Browser - Citypage.today/ redirect to Bing


lyleg

Hello,

I have an urgent problem. I have run Malwarebytes several times but it has not solved the problem. All browsers, when you search for anything with any search engine, will show the results for a second, then redirect to extension.citypage.today and then get Bing results.

I believe the below had a similar problem and I believe I identified the same two files.  Igfxmtc.exe and iakmgod.exe

They are located in AppData - they cannot be deleted, opened, etc.

Attached is my mbcheck file: mb-check-results.zip

 

 


Thanks for those logs lyleg,

I want you to boot your system to Safe Mode with Networking, if you cannot do that post back and let me know... Instructions at following link if needed:

https://www.bleepingcomputer.com/tutorials/how-to-start-windows-10-in-safe-mode-with-networking/

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.


Let me see that log...

Thank you,

Kevin

fixlist.txt


Ok, you have a SmartService infection; it has many protections to stop our tools from running. Stay in Safe Mode with Networking and do the following...

Open FRST, do not progress any further, just leave it open. Select these keys together: Ctrl - Y. A blank Notepad page will open; copy and paste the following script into that page:

Start::
CloseProcesses:
unlock: C:\Users\Stuar\AppData\Local\iakmgod\pcnrhib.exe
C:\Users\Stuar\AppData\Local\iakmgod\pcnrhib.exe
unlock: C:\Users\Stuar\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\Stuar\AppData\Local\igfxmtc\igfxmtc.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2038427194-1495602597-3476069763-1001\...\Run: [mitte] => C:\Program Files (x86)\lathan\mitte.exe [68552 2017-11-24] ()
C:\Program Files (x86)\lathan
HKU\S-1-5-21-2038427194-1495602597-3476069763-1001\...\Run: [rebuff] => C:\Program Files (x86)\Transwestern\catchable.exe [11776 2017-11-24] ()
C:\Program Files (x86)\Transwestern
Startup: C:\Users\Stuar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\christianson.lnk [2017-11-24]
ShortcutTarget: christianson.lnk -> C:\Program Files (x86)\Transwestern\catchable.exe ()
BootExecute: autocheck autochk * sdnclean64.exe
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{322e66cf-3fe3-4c6a-a959-0ce06dae2419}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{49cc80f6-bc45-4f0e-85da-0b81891cfa4a}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{49cc80f6-bc45-4f0e-85da-0b81891cfa4a}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{55696b06-10d7-44ff-87d8-5bc671cf9039}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{55696b06-10d7-44ff-87d8-5bc671cf9039}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{672e7acd-4d52-46c7-b2f0-86d0d4575b07}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{720c7e75-c80b-11e6-aaad-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{e11165c7-9f09-49e2-8857-4109f6eaa883}: [NameServer] 8.8.8.8
R2 Windows Management Cycle; C:\Users\Stuar\AppData\Local\Temp\radeon\Windows Management Cycle.exe [103424 2017-11-24] (Microsoft) [File not signed] <==== ATTENTION
C:\Users\Stuar\AppData\Local\Temp\radeon\Windows Management Cycle.exe
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 amdkmdag; \SystemRoot\System32\DriverStore\FileRepository\c0320046.inf_amd64_8e8f6af872d98101\atikmdag.sys [X]
S3 amdkmdap; \SystemRoot\System32\DriverStore\FileRepository\c0320046.inf_amd64_8e8f6af872d98101\atikmpag.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
R3 udiskMgr; system32\drivers\psvzcf.sys [X]
Unlock: C:\WINDOWS\system32\Drivers\mbbjmptw.sys
C:\WINDOWS\system32\Drivers\mbbjmptw.sys
2017-11-24 17:08 - 2017-11-26 10:08 - 000000000 ____D C:\Users\Stuar\AppData\Local\cwegtuk
2017-11-24 17:05 - 2017-11-29 22:05 - 000000000 ____D C:\Users\Stuar\AppData\Local\iakmgod
2017-11-24 17:05 - 2017-11-24 17:08 - 000000000 ____D C:\Users\Stuar\AppData\Local\igfxmtc
2017-11-24 17:04 - 2017-11-29 20:08 - 002884096 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\pcosxdmsvc.exe
2017-11-24 17:04 - 2017-11-24 17:04 - 000000000 ___HD C:\Program Files (x86)\lathan
2017-11-24 17:04 - 2017-11-24 17:04 - 000000000 ____D C:\WINDOWS\SysWOW64\vdcgkia
2017-11-24 17:04 - 2017-11-24 17:04 - 000000000 ____D C:\WINDOWS\system32\vdcgkia
2017-11-24 17:04 - 2017-11-24 17:04 - 000000000 ____D C:\Users\Stuar\AppData\Roaming\et
2017-11-24 17:03 - 2017-11-25 03:49 - 000000000 ____D C:\Program Files (x86)\Transwestern
2017-11-24 17:03 - 2017-11-25 03:48 - 000000000 ___HD C:\Program Files (x86)\Uighur
2017-11-24 17:03 - 2017-11-24 17:03 - 000000000 ____D C:\Program Files (x86)\korolev
2017-11-24 16:55 - 2017-11-24 16:55 - 000024612 _____ (Valssaamontie 53) C:\Users\Stuar\AppData\Local\Temp\capi.exe
2017-11-24 17:08 - 2017-11-24 17:08 - 000016384 _____ (noOrg) C:\Users\Stuar\AppData\Local\Temp\cubesta.exe
2017-11-24 16:55 - 2017-11-24 16:55 - 003061772 _____ () C:\Users\Stuar\AppData\Local\Temp\golm.exe
2017-11-24 16:55 - 2017-11-24 16:55 - 001792069 _____ () C:\Users\Stuar\AppData\Local\Temp\pi.exe
2017-11-23 14:56 - 2017-11-23 14:56 - 007729152 _____ () C:\Users\Stuar\AppData\Local\Temp\vlc-2.2.6-win32.exe
Task: {46F23BAD-46DB-482D-8739-684BEEFDD88B} - System32\Tasks\G5ATRbcaehgX => g5atrbcaehgx.exe
FirewallRules: [{49719741-EABE-4EB1-A49C-EC0CF232CA44}] => (Allow) C:\Program Files (x86)\Uighur\catchable.exe
C:\Program Files (x86)\Uighur
EmptyTemp:
end::

Do not name that file; now select these keys together: Ctrl - S

Now select the Fix tab on FRST just once, FRST will run and save a log on completion Fixlog.txt, attach that to your reply.....

Thanks,

Kevin...

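A defender-side triage helper for lines in the FRST log format that both fix scripts in this thread are built from, added here as an example; it is not part of the thread and not FRST's own code. The sample lines are constructed from paths quoted in the script above, and the heuristics (hidden attribute, unsigned service binary, a location under the user's Temp folder, FRST's own ATTENTION marker) are assumptions chosen for illustration.

```python
import re

# Constructed sample: a few lines in the FRST log format quoted in the fix
# scripts of this thread (paths copied from them). Not FRST's own code.
SAMPLE_LOG = r"""
R2 Windows Management Cycle; C:\Users\Stuar\AppData\Local\Temp\radeon\Windows Management Cycle.exe [103424 2017-11-24] (Microsoft) [File not signed] <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
2017-11-24 17:04 - 2017-11-24 17:04 - 000000000 ___HD C:\Program Files (x86)\lathan
2017-11-24 17:05 - 2017-11-29 22:05 - 000000000 ____D C:\Users\Stuar\AppData\Local\iakmgod
2017-11-24 16:55 - 2017-11-24 16:55 - 000024612 _____ (Valssaamontie 53) C:\Users\Stuar\AppData\Local\Temp\capi.exe
2017-11-23 14:56 - 2017-11-23 14:56 - 007729152 _____ () C:\Users\Stuar\AppData\Local\Temp\vlc-2.2.6-win32.exe
"""
# "created - modified - size attrs (company) path"; attrs is five chars, e.g. ___HD
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{9}) ([_A-Z]{5}) (?:\((.*?)\) )?(.+)$")
TEMP_MARK = "\\appdata\\local\\temp\\"  # user Temp, where the rogue service above lives

def triage_line(line):
    """Return (path, reasons) for a service or file/dir entry, else None.
    The heuristics are assumptions chosen for illustration, not FRST rules."""
    reasons = []
    if re.match(r"^[RS]\d ", line):  # service entry: "R2 name; path [size date] ..."
        _, _, tail = line.partition("; ")
        path = tail[1:].split('"', 1)[0] if tail.startswith('"') else tail.split(" [", 1)[0]
        if "[File not signed]" in line:
            reasons.append("service binary not signed")
        if "<==== ATTENTION" in line:
            reasons.append("flagged by FRST")
    else:
        m = FILE_RE.match(line)
        if not m:
            return None
        attrs, company, path = m.group(4), m.group(5), m.group(6)
        if "H" in attrs:
            reasons.append("hidden attribute set")
        if path.lower().endswith(".exe") and not company:
            reasons.append("executable with no publisher")
    if TEMP_MARK in path.lower():
        reasons.append("lives in user Temp")
    return path, reasons

def triage(log_text):
    """Map each path that has at least one reason to its list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        parsed = triage_line(line.strip())
        if parsed and parsed[1]:
            hits[parsed[0]] = parsed[1]
    return hits
```

Note that the iakmgod folder the poster identified is not caught by these heuristics while the VLC installer in Temp is, which is why FRST's ATTENTION markers and a helper's review of the full log still decide what goes into a fixlist.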

I doubt that will be for long, not all of the infection entries were shifted... run FRST again and post fresh logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

 


Whilst I go over these logs do the following:

Open the search option on the task bar, type in or copy/paste "create recovery drive". A new window will open. Plug in your USB flash drive (be aware the drive will be formatted, so anything important will be lost). In the new window that opened, uncheck "Back up system files to the recovery drive"... That will keep the size down; all utilities will still be loaded. Select "Next" and just follow the prompts from there. Let me know if that completes successfully...

 


I'm still checking logs; can you save FRST to the same USB stick? I'll have a fix for you to save shortly... One other job is to alter your BIOS so it will boot from USB first. If your PC is newish that may already be set. Mine is USB - CD/DVD - Hard drive. So if no bootable devices are in the first two it boots Windows from the hard drive; if I had a recovery drive it would boot from that. If an installation DVD or repair DVD, it would boot from that...

Are you aware of your BIOS set up..?


I am struggling with this.

I got into the BIOS settings. I changed the boot order to USB hard drive.

It then told me that the secure boot configuration did not allow me to do it.

I went into the BIOS again and disabled the secure boot configuration.

Then I got a new message that there was a change; if I wanted to accept the change I would have to type in a number and the Enter key. I did that several times (it did not seem to take the input from the keyboard - wireless), then it booted normally with my regular hard drive.

Since then I have restarted, and despite the boot order having my USB hard drive first, it seems to skip the USB drive and goes to the regular hard drive.

I assume when it is right it will boot from my USB and show some sort of recovery console, correct?

Any advice appreciated. I will keep trying to figure this out. Possibly an HP Pavilion thing.

 

 


When the boot order has USB first, plug in your recovery drive and start or restart your PC; it will boot to a screen where you select your keyboard layout (mine is UK). When that is selected your next screen is the "Choose Option" window; from there select "Troubleshoot", and from there we will select Command Prompt... I'll give you full instructions when the boot order is sorted...

Your PC make is HP Pavilion, does it have a specific model number...?


It looks like it's a no go. Tried both. A bit of research into this problem (failing to boot) seems like it is an HP Pavilion issue.

Is there any way to fix this problem with regular bootup?

The only option I didn't change in the BIOS is clearing secure boot keys... not sure what that is.

Or else can you send me the fix with instructions, and if I ever get this working I could try it.

You've been great. I will give you a donation but I'm a bit grumpy right now.

 

 


The only way to kill off the bad entries is via the Recovery Environment; that can be accessed from within Windows but this infection will probably have that covered....

We still need FRST on a USB flash drive, which we have. We also need the fix on the same flash drive... Let's get that set up and see what happens....

Open your USB flash drive from Start > This PC > The USB device; it will be named E, or F or similar. With the flash drive open double click FRST to open, leave it like that. Select these keys together: Ctrl - Y. That will open a blank Notepad page. Copy/paste the following to that page:

C:\Users\Stuar\AppData\Local\cwegtuk
C:\Users\Stuar\AppData\Local\iakmgod
C:\Users\Stuar\AppData\Local\igfxmtc
C:\WINDOWS\system32\vdcgkia
R3 udiskMgr; system32\drivers\hknrux.sys [X]
C:\WINDOWS\system32\Drivers\mbblpsvy.sys
C:\Program Files (x86)\G5ATRbcaehgX

Do not name or close out; instead select these keys together: Ctrl - S. You should still have the recovery drive software, FRST64.exe and a random name file (the fix).

Leave the USB in place. We now need to enter the Recovery Environment... I've attached a zip file boot_into_RE_2.zip

Download and unzip that file to your Desktop. It should now be named boot_into_RE_2.bat; right click on that and select "run as administrator". You should reboot to RE...?

Your PC should boot to the "Choose an Option" window, from that window select "Troubleshoot"

From the next window select "Advanced Options"

From the next window select "Command Prompt"

Ensure the flash drive is plugged into an open USB port, then continue with the following:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter, then close Notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter.
  • Note: Replace letter E with the drive letter of your flash drive. <<<---- very important
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the FIX button just once.
  • It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to normal Windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to Windows, type exit at the prompt and hit Enter.
  • Please copy and paste or attach the FRST log to your reply.

boot_into_RE_2.zip
