Extension.Citypage --> Bing Engine Re-Direct

[DaBosun]

Malwarebytes, 

I've run into a redirect hack that will automatically route any search made from Google, whether it be in Chrome, Edge or Firefox, through a quick hit on a citypage site, then on to Bing.  

So far, I've cleared my search engine preferences in each browser, with absolutely no sign of any changes to home pages, default search engine settings, or DNS settings.  There are no extensions that I do not recognize in the extensions toolkit for either engine.  

SFC and DISM tool have been run, and returned 0 problems. 

Malwarebytes, Adaware, HitmanPro, AVG and rKill have all been run, with no result changing the re-direct.  

I have run FRST tool from an external drive, where the program was loaded onto from a clean computer. 

Here are the logs: 

 

Addition.txt

FRST.txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

1. Open Malwarebytes for Windows
2. To the left, click Scan > Scan Types.
   
3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
   
4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

1. Double-click to run it. When the tool opens click Yes to the disclaimer.
2. Press the Scan button.
   
3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

Please Note the Following:

• One of our expert helpers will give you one-on-one assistance when one becomes available.
• Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
• Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
• If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

• FAQ - Malwarebytes won't run or failed to resolve my issues
• Groups authorized to help with Malware Removal for Windows logs

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Hi,

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

I need to know first if you can enable the Recovery Environment...

Open FRST on the compromised computer:

copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Quote

Start:
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End:

On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

[DaBosun]

I attempted the copy/paste to the text area.  Upon hitting fix, it failed to run with an error stating, "No fixlist found.  Make sure it's located in the same folder as the application."  
 

[nasdaq]

Hi,

Try this. 
I changed the commands. 

Quote

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

 

[DaBosun]

Fix result of Farbar Recovery Scan Tool (x64) Version: 12.05.2018
Ran by Horizon (12-05-2018 12:26:02) Run:4
Running from C:\Users\Horizon\Desktop\FRST-OlderVersion
Loaded Profiles: Horizon (Available Profiles: Horizon)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************

========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========

========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========

==== End of Fixlog 12:26:02 ====

[DaBosun]

I have managed to get a quick screenshot of the URL when it re-directs: 

 

http://extension.citypage.today/?affID=970801784&q

That's what pops up between hitting the search icon, and it re-directing to Bing from Google or Yahoo or Mozilla.

Edited May 14, 2018 by AdvancedSetup

[nasdaq]

Hi,

Lets proceed:

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
64-bit or 32 bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the files were saved on the Desktopl Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive 
 

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug Flash Drive into sick PC until booted to Recovery Environment.

===

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advance Options" > "Command Prompt"

Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Post the Fixlog.txt and the FRST.txt logs for my review.

Wait for further instructions.

[DaBosun]

Log Attached

FRST.txt

Out of the available ways to boot into recovery environment, I was forced to use an External USB Recovery Media drive I created.   The standard ways of booting to recovery environment from the internal drive did not work.

 

Edited May 13, 2018 by DaBosun

[nasdaq]

Hi,

Looking better.

Please run Malwarebytes.

Clean all items reported.

Run the Farbar Program and post Fresh FRST and Addition.txt logs.

Let me know what problem persists.

 

 

 

[DaBosun]

Here's the log. 

Currently, you're a magician.  I tried all these similar steps before, but for some reason, now, the re-direct is currently NOT happening.  So far so good. 

Addition.txt

FRST.txt

[nasdaq]

Hi,

You did well!

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

 

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks