Hi greenfish,
I'd like to add one more thing!
I was talking to a friend about this and she suggested that, after removing the visible baddies, it might be necessary to reset TCP/IP as per the instructions in the link below:
http://support.microsoft.com/kb/299357
I should probably include the netsh int ip reset resetlog.txt command in the fix I put together.
She also told me that combofix.exe should be able to remove the visible components of this malware.
-- First, delete old combofix.exe already on your machine
-- You should download a fresh combofix.exe to your Desktop and leave it there.
-- Then, boot to SAFE MODE
-- Click Start > Run and enter the following exactly as it is here: "%userprofile%\desktop\combofix.exe" /wow
(if need be, you can save it locally to notepad and copy&paste it into the box)
Let the tool run and submit the combofix log along with a fresh HJT log.
It may be a good idea to rerun the above combofix.exe steps. In re-examining all of the various logs, I see an item I missed! It is a different piece of malware - probably from last summer.
It looks like adware to deliver popups. I missed it because I thought it was a Chinese language plug-in.
04/17/2006 10:02 PM 188,413 bg_ppgoumini.exe
Checking %WinDir% folder...
aspack 6/25/2006 11:31:32 PM 100170 C:\WINDOWS\IEYHelper.dll (Eastday Corporation)
aspack 6/25/2006 11:32:26 PM 98896 C:\WINDOWS\YayaBands.dll (Eastday Corporation)
aspack 6/28/2006 12:19:44 AM 158288 C:\WINDOWS\YayaVerAtl.dll (Eastday Corporation)
Checking %System%\Drivers folder and sub-folders...
UPX! 6/25/2006 11:23:58 PM 71402 C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys (China Internet Network Information Center (CNNIC))
Sorry about all the "fragmented" advice! I've been really busy lately, but this piece of malware was bugging me, so I asked a few friends about it and thought I should pass along their suggestions.
Best Luck & Happy Holidays!
PP
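The log excerpt in the post above tags each flagged file with a packer label ("aspack", "UPX!"). The post does not say which tool produced that log or how it decides on the label, so the script below is an added example (not the poster's code, and not the log tool's): it reads the PE section table and classifies a file as UPX- or ASPack-packed from the section names those packers normally leave behind (UPX0/UPX1/UPX2, .aspack/.adata), falling back to the "UPX!" magic string that UPX embeds in the file. Treating those names as the fingerprint is an assumption about what the log tool checks. A minimal PE image is constructed inline as sample input so it runs offline; `scan_folder` is the same check applied to a real directory such as %WinDir% or %System%\drivers.

```python
"""Flag PE files packed with UPX or ASPack by inspecting the section table.

Added example, not part of the original post. The "aspack" / "UPX!" labels
mirror the markers in the log above; matching on the packers' usual section
names and on the UPX magic is an assumption about how the log tool decides.
A constructed minimal PE image serves as sample input so the script runs offline.
"""
import os
import struct

# Section names the two packers normally create (assumption: this is what the log tool keys on).
PACKER_SECTIONS = {
    "UPX!": {b"UPX0", b"UPX1", b"UPX2"},
    "aspack": {b".aspack", b".adata"},
}
UPX_MAGIC = b"UPX!"  # UPX writes this magic into the packed file


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    # SizeOfOptionalHeader(2), Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section headers start after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break  # truncated section table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify_packer(data: bytes):
    """Return 'UPX!', 'aspack' or None for the given file contents."""
    names = pe_section_names(data)
    if names is None:
        return None
    for label, markers in PACKER_SECTIONS.items():
        if any(n in markers for n in names):
            return label
    # Fallback: a UPX file whose sections were renamed still carries the magic string.
    if UPX_MAGIC in data:
        return "UPX!"
    return None


def scan_folder(folder, exts=(".exe", ".dll", ".sys")):
    """Yield (label, path) for packed PE files under folder, in the spirit of the log above."""
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the scan
            label = classify_packer(data)
            if label:
                yield label, path


def build_sample_pe(section_names):
    """Construct a minimal PE32 image with the given section names (sample input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS stub
    opt = b"\0" * 224  # size of a PE32 optional header; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    samples = {
        "upx-like": build_sample_pe([b"UPX0", b"UPX1", b".rsrc"]),
        "aspack-like": build_sample_pe([b".text", b".aspack", b".adata"]),
        "plain": build_sample_pe([b".text", b".data"]),
    }
    for name, image in samples.items():
        print(f"{classify_packer(image)!s:8} {name}")
    # For a real run, replace the samples with e.g.:
    # for label, path in scan_folder(os.environ["WINDIR"]): print(label, path)
```

The section-name check is only a heuristic: a packed file with renamed sections, or a packer other than these two, will be missed, and an unpacked file is not by itself clean. Use it to shortlist files worth a closer look, as the log tool did, not as a verdict.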