Read & Run Complete - Still Screwed

Discussion in 'Malware Help (A Specialist Will Reply)' started by Galbraith, Feb 7, 2006.

  1. Galbraith

    Galbraith Private E-2

    Followed Read & Run to the letter.

    Step 0: Nothing odd found with Add/Remove on the control panel
    Step 1: Read it, didn't disable System Restore at this time.
    Step 2: Viewing is enabled for all hidden files
    Step 3: I'm only using AVG antivirus
    Step 4: All tools downloaded, updated, and ready per instructions.
    Step 5: Problems

    Unable to boot to "Safe Mode"; scan run in Normal. (See link for previous posting about not being able to enter "Safe Mode": http://forums.majorgeeks.com/showthread.php?t=84728)

    Unplugged cable modem, shut down all unrequired applications, ran Ccleaner, ran MS Windows Malware removal program (nothing found), ran AD-Aware SE (found 2 tracking cookies - tribal fusion and Zedo - and 1 "MRU List"). Ran MS Antispyware and found "FindTheWebsiteYouNeed" Browser modifier. Ran AVG Antispyware again - nothing found.

    Step 6: Ran Bitdefender (log attached). Unable to run Panda ActiveScan. Active X Control was installed, screen asked what I would like scanned (My Computer, Local Disk, Floppy Disk, My Documents, E-Mail, Other Media), but I was unable to select any. Bar at the bottom of IE window said "Error on Page". Tried to run Panda several times with the same result.

    Step 7: Ran HijackThis (log attached)


    I'm glad you folks are around. I'm really looking forward to cleaning this garbage off of my computer. I'm attempting to post logs, but I'm only seeing how to put them inline. Removed inline from this post.
     


  2. Galbraith

    Galbraith Private E-2

    Thanks, D3m3nt3d.

    Ran Spy Sweeper and was amazed at what it found that I thought was cleaned off. (Log attached). I'm concerned that I'm still seeing

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\AntivirusDisableNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\AntivirusOverride
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\FirewallDisableNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\FirewallOverride
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\UpdatesDisableNotify

    in the registry and 4 dat files (gimmygames1, winsysupd51, drsmartload2 and myupdates1) that were previously fixed by other applications. (Spybot, Ad Aware SE).
     


  3. Galbraith

    Galbraith Private E-2

    New HJT log attached.

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\AntivirusDisableNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\AntivirusOverride
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\FirewallDisableNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\FirewallOverride
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\UPDATES\UpdatesDisableNotify

    Are all in the registry.

    Location of .dat files - long story short - F: is main drive and replaced C: years ago when master boot record on C: had problems. C: is working now, but doesn't have much on it. (I could kill this drive with a format and not really care) These .dat files are on the C: drive.

    Path:
    C:\windows\gimmygames1.dat
    C:\windows\winsysupd51.dat
    C:\windows\drsmartload2.dat
    C:\windows\myupdates1.dat

    In C:\windows, in addition to these .dat files, there is an empty folder labelled system32. I never created these items. I find it curious that F:\WINDOWS is capitalized while C:\windows is lower case. Is there anything to read into that?
     
  4. Galbraith

    Galbraith Private E-2

    New HJT log. Forgot the attachment.
     


  5. Galbraith

    Galbraith Private E-2

    C:\windows\gimmygames1.dat - status ok
    C:\windows\winsysupd51.dat - The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
    C:\windows\drsmartload2.dat - The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
    C:\windows\myupdates1.dat - The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

    Obviously not Zone Alarm preventing upload since gimmygames1.dat didn't have problems uploading and scanning.

    I'm also concerned about BOOT.INI not being an available tab when I go to msconfig and try to boot in safemode. I posted on that previously w/o resolution. http://forums.majorgeeks.com/showthread.php?t=84728

    After running Spy Sweeper, per your suggestion, the computer seems to be running better, but I'm not convinced the problem is resolved. I did disable system restore, restart the system and then re-enabled system restore since it wasn't hijacking my browser every 10 seconds and might be fixed.
     
  6. Galbraith

    Galbraith Private E-2

    I don't know what head24.exe is, but Zone Alarm has notified me of the application and I denied access to the internet. The file is not at F:\WINDOWS\Head24.exe, nor is it anywhere else according to my search.

    I have not done your HJT request and I will wait until I hear from you regarding head24.
     
  7. Galbraith

    Galbraith Private E-2

    All hidden folders are shown, as per Step 2. I confirmed this a 2nd time when I couldn't locate head24.exe.

    Head24.exe has been disabled and now deleted, per your instructions. Scan with HJT does not show
    Also, after I select the three files you request in HJT what did you want me to do to them? "Fix Checked", "Add Checked To Ignore List", something else?
     
  8. Galbraith

    Galbraith Private E-2

    One more thing, you told me to disable Head24.exe in the Services.msc, but it is still running. Is there something additional I need to do? I notice many of the services in this control panel have "Start, Stop, Restart" as options - this doesn't.
     
  9. Galbraith

    Galbraith Private E-2

    Thanks. I work nights so I'll get it first thing in the morning.
     
  10. Galbraith

    Galbraith Private E-2

    Followed these instructions, no problems.

    After deleting Head24 in the HJT Delete an NT Service window I was unable to delete O23 - Service: Head24 - Unknown owner - F:\WINDOWS\Head24.exe - it wasn't there. The other two deleted without problem. I then emptied the contents of the F:\WINDOWS\Prefetch folder, ran Ccleaner, and have attached a new HJT log.

    Everything seems to be running well, but I still have concern about the items in the registry that Spybot S&D identified as problems and couldn't remove. You previously said they are fine, but the names are ominous and S&D tried to remove them and couldn't. I think the malware infection and the feeling of helplessness is getting me paranoid. :eek: Combine that with the inability to upload those .dat files to http://virusscan.jotti.org/ and I have the sense of impending doom.

    Your help is appreciated.

    BTW, what are the chances this garbage got on the computer from my daughter playing on MySpace?

     


  11. Galbraith

    Galbraith Private E-2

    All the .dat files were created on Saturday Feb 4, all were accessed today.

    HJT couldn't kill the process F:\WINDOWS\Head24.exe. The selected process could not be killed. It may already have closed or it is protected by Windows

    There is still no file listed at the path F:\WINDOWS\Head24.exe

    According to services.msc it is Status: Started, Startup Type: Disabled.
     
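As an added defensive check (not something posted in the thread), the PowerShell audit below flags the two conditions Galbraith describes above: Security Center notification/override values that are set, and any service that is running while its startup type is Disabled or whose binary cannot be found on disk. It assumes an elevated PowerShell session and the documented key HKLM\SOFTWARE\Microsoft\Security Center; the key path as printed in the tool output above (SecurityCenter\Updates) is an assumption and is checked as well.

```powershell
# Added example, not from the thread. Run elevated. Uses Win32_Service so it works on
# Windows XP / PowerShell 2.0 as well as current releases.

# Documented Security Center key plus the path as shown in the Spybot output (assumed).
$scKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center',
    'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Updates'
)
# Values that, when non-zero, silence Security Center warnings or override its status.
$scValues = 'AntiVirusDisableNotify', 'AntiVirusOverride',
            'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'

function Get-SecurityCenterOverrides {
    foreach ($key in $scKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $scValues) {
            $data = $props.$name
            if ($null -ne $data -and $data -ne 0) {
                New-Object PSObject -Property @{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

function Get-SuspiciousServices {
    Get-WmiObject Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }                       # some services report no path
        # Strip arguments: quoted path first, otherwise everything up to the first ".exe".
        if ($path -match '^"([^"]+)"')       { $exe = $Matches[1] }
        elseif ($path -match '^(.+?\.exe)')  { $exe = $Matches[1] }
        else                                 { $exe = $path }
        $missing = -not (Test-Path -LiteralPath $exe)
        $runningDisabled = ($_.State -eq 'Running' -and $_.StartMode -eq 'Disabled')
        if ($missing -or $runningDisabled) {
            New-Object PSObject -Property @{
                Name = $_.Name; Path = $exe; State = $_.State; StartMode = $_.StartMode
                Finding = $(if ($missing) { 'binary not found on disk' } else { 'running while Disabled' })
            }
        }
    }
}

"--- Security Center overrides set ---"; Get-SecurityCenterOverrides | Format-Table -AutoSize
"--- Services worth a closer look ---";  Get-SuspiciousServices      | Format-Table -AutoSize
```

A service that reports Running with a Disabled startup type and a path that does not exist, as in the post above, will appear in the second table; a legitimate service normally has a resolvable binary path.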
  12. Galbraith

    Galbraith Private E-2

    My first posting said that I was unable to boot in safe mode. I go to the msconfig and there is no BOOT.INI tab. Pressing F8 during startup sequence does nothing.

    I downloaded Pocket Killbox.
     
  13. Galbraith

    Galbraith Private E-2

    Okay, all done. New HJT log
     


  14. Galbraith

    Galbraith Private E-2

    Okay, sounds good! I tried deleting them Saturday and they didn't go away, but they probably will now that we have all the garbage off. Thanks for the help.
     
