SojiroChris, posted December 23, 2017 (ID:1193937)

Hello. I've hit a roadblock trying to get rid of the adware mentioned in the topic title. Every time MBAM picks it up and tries to delete it, it always comes back. It shows up as a registry key, that key being the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb22

Nothing I do seems to get rid of it. I'm at a complete loss and I don't really want to have to format my PC just to get rid of it for good. I scanned my laptop with FRST. The logs are as follows. Please, any help will be greatly appreciated. I'm at my wits' end.

FRST.txt
Addition.txt
kevinf80, posted December 23, 2017 (ID:1193942)

Hello SojiroChris and welcome to Malwarebytes,

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

Next,

RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false positives removal...

Download RogueKiller and save it on your desktop, ensure to download the correct version: RogueKiller (x86) or RogueKiller (x64)

Exit all running applications.
Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
Click "Start Scan" to begin the analysis. This may take some time.
Once the scan is complete, click the "Open TXT" button to display the scan report.
Copy/paste its content in your next reply.
Do not use the Remove Selected option until I've had a look at the log.

Let me see those two logs,

Thank you,

Kevin...

fixlist.txt
SojiroChris (Author), posted December 23, 2017 (ID:1194002)

Hello. Apologies for the delay. Here's the contents of the RogueKiller report TXT, and Fixlog.txt at the bottom of the reply:

RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Souljiro62x [Administrator]
Started from : C:\Users\Souljiro62x\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/23/2017 12:57:01 (Duration : 00:28:12)

¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] svchost.exe(828) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] explorer.exe(3452) -- C:\Windows\explorer.exe[7] -> Found

¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3048815083-640257404-3178529390-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] g4h4rxe6.default : user_pref("browser.startup.homepage", "www.youtube.com"); -> Found

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 39d42bc4702facf301f916f3603947d9
[BSP] 8562b6dda5866ea0b9d4e54ea1943c2a : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 381546 MB
4 - Basic data partition | Offset (sectors): 783718400 | Size: 550704 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK

Fixlog.txt
kevinf80, posted December 23, 2017 (ID:1194010)

RogueKiller log is OK, nothing malicious...

I want you to boot the system to the Recovery Environment and run a fix via USB flash drive (memory stick).

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.

Download and also save to the same flash drive the attached file fixlist.txt (end of reply).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 or 10 consult How to use the Windows 8 or 10 System Recovery Environment Command Prompt here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter the System Recovery Command Prompt.

Select Command Prompt.
In the command window type in notepad and press Enter. Notepad opens.
Under the File menu select Open.
Select "Computer" and find your flash drive letter and close Notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
Press the Fix button.
It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Let me see that log.. Also let me know if there are any remaining issues or concerns...

Thank you,

Kevin..

fixlist.txt
SojiroChris (Author), posted December 23, 2017 (ID:1194033)

Here's the Fixlog contents from the fix performed from the flash drive:

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-12-2017 01
Ran by SYSTEM (23-12-2017 15:32:59) Run:2
Running from e:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx
R1 amdfx; C:\Windows\system32\drivers\amdfx.sys [0 2017-12-23] () <==== ATTENTION (zero byte File/Folder)
C:\Windows\system32\drivers\amdfx.sys
End
*****************

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\services\amdfx => key not found.
"HKLM\System\ControlSet001\Services\amdfx" => removed successfully
amdfx => service removed successfully
C:\Windows\system32\drivers\amdfx.sys => moved successfully

==== End of Fixlog 15:32:59 ====
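The Fixlog above shows the persistence mechanism being removed: a kernel driver service (amdfx, start type R1/system) whose ImagePath points at a zero-byte .sys file, deleted from ControlSet001 of the offline hive after the CurrentControlSet1 path was reported as not found. The PowerShell below is an added example, not part of this thread and not FRST's or RogueKiller's code, that audits a SYSTEM hive for that same pattern: driver services (Type 1 or 2) whose image file is missing or zero bytes. The -ServicesKey parameter, the Resolve-ImagePath helper and the OfflineSYSTEM hive name are the example's own choices, not anything the tools in the thread use.

```powershell
# Added example (not from the original thread or from FRST).
# Lists kernel / file-system driver services whose ImagePath resolves to a
# missing or zero-byte file, the pattern seen in the Fixlog for amdfx.sys.
param(
    # Default: the live hive. From WinRE, load the offline hive first, e.g.
    #   reg load HKLM\OfflineSYSTEM D:\Windows\System32\config\SYSTEM
    # and pass -ServicesKey 'HKLM:\OfflineSYSTEM\ControlSet001\Services'
    # (an offline hive has no CurrentControlSet link; use ControlSet001/002).
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
    # Windows directory of the system being examined (D:\Windows when offline).
    [string]$SystemRoot  = $env:SystemRoot
)

function Resolve-ImagePath {
    param([string]$ImagePath, [string]$SystemRoot)
    # Driver ImagePath values are stored in several forms:
    #   System32\drivers\foo.sys            (relative to the Windows directory)
    #   \SystemRoot\System32\drivers\foo.sys
    #   \??\C:\Windows\System32\drivers\foo.sys
    #   C:\Windows\System32\drivers\foo.sys
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($SystemRoot + '\')
    $p = $p -replace '^%SystemRoot%\\', ($SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

Get-ChildItem -Path $ServicesKey | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER.
    # Everything else (user-mode services, non-service subkeys) is skipped.
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
    if (-not $svc.ImagePath) { return }

    $path = Resolve-ImagePath -ImagePath $svc.ImagePath -SystemRoot $SystemRoot
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    if (-not $file)              { $status = 'MISSING' }
    elseif ($file.Length -eq 0)  { $status = 'ZERO-BYTE' }
    else                         { return }   # normal driver, nothing to report

    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $svc.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $svc.ImagePath
        Resolved  = $path
        Status    = $status
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt on the live system, or from WinRE after loading the offline hive as the comment describes (and `reg unload HKLM\OfflineSYSTEM` afterwards). A hit is a lead, not a verdict: a zero-byte driver file with a boot or system start type, as in the Fixlog, is the thing to investigate, while a missing image for a long-disabled third-party driver is often just an uninstall leftover.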
kevinf80, posted December 23, 2017 (ID:1194037)

Excellent, how is your PC behaving, any odd or erratic behavior...?
SojiroChris (Author), posted December 23, 2017 (ID:1194038)

I opened up Chrome and no 30tab.com redirect. Safe to assume the malware is removed? If so, I thank you so much for your time and help!
kevinf80, posted December 23, 2017 (ID:1194055)

Delete RogueKiller portable from your Desktop, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop. Or use the following if the first link is down: "Delfix link mirror"

If your security program alerts on Delfix, either accept the alert or turn your security off.

Double click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

Make sure the following items are checked:

Remove disinfection tools <----- this will remove tools we may have used.
Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or by malware/infection.

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and Best Practices
Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
SojiroChris (Author), posted December 23, 2017 (ID:1194061)

I can confirm the PC is now clean. MBAM picked up no traces of Adware.Netfilter and Chrome is properly starting up where it should. Thank you so very much!
kevinf80, posted December 23, 2017 (ID:1194068)

You're very welcome SojiroChris, come back anytime...

Regards,

Kevin
kevinf80, posted December 27, 2017 (ID:1194923)

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks