
C:\Documents and Settings\All Users\Application Data\Microsoft\Shortcuts\icwsetup.exe - that is where this file is located.
I looked because there was a similar thread, but it didn't really help me.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:44, on 09-07-06
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Fmctrl.EXE
D:\Gadu-Gadu\gg.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
D:\Sciagnięcia z neta\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: bignetdaddy - {f5082f62-b394-440e-cb2a-d6549a2033b5} - C:\WINDOWS\system32\nsl4B.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: rncsys32.exe
O4 - Global Startup: icwsetup.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{53E2BF5D-3C63-4BEE-BB7F-71B9417B195B}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{53E2BF5D-3C63-4BEE-BB7F-71B9417B195B}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Usługa inteligentnego transferu w tle (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Aktualizacje automatyczne (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 4235 bytes
And the second problem is the file in system32\drivers\4a575d0f.sys; I don't really know how to remove it either ;<
Please help.

edit# ComboFix log
ComboFix 09-06-22.05 - AS 09-07-06 20:12.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.189 [GMT 2:00]
Launched from: d:\sciagnięcia z neta\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.
2009-07-06 16:09 . 2009-07-06 18:12 102400 ----a-w- c:\windows\system32\drivers\4a575d0f.sys
2009-07-06 16:07 . 2009-07-06 16:07 -------- d-sh--w- C:\FOUND.005
2009-07-05 07:00 . 2009-07-05 07:00 -------- d-sh--w- C:\FOUND.004
2009-07-03 21:42 . 2009-07-03 21:42 1283072 ----a-w- c:\windows\system32\nsl4B.dll
2009-07-03 06:02 . 2009-07-03 06:02 -------- d-sh--w- C:\FOUND.003
2009-07-02 16:33 . 2009-07-02 16:33 -------- d-sh--w- C:\FOUND.002
2009-06-30 17:07 . 2004-08-03 23:44 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-30 15:44 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-06-30 15:44 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-30 15:44 . 2001-08-18 04:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-06-30 15:44 . 2001-08-18 04:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-06-30 15:44 . 2001-08-17 20:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-06-30 15:44 . 2001-08-17 20:55 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-06-30 15:44 . 2001-08-17 20:55 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-06-30 13:16 . 2009-06-30 13:16 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\FastStone
2009-06-24 17:35 . 2009-07-05 06:18 85888 ----a-w- c:\windows\system32\745c5e57-dfcc-46aa-6817-5c4750100b62.exe
2009-06-24 11:36 . 2009-06-24 11:36 -------- d-sh--w- C:\FOUND.001
2009-06-23 04:56 . 2009-06-23 04:56 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-23 04:55 . 2002-09-28 20:00 2944 ----a-w- c:\windows\system32\drivers\null.sys
2009-06-23 04:55 . 2002-09-28 20:00 2944 ----a-w- c:\windows\system32\dllcache\null.sys
2009-06-16 12:15 . 2009-06-16 12:15 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\DAEMON Tools Pro
2009-06-16 12:15 . 2009-06-16 12:15 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\DAEMON Tools
2009-06-16 12:15 . 2009-06-16 12:15 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-06-16 12:12 . 2009-06-16 12:12 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-16 12:12 . 2009-06-16 12:12 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\DAEMON Tools Lite
2009-06-16 12:09 . 2009-06-16 12:09 -------- d--h--r- c:\documents and settings\AS\Dane aplikacji\SecuROM
2009-06-16 12:09 . 2009-06-16 12:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-10 13:27 . 2009-06-10 13:27 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\CyberLink
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 10:25 . 2009-06-06 10:25 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\Skype
2009-06-01 14:07 . 2009-06-01 14:07 -------- d-----w- c:\program files\Realtek AC97
2009-05-30 06:23 . 2002-09-28 20:00 49492 ----a-w- c:\windows\system32\perfc015.dat
2009-05-30 06:23 . 2002-09-28 20:00 355486 ----a-w- c:\windows\system32\perfh015.dat
2009-05-30 06:18 . 2009-05-30 06:18 -------- d-----w- c:\program files\Common Files\NVIDIA Shared
2009-05-30 05:22 . 2009-05-30 05:22 0 ----a-w- c:\windows\ativpsrm.bin
2009-05-29 21:10 . 2009-05-29 21:10 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\Tibia
2009-05-29 21:04 . 2009-05-29 21:04 -------- d-----w- c:\documents and settings\AS\Dane aplikacji\Gadu-Gadu
2009-05-29 20:04 . 2009-05-29 20:04 55808 ----a-w- c:\windows\ALCFDRTM.EXE
2009-05-29 19:58 . 2009-05-29 19:58 0 ----a-w- c:\windows\nsreg.dat
2009-05-28 19:13 . 2009-05-28 13:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-28 19:01 . 2009-05-28 19:01 12328 ----a-w- c:\documents and settings\AS\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-28 18:52 . 2009-05-28 18:52 -------- d-----w- c:\program files\Thomson
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w- c:\program files\Java Web Start
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w- c:\program files\Java
2009-05-28 18:51 . 2009-05-28 18:51 -------- d-----w- c:\program files\Neostrada TP
2009-05-28 14:31 . 2009-05-28 14:31 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\CyberLink
2009-05-28 14:31 . 2009-05-28 14:31 -------- d-----w- c:\program files\CyberLink
2009-05-28 14:30 . 2009-05-28 14:30 -------- d-----w- c:\program files\Winamp
2009-05-28 14:30 . 2009-05-28 14:30 -------- d-----w- c:\program files\SubEdit-Player
2009-05-28 14:29 . 2009-05-28 14:29 262884 ----a-w- c:\windows\IPUI_DivXG400.exe
2009-05-28 14:29 . 2009-05-28 14:29 -------- d-----w- c:\program files\ffdshow
2009-05-28 14:29 . 2009-05-28 14:29 -------- d-----w- c:\program files\Real Alternative
2009-05-28 14:29 . 2009-05-28 14:29 -------- d-----w- c:\program files\Media Player Classic
2009-05-28 14:12 . 2009-05-28 14:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 14:12 . 2009-05-28 14:12 -------- d-----w- c:\program files\C-Media 3D Audio
2009-05-28 14:12 . 2009-05-28 14:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-28 13:57 . 2009-05-28 13:57 -------- d-----w- c:\program files\microsoft frontpage
2009-05-28 13:55 . 2009-05-28 13:55 -------- d-----w- c:\program files\Usługi online
2009-05-28 13:53 . 2009-05-28 13:53 21856 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-06-23_04.56.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 11:42 . 2009-06-24 11:42 16384 c:\windows\Temp\Perflib_Perfdata_4ec.dat
+ 2009-06-23 04:56 . 2008-10-16 12:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-23 04:56 . 2004-08-03 21:44 25088 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-23 04:56 . 2004-08-03 21:44 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-23 04:56 . 2004-08-03 21:38 24960 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-23 04:56 . 2004-08-03 20:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-23 04:56 . 2004-08-03 21:44 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 504832 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 658944 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-23 04:56 . 2004-08-03 21:44 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-23 04:56 . 2004-08-03 23:44 296448 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-23 04:56 . 2004-08-03 20:14 359040 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-23 04:56 . 2004-08-03 21:44 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-23 04:56 . 2004-08-03 20:14 182912 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-23 04:56 . 2004-08-03 21:44 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-23 04:56 . 2004-08-03 21:43 172032 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-23 04:56 . 2004-08-03 21:44 1548288 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-23 04:56 . 2004-08-03 21:39 2182272 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-23 04:56 . 2004-08-03 21:54 2058112 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-23 04:56 . 2004-08-03 21:44 1012224 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-23 04:56 . 2004-08-03 21:44 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f5082f62-b394-440e-cb2a-d6549a2033b5}]
2009-07-03 21:42 1283072 ----a-w- c:\windows\system32\nsl4B.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="d:\gadu-gadu\gg.exe" [2007-07-09 2119104]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"WooCnxMon"="c:\progra~1\NEOSTR~1\CnxMon.exe" [2003-10-16 24576]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2003-10-16 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 53248]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Internet Connection Wizard Setup Tool"="c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe" [2009-06-20 19968]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"FmctrlTray"="Fmctrl.EXE" - c:\windows\system32\fmctrl.exe [2001-08-20 270336]
c:\documents and settings\AS\Menu Start\Programy\Autostart\
rncsys32.exe [2004-8-3 22016]
c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\
icwsetup.exe [2009-6-20 19968]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Neostrada TP\\NeostradaTP.exe"=
"d:\\Program Files\\Valve\\hl.exe"=
"d:\\Gadu-Gadu\\gg.exe"=
"d:\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [09-06-02 14:41 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [09-06-02 14:41 20560]
R3 gameport;FM801 PCI Joystick;c:\windows\system32\drivers\FMJOY.SYS [09-06-02 17:31 9728]
R3 wdm_fm801;FM801 PCI Audio (WDM);c:\windows\system32\drivers\FM801.SYS [09-06-02 17:31 328320]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.neostrada.pl
IE: { - c:\program files\Messenger\msmsgs.exe
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 20:12
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4a575d0f]
"ImagePath"="\SystemRoot\System32\drivers\4a575d0f.sys"
.
--------------------- DLLs loaded under running processes ---------------------
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(576)
d:\gadu-gadu\ggwhook.dll
.
Completion time: 2009-07-06 20:13
ComboFix-quarantined-files.txt 2009-07-06 18:13
ComboFix2.txt 2009-06-23 05:05
ComboFix3.txt 2009-06-23 04:57
Before: 6 762 233 856 bytes free
After: 6 768 459 776 bytes free
175
Oh, and btw, I turned off System Restore and the firewall and stopped avast's protection.
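As an added example (not part of the original post, and not a tool the poster ran), here is a small Python triage script that applies a few of the checks a log reader does by eye to the lines that stand out in the logs above: a BHO loaded from the system directory, bare executables sitting in a Startup folder, binaries whose file name is a hash- or GUID-like string, and Security Center / firewall settings switched off. The sample lines are copied from the HijackThis and ComboFix logs in the post; the rules, severities and the "random-looking name" test are heuristics of mine, not anything HijackThis or ComboFix reports themselves, so a hit is a reason to look closer rather than a verdict.

```python
"""Triage helper for HijackThis / ComboFix text logs.

Runs a few of the heuristics a malware-removal volunteer applies by eye:
autostart or service entries that name a random-looking (hex or GUID)
binary, executables dropped straight into a Startup folder, a browser
helper object loaded from the Windows system directory, and
Security Center / firewall settings switched off. Every rule is a
heuristic (an assumption of this example): a hit means "look here".
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, rule, offending log line)

# Constructed sample: a subset of lines copied from the HijackThis and
# ComboFix logs in the post above (paths unchanged).
SAMPLE = r"""
O2 - BHO: bignetdaddy - {f5082f62-b394-440e-cb2a-d6549a2033b5} - C:\WINDOWS\system32\nsl4B.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: rncsys32.exe
O4 - Global Startup: icwsetup.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
2009-06-24 17:35 . 2009-07-05 06:18 85888 ----a-w- c:\windows\system32\745c5e57-dfcc-46aa-6817-5c4750100b62.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4a575d0f]
"ImagePath"="\SystemRoot\System32\drivers\4a575d0f.sys"
"""

# A file stem made only of hex digits and dashes (8+ chars), e.g. 4a575d0f
# or 745c5e57-dfcc-46aa-6817-5c4750100b62. Vendor binaries almost never look
# like this; droppers that name files from a hash or GUID do.
RANDOM_STEM = re.compile(r"^[0-9a-f-]{8,}$", re.I)

# Path-like tokens ending in a binary extension; stops at spaces and quotes.
BINARY_TOKEN = re.compile(r"[\w~.\\:\-]+\.(?:exe|dll|sys)\b", re.I)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def basename(path: str) -> str:
    """Last path component, for either separator."""
    return re.split(r"[\\/]", path)[-1]


def looks_random(filename: str) -> bool:
    """True for exe/dll/sys names whose stem is only hex digits and dashes."""
    stem, _, ext = filename.rpartition(".")
    return ext.lower() in {"exe", "dll", "sys"} and RANDOM_STEM.match(stem) is not None


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to one log line; return the findings (possibly none)."""
    s = line.strip()
    out: List[Finding] = []

    # HijackThis O2: a BHO whose DLL sits in the system directory. Legitimate
    # BHOs normally install under Program Files; a nondescript DLL dropped
    # into system32 is a classic adware/spyware pattern.
    m = re.match(r"O2 - BHO: (.*?) - \{[0-9a-f-]+\} - (.+)$", s, re.I)
    if m and "\\system32\\" in m.group(2).lower():
        out.append(("high", "BHO loaded from system32", s))

    # HijackThis O4 Startup / Global Startup: the folder normally holds .lnk
    # shortcuts, so a bare .exe placed there deserves a look.
    m = re.match(r"O4 - (?:Global )?Startup: (.+)$", s)
    if m and m.group(1).lower().endswith(".exe"):
        out.append(("high", "executable placed directly in a Startup folder", s))

    # Any line (HijackThis, ComboFix file listing, ComboFix service dump)
    # that names a binary with a hash- or GUID-like file name.
    if any(looks_random(basename(t)) for t in BINARY_TOKEN.findall(s)):
        out.append(("high", "random-looking binary name", s))

    # ComboFix registry dump: protection switched off or silenced.
    if re.search(r'"AntiVirusOverride"=dword:0*1$', s):
        out.append(("medium", "Security Center antivirus warning overridden", s))
    if re.search(r'"EnableFirewall"=\s*0\b', s):
        out.append(("medium", "Windows Firewall disabled in the standard profile", s))

    # HijackThis O23: service binary with no company name. Often just a
    # vendor that omitted version info, hence low severity.
    if s.startswith("O23") and "Unknown owner" in s:
        out.append(("low", "service with no company name", s))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and order hits by severity."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def count_by_rule(findings: List[Finding]) -> dict:
    """How many lines each rule fired on."""
    counts: dict = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule, line in triage(SAMPLE):
        print(f"[{sev:<6}] {rule}: {line}")
```

Run against the sample it flags nsl4B.dll (BHO in system32), rncsys32.exe and icwsetup.exe (bare executables in Startup folders), 4a575d0f.sys and the GUID-named .exe (random-looking names), and the two disabled-protection values; note that the poster says the firewall and avast were switched off by hand, so those two medium hits need that context before anyone reads them as tampering.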