Tried all kinds of removal tools. None worked.
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:25 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\gdez\Application Data\Color_Server_Client_Tools\JRE\JRE1.4.2\bin\DEX_IC-304V1.EXE
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Media Player Classic - {D2A8552D-4340-413E-B94E-245827FBC269} - C:\WINDOWS\ausctv32a.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DexStarter_IC-304V1] "C:\Documents and Settings\gdez\Application Data\Color_Server_Client_Tools\PrinterDriver\IC-304V1\DexRunner.bat"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2FA9C06-A901-47D2-937B-0A0372D21514}: NameServer = 64.65.128.6,66.213.224.2
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
--
End of file - 6305 bytes
COMBOFIX LOG
ComboFix 08-03-22.3 - gdez 2008-03-24 12:31:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1113 [GMT -7:00]
Running from: C:\Documents and Settings\gdez\Desktop\ComboFix.exe
.
-- Other TimeOuts --
CF19848.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\*
CF19848.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*"
CF19848.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.
2008-03-24 10:38 . 2008-03-24 10:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 10:38 . 2008-03-24 10:59 <DIR> d-------- C:\Documents and Settings\gdez\Application Data\SUPERAntiSpyware.com
2008-03-24 10:38 . 2008-03-24 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-24 07:59 . 2008-03-24 07:59 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-24 07:45 . 2008-03-24 10:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 07:25 . 2008-03-24 07:25 219,648 --a------ C:\WINDOWS\ausctv32a.dll
2008-03-24 07:25 . 2008-03-24 07:25 48 --a------ C:\xmp.bat
2008-03-24 07:04 . 2008-03-24 07:04 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-03 10:23 . 2008-03-03 10:23 <DIR> d-------- C:\Documents and Settings\gdez\Application Data\Motive
2008-03-03 10:20 . 2008-03-03 10:26 <DIR> d-------- C:\Program Files\Verizon
2008-03-03 10:20 . 2008-03-03 10:20 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-03-03 10:20 . 2008-03-03 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-03-03 07:43 . 2008-03-03 07:43 <DIR> d-------- C:\Program Files\iTunes
2008-03-03 07:43 . 2008-03-03 07:43 <DIR> d-------- C:\Program Files\iPod
2008-03-03 07:43 . 2008-03-24 12:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 07:43 . 2008-03-03 07:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 07:42 . 2008-03-03 07:42 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 17:14 --------- d-----w C:\Documents and Settings\gdez\Application Data\uTorrent
2008-03-21 21:38 --------- d-----w C:\Program Files\NC2K
2008-03-18 17:22 --------- d-----w C:\Documents and Settings\gdez\Application Data\AdobeUM
2008-02-22 15:09 --------- d-----w C:\Program Files\Xvid
2008-02-20 14:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-20 14:51 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-20 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-02-14 21:18 --------- d-----w C:\Documents and Settings\gdez\Application Data\Acronis
2008-02-14 21:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Acronis
2008-02-14 21:09 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-02-14 21:09 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-14 21:09 368,544 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-02-14 21:09 129,248 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-02-14 21:09 --------- d-----w C:\Program Files\Common Files\Acronis
2008-02-14 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-14 21:08 --------- d-----w C:\Program Files\Acronis
2008-02-13 20:59 --------- d-----w C:\Program Files\BUFFALO
.
((((((((((((((((((((((((((((( snapshot@2008-03-24_11.52.00.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-15 00:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A8552D-4340-413E-B94E-245827FBC269}]
2008-03-24 07:25 219648 --a------ C:\WINDOWS\ausctv32a.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DexStarter_IC-304V1"="C:\Documents and Settings\gdez\Application Data\Color_Server_Client_Tools\PrinterDriver\IC-304V1\DexRunner.bat" [2007-12-18 14:40 438]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-05-12 16:22 249856]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2006-08-18 15:54 28672]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 21:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 21:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 21:07 140568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 11:30 936960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-21 13:13:15 113664]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-08-18 15:54:51 335872]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Adobe\\Adobe Acrobat 6.0\\Acrobat\\Acrobat.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\gdez\\Application Data\\Color_Server_Client_Tools\\JRE\\JRE1.4.2\\bin\\DEX_IC-304V1.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-14 14:09]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-30 21:51]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-08-18 15:28]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 07:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 12:34:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\gdez\Application Data\Color_Server_Client_Tools\JRE\JRE1.4.2\bin\DEX_IC-304V1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-24 12:36:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-24 19:36:03
ComboFix2.txt 2008-03-24 18:52:14
.
2008-03-12 17:01:29 --- E O F ---