ZOMBIE?? Email passwords all changed overnight.

faithjs

New Member
One night after using my email accounts (gmail, hotmail, spinfinder) I logged off (gmail, hotmail - different passwords), closed the windows and hibernated my computer.

The next morning when I tried entering the same user info I get the same response from all servers: user and password don't match! APPARENTLY ALL MY EMAIL PASSWORDS ARE CHANGED. I follow the 'forgot my password' prompt, and in the security prompts it tells me things like 'wrong last name entered' (there's no way I'm getting my last name wrong). I get the security questions wrong (granted, it may have been me entering the wrong answers, but I suspect they've been changed), and I can't access any of my alternative emails anyway so that option is closed to me.

Incidentally, I also couldn't get into facebook (user and password don't match, again), I hit reset password and followed the link and found that my account had been deactivated (this has happened multiple times before this email incident, with damages done like half my contacts lost, all photos gone, a chunk of wallposts gone etc).

Yesterday I had my computer checked for anything possible (using adware, spybot, AVG, rootkit, hijack this), and no spyware, virus, trojan etc was found. There were only two dodgy things: my user access control was off, as was my windows firewall. (To my knowledge they hadn't been turned off, and should by default be on).

My previous antivirus software (Symantec - now I've AVG installed) had a tendency to be disabled once I enable it, and I've had to access the internet without antivirus at times. I suspect that my computer has been compromised during such vulnerable times and perhaps turned into a zombie. However, nothing concrete has been found, and though I have all the standard protections back on I still feel extremely unsafe using my computer.

No one I've talked to has heard of email passwords being changed (simultaneously too), and neither have I.

What should I do?? Should I reformat the hard disk, does that solve everything cleanly? Should I be accessing the internet/entering private information on the net using my computer? Can a remote access party still continue using a computer if it is on hibernate? If it is turned off? I have changed all my passwords on a separate computer and so far the more secure accounts like my banking and school webmail seem to be untouched.

This is a puzzle, to those people I brought my computer to as well, and of course highly distressing. CAN ANYONE SHED LIGHT ON THIS??
 

ghost

Active Member
Well it deffo sounds like you got hacked, someone may have been gathering info from your PC while you were using it. How they done it I don't know. Must have been some sorta keylogger etc..

Unlucky, need to step up security on your PC, that is one thing for sure.
 

GameMaster

New Member
Hello!
From the way you've reported the problem to us, the only way is reformatting, at least if you don't want your accounts hacked (and I don't mean only Windows accounts!).
You sounded sure, so you could reformat, that's what we always suggest in such cases, so you are sure that no more information will be handed to hackers.
However, you can post your HijackThis log here so we can judge how serious it is...although I repeat again, reformatting is the best way.
 

faithjs

New Member
HiJack Log

Hi GameMaster, here it is. Appreciate any insights and tips that don't require reformat (I'm not sure I have my recovery discs..).. thanks a lot!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:01 PM, on 1/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\controlskype\CSKYPE.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\ABBYY Lingvo 12\LvAgent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Faith\Program Files\DNA\btdna.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Faith\Desktop\HiJackThis.exe
C:\Users\Faith\Desktop\HiJackThis(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [controlskype] C:\Program Files\controlskype\CSKYPE.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with ABBYY &Lingvo... - res://C:\Program Files\ABBYY Lingvo 12\Lingvo.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8698 bytes
 

faithjs

New Member
Incidentally, btdna.exe is apparently a spyware, though that's tied to bittorrent... wonder if that's a problem?
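
A triage pass over the kind of HijackThis log posted above, as an added example that is not part of any forum post or of HijackThis itself: it parses the `O4` autorun and `O23` service lines and lists entries worth a manual look (autoruns launching from user-writable profile folders, services whose binary is reported missing, and a running process whose directory differs from its autorun entry). The sample lines are constructed from entries in the posted log; `triage`, the finding names and the user-writable path markers are assumptions of this example, and a finding is a prompt for review, not a verdict.

```python
import ntpath  # Windows path rules, usable on any OS
import re
from typing import NamedTuple

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Users\Faith\Program Files\DNA\btdna.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


class Finding(NamedTuple):
    kind: str
    name: str
    detail: str


# O4 = registry Run-key autostarts, O23 = Windows services.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")
# Executable part of a command line: quoted path, or text up to the extension.
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|bat|scr))(?=\s|$)', re.I)
# Assumption of this example: locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def exe_path(cmd):
    """Strip arguments and quotes from an autorun command line."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def parse(log):
    """Return (running process paths, autoruns, services) from a log."""
    running, autoruns, services = [], [], []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.append(line)
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append((m.group("name"), exe_path(m.group("cmd"))))
            continue
        m = O23_RE.match(line)
        if m:
            services.append(
                (m.group("name"), m.group("path"), bool(m.group("missing"))))
    return running, autoruns, services


def triage(log):
    """List entries that deserve a manual look; none is a malware verdict."""
    running, autoruns, services = parse(log)
    findings = []
    by_name = {}
    for p in running:
        by_name.setdefault(ntpath.basename(p).lower(), set()).add(
            ntpath.normcase(p))
    for name, path in autoruns:
        norm = ntpath.normcase(path)
        if any(marker in norm for marker in USER_WRITABLE):
            findings.append(Finding("user-writable-autorun", name, path))
        # 8.3 short names and %VARS% cannot be compared as plain text.
        comparable = ("~" not in norm and "%" not in norm
                      and ntpath.isabs(norm))
        seen = by_name.get(ntpath.basename(norm), set())
        if comparable and seen and norm not in seen:
            findings.append(Finding(
                "path-mismatch", name,
                f"autorun {path}; running from {', '.join(sorted(seen))}"))
    for name, path, missing in services:
        if missing:
            findings.append(Finding("missing-service-binary", name, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.name}: {f.detail}")
```
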
 

GameMaster

New Member
Hello!
First of all, please delete and uninstall the previous version of HijackThis. You must not have two versions at the same time.
Yes, you have 3 spywares that are constantly appearing in your log.
Two of them are completely unknown.
Now, you know what I said. Reformat your hard drive, otherwise we are not blamed for anything that happens to your privacy.
Now, if you won't, here is what you have to do. And be sure this is not easy, oh no.
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Code:
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


Download CCleaner from here to clean temp files from your computer.
  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location.
  • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
  • Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items. Click on Issues and make sure Registry Integrity is UNchecked!
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • After CCleaner has completed its process, click Exit.

So if you decided to fix the viruses, in the next post I want BlackLight's report, ComboFix report and fresh HijackThis log.
 

faithjs

New Member
Here is the Blacklight log:

01/16/08 21:56:17 [Info]: BlackLight Engine 1.0.67 initialized
01/16/08 21:56:17 [Info]: OS: 6.0 build 6000 ()
01/16/08 21:56:25 [Note]: 7019 4
01/16/08 21:56:25 [Note]: 7005 0
01/16/08 21:56:39 [Note]: 7006 0
01/16/08 21:56:39 [Note]: 7027 0
01/16/08 21:56:41 [Note]: 7026 0
01/16/08 21:56:41 [Note]: 7026 0
01/16/08 21:57:12 [Note]: FSRAW library version 1.7.1024
01/16/08 22:08:30 [Note]: 7007 0


(This popped up while running combofix: 'Freeware application REG.EXE has stopped working.')


This is the Combofix log:

ComboFix 08-01-17.3 - Faith 2008-01-16 22:21:33.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.367 [GMT -5:00]
Running from: C:\Users\Faith\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 22:16 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-16 21:42 . 2008-01-16 21:43 916,072 --a------ C:\fsbl.exe
2008-01-15 16:32 . 2008-01-15 16:32 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-01-15 16:32 . 2008-01-15 16:32 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-01-15 16:26 . 2008-01-15 16:26 <DIR> d-------- C:\Users\Faith\AppData\Roaming\SUPERAntiSpyware.com
2008-01-15 16:26 . 2008-01-15 16:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-15 15:45 . 2008-01-15 15:45 <DIR> d-------- C:\Users\Faith\Program Files
2008-01-14 16:19 . 2007-01-18 07:00 3,968 --a------ C:\Windows\System32\drivers\AvgArCln.sys
2008-01-14 15:37 . 2008-01-16 21:19 <DIR> d-------- C:\Users\Faith\AppData\Roaming\AVG7
2008-01-14 15:37 . 2008-01-14 15:37 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-14 15:37 . 2008-01-14 15:40 <DIR> d-------- C:\Users\All Users\avg7
2008-01-14 15:37 . 2008-01-14 15:37 <DIR> d-------- C:\ProgramData\Grisoft
2008-01-14 15:37 . 2008-01-14 15:40 <DIR> d-------- C:\ProgramData\avg7
2008-01-14 15:37 . 2008-01-14 15:37 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-14 14:49 . 2008-01-14 16:22 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-01-14 14:49 . 2008-01-14 16:22 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-01-14 14:28 . 2008-01-14 14:28 <DIR> d-------- C:\Users\Faith\AppData\Roaming\Lavasoft
2008-01-14 14:27 . 2008-01-14 14:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-14 14:26 . 2008-01-15 16:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 14:22 . 2008-01-14 14:22 <DIR> d-------- C:\Program Files\Panicware
2008-01-11 17:43 . 2008-01-15 02:08 <DIR> d-------- C:\Users\Faith\AppData\Roaming\BitTorrent
2008-01-11 17:41 . 2008-01-16 22:28 <DIR> d-------- C:\Users\Faith\AppData\Roaming\DNA
2008-01-11 17:41 . 2008-01-11 17:41 <DIR> d-------- C:\Program Files\DNA
2008-01-11 17:41 . 2008-01-11 17:43 <DIR> d-------- C:\Program Files\BitTorrent
2008-01-11 03:07 . 2008-01-11 03:07 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-11 03:07 . 2008-01-11 03:07 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-11 03:07 . 2008-01-11 03:07 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-11 03:07 . 2008-01-11 03:07 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-11 03:07 . 2008-01-11 03:07 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-11 03:04 . 2008-01-11 03:04 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-11 03:04 . 2008-01-11 03:04 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-11 03:04 . 2008-01-11 03:04 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-11 03:04 . 2008-01-11 03:04 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-11 03:04 . 2008-01-11 03:04 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-11 03:04 . 2008-01-11 03:04 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-11 03:04 . 2008-01-11 03:04 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-11 03:04 . 2008-01-11 03:04 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-11 03:04 . 2008-01-11 03:04 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-11 03:03 . 2008-01-11 03:03 11,776 --a------ C:\Windows\System32\sbunattend.exe
2007-12-24 00:06 . 2008-01-13 20:17 <DIR> d-------- C:\Users\Faith\AppData\Roaming\Smilebox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 20:36 --------- d-----w C:\ProgramData\Symantec
2008-01-14 20:36 --------- d-----w C:\Program Files\Symantec
2008-01-14 20:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 07:07 --------- d-----w C:\ProgramData\Roxio
2008-01-14 01:00 --------- d-----w C:\Users\Faith\AppData\Roaming\Skype
2008-01-11 08:27 --------- d-----w C:\Program Files\Windows Mail
2008-01-11 08:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-11 08:04 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-11 08:04 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-11 08:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-11 08:03 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-13 08:12 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-13 08:11 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 08:10 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 08:10 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 08:08 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 08:08 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 08:08 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 08:08 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 08:07 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 08:07 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 08:07 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 08:07 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 08:04 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 08:04 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-02 17:14 --------- d-----w C:\Program Files\Microsoft Works
2007-12-02 17:13 --------- d-----w C:\Program Files\MSBuild
2007-12-02 17:10 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-21 00:24 --------- d-----w C:\Users\Faith\AppData\Roaming\DivX
2007-11-20 05:50 --------- d-----w C:\Program Files\DivX
2007-11-20 05:37 --------- d-----w C:\Program Files\AC3Filter
2007-11-18 08:04 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-17 05:36 --------- d-----w C:\Program Files\Xvid
2007-11-15 08:09 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 08:08 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 08:08 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 08:08 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 08:08 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 08:08 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 08:08 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 08:08 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 08:08 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 08:08 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-07 09:45 4,855,110 ----a-w C:\V11.1.1.0_VT_DRIVERS.zip
2007-10-20 00:56 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-10-20 00:54 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\Windows\System32\DivX.dll
2007-10-18 09:06 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-10-18 09:02 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-09-01 18:54 174 --sha-w C:\Program Files\desktop.ini
2007-09-05 07:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-05 07:29 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-05 07:29 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe" [2007-05-03 08:44 1116728]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"SmileboxTray"="C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe" [2008-01-08 21:40 201352]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-01-11 17:41 290112]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2005-02-03 19:41 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 05:55 815104]
"controlskype"="C:\Program Files\controlskype\CSKYPE.EXE" [2006-08-31 10:28 249856]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-05 20:02 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-05 20:05 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-05 20:02 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 06:40 232184]
"toolbar_eula_launcher"="C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 11:20 28672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-17 02:11 98304]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" [2006-12-13 16:09 258048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-14 16:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 16:09 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-14 15:37 9216 C:\Windows\System32\avgwlntf.dll

R1 MyPort;MyPort;C:\Windows\system32\drivers\MyPort.sys [2006-05-29 05:07]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-05 21:29]
R3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-30 12:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f4faed-a02e-11dc-a6f1-cfdc09647c9c}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9581abf-6254-11dc-b28d-001636eb6874}]
\shell\AutoRun\command - .\MigWiz\migsetup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 03:30:04 C:\Windows\Tasks\Recovery DVD Creator.job"
- C:\Program Files\Packard Bell\SetupMyPc\MCDCheck.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 22:29:01
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 22:31:25
.
2008-01-15 20:59:39 --- E O F ---


This is the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:41 PM, on 1/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\controlskype\CSKYPE.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\ABBYY Lingvo 12\LvAgent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Faith\Program Files\DNA\btdna.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Users\Faith\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [controlskype] C:\Program Files\controlskype\CSKYPE.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\Faith\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\SURECL~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with ABBYY &Lingvo... - res://C:\Program Files\ABBYY Lingvo 12\Lingvo.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8344 bytes
 