LucaParkes

I can't remove malware


I have tried many anti-malware systems including Malwarebytes but none of them have removed the series of malware that I have been experiencing that guides me to another page when clicking on a website. I was wondering if there is any way to remove this malware. One of the pieces of malware is called citypage.today.


Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the "All clear". Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that if I don't hear from you within five days this thread will be closed.

Please  update Malwarebytes and run a Threat Scan, then post that log for me.


You have Hola installed on your system and Hola is known to be malicious. Please uninstall it now to ensure a better clean-up:

  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista / Windows 7/8/10 and remove:

Hola™ 1.123.976 - Better Internet

  • Once you've done that, please run another scan with FRST and post that log for me.


Please do this next:

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below

CreateRestorePoint:
CloseProcesses:
SearchScopes: HKLM -> DefaultScope value is missing
C:\Users\Lucap\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
CHR Profile: C:\Users\Lucap\AppData\Local\Google\Chrome\User Data\Guest Profile [2019-02-22]
CHR Profile: C:\Users\Lucap\AppData\Local\Google\Chrome\User Data\System Profile [2019-02-22]
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [X]
S3 GalaxyClientService; "C:\Program Files (x86)\GOG Galaxy\GalaxyClientService.exe" [X]
S4 NvStreamSvc; "C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe" [X]
S3 BlueStacksDrv; \??\C:\Program Files\BlueStacks\BstkDrv.sys [X]
S3 EasyAntiCheatSys; \??\C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys [X]
S3 ETDSMBus; \SystemRoot\System32\drivers\ETDSMBus.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {13887160-B366-430F-B527-42A7FC69D3FA} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
FirewallRules: [{733DB6BB-3EC3-40C5-8765-7DEC46F6CD4B}] => (Allow) C:\Program Files (x86)\Apowersoft\Video Download Capture 6\rtmpsrv.exe No File
FirewallRules: [{8981407E-0A25-4FD1-8570-E12D6BFD6050}] => (Allow) C:\Program Files (x86)\Apowersoft\Video Download Capture 6\rtmpsrv.exe No File
FirewallRules: [{2CEA84D7-8C59-4B6D-B0ED-2710F5976CC0}] => (Allow) C:\Program Files (x86)\Apowersoft\Video Download Capture 6\Video Download Capture 6.exe No File
FirewallRules: [{9C54FBDB-7AD8-4766-8CCE-87258AB0B03A}] => (Allow) C:\Program Files (x86)\Apowersoft\Video Download Capture 6\Video Download Capture 6.exe No File
FirewallRules: [UDP Query User{67093BF6-5FEA-411E-8563-EBD972C18E40}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Block) C:\program files\blackmagic design\davinci resolve\resolve.exe No File
FirewallRules: [TCP Query User{72B0F161-C4E3-4C53-96AB-C3393E4C8C05}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Block) C:\program files\blackmagic design\davinci resolve\resolve.exe No File
FirewallRules: [{D73624F3-CB5D-4F11-958D-C307157D8533}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe No File
FirewallRules: [{52088505-9A7D-4B07-B1C6-308A516DE9ED}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DPDecoder.exe No File
FirewallRules: [{4BBDA54B-FA3B-4C63-9ED0-917B03D3529E}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe No File
FirewallRules: [{90B3E549-7F0F-4484-BEF4-935C3BC6CF2B}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe No File
FirewallRules: [{373020CB-4079-4B51-B3E7-68E3F46D23A2}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\TangentPanelDaemon.exe No File
FirewallRules: [{912E23CF-BCE4-4D79-8EB5-A63C337AD182}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\EuphonixPanelDaemon.exe No File
FirewallRules: [{BF292259-66F4-4B67-A4B3-0761DFC9F296}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\JLCooperPanelDaemon.exe No File
FirewallRules: [{17E7451E-E1CA-451E-ABCB-0C300B828E4E}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DaVinciPanelDaemon.exe No File
FirewallRules: [{CF3B21F4-DEE5-4A8C-9B65-D78EA7947734}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\bmdpaneld.exe No File
FirewallRules: [{EF2CB9DE-C0F3-401B-A352-6721DADAEEBB}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\Resolve.exe No File
FirewallRules: [UDP Query User{34EF6DEA-7075-4527-8D33-955BCBCE1CCE}C:\program files\jetbrains\pycharm community edition 2018.1\bin\pycharm64.exe] => (Allow) C:\program files\jetbrains\pycharm community edition 2018.1\bin\pycharm64.exe No File
FirewallRules: [TCP Query User{1FAAC4C1-A01C-47E6-B185-025BBA7C75C5}C:\program files\jetbrains\pycharm community edition 2018.1\bin\pycharm64.exe] => (Allow) C:\program files\jetbrains\pycharm community edition 2018.1\bin\pycharm64.exe No File
FirewallRules: [UDP Query User{82E3A8BD-39F4-4E92-BE1E-D9A0508A538E}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe No File
FirewallRules: [TCP Query User{3457D3B1-9659-4D5C-8F30-6339D6FC3AD9}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe No File
FirewallRules: [UDP Query User{7AF8F42E-02B2-48F0-90D3-EB56F1478CD6}C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe No File
FirewallRules: [TCP Query User{39A4082C-8271-4664-B49D-06C2BA7985E7}C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe] => (Allow) C:\program files (x86)\epic games\launcher\portal\binaries\win32\epicgameslauncher.exe No File
FirewallRules: [{B01D3A2E-56BC-42F8-9D4A-176267A571DF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe No File
FirewallRules: [{8CD74C6E-86F0-4924-8DAD-6CBAA9665FB9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe No File
FirewallRules: [UDP Query User{8556CD3F-B73A-4C2D-B155-598F999EE87B}C:\program files (x86)\steam\steamapps\common\trine 2\trine2_32bit.exe] => (Block) C:\program files (x86)\steam\steamapps\common\trine 2\trine2_32bit.exe No File
FirewallRules: [TCP Query User{7877B7CC-1583-44BE-8187-567CF1CC8AB9}C:\program files (x86)\steam\steamapps\common\trine 2\trine2_32bit.exe] => (Block) C:\program files (x86)\steam\steamapps\common\trine 2\trine2_32bit.exe No File
FirewallRules: [{CE4C79F6-811E-45DF-A924-7312C6FE0BC7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Trine 2\trine2_launcher.exe No File
FirewallRules: [{A087D5CB-7623-496B-8938-065743C1C935}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Trine 2\trine2_launcher.exe No File
FirewallRules: [{68CE57A3-01AD-47AF-A848-E5B2325223E4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Broforce\Broforce_beta.exe No File
FirewallRules: [{BE14E650-61B6-46FB-9A85-8E0E105C3D74}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Broforce\Broforce_beta.exe No File
FirewallRules: [UDP Query User{1B9BD218-2BDE-4818-B1DE-488239BFA98A}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe No File
FirewallRules: [TCP Query User{2A1D0CD5-791A-4351-B5AB-DCB6095D7B93}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe No File
FirewallRules: [{DD8110B5-803A-4069-B1D8-36BDA2742AF1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Empires of the Undergrowth\EotU.exe No File
FirewallRules: [{CC427482-EDA0-4929-9B2F-C64925E3673F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Empires of the Undergrowth\EotU.exe No File
FirewallRules: [{B21DD54A-7992-4C56-B902-59B9D4C40797}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{AA87F973-E3CD-44ED-AB2F-754D865F0F7D}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{5EA4056D-B5B9-4245-9BFF-465E16B55790}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\American Truck Simulator Demo\bin\win_x64\amtrucks.exe No File
FirewallRules: [{386197B6-BEDF-4B52-A973-41BC6395C715}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\American Truck Simulator Demo\bin\win_x64\amtrucks.exe No File
FirewallRules: [{A06FAA5A-634B-48E2-B1ED-415950184CBA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe No File
FirewallRules: [{0F4CE67E-78B0-4BD4-9155-AE939378ADF1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\Launcher.exe No File
FirewallRules: [{1E5B58FC-CFFD-4E1C-A2B4-6CA9498D8DC0}] => (Allow) C:\Program Files\BlueStacks\HD-Player.exe No File
FirewallRules: [TCP Query User{54457A72-EBC1-4A23-8E10-AB63FF3AEAE2}C:\creative destruction\client.exe] => (Allow) C:\creative destruction\client.exe No File
FirewallRules: [UDP Query User{CCE6E0D7-E824-4DE3-8372-43B8B9624CEF}C:\creative destruction\client.exe] => (Allow) C:\creative destruction\client.exe No File
FirewallRules: [{BEA2BFC8-AB7B-4089-B07C-023B2D668585}] => (Block) C:\creative destruction\client.exe No File
FirewallRules: [{60CFB417-6CA9-4412-A1F5-C1B9EE8C98FB}] => (Block) C:\creative destruction\client.exe No File
FirewallRules: [TCP Query User{0FB2CE7D-D90E-4479-B3FC-E3E8C4DDA791}C:\creative destruction\ccmini\ccmini.exe] => (Allow) C:\creative destruction\ccmini\ccmini.exe No File
FirewallRules: [UDP Query User{C8DEEC2C-1716-4A54-9F14-C9BC5794A520}C:\creative destruction\ccmini\ccmini.exe] => (Allow) C:\creative destruction\ccmini\ccmini.exe No File
FirewallRules: [TCP Query User{19424FA7-6AEC-47DD-B537-0CAE08BA90C3}C:\users\lucap\appdata\local\cuisine royale\slauncher.exe] => (Allow) C:\users\lucap\appdata\local\cuisine royale\slauncher.exe No File
FirewallRules: [UDP Query User{A66E392D-1849-43E7-871C-6AB0AFAA3DB2}C:\users\lucap\appdata\local\cuisine royale\slauncher.exe] => (Allow) C:\users\lucap\appdata\local\cuisine royale\slauncher.exe No File
FirewallRules: [{116309D8-071D-47EE-837E-9EB95823721A}] => (Allow) C:\users\lucap\appdata\local\cuisine royale\slauncher.exe No File
FirewallRules: [{9CF07138-9E2A-47DA-97CA-7B9D8944FD82}] => (Allow) C:\users\lucap\appdata\local\cuisine royale\slauncher.exe No File
FirewallRules: [TCP Query User{7454DCB8-BB36-450A-9ED7-6A8F1687CC37}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_51\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_51\bin\javaw.exe No File
FirewallRules: [UDP Query User{2E8F86AB-A0A3-41AE-B29A-18D9D3E76E80}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_51\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_51\bin\javaw.exe No File
FirewallRules: [{3227B3C2-6ECD-444E-9129-279FF8D9ECE3}] => (Allow) C:\Program Files\AVG\Antivirus\AvEmUpdate.exe No File
FirewallRules: [{CBEC5AAC-7441-4B0D-8732-AE2F3C63068A}] => (Allow) C:\Program Files\AVG\Antivirus\AvEmUpdate.exe No File
FirewallRules: [{62A521D2-08DC-4FFB-8443-1BCE220D69B5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\LaunchPad\LaunchPad.exe No File
FirewallRules: [{940475DB-F114-4000-9668-70F823B75061}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Sid Meier's Civilization V\LaunchPad\LaunchPad.exe No File
FirewallRules: [TCP Query User{C2CAE26B-C582-4986-85A2-FCFA77296AC4}C:\program files (x86)\gog galaxy\games\hello neighbor demo\helloneighbour\binaries\win64\helloneighbour-win64-shipping.exe] => (Allow) C:\program files (x86)\gog galaxy\games\hello neighbor demo\helloneighbour\binaries\win64\helloneighbour-win64-shipping.exe No File
FirewallRules: [UDP Query User{E2EE2E2A-4389-47F8-A502-4887D77B7190}C:\program files (x86)\gog galaxy\games\hello neighbor demo\helloneighbour\binaries\win64\helloneighbour-win64-shipping.exe] => (Allow) C:\program files (x86)\gog galaxy\games\hello neighbor demo\helloneighbour\binaries\win64\helloneighbour-win64-shipping.exe No File
EmptyTemp:


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Click Fix

When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
 

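Added example (mine, not the helper's script or FRST's own code): the FRST fix above clears firewall rules that point at programs that no longer exist ("No File") and services and drivers whose image file is gone ("[X]"). The PowerShell below lists those same two classes of entry from the live system, so you can see what a fix will remove before it runs. It assumes a 64-bit, elevated PowerShell on Windows 8 or later with the NetSecurity module (Get-NetFirewallRule and friends); the UserWritable column is a rough heuristic of my own (any program outside Program Files and the Windows directory), not something FRST reports.

```powershell
# Added example, not part of the original thread. Read-only: nothing is removed
# unless you pipe the results into Remove-NetFirewallRule yourself.
# Assumes 64-bit, elevated PowerShell on Windows 8/10 with the NetSecurity module.

function Resolve-ImagePath {
    # Normalise the forms found in HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath:
    #   "C:\Program Files\x\y.exe" -arg    \??\C:\path\drv.sys
    #   \SystemRoot\System32\drivers\x.sys  System32\drivers\x.sys  %SystemRoot%\...
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted path followed by arguments: keep everything up to the first .exe/.sys/.dll
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...  -> C:\WINDOWS\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function Get-DanglingServices {
    # Services and kernel drivers whose image path does not resolve to a file.
    # Start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled (FRST's S0..S4 prefix).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }
        $resolved = Resolve-ImagePath $props.ImagePath
        if ($resolved -and -not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $props.Start
                ImagePath = $props.ImagePath
                Resolved  = $resolved
            }
        }
    }
}

function Get-DanglingFirewallRules {
    # Firewall rules bound to a program path that no longer exists. Rules match
    # on the image path, so a leftover Allow rule on a user-writable location
    # (a folder under the profile, or directly under C:\) is the one to remove
    # first: any binary dropped there later inherits the allow without a prompt.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -notin @('Any', 'System') } |
        ForEach-Object {
            $program = [Environment]::ExpandEnvironmentVariables($_.Program)
            if ($program -like '\device\*') { return }          # NT device paths are not checked here
            if (Test-Path -LiteralPath $program) { return }
            $rule = Get-NetFirewallRule -AssociatedNetFirewallApplicationFilter $_
            # Heuristic (my assumption): outside the admin-only install roots means user-writable.
            $adminOnly = ($program -like "$env:ProgramFiles\*") -or
                         ($program -like "${env:ProgramFiles(x86)}\*") -or
                         ($program -like "$env:SystemRoot\*")
            [pscustomobject]@{
                Name         = $rule.Name
                DisplayName  = $rule.DisplayName
                Direction    = $rule.Direction
                Action       = $rule.Action
                Program      = $program
                UserWritable = -not $adminOnly
            }
        }
}

Get-DanglingServices | Format-Table -AutoSize
Get-DanglingFirewallRules | Sort-Object Action, Program | Format-Table -AutoSize
```

To delete what it finds, pipe the firewall output into `Remove-NetFirewallRule -Name` and review each one first; a Block rule for a missing game is harmless, but an Allow rule for something like C:\creative destruction\client.exe or a path under AppData stays in force for whatever is placed at that path next. Dangling service entries are best left to FRST or `sc delete`, since the registry key may still be referenced by an installer.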

Download AdwCleaner and move it to your Desktop.

  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Accept the EULA (I accept), then click on Scan.
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do so.
  • After the restart, a log will open when logging in. Please copy and paste the contents of that log into your next reply.


Here is an example: When I go on something like bbc sport 3 tabs open up trying to redirect  me to another website.



No, it's just Chrome, but for some reason on Internet Explorer my search engine is set to www.gosearch-uk.com. Also goal-nav.com.


Thanks, that helps.  Please run another scan with FRST and post the log for me.  I don't need the addition.txt report this time though.


Run this, then follow the instructions in the link below to completely reset Internet Explorer

https://support.microsoft.com/en-us/help/17441/windows-internet-explorer-change-reset-settings
- - -

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below
SearchScopes: HKU\S-1-5-21-2530422714-4099723196-3748319213-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
SearchScopes: HKU\S-1-5-21-2530422714-4099723196-3748319213-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
SearchScopes: HKU\S-1-5-21-2530422714-4099723196-3748319213-1002 -> {B675E96E-2FB8-4512-8697-EB63E162017D} URL = 
BHO: IEBrowserAssistant -> {2421CBA2-89B7-4734-8438-49E0D7EB8A75} -> C:\Users\Lucap\AppData\Roaming\IEBrowserAssistant\adxloader64.dll [2018-11-13] (Default Company) [File not signed]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR Extension: (Chrome Media Router) - C:\Users\Lucap\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-02-23]


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.


 

Edited by RPMcMurphy
added link
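Added example (mine, not the helper's script or FRST's code): the three things this fix targets, Internet Explorer SearchScopes, a Browser Helper Object DLL, and Chrome extensions installed through HKLM\...\Google\Chrome\Extensions, can all be read straight from the registry. The PowerShell below enumerates them and flags an empty DefaultScope, a search URL whose host is not on a small allow list (my assumption: www.bing.com and www.google.com, adjust as needed), a BHO DLL that is missing or not Authenticode-signed, and every extension id pushed by the external-install keys or the ExtensionInstallForcelist policy. It is read-only and should be run as the affected user from a 64-bit PowerShell, because FRST's HKU\S-1-5-21-... lines are that user's HKCU.

```powershell
# Added example, not part of the original thread. Read-only audit of the IE and
# Chrome persistence points shown in the FRST lines above. Run as the affected user.

$KnownSearchHosts = @('www.bing.com', 'www.google.com')   # assumption: edit for your environment

function Get-IESearchScopes {
    # DefaultScope holds the GUID of the active provider; each GUID subkey holds
    # the URL that {searchTerms} is substituted into. An empty DefaultScope, or a
    # URL on a host that is not on the allow list, is what a hijacker leaves behind.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $base = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultScope
        $flag = if ($default) { '' } else { 'DefaultScope value is missing' }
        [pscustomobject]@{ Hive = $hive; Scope = 'DefaultScope'; Url = $default; Flag = $flag }
        foreach ($scope in Get-ChildItem -Path $base) {
            $url = (Get-ItemProperty -LiteralPath $scope.PSPath).URL
            $urlHost = $null
            try { $urlHost = ([uri]$url).Host } catch { }
            $flag = if ($url -and $urlHost -in $KnownSearchHosts) { '' } else { 'unexpected or empty search URL' }
            [pscustomobject]@{ Hive = $hive; Scope = $scope.PSChildName; Url = $url; Flag = $flag }
        }
    }
}

function Get-BrowserHelperObjects {
    # BHOs are registered by CLSID under Explorer\Browser Helper Objects; the DLL
    # path lives under Classes\CLSID\{guid}\InprocServer32 in HKLM or, for
    # per-user COM registration (common with adware), HKCU.
    $bhoKeys = @(
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Wow = '' },
        @{ Key = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Wow = 'Wow6432Node\' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Wow = '' }
    )
    foreach ($entry in $bhoKeys) {
        if (-not (Test-Path $entry.Key)) { continue }
        foreach ($clsid in (Get-ChildItem $entry.Key).PSChildName) {
            $name = $null; $dll = $null
            foreach ($root in "HKLM:\Software\Classes\$($entry.Wow)CLSID\$clsid",
                              "HKCU:\Software\Classes\$($entry.Wow)CLSID\$clsid") {
                if (Test-Path "$root\InprocServer32") {
                    $name = (Get-ItemProperty -LiteralPath $root).'(default)'
                    $dll  = [Environment]::ExpandEnvironmentVariables(
                                (Get-ItemProperty -LiteralPath "$root\InprocServer32").'(default)')
                    break
                }
            }
            # Valid = signed and trusted; NotSigned is FRST's "[File not signed]".
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'NoFile' }
            [pscustomobject]@{ Key = $entry.Key; CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig }
        }
    }
}

function Get-RegistryChromeExtensions {
    # Extensions installed from the registry rather than by the user: the legacy
    # external-install keys (one subkey per extension id, with update_url or path)
    # and the ExtensionInstallForcelist policy ("<id>;<update url>" values).
    $external = 'HKLM:\Software\Google\Chrome\Extensions',
                'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
                'HKCU:\Software\Google\Chrome\Extensions'
    foreach ($key in $external) {
        if (-not (Test-Path $key)) { continue }
        foreach ($ext in Get-ChildItem $key) {
            $p = Get-ItemProperty -LiteralPath $ext.PSPath
            $loc = if ($p.update_url) { $p.update_url } else { $p.path }
            [pscustomobject]@{ Source = $key; Id = $ext.PSChildName; Location = $loc }
        }
    }
    foreach ($key in 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
                     'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist') {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Id = ($_.Value -split ';')[0]; Location = $_.Value } }
    }
}

Get-IESearchScopes           | Format-Table -AutoSize
Get-BrowserHelperObjects     | Format-Table -AutoSize
Get-RegistryChromeExtensions | Format-Table -AutoSize
```

The pattern to look for is the one in this thread: a BHO whose DLL sits under %APPDATA% with Signature NotSigned, and a search scope whose URL host is neither of the defaults. A clients2.google.com update_url only tells you the extension is fetched from the Web Store; the id still has to be looked up. Anything listed under ExtensionInstallForcelist is reinstalled on every Chrome start until that registry value is removed, so deleting the extension folder alone does not help.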


Sorry, my last FRST script had a typo.  Please do this:
- - -

  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below


C:\Users\Lucap\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

How is the computer running now?

This topic is now closed to further replies.
