Still having problems... Please help!

I've been through the thread "READ & RUN ME FIRST Before Asking for Support", but am still having a couple of issues. I had to run all the scans/processes in normal mode as Safe Mode doesn't appear to be working as it should. It loads up, the start bar briefly flickers on then disappears. Also no icons are displayed and I can't do anything. There's also malware still present I think - 1. small red icon with yellow ! next to the clock in the bottom right corner. Hover over it and a balloon appears that states "Security Warning: your computer may be infected with harmful or unwanted software!" 2. In Add/Remove Programs, "Safety Alerted 2006" seems to have appeared and I can't get rid of it. I've attached all requested logs/scan results. Please help! I've been trying to fix this all morning! Thanks

 

Here are the remaining logs....

 

Download Pocket KillBox

• Save it to your desktop or a place easy to find.
• Do not run it yet

Please download HOSTER and then follow the below steps.

• Unzip HOSTER to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.

• Click the X to exit the program.

Please look in Add/Remove Programs for the following and uninstall them if found:

VSToolbar

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/

R3 - URLSearchHook: (no name) - {52E92599-ED56-B18D-7954-BECE6CB3BCBB} - C:\WINDOWS\system32\wauj.dll (file missing)

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {52E92599-ED56-B18D-7954-BECE6CB3BCBB} - C:\WINDOWS\system32\wauj.dll (file missing)
O2 - BHO: (no name) - {7844C74D-14F5-4927-856F-E5FD8803BAF6} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\vvmncuas.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpov.dll,startup
O4 - HKCU\..\Run: [almgr.exe] C:\WINDOWS\system32\almgr.exe
O4 - HKCU\..\Run: [Bthlwsfv] C:\WINDOWS\?ssembly\n?tepad.exe
O4 - HKCU\..\Run: [Hcod] "C:\PROGRA~1\COMMON~1\APPATC~1\attrib.exe" -vt ndrv

O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)

O21 - SSODL: archenteric - {d7bdd42a-7e69-4bb8-aac3-d76ff65a3aa3} - (no file)

Again, make sure ALL browser windows are closed when you click FIX.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\WINDOWS\?ssembly ← Search for this folder and delete if found. Please note that ? represents an unprintable character so it will not look normal!

C:\Program Files\Common Files\APPATC~1 ← Delete this whole folder if it exist!

Next, run CCleaner to clean up cookies and temp files.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, REBOOT and proceed with the rest of this fix...

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also, please attach a fresh HJT log.

 

bjgarrick, thanks very much for your help. All went well. HJT log attached. Only thing I encountered - C:\WINDOWS\?ssembly and C:\Program Files\Common Files\APPATC~1 didn't exist. There are 2 assembly folders in C:\WINDOWS though, one is displayed under A when listed alphabetically, the other is listed after Z. I'm thinking this second folder may be the one you're talking about. Is it safe to delete it? Thanks again

 

Yes, that's the bad one, you can remove this folder by booting into Safe Mode. Once you delete this folder you should be ready to go. Your last log looked good.

Are you having any current problems?

 

Everything seems to be working fine now. No annoying yellow balloon icons in the system tray, no hijacked IE and no more malware warnings popping up. Hopefully it won't happen again, but if it does, I know where to come! Thanks again

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!