30tab Adware mrxsmb22, Need Fixlist Help!!



Hello everyone, I need your help. My laptop was infected by the 30tab.com Safe Navigation virus. It hijacked my browsers, IE and Opera. I've already tried many antivirus and adware cleaners, including Malwarebytes and AdwCleaner. I tried all of them, but with no result at all. I also reset my browsers to default settings and even uninstalled the browsers. But the virus comes back again when I install them back. When I scanned with the antivirus, I found the infected location here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb22

I already scanned my laptop with FRST, but I don't know how to fix it. If anyone has another way to clean this virus, please let me know.
Here are the attachments of the FRST scan logs below. I hope you can help me. Thank you.

 

FRST.txt

Addition.txt


Hello ikimementomori and welcome to Malwarebytes,

Do the following and post the URL link to the results:

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Windows\KeyHook32.dll
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thanks,

Kevin...


Continue with the following:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running the FRST fix."
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Malwarebytes does not seem to be installed; there are, however, several remnant drivers. Let's remove those first, then reinstall and run Malwarebytes.

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Let me see those logs in your reply, also let me know if there are any remaining issues or concerns...

Thanks,

Kevin

fixlist.txt

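The fixlist above works by removing a service/driver registry entry (amdfx) whose binary no longer exists. The following PowerShell script is an added example, not part of this thread and not code from FRST or Malwarebytes, that audits HKLM\SYSTEM\CurrentControlSet\Services the same way a helper would by eye: it returns every service or driver entry whose ImagePath points to a file that is missing, or that is present but not Authenticode-signed, so such remnants can be reviewed before a fix is written. It is read-only, removes nothing, and assumes PowerShell 3 or later run as administrator.

```powershell
# Added example, not from the thread or from FRST/Malwarebytes. Read-only audit of
# HKLM\SYSTEM\CurrentControlSet\Services: every service or driver entry whose
# ImagePath points to a file that is missing, or present but not Authenticode-
# signed, is returned for review. The orphaned "amdfx" driver entry that the
# fixlist in this thread removed is the kind of entry this surfaces.
function Get-SuspectServiceEntry {
    [CmdletBinding()]
    param(
        # Standard services key; override only for an offline hive mounted elsewhere.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }   # no binary configured (e.g. service groups)

        # Normalise the raw ImagePath to a file system path: take the quoted part
        # or the text up to the first .sys/.exe/.dll, then expand the \??\,
        # \SystemRoot, %SystemRoot% and bare "system32\" shorthands drivers use.
        $raw = [string]$props.ImagePath
        if ($raw -match '^"([^"]+)"') {
            $path = $Matches[1]
        } elseif ($raw -match '^(.+?\.(sys|exe|dll))') {
            $path = $Matches[1]
        } else {
            $path = $raw.Trim()
        }
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        if ($exists) {
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else {
            $signature = 'FileMissing'
        }

        [PSCustomObject]@{
            Service   = $_.PSChildName
            Type      = $props.Type    # 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            Signature = $signature
        }
    } | Where-Object { $_.Signature -ne 'Valid' }
}

# Usage: missing binaries first (orphaned entries like amdfx), then unsigned or tampered files.
Get-SuspectServiceEntry | Sort-Object Signature, Service | Format-Table -AutoSize
```

Entries reported as FileMissing are the remnant-driver case this thread deals with; entries reported as NotSigned or HashMismatch on a file that does exist deserve a closer look (upload to VirusTotal, as the first reply asks for KeyHook32.dll) before anything is removed. Get-AuthenticodeSignature also honours catalog signatures, so stock Windows drivers normally come back Valid and drop out of the list.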

Do you have a USB flash drive, if so see if you can run the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32-bit or 64-bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Also download the attached file fixlist.txt and save it to the same flash drive.

How to access System Recovery Options in Windows 7 follows.

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version, then press Enter. Note: Replace the letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer (If applicable).
  • Press Fix button.
  • It will make a log (fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Next,

Boot back to Normal Windows, then run the following:

Download RogueKiller and save it on your desktop; ensure you download the correct version.

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/paste its content in your next reply.

Do not use the Remove Selected option until I've had a look at the log.

Let me see those logs in your reply....

Thank you,

Kevin

fixlist.txt


Thanks for your help, sir! My laptop is no longer infected by the annoying 30tab.com adware, and now my browser is clean. I did all the instructions you gave me.

I tried to boot into Advanced Boot Options using F8 key, but there was no option to choose Repair your computer. Also, I don't have the CD installation of Win 7.

So I skipped it, booted normally, and tried to fix again using FRST. I fixed twice and here's the fixlog I got.


First Log :

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 23-12-2017 10:28:05)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\amdfx => removed successfully.

==== End of Fixlog 10:28:05 ====

 


Second Log :

Fix result of Farbar Recovery Scan Tool (x86) Version: 17-12-2017
Ran by Mementomori (23-12-2017 10:29:09) Run:2
Running from C:\Users\Mementomori\Downloads
Loaded Profiles: Mementomori (Available Profiles: Mementomori)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
R1 amdfx; C:\Windows\system32\drivers\amdfx.sys 
Unlock: C:\Windows\system32\drivers\amdfx.sys
C:\Windows\system32\drivers\amdfx.sys
End
*****************

amdfx => service not found.
"C:\Windows\system32\drivers\amdfx.sys" => not found.
"C:\Windows\system32\drivers\amdfx.sys" => not found.

==== End of Fixlog 10:29:17 ====

 

But I got another threat in the registry detected by RogueKiller when I scanned it.
Here's the scan report.


RogueKiller V12.11.29.0 [Dec 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Mementomori [Administrator]
Started from : C:\Users\Mementomori\Downloads\Programs\RogueKiller_portable32.exe
Mode : Scan -- Date : 12/23/2017 10:23:05 (Duration : 00:38:44)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1662289759-2656025963-3465781237-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HITACHI HTS542516K9SA00 +++++
--- User ---
[MBR] bb771710e065ed6d6cf81da88c537b2e
[BSP] 4ebd4bc968e4238a48bf6aa96d42183d : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 99514 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 203808440 | Size: 53109 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([32] The request is not supported. )
Error reading LL2 MBR! ([32] The request is not supported. )

 

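The remaining RogueKiller hit above is a PUM.SearchPage entry: the "Search Bar" value under the user's SID in Software\Microsoft\Internet Explorer\Main, which is exactly where browser hijackers such as the one in the first post plant their search or start page. The following PowerShell script is an added example, not part of this thread and not RogueKiller's own logic, that reads the IE "Main" URL values for the current user (HKCU) and the machine defaults (HKLM) and reports any http/https value whose host is not on an allow-list. The allow-list is an assumption for illustration; search.msn.com is the default RogueKiller restored in the later log. It is read-only and assumes PowerShell 3 or later.

```powershell
# Added example, not from the thread or from RogueKiller. Read-only check of the
# Internet Explorer "Main" values that browser hijackers rewrite; the
# PUM.SearchPage finding in this thread is the "Search Bar" value under the
# user's SID. Any value that is an http/https URL whose host is not on the
# allow-list is reported as "Review". The allow-list is an assumption for
# illustration; search.msn.com is the default RogueKiller restored here.
function Test-IEStartPage {
    param(
        [string[]]$TrustedHosts = @('search.msn.com', 'www.msn.com', 'www.bing.com', 'go.microsoft.com'),
        # HKCU covers the logged-on user; HKLM holds the machine-wide defaults.
        # Other profiles live under HKEY_USERS\<SID> once their hive is loaded.
        [string[]]$Hives = @('HKCU:', 'HKLM:')
    )
    $valueNames = 'Search Bar', 'Search Page', 'Start Page', 'Default_Page_URL', 'Default_Search_URL'
    foreach ($hive in $Hives) {
        $key = "$hive\Software\Microsoft\Internet Explorer\Main"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $valueNames) {
            $value = [string]$props.$name
            if (-not $value) { continue }      # value not present in this hive

            # Only absolute http/https URLs have a host worth comparing; anything
            # else (res://, file paths, empty strings) is reported as NotAUrl.
            $uri = $null
            $isWebUrl = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri) -and
                        (@('http', 'https') -contains $uri.Scheme)
            if (-not $isWebUrl) {
                $status = 'NotAUrl'
            } elseif ($TrustedHosts -contains $uri.Host.ToLowerInvariant()) {
                $status = 'Trusted'
            } else {
                $status = 'Review'
            }

            [PSCustomObject]@{
                Key    = $key
                Name   = $name
                Value  = $value
                Host   = if ($isWebUrl) { $uri.Host } else { $null }
                Status = $status
            }
        }
    }
}

# Usage: show only the values that need a look; a hijacked "Search Bar" pointing
# at an unexpected domain would appear here with Status = Review.
Test-IEStartPage | Where-Object { $_.Status -eq 'Review' } | Format-Table -AutoSize
```

The allow-list deliberately keys on the host rather than the full URL, since the default values carry query strings and locale parameters that vary between Windows builds. A value flagged Review is not proof of infection (a user or corporate policy may have set it deliberately), which is why the script reports rather than resets; restoring the value, as RogueKiller's Delete mode did in this thread, is a separate decision.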

Thanks for the update and logs,

Run RogueKiller again....

  • Wait for the scan to complete.
  • On completion, the results will be displayed.
  • Checkmark all found entries, then click on the Remove Selected button.
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner).
  • This will open the report in Notepad. Copy/paste its content in your next reply.


 

Post that new log, also let me know if you have any remaining issues or concerns...

Thank you,

Kevin....


Here's the log after I removed the threat that was found in the scan.

Thank you so much sir, I think my problem has been solved. I really appreciate your help.
 


RogueKiller V12.11.29.0 [Dec 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Mementomori [Administrator]
Started from : C:\Users\Mementomori\Downloads\Programs\RogueKiller_portable32.exe
Mode : Delete -- Date : 12/23/2017 20:22:34 (Duration : 00:33:38)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1662289759-2656025963-3465781237-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] bb771710e065ed6d6cf81da88c537b2e
[BSP] 4ebd4bc968e4238a48bf6aa96d42183d : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 99514 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 203808440 | Size: 53109 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([32] The request is not supported. )
Error reading LL2 MBR! ([32] The request is not supported. )

 


Thanks for the log/update, continue to clean up...

Delete RogueKiller portable from your Downloads/Programs folder, also delete this folder: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
