Adware.Netfilter (30tab.com adware)



Hello. I've hit a roadblock trying to get rid of the adware mentioned in the topic title. Every time MBAM picks it up and tries to delete it, it always comes back. It shows up as a registry key, that key being the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb22

It seems nothing I do seems to get rid of it. I'm at a complete loss and I don't really want to have to format my PC just to get rid of it for good. I scanned my laptop with FRST. The logs are as follows. Please, any help will be greatly appreciated. I'm at my wit's end.

 

FRST.txt

Addition.txt


Hello SojiroChris and welcome to Malwarebytes,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false-positive removal...
Download RogueKiller and save it on your desktop; ensure you download the correct version.

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.

Do not use the Remove Selected option until I've had a look at the log.

 

Let me see those two logs,

Thank you,

Kevin...

fixlist.txt


Hello. Apologies for the delay. Here's the contents of the RogueKiller report TXT and Fixlog.txt at the bottom of the reply:

RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Souljiro62x [Administrator]
Started from : C:\Users\Souljiro62x\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/23/2017 12:57:01 (Duration : 00:28:12)

¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] svchost.exe(828) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(3452) -- C:\Windows\explorer.exe[7] -> Found

¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] g4h4rxe6.default : user_pref("browser.startup.homepage", "www.youtube.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 39d42bc4702facf301f916f3603947d9
[BSP] 8562b6dda5866ea0b9d4e54ea1943c2a : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381546 MB
4 - Basic data partition | Offset (sectors): 783718400 | Size: 550704 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

 

Fixlog.txt


RogueKiller log is OK, nothing malicious... I want you to boot the system to the Recovery Environment and run a fix via USB flash drive (memory stick).

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32-bit or 64-bit.

Download and also save to same Flash drive the attached file fixlist.txt (end of reply)

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 or 10 consult How to use the Windows 8 or 10 System Recovery Environment Command Prompt Here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter System Recovery Command prompt.
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Let me see that log.. Also let me know if there are any remaining issues or concerns...

Thank you,

Kevin..

fixlist.txt


Here's the Fixlog contents from the fix performed in the flash drive:

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-12-2017 01
Ran by SYSTEM (23-12-2017 15:32:59) Run:2
Running from e:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx
R1 amdfx; C:\Windows\system32\drivers\amdfx.sys [0 2017-12-23] () <==== ATTENTION (zero byte File/Folder)
C:\Windows\system32\drivers\amdfx.sys
End
*****************

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx => key not found.
"HKLM\System\ControlSet001\Services\amdfx" => removed successfully
amdfx => service removed successfully
C:\Windows\system32\drivers\amdfx.sys => moved successfully

==== End of Fixlog 15:32:59 ====
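
Added example, not part of the original thread and not FRST's own code: a small parser that reads the result lines of a Fixlog like the one above and lists the actions that did not report success. The `target => outcome` line shape and "successfully" as the success marker are assumptions taken from the lines quoted in this post; the sample text is constructed from them.

```python
import re

# Constructed sample: header, echoed fixlist and result lines as quoted in the post.
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 23-12-2017 01

fixlist content:
*****************
Start
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx
C:\Windows\system32\drivers\amdfx.sys
End
*****************

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx => key not found.
"HKLM\System\ControlSet001\Services\amdfx" => removed successfully
amdfx => service removed successfully
C:\Windows\system32\drivers\amdfx.sys => moved successfully
==== End of Fixlog 15:32:59 ====
'''

# Assumed line shape, taken from the log above: <target> => <outcome>[.]
RESULT = re.compile(r'^(?P<target>.+?) => (?P<outcome>.+?)\.?$')

def parse_results(fixlog):
    """Return (target, outcome) pairs from the result section only."""
    star_rows = 0
    results = []
    for raw in fixlog.splitlines():
        line = raw.strip()
        if line and set(line) == {'*'}:
            star_rows += 1            # rows of asterisks bracket the echoed fixlist
            continue
        if star_rows < 2:             # header and echoed fixlist are not results
            continue
        m = RESULT.match(line)
        if m:
            results.append((m['target'].strip('"'), m['outcome']))
    return results

def unapplied(results):
    """Results that do not report success (assumption: success ends in 'successfully')."""
    return [(t, o) for t, o in results if not o.endswith('successfully')]

if __name__ == '__main__':
    for target, outcome in unapplied(parse_results(SAMPLE_FIXLOG)):
        print(f'NOT APPLIED: {target} ({outcome})')
```

Run against this log, it reports only the `DeleteKey` target as not applied; the service entry and driver file both show a success outcome.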


Delete RogueKiller portable from your Desktop, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.

Thanks

 
