RogueKiller Found AdvinstAnalytics


This topic is locked.
17 replies to this topic

#1 benta (Members)

Posted 28 December 2017 - 08:35 AM

Today my RogueKiller detected AdvinstAnalytics as a PUP, but I don't think I have done anything that could infect my PC with a PUP. Is this something I should be worried about?

 

 

RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tbhben [Administrator]
Started from : E:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 12/27/2017 19:56:35 (Duration : 00:26:20)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics -> Deleted
[PUP.OnlineIO][File] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b\6.9.18\tracking.ini -> Deleted
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b\6.9.18 -> Deleted
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-00ERMA0 ATA Device +++++
--- User ---
[MBR] 4ca7b3423dfcdba40e7a050846880767
[BSP] ad049b8585a1cc07fd135efa83e4ae26 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 236001 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 483331590 | Size: 240935 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Edited by hamluis, 28 December 2017 - 08:47 AM.
Moved from AII to MRL - Hamluis.
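The report format above can be parsed mechanically. The following Python is an added example (not from this thread and not Adlice's RogueKiller code): it turns a report into structured detections, collapses the four Folder/File lines to the single dropped directory they describe, checks whether everything sits under a per-user AppData tree, and records that the "Files : 1" header is a detection count rather than a line count. The sample report is constructed from the lines quoted in the post.

```python
"""Parse a RogueKiller report into structured detections for triage."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Section header, e.g. "¤¤¤ Files : 1 ¤¤¤" or "¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤".
# "¤¤¤ MBR Check : ¤¤¤" carries no count, so the count group is optional.
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :(?: (?P<count>\d+))?(?: \(.*\))? ¤¤¤$")
# Detection line, e.g. "[PUP.OnlineIO][Folder] E:\...\AdvinstAnalytics -> Deleted".
ITEM_RE = re.compile(r"^\[(?P<family>[^\]]+)\]\[(?P<kind>[^\]]+)\] (?P<target>.+?) -> (?P<action>\w+)$")


@dataclass(frozen=True)
class Detection:
    section: str   # report section the line appeared under ("Files", "Registry", ...)
    family: str    # signature family, e.g. "PUP.OnlineIO"
    kind: str      # "Folder", "File", "Key", ...
    target: str    # path or registry location
    action: str    # "Deleted", "Found", ...


def parse_roguekiller(report):
    """Return (detections, count_notes).

    count_notes holds (section, declared, listed) for each section whose header
    count differs from the number of lines under it. RogueKiller counts one
    detection per finding, so one removed folder tree expands to several
    Folder/File lines (the post's "Files : 1" covers four lines); the note is
    informational, not an error in the report.
    """
    detections, notes = [], []
    section, declared, listed = None, None, 0
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            if section is not None and declared is not None and declared != listed:
                notes.append((section, declared, listed))
            section = header.group("name")
            declared = int(header.group("count")) if header.group("count") else None
            listed = 0
            continue
        item = ITEM_RE.match(line)
        if item and section is not None:
            detections.append(Detection(section, **item.groupdict()))
            listed += 1
    if section is not None and declared is not None and declared != listed:
        notes.append((section, declared, listed))
    return detections, notes


def under_user_appdata(target):
    """True for paths inside a per-user AppData tree, which an installer can
    write to without admin rights (as NordVPNSetup.exe did in this thread)."""
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    return "users" in parts and "appdata" in parts


def common_root(detections):
    """Deepest directory containing every File/Folder target, so several
    report lines collapse to the single artifact they describe (None if none)."""
    dirs = []
    for d in detections:
        if d.kind == "Folder":
            dirs.append(PureWindowsPath(d.target))
        elif d.kind == "File":
            dirs.append(PureWindowsPath(d.target).parent)
    if not dirs:
        return None
    root = dirs[0]
    for p in dirs[1:]:
        while not (p == root or root in p.parents):
            if root == root.parent:   # reached the drive root: no shared directory
                return None
            root = root.parent
    return str(root)


def summarize(report):
    """One-glance triage: what was found, how many lines, and under which root."""
    detections, notes = parse_roguekiller(report)
    fs_items = [d for d in detections if d.kind in ("File", "Folder")]
    return {
        "detections": len(detections),
        "families": sorted({d.family for d in detections}),
        "root": common_root(detections),
        "all_user_appdata": bool(fs_items) and all(under_user_appdata(d.target) for d in fs_items),
        "count_notes": notes,
    }


# Constructed sample, modelled on the report quoted in the post above.
SAMPLE_REPORT = r"""
RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics -> Deleted
[PUP.OnlineIO][File] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b\6.9.18\tracking.ini -> Deleted
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b\6.9.18 -> Deleted
[PUP.OnlineIO][Folder] E:\Users\tbhben\AppData\Local\AdvinstAnalytics\591db77a20ba7c275a9e6c7b -> Deleted

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-00ERMA0 ATA Device +++++
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```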




#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 28 December 2017 - 01:47 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Step 1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist.
==============================

#3 benta (Topic Starter)

Posted 28 December 2017 - 08:33 PM

I just found out that the file "AdvinstAnalytics" came from NordVPN. Does this mean it's a false positive?



#4 nasdaq (Malware Response Team)

Posted 29 December 2017 - 07:56 AM

Hi,

It's an ad-driven add-on.

If it comes back after running Malwarebytes and AdwCleaner then it's a syncing issue.

To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

FOX SYNCING.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer
===

If the problem persists then please run the Farbar program and post both logs for my review.

#5 benta (Topic Starter)

Posted 29 December 2017 - 10:02 AM

But it only comes back if I install NordVPN. I tried to uninstall and install NordVPN again, and it came back right after I reinstalled NordVPN.



#6 nasdaq (Malware Response Team)

Posted 29 December 2017 - 01:59 PM

Hi,

Unless you can check the option (if available) to NOT install it during the installation process, it will return.

#7 benta (Topic Starter)

Posted 29 December 2017 - 10:18 PM

I just tested it further. AdvinstAnalytics came back after just opening NordVPNSetup.exe (without installing). I even tested it on my sister's laptop: I downloaded NordVPNSetup.exe from the NordVPN website and opened NordVPNSetup.exe. Then AdvinstAnalytics was secretly placed on my sister's laptop: AppData\Local\AdvinstAnalytics

 

Is AdvinstAnalytics from NordVPN safe or not?



#8 nasdaq (Malware Response Team)

Posted 30 December 2017 - 08:47 AM



Hi,

Read about it.
https://www.google.ca/search?q=AdvinstAnalytics&oq=AdvinstAnalytics&aqs=chrome..69i57j69i61j69i60l2&sourceid=chrome&ie=UTF-8

It's a PUP (Potentially Unwanted Program) because of the ads.

If you do have ads and want to accept that, then it's OK to use.

Are you Syncing this computer with your other Devices?

If yes did you remove the Syncing as suggested in post no. 4?
If not I suggest you do it.

Then open NordVPN to find out if it returns or not.

===

If you like I will check your logs from running the Farbar program.
There might be some unwanted entries that should be removed. Your call.

#9 benta (Topic Starter)

Posted 31 December 2017 - 08:39 PM

No, I'm not syncing my PC with other devices. And here are the logs from the Farbar program.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by tbhben (administrator) on TBHBEN-PC (30-12-2017 23:46:30)
Running from E:\Users\tbhben\Downloads
Loaded Profiles: tbhben &  (Available Profiles: tbhben)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) E:\Windows\System32\atiesrxx.exe
(AMD) E:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Antivirus\sched.exe
(Realtek Semiconductor) E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Skype Technologies S.A.) E:\Program Files (x86)\Skype\Phone\Skype.exe
(Tonec Inc.) E:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Epic Privacy Browser) E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe
(SUPERAntiSpyware) E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Google Inc.) E:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) E:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Splashtop Inc.) E:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe
(Mister Group) E:\Program Files (x86)\System Explorer\SystemExplorer.exe
(SUPERAntiSpyware.com) E:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Advanced Micro Devices Inc.) E:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Piriform Ltd) E:\Program Files\CCleaner\CCleaner64.exe
(Advanced Micro Devices, Inc.) E:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Nero AG) E:\Program Files (x86)\Nero\Update\NASvc.exe
(Microsoft Corporation) E:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\perfhost.exe
(Splashtop Inc.) E:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Malwarebytes) E:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Tonec Inc.) E:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(ATI Technologies Inc.) E:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(IObit) E:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Malwarebytes) E:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Mister Group) E:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
(Microsoft Corporation) E:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Skype Technologies) E:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) E:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Skype Technologies) E:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) E:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM-x32\...\Run: [STCAgent] => E:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe [776064 2011-03-04] (Splashtop Inc.)
HKLM-x32\...\Run: [ZyngaGamesAgent] => E:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe [841544 2010-11-15] (Splashtop Inc.)
HKLM-x32\...\Run: [StartCCC] => E:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-07-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SystemExplorerAutoStart] => "E:\Program Files (x86)\System Explorer\SystemExplorer.exe" /TRAY
HKU\RK_Administrator_ON_C_FD7A\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3541008 2012-12-20] (Tonec Inc.)
HKU\RK_Administrator_ON_C_FD7A\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [20992 2005-03-25] (Microsoft Corporation)
HKU\RK_Administrator_ON_C_FD7A\...\Run: [AdobeBridge] => [X]
HKU\RK_Administrator_ON_C_FD7A\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
HKU\RK_Administrator_ON_C_FD7A\...\Run: [Advanced SystemCare 6] => C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe [490880 2012-09-25] (IObit)
HKU\RK_Administrator_ON_C_FD7A\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [3111712 2017-12-15] (Valve Corporation)
HKU\RK_Default User_ON_C_E99F\...\RunOnce: [tscuninstall] => %systemroot%\system32\tscupgrd.exe
HKU\RK_Default User_ON_C_E99F\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\RK_Default User_ON_C_E99F\Control Panel\Desktop\\SCRNSAVE.EXE -> E:\Windows\System32\logon.scr
HKU\RK_LocalService_ON_C_9B62\...\RunOnce: [tscuninstall] => %systemroot%\system32\tscupgrd.exe
HKU\RK_LocalService_ON_C_9B62\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\RK_LocalService_ON_C_9B62\Control Panel\Desktop\\SCRNSAVE.EXE -> E:\Windows\System32\logon.scr
HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440194\...\RunOnce: [SPReview] => E:\Windows\System32\SPReview\SPReview.exe [301568 2017-05-06] (Microsoft Corporation)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Run: [Skype] => E:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Run: [CCleaner Monitoring] => E:\Program Files\CCleaner\CCleaner64.exe [9773272 2017-05-19] (Piriform Ltd)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Run: [IDMan] => E:\Program Files (x86)\Internet Download Manager\IDMan.exe [3487128 2013-02-05] (Tonec Inc.)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Run: [Epic Privacy Browser Installer] => E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe [509096 2017-09-10] (Epic Privacy Browser)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Run: [SUPERAntiSpyware] => E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964576 2017-10-17] (SUPERAntiSpyware)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\RunOnce: [FlashPlayerUpdate] => E:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_26_0_0_131_pepper.exe [1280000 2017-06-22] (Adobe Systems Incorporated)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Run: [Skype] => E:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Run: [CCleaner Monitoring] => E:\Program Files\CCleaner\CCleaner64.exe [9773272 2017-05-19] (Piriform Ltd)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Run: [IDMan] => E:\Program Files (x86)\Internet Download Manager\IDMan.exe [3487128 2013-02-05] (Tonec Inc.)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Run: [Epic Privacy Browser Installer] => E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe [509096 2017-09-10] (Epic Privacy Browser)
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Run: [SUPERAntiSpyware] => E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964576 2017-10-17] (SUPERAntiSpyware)
HKU\S-1-5-18\...\RunOnce: [SPReview] => E:\Windows\System32\SPReview\SPReview.exe [301568 2017-05-06] (Microsoft Corporation)
Startup: E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Universal Media Server.lnk [2017-07-26]
ShortcutTarget: Universal Media Server.lnk -> E:\Users\tbhben\Desktop\New folder (4)\Universal Media Server\UMS.exe (No File)
GroupPolicy: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A09BC5DD-D4C4-4A86-B704-3A19C74A7896}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\RK_Administrator_ON_C_FD7A\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1034722268-116428125-1122422439-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-my/?ocid=iehp
HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-my/?ocid=iehp
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000 -> {25BF1A43-F955-45db-AFB5-DDE2014F86C2} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000 -> {4A67AB7E-7428-4e50-8E12-D0428B254B47} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765 -> {25BF1A43-F955-45db-AFB5-DDE2014F86C2} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765 -> {4A67AB7E-7428-4e50-8E12-D0428B254B47} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> E:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2017-05-22] (IObit)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - E:\Windows\system32\explorerframe.dll [2016-08-29] (Microsoft Corporation)
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - E:\Windows\system32\shell32.dll [2016-08-29] (Microsoft Corporation)
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - E:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - E:\Windows\system32\urlmon.dll [2015-12-10] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - E:\Windows\SysWOW64\urlmon.dll [2015-12-10] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - E:\Windows\system32\urlmon.dll [2015-12-10] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - E:\Windows\SysWOW64\urlmon.dll [2015-12-10] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: 975xz4t1.default
FF ProfilePath: E:\Users\tbhben\AppData\Roaming\Mozilla\Firefox\Profiles\975xz4t1.default [2017-12-30]
FF HKLM-x32\...\Firefox\Extensions: [{91c612bf-2a7a-48b8-8c8c-6de28589b7a1}] - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a1}
FF Extension: (Splashtop Connect Companion) - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a1} [2017-05-06] [Legacy] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{91c612bf-2a7a-48b8-8c8c-6de28589b7a0}] - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a0}
FF Extension: (Splashtop Connect) - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{91c612bf-2a7a-48b8-8c8c-6de28589b7a0} [2017-05-06] [Legacy] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{d9284e50-81fc-11da-a72b-0800200c9a66}] - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{d9284e50-81fc-11da-a72b-0800200c9a66}
FF Extension: (Yoono) - E:\Program Files (x86)\Splashtop\Splashtop Connect for Firefox\{d9284e50-81fc-11da-a72b-0800200c9a66} [2017-05-06] [Legacy] [not signed]
FF HKU\RK_Administrator_ON_C_FD7A\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc5 [2013-01-12] [Legacy] [not signed]
FF HKU\RK_Administrator_ON_C_FD7A\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc5
FF HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - E:\Users\tbhben\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - E:\Users\tbhben\AppData\Roaming\IDM\idmmzcc5 [2017-08-13] [Legacy] [not signed]
FF HKU\S-1-5-21-1034722268-116428125-1122422439-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - E:\Users\tbhben\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - E:\Users\tbhben\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - E:\Users\tbhben\AppData\Roaming\IDM\idmmzcc5
FF Plugin: @adobe.com/FlashPlayer -> E:\Windows\system32\Macromed\Flash\NPSWF64_26_0_0_131.dll [2017-06-22] ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_131.dll [2017-06-22] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> E:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> E:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll [2009-12-10] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> E:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll [2009-12-10] (RealNetworks, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> E:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> E:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-1034722268-116428125-1122422439-1000: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=3 -> E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\1.3.27.13\npEpicUpdate3.dll [2017-09-10] (Epic Privacy Browser)
FF Plugin HKU\S-1-5-21-1034722268-116428125-1122422439-1000: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=9 -> E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\1.3.27.13\npEpicUpdate3.dll [2017-09-10] (Epic Privacy Browser)
FF Plugin HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=3 -> E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\1.3.27.13\npEpicUpdate3.dll [2017-09-10] (Epic Privacy Browser)
FF Plugin HKU\S-1-5-21-1034722268-116428125-1122422439-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12302017042440765: @updates.epicbrowser.com/Epic Privacy Browser Installer;version=9 -> E:\Users\tbhben\AppData\Local\Epic Privacy Browser\Installer\1.3.27.13\npEpicUpdate3.dll [2017-09-10] (Epic Privacy Browser)
 
Chrome: 
=======
CHR Profile: E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default [2017-12-30]
CHR Extension: (Slides) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-28]
CHR Extension: (Docs) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-28]
CHR Extension: (Google Drive) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-10-28]
CHR Extension: (YouTube) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-10-28]
CHR Extension: (Sheets) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-28]
CHR Extension: (Google Docs Offline) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-10-28]
CHR Extension: (Chrome Web Store Payments) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-28]
CHR Extension: (Gmail) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-10-28]
CHR Extension: (Chrome Media Router) - E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-14]
CHR Profile: E:\Users\tbhben\AppData\Local\Google\Chrome\User Data\System Profile [2017-12-29]
CHR HKLM\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; E:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 AMD FUEL Service; E:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2011-07-28] (Advanced Micro Devices, Inc.) [File not signed]
S2 AntiVirMailService; E:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1128944 2017-12-07] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; E:\Program Files (x86)\Avira\Antivirus\sched.exe [490968 2017-12-07] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; E:\Program Files (x86)\Avira\Antivirus\avguard.exe [490968 2017-12-07] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; E:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1526832 2017-12-07] (Avira Operations GmbH & Co. KG)
S3 AppleChargerSrv; E:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 Avira.ServiceHost; E:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [434248 2017-11-06] (Avira Operations GmbH & Co. KG)
S2 IObitUnSvr; E:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [206112 2017-06-14] (IObit)
R2 MBAMService; E:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R3 SystemExplorerHelpService; E:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [820960 2014-12-20] (Mister Group)
R2 WCUService_STC_FF; E:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [493384 2010-11-29] (Splashtop Inc.)
S3 WinDefend; E:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdide64; E:\Windows\System32\DRIVERS\amdide64.sys [11832 2010-06-29] (Advanced Micro Devices Inc.)
R1 AppleCharger; E:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] ()
R0 avdevprot; E:\Windows\System32\DRIVERS\avdevprot.sys [64504 2017-12-07] (Avira Operations GmbH & Co. KG)
R2 avgntflt; E:\Windows\System32\DRIVERS\avgntflt.sys [196344 2017-12-07] (Avira Operations GmbH & Co. KG)
R1 avipbb; E:\Windows\System32\DRIVERS\avipbb.sys [153072 2017-12-07] (Avira Operations GmbH & Co. KG)
R1 avkmgr; E:\Windows\System32\DRIVERS\avkmgr.sys [35328 2017-12-07] (Avira Operations GmbH & Co. KG)
R2 avnetflt; E:\Windows\System32\DRIVERS\avnetflt.sys [78600 2017-12-07] (Avira Operations GmbH & Co. KG)
R0 avusbflt; E:\Windows\System32\Drivers\avusbflt.sys [34128 2017-12-07] (Avira Operations GmbH & Co. KG)
R3 IUFileFilter; E:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUFileFilter.sys [21928 2017-06-06] (IObit.com)
R3 IURegProcessFilter; E:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegProcessFilter.sys [21872 2017-09-28] (IObit.com)
R3 MBAMSwissArmy; E:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2017-12-30] (Malwarebytes)
R1 SASDIFSV; E:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; E:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 tapipvanish; E:\Windows\System32\DRIVERS\tapipvanish.sys [34520 2017-09-19] (The OpenVPN Project)
S3 tapnordvpn; E:\Windows\System32\DRIVERS\tapnordvpn.sys [75088 2017-03-29] (The OpenVPN Project)
S3 gdrv; \??\E:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\E:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-30 04:23 - 2017-12-30 04:23 - 000253880 _____ (Malwarebytes) E:\Windows\system32\Drivers\mbamswissarmy.sys
2017-12-29 21:12 - 2017-12-29 21:12 - 002391552 _____ (Farbar) E:\Users\tbhben\Downloads\FRST64.exe
2017-12-29 21:07 - 2017-12-29 21:07 - 000003454 _____ E:\Users\tbhben\Documents\AdwCleaner[S0].txt
2017-12-29 21:06 - 2017-12-29 21:06 - 000001236 _____ E:\Users\tbhben\Documents\Malwarebytes.txt
2017-12-29 14:53 - 2017-12-29 14:53 - 012356992 _____ (NordVPN) E:\Users\tbhben\Downloads\NordVPNSetup.exe
2017-12-28 21:53 - 2017-12-29 21:06 - 000000000 ____D E:\AdwCleaner
2017-12-28 20:40 - 2017-12-28 20:42 - 036309224 _____ (Adlice Software ) E:\Users\tbhben\Downloads\setup.exe
2017-12-28 19:50 - 2017-12-28 19:51 - 008198432 _____ (Malwarebytes) E:\Users\tbhben\Downloads\adwcleaner_7.0.6.0.exe
2017-12-26 22:02 - 2017-12-26 22:02 - 000000000 ____D E:\Program Files (x86)\NVIDIA Corporation
2017-12-26 22:02 - 2017-12-26 22:02 - 000000000 ____D E:\Program Files (x86)\AGEIA Technologies
2017-12-26 21:28 - 2017-12-26 21:28 - 000000000 ____D E:\Users\tbhben\Documents\My Games
2017-12-25 02:34 - 2017-12-25 02:34 - 000000000 ____D E:\Users\tbhben\OpenVPN
2017-12-19 22:16 - 2017-12-28 21:25 - 000000000 ____D E:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-12-19 22:16 - 2017-12-28 21:25 - 000000000 ____D E:\Program Files\RogueKiller
2017-12-19 22:16 - 2017-12-19 22:17 - 000000000 ____D E:\ProgramData\RogueKiller
2017-12-19 22:15 - 2017-12-19 22:15 - 000000000 ____D E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-19 22:15 - 2017-11-29 09:11 - 000077432 _____ E:\Windows\system32\Drivers\mbae64.sys
2017-12-19 22:14 - 2017-12-19 22:14 - 000001818 _____ E:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2017-12-19 22:14 - 2017-12-19 22:14 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\SUPERAntiSpyware.com
2017-12-19 22:14 - 2017-12-19 22:14 - 000000000 ____D E:\ProgramData\SUPERAntiSpyware.com
2017-12-19 22:14 - 2017-12-19 22:14 - 000000000 ____D E:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-12-19 22:14 - 2017-12-19 22:14 - 000000000 ____D E:\Program Files\SUPERAntiSpyware
2017-12-19 22:11 - 2017-12-19 22:14 - 083316440 _____ (Malwarebytes ) E:\Users\tbhben\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe
2017-12-19 22:07 - 2017-12-30 22:10 - 000003292 _____ E:\Windows\System32\Tasks\Avira_Antivirus_Systray
2017-12-19 22:07 - 2017-12-07 16:37 - 000196344 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avgntflt.sys
2017-12-19 22:07 - 2017-12-07 16:37 - 000153072 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avipbb.sys
2017-12-19 22:07 - 2017-12-07 16:37 - 000078600 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avnetflt.sys
2017-12-19 22:07 - 2017-12-07 16:37 - 000064504 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avdevprot.sys
2017-12-19 22:07 - 2017-12-07 16:37 - 000035328 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avkmgr.sys
2017-12-19 22:07 - 2017-12-07 16:37 - 000034128 _____ (Avira Operations GmbH & Co. KG) E:\Windows\system32\Drivers\avusbflt.sys
2017-12-19 21:57 - 2017-12-19 22:07 - 000000000 ____D E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-12-19 21:57 - 2017-12-19 22:07 - 000000000 ____D E:\ProgramData\Avira
2017-12-19 21:57 - 2017-12-19 22:07 - 000000000 ____D E:\Program Files (x86)\Avira
2017-12-19 21:57 - 2017-12-19 21:57 - 000003122 _____ E:\Windows\System32\Tasks\Avira SystrayStartTrigger
2017-12-19 21:57 - 2017-12-19 21:57 - 000001198 _____ E:\Users\Public\Desktop\Avira.lnk
2017-12-19 21:55 - 2017-12-19 21:56 - 005348656 _____ (Avira Operations GmbH & Co. KG) E:\Users\tbhben\Downloads\avira_en_av_5a39ce8000a90__ws6.exe
2017-12-19 03:58 - 2017-12-19 03:58 - 000000000 ____D E:\ProgramData\MB3CoreBackup
2017-12-19 00:07 - 2017-12-27 19:58 - 000007194 _____ E:\Users\tbhben\Documents\install.txt
2017-12-18 03:03 - 2017-12-18 23:45 - 000000852 __RSH E:\ProgramData\ntuser.pol
2017-12-09 21:51 - 2017-12-09 21:51 - 000255928 _____ (Malwarebytes) E:\Windows\system32\Drivers\2722C27F.sys
2017-12-06 19:38 - 2017-12-28 19:53 - 000000000 ____D E:\ProgramData\ProductData
2017-12-06 19:38 - 2017-12-06 19:38 - 000001376 _____ E:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2017-12-06 19:38 - 2017-12-06 19:38 - 000000000 ____D E:\Users\tbhben\AppData\LocalLow\IObit
2017-12-06 19:38 - 2017-12-06 19:38 - 000000000 ____D E:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2017-12-06 19:37 - 2017-12-16 22:01 - 000000000 ____D E:\ProgramData\IObit
2017-12-06 19:37 - 2017-12-06 19:38 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\IObit
2017-12-06 19:37 - 2017-12-06 19:37 - 000000000 ____D E:\Program Files (x86)\IObit
2017-12-06 19:35 - 2017-12-06 19:36 - 015871160 _____ (IObit ) E:\Users\tbhben\Downloads\iobituninstaller (1).exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-30 23:46 - 2017-05-07 07:38 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\Skype
2017-12-30 23:43 - 2017-09-10 03:10 - 000000000 ____D E:\Users\tbhben\AppData\Local\Epic Privacy Browser
2017-12-30 21:47 - 2017-06-07 23:30 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\Mozilla
2017-12-30 21:47 - 2017-05-14 08:49 - 000000000 ____D E:\Users\tbhben\AppData\LocalLow\Mozilla
2017-12-30 08:48 - 2009-07-14 00:13 - 000781298 _____ E:\Windows\system32\PerfStringBackup.INI
2017-12-30 08:48 - 2009-07-13 22:20 - 000000000 ____D E:\Windows\inf
2017-12-30 08:21 - 2017-11-18 23:14 - 000028272 _____ E:\Windows\system32\Drivers\TrueSight.sys
2017-12-30 04:29 - 2009-07-13 23:45 - 000014016 ____H E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-12-30 04:29 - 2009-07-13 23:45 - 000014016 ____H E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-12-30 04:18 - 2017-07-23 22:03 - 000000000 ____D E:\Program Files (x86)\Mozilla Firefox
2017-12-30 04:18 - 2017-06-22 11:44 - 000000000 ____D E:\Program Files (x86)\Mozilla Maintenance Service
2017-12-30 04:18 - 2009-07-14 00:08 - 000000006 ____H E:\Windows\Tasks\SA.DAT
2017-12-30 04:16 - 2017-05-07 04:15 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\DMCache
2017-12-29 20:53 - 2017-11-26 19:55 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\IPVanish
2017-12-29 16:29 - 2017-09-10 03:18 - 000002391 _____ E:\Users\tbhben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Epic Privacy Browser.lnk
2017-12-29 16:29 - 2017-09-10 03:18 - 000002383 _____ E:\Users\tbhben\Desktop\Epic Privacy Browser.lnk
2017-12-26 22:01 - 2017-11-18 22:18 - 000000000 ____D E:\Users\tbhben\AppData\Local\CrashDumps
2017-12-25 02:34 - 2017-05-06 18:20 - 000000000 ____D E:\Users\tbhben
2017-12-19 22:15 - 2017-05-06 19:07 - 000000000 ____D E:\ProgramData\Malwarebytes
2017-12-19 22:15 - 2017-05-06 19:07 - 000000000 ____D E:\Program Files\Malwarebytes
2017-12-19 21:57 - 2017-05-06 19:07 - 000000000 ____D E:\ProgramData\Package Cache
2017-12-19 21:29 - 2009-07-14 00:08 - 000032634 _____ E:\Windows\Tasks\SCHEDLGU.TXT
2017-12-18 20:53 - 2009-07-13 22:20 - 000000000 ____D E:\Windows\system32\NDF
2017-12-18 03:01 - 2009-07-13 22:20 - 000000000 ___HD E:\Windows\system32\GroupPolicy
2017-12-14 03:19 - 2017-10-28 00:22 - 000002205 _____ E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-14 03:19 - 2017-10-28 00:22 - 000002193 _____ E:\Users\Public\Desktop\Google Chrome.lnk
2017-12-09 22:11 - 2017-11-18 22:54 - 000000000 ____D E:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-12-01 01:26 - 2017-05-07 01:17 - 000000000 ____D E:\Users\tbhben\AppData\Roaming\Media Player Classic
 
==================== Files in the root of some directories =======
 
2017-11-27 21:40 - 2017-11-27 21:40 - 000000017 _____ () E:\Users\tbhben\AppData\Local\resmon.resmoncfg
 
Some files in TEMP:
====================
2017-11-18 21:50 - 2016-03-16 13:55 - 001732864 _____ (Microsoft Corporation) E:\Users\tbhben\AppData\Local\Temp\dllnt_dump.dll
2017-11-23 00:48 - 2017-12-04 09:30 - 059117248 _____ (Skype Technologies S.A.) E:\Users\tbhben\AppData\Local\Temp\SkypeSetup.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
E:\Windows\system32\winlogon.exe => File is digitally signed
E:\Windows\system32\wininit.exe => File is digitally signed
E:\Windows\SysWOW64\wininit.exe => File is digitally signed
E:\Windows\explorer.exe => File is digitally signed
E:\Windows\SysWOW64\explorer.exe => File is digitally signed
E:\Windows\system32\svchost.exe => File is digitally signed
E:\Windows\SysWOW64\svchost.exe => File is digitally signed
E:\Windows\system32\services.exe => File is digitally signed
E:\Windows\system32\User32.dll => File is digitally signed
E:\Windows\SysWOW64\User32.dll => File is digitally signed
E:\Windows\system32\userinit.exe => File is digitally signed
E:\Windows\SysWOW64\userinit.exe => File is digitally signed
E:\Windows\system32\rpcss.dll => File is digitally signed
E:\Windows\system32\dnsapi.dll => File is digitally signed
E:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
E:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-12-29 01:20
 
==================== End of FRST.txt ============================

 

Thanks in advance for your help!



#10 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 01 January 2018 - 08:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\RK_Administrator_ON_C_FD7A\...\Run: [AdobeBridge] => [X]
ShortcutTarget: Universal Media Server.lnk -> E:\Users\tbhben\Desktop\New folder (4)\Universal Media Server\UMS.exe (No File)
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
S3 gdrv; \??\E:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\E:\Windows\xhunter1.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the log and include the Addition.txt log created by the Farbar program.

Let me know what problem persists.

#11 benta
  • Topic Starter

Posted 01 January 2018 - 08:44 AM

Here's the Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01.01.2018
Ran by tbhben (01-01-2018 08:21:00) Run:1
Running from E:\Users\tbhben\Downloads
Loaded Profiles: tbhben &  (Available Profiles: tbhben)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\RK_Administrator_ON_C_FD7A\...\Run: [AdobeBridge] => [X]
ShortcutTarget: Universal Media Server.lnk -> E:\Users\tbhben\Desktop\New folder (4)\Universal Media Server\UMS.exe (No File)
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7}
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File
S3 gdrv; \??\E:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\E:\Windows\xhunter1.sys [X]
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
HKU\RK_Administrator_ON_C_FD7A\...\Run: [AdobeBridge] => [X] => Error: No automatic fix found for this entry.
Could not move "E:\Users\tbhben\Desktop\New folder" => Scheduled to move on reboot.
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7} => Error: No automatic fix found for this entry.
SearchScopes: HKU\RK_Administrator_ON_C_FD7A -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10010&barid={263069F2-6D60-11E2-A307-94445298A0D7} => Error: No automatic fix found for this entry.
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File => Error: No automatic fix found for this entry.
Toolbar: HKU\RK_Administrator_ON_C_FD7A -> No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} -  No File => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\gdrv" => removed successfully
gdrv => service removed successfully
"HKLM\System\CurrentControlSet\Services\Synth3dVsc" => removed successfully
Synth3dVsc => service removed successfully
"HKLM\System\CurrentControlSet\Services\tsusbhub" => removed successfully
tsusbhub => service removed successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\System\CurrentControlSet\Services\xhunter1" => removed successfully
xhunter1 => service removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 117999714 B
Java, Flash, Steam htmlcache => 98402383 B
Windows/system/drivers => 3723859 B
Edge => 0 B
Chrome => 576522243 B
Firefox => 138604089 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 135081 B
systemprofile32 => 148376 B
LocalService => 132177 B
NetworkService => 66228 B
tbhben => 429017521 B
 
RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 01-01-2018 08:25:07)
 
E:\Users\tbhben\Desktop\New folder => Is moved successfully
 
==== End of Fixlog 08:25:07 ====

 

 


#12 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 01 January 2018 - 11:16 AM

Hi,

No malware found in your Addition log.

You need to take care of this.

ATTENTION: System Restore is disabled
Turn your System Restore ON - Windows Help
https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#13 benta
  • Topic Starter

Posted 01 January 2018 - 05:41 PM

Does this mean AdvinstAnalytics came from NordVPNSetup.exe? Because AdvinstAnalytics was still secretly placed on my PC after just opening the NordVPNSetup.exe (without installing).



#14 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 02 January 2018 - 08:11 AM

Do you have any popups, ads or other issues with this computer?

#15 benta
  • Topic Starter

Posted 03 January 2018 - 07:55 AM

No, I don't have popups, ads or other issues with my PC. It's just that AdvinstAnalytics is still secretly placed on my PC after just opening the NordVPNSetup.exe, and RogueKiller still detects AdvinstAnalytics as PUP. Which is strange, since I did not consent to NordVPNSetup installing AdvinstAnalytics on my PC (if it really comes from NordVPNSetup.exe). Can I still trust them?





