Hijacked by topsecurity.net - Hijack this log

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thom_D, Jun 17, 2006.

  1. Thom_D

    Thom_D Private E-2

    My PC and Internet Explorer are infected by (at least) topsecurity.net. Every time I open Internet Explorer it is redirected from my home page (a blank browser) to topsecurity.net. There is a yellow icon in the system tray that keeps telling me my computer has a virus and that I should click the icon (I did not do this). I realized that I had been hijacked and went in search of help. Major Geeks kept coming up along with Hijack this, so I decided to try here.

    I ran through all of the steps listed in the READ & RUN ME FIRST Before Asking for Support post, and have attached my Hijack This log, the BitDefender log and the Pandaware log.

    I hope you can help me get this cleaned out. I am tired of the casino popups and porn ads.

    HELP!!!

    Thanks

    Thom
    TDoonanII@aol.com
     

    Attached Files:

    Last edited: Jun 17, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You need to run the below procedure and then attach the smitfiles.txt log:

    SpywareQuake & SpyFalcon Removal Procedure


    Then also attach a new HJT log and let me know if there is any change to your problems.
     
  3. Thom_D

    Thom_D Private E-2

    OK I ran the procedures you directed me to. I only found one file in my c:\windows\system32 folder - dxole32.exe and deleted it.

    I have attached a fresh hijackthis log file and the smit log file as well. Iexplorer is still hijacked by topsecurity.net and I periodically get trojans that pop up on my virus checker, McAfee Virus Scan.

    What's next?

    Thanks

    Thom
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have one of the more recent forms of the infection that I have just added to the procedure today. You need to run the procedure again. Make sure you download the fixquake.reg patch again because it has changed a bunch.

    Also the key file you will be looking for is %System32%\rmzdzx.dll, but look for them all anyway because, as you can see, there are dozens of forms of this crud.

    You have a few other problems that will need fixing too after getting SpywareQuake removed.
     
  5. Thom_D

    Thom_D Private E-2

    I will do this tonight when I get home.

    One problem that showed up is that Windows stopped powering down the PC when I quit. It gets past the logging out scripts and then just hangs.

    I will post new info tonight.

    Thom
     
  6. Thom_D

    Thom_D Private E-2

    OK. I ran through all the steps again, still didn't find any of the files, folders or programs listed.

    Updated the Fixquake.reg file and installed that.


    Iexplorer seems to not be hijacked now.

    But my PC will still not power down when quitting windows.

    And every time I start my PC back up in normal mode with internet connection McAfee finds two trojans and deletes them.

    Where do I go from here?

    Thanks again, we seem to be getting there.

    Thom
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must be more specific! What is it finding and where? Give file & path names! Give virus/trojan names.....etc.

    Let's continue fixing the other problems that I mentioned you still have!

    First download about:Buster
    Now continue with the below. Some items may be gone due to running the above. Just ignore and continue if not found.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thom\LOCALS~1\Temp\sp.dll/sp.html
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffcbc.dll
    O2 - BHO: (no name) - {F8765124-5F7E-448D-A159-7B112FB2A931} - (no file)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: iiffcbc - C:\WINDOWS\SYSTEM32\iiffcbc.dll
    O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\iiffcbc.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  8. Thom_D

    Thom_D Private E-2

    OK, I followed all of the steps you outlined in your latest post. I did not find any of the files you asked me to look for.

    I have attached the AB log file and the last two HJT log files that I ran. The number 3 file is the first of the two files.

    So far everything is running OK. I have not had any more trojans identified by McAfee so hopefully we got those. If any others show up, I will get the path and name for you.

    Windows is again shutting down properly so that is OK.

    There is one odd thing that I noticed. I went to reset my desktop wallpaper and discovered that all of the windows jpegs are gone. I got out my Windows install disc but was not able to figure out in which folder the media files are stored.

    Let me know what else you find.

    Thanks for your help with this.

    Thom
     
  9. Thom_D

    Thom_D Private E-2

    Not sure if the files uploaded or not. Trying again.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't believe I asked for two HijackThis logs????


    You did not do the below step. At least you did not do it exactly as requested. If you did as requested your start page would not be about:blank.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    You still have one of the infections present. I wanted to try the simple method first but it does not work so on to the more complex method.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps (it will not work otherwise) and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of iiffcbc.dll once and then click the kill button. After you have killed all of the iiffcbc.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of iiffcbc.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffcbc.dll
    O20 - Winlogon Notify: iiffcbc - C:\WINDOWS\SYSTEM32\iiffcbc.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox:

    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.


    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\iiffcbc.exe
    C:\WINDOWS\SYSTEM32\iiffcbc.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
    Last edited: Jun 20, 2006
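    As an added example (not code from the thread, from MajorGeeks or from HijackThis itself), a small Python triage that reads HijackThis-style lines like the ones chaslang singled out in posts 7 and 10 and flags the patterns he keyed on: a Search Bar pointing at a res:// DLL in a temp folder, unnamed or file-less BHOs and toolbars, Trusted Zone additions, a MIME filter with no CLSID, and Winlogon Notify DLLs that are missing or not in a known baseline. The sample log is constructed from the entries quoted in the thread plus two benign lines, and the Winlogon Notify baseline is an assumption to verify against a clean machine.

```python
import re

# Constructed sample: the HijackThis entries quoted in this thread, plus a
# placeholder BHO and a stock Winlogon Notify entry that the filter should
# leave alone.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Thom\LOCALS~1\Temp\sp.dll/sp.html
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffcbc.dll
O2 - BHO: (no name) - {F8765124-5F7E-448D-A159-7B112FB2A931} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: iiffcbc - C:\WINDOWS\SYSTEM32\iiffcbc.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed baseline of Winlogon Notify subkeys on a stock XP SP2 install;
# confirm it against a known-clean machine before relying on it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O20_RE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.+)$")


def triage_hjt(log_text):
    """Return (reason, line) pairs for entries showing the symptoms that
    were singled out in this thread.  These are review flags, not verdicts."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "R1" and "Search Bar" in line and "res://" in line:
            hits.append(("search bar served from a res:// DLL in a temp folder", line))
        elif section in ("O2", "O3") and "(no name)" in line:
            why = "unnamed BHO/toolbar"
            if "(no file)" in line:
                why += " whose file is already gone (orphaned CLSID)"
            hits.append((why, line))
        elif section == "O15":
            hits.append(("site added to the IE Trusted Zone", line))
        elif section == "O18" and "(no CLSID)" in line:
            hits.append(("MIME filter with no CLSID", line))
        elif section == "O20":
            m = O20_RE.match(line)
            if m and "(file missing)" in m.group(2):
                hits.append(("Winlogon Notify entry whose DLL is missing", line))
            elif m and m.group(1).lower() not in KNOWN_NOTIFY:
                hits.append(("Winlogon Notify DLL outside the known baseline", line))
    return hits
```

    Running `triage_hjt(SAMPLE_HJT_LOG)` flags nine of the twelve sample lines and leaves the placeholder BHO, the stock crypt32chain entry and the about:blank start page alone; the O20 baseline is the only part that needs local tuning.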
  11. Thom_D

    Thom_D Private E-2

    I will go through this tonight when I get home.

    For now McAfee picked up two new trojans.

    C:\Documents and Settings\Thom\Local Settings\Temporary Internet Files\Content.IE5\G9M3C1I7\ff3[1] Infected by Vundo

    And

    Windows\System32\awvtr.dll Infected by Vundo.

    McAfee found and cleaned them.

    Let me know what else to do.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the Reset of Web Settings was done, it should have removed the above file. The awvtr.dll file would have to have been removed manually though. It was however inactive because this infection was not showing in your HJT log.

    Just complete the latest instructions and attach the new HJT log and let me know how things are working. Make absolutely sure you DO NOT have any browsers opened while running those steps.
     
  13. Thom_D

    Thom_D Private E-2

    OK, I followed the steps you outlined for today. I did actually do the web browser reset steps, I just set my home page to blank so the browser will load faster.

    So far it seems OK, but McAfee keeps finding the same two trojans as listed above and in the same place. Not sure if it is a false positive because I can't find the indicated files in either location.

    I am considering dropping McAfee and going with Pandaware. Do you have any recommendations on a good AV program that also catches some spyware? I run AdAware and Spybot S&D weekly and I guess now I will run Windows Defender as well. What a hassle.

    Let me know if I need to do anything else.

    You have been a lot of help and I appreciate it. I could never have done this without some expert guidance.

    Thanks

    Thom
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you have enabled viewing of hidden files and extensions etc per the READ ME. It could also be that you are looking for them after McAfee has already deleted them and then perhaps something is bringing them back after reboot. Try uninstalling McAfee and then reboot and look for the files.

    Antivirus and Antispyware are two different things and you need both. If you install security suites from McAfee, Symantec, Panda, etc, you will typically get both of those and then some more (like firewall, popup blocker, antispam). I don't recommend these security suites because they are usually tremendous resource hogs.

    You also still have Ewido and AOL's antispyware applications running. I personally would not use AOL's stuff at all. And if Ewido is the free version, you really should uninstall it to avoid possible conflicts with Windows Defender and also the excess use of system resources. If Ewido is a paid subscription version, I would keep it and uninstall Windows Defender.

    What we recommend, and you should do anyway since we have cleaned your PC, is the below.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
    Last edited: Jun 23, 2006
  15. Thom_D

    Thom_D Private E-2

    OK, everything seems to be ok with the spyware now. Thanks for your help with all of this.

    I now have a new problem that may be related or not, I am not sure.

    Windows starts up fine, but when the screen saver kicks in the screen clears of everything but the mouse cursor and hangs. The mouse cursor stays live but nothing else works. CTRL+ALT+DEL does nothing. I can shut down holding the power button or hit the reset button to restart Windows, but I know that can't be good for the Windows installation.

    I am running Windows XP SP2 with all of the latest patches.

    Let me know if you can help or if I need to post this somewhere else.

    Thanks

    Thom
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not sound like malware but I will check one more thing first before sending you to the Software Forum.

    Run the below procedure and attach the runkeys.txt log.
     
  17. Thom_D

    Thom_D Private E-2

    Tim,

    Here you go. Thanks for looking deeper into this with me.

    I am mostly hoping I don't have to reinstall windows so what ever you can tell me is great.

    Thanks

    Thom
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try one more thing!

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now reboot and let me know if there is any change. I don't expect this to fix the symptoms you were describing.
     
