BleepingComputer.com: WoW account hacked; probably keylogger; trying to ensure system is safe.

(I followed the steps in the "Preparation Guide for use before posting about your potential Malware problem". I was unable to use 'RootRepeal' as it says it is not compatible with 64bit OS. I also do not see anywhere to attach a file to my post, perhaps because I am new to the forum. I can post the 'Attach.txt' if needed. Logs are at the bottom of post, after my long-winded explanation).

Recently (Saturday) my World of Warcraft account was accessed by someone else and my characters devasted. Since I absolutely without exception do not share my account information with anyone else, I am left with the conclusion that this was most likely accomplished by a keylogger on my system. However, I am pretty zealous about computer security (within the bounds of my knowledge) and I am not sure how my system was compromised (I run Avast AV in full active mode, update and run Malwarebytes regularly; browse Internet using Firefox w/ NoScript and Adblock). Matters are further complicated by the fact that I have been unable to detect any malicious programs, etc. on my system since the hack. The only evidence I have is that my WoW account is in shambles. I was able to recover access to my account by using my laptop, but the damage is already done. However, I would very much like to ensure that my system is truly clean and would very much appreciate any advice/suggestions as to what steps to take and/or tools to use in the future to protect myself.

Steps I have followed so far upon discovering my account had been compromised:

1. Immediately checked Task Manager for unfamiliar processes. I have been in the habit of checking my running processes for years, so that when something new appears it usually jumps out at me. I noticed a process called 'wow.exe' running and immediately killed it (the game was not running at the time).

2. Deleted the last two things I downloaded for WoW (an addon called 'Jamba' and a program called 'Octopus' (similar to Synergy)). Even though I had scanned these after downloading and found them both free of anything, I deleted them out of precaution (read: panic).

2. Opened Malwarebytes and ran Full Scan. 0 infections.

3. Ran Avast full scan of all HDD's in 'thorough mode' with 'scan archives' ticked. 0 results.

4. Following a friend's suggestion I downloaded AVG, disabled Avast, then ran a full scan with AVG. 0 results.

5. Uninstalled AVG, and ran a scan using ESET Online Scanner. 0 results.

6. Rebooted in 'Safe Mode' and repeated steps 2 and 3. Also, installed Spybot S&D and ran full scan. All three programs returned 0 results.

At this point I was completely frazzled. Finding nothing was 10 times worse than if I had seen a bunch of trojans popping up. I didn't know if there was something especially clever still hiding on my system or if it stole my information and self-deleted, or what. In desperation, I resorted to 'old reliable': re-install Windows fresh. I booted from the CD (Windows 7 RC, btw) and deleted the partition on my C: drive, then proceeded through the process of installing Windows 7. After reading through this site, in hindsight I suppose it would have been better to submit my logs to this forum before wiping and reloading Windows, but I was at a loss.

Since re-installing Windows 7, I have done the following:

1. Installed ESET NOD32 Antivirus; updated.

2. Installed Comodo Firewall. This was suggested to me by a friend and seems like a great tool for security. However, I am finding the learning curve rather steep and hope that I am using it properly.

3. Installed Malwarebytes; updated.

4. Quick and Full scans with Malwarebytes. 1 Result was found:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
I Googled this and found a post on the Malwarebytes forum saying this was a false positive so I clicked 'Ignore'.

5. Full and Smart scans with NOD32. 0 results.


However, I am still uneasy as to the status of my computer's security. I have never been infected, hacked (until now) so I always thought my security precautions were adequate.


Any help, advice, suggestions is greatly appreciated. Many thanks in advance for your help.

LOG:


DDS (Ver_09-10-26.01) - NTFSX64
Run by iamnotagun at 0:33:58.98 on Wed 11/04/2009
Internet Explorer: 8.0.7100.0
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.1.1033.18.4094.1985 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames.exe
C:\Windows\system32\notepad.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\iamnotagun\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Skype] "c:\program files (x86)\skype\phone\Skype.exe" /nosplash /minimized
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files (x86)\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrotray.exe"
StartupFolder: c:\users\iamnot~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files (x86)\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\nostro~1.lnk - c:\windows\installer\{548c7b77-8b04-427e-acd0-d0e6e6e59bcf}\NewShortcut2_548C7B778B04427EACD0D0E6E6E59BCF.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
TCP: {7FAB77C7-D461-4597-83DA-E72D3EC7C1D1} = 156.154.70.22,156.154.71.22
TCP: {F8D3C2F1-AE8D-4671-A585-508961356589} = 156.154.70.22,156.154.71.22
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\syswow64\guard32.dll
mRun-x64: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun-x64: [RivaTunerStartupDaemon] "c:\program files (x86)\rivatuner\RivaTunerWrapper.exe" /S
mRun-x64: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
AppInit_DLLs-X64: c:\windows\system32\guard64.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\iamnot~1\appdata\roaming\mozilla\firefox\profiles\bljkk3zh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files (x86)\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-1 117064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-1 33128]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-9-29 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-9-29 123200]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2009-11-3 35328]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\rivatuner\RivaTuner64.sys [2009-8-22 19952]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-8-20 239616]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-11-1 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\common files\macrovision shared\flexnet publisher\FNPLicensingService64.exe [2009-11-2 1038088]
S3 getPlusHelper;getPlusHelper;c:\windows\system32\svchost.exe -k getPlusHelper [2009-4-21 27648]

=============== Created Last 30 ================

2009-11-04 03:09:07 0 d-----w- c:\users\iamnot~1\appdata\roaming\Subversion
2009-11-03 21:12:21 0 d-----w- c:\program files\TortoiseSVN
2009-11-03 21:12:21 0 d-----w- c:\program files\common files\TortoiseOverlays
2009-11-03 20:44:07 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-11-03 20:42:58 0 d-----r- c:\program files (x86)\Skype
2009-11-03 20:42:44 0 d-----w- c:\programdata\Skype
2009-11-03 12:29:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2009-11-03 08:54:28 0 d-----w- c:\windows\WindowsMobile
2009-11-03 08:35:40 0 d-----w- c:\users\iamnot~1\appdata\roaming\Belkin
2009-11-03 08:34:57 35328 ----a-w- c:\windows\system32\drivers\bcgame.sys
2009-11-03 08:34:56 0 d-----w- c:\program files (x86)\Nostromo
2009-11-03 05:16:20 0 d-----w- c:\programdata\Blizzard Entertainment
2009-11-03 04:19:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-03 03:46:07 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-11-03 03:46:05 0 d-----w- c:\program files (x86)\MagicDisc
2009-11-03 03:19:47 0 d-----w- c:\programdata\FLEXnet
2009-11-03 03:04:49 0 d-----w- c:\programdata\NOS
2009-11-03 02:30:08 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment
2009-11-03 02:29:16 0 d-----w- c:\programdata\Blizzard
2009-11-03 02:02:49 0 d-----w- c:\users\iamnot~1\appdata\roaming\EditPlus 3
2009-11-03 02:02:49 0 d-----w- c:\program files (x86)\EditPlus 3
2009-11-03 01:02:05 0 d-----w- c:\program files\Adobe
2009-11-03 01:00:11 0 d-----w- c:\programdata\ALM
2009-11-03 00:55:16 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-11-03 00:29:43 0 d-----w- c:\windows\syswow64\spool
2009-11-03 00:28:59 0 d-----w- c:\programdata\Adobe
2009-11-03 00:27:40 0 d-----w- c:\program files\common files\Macrovision Shared
2009-11-03 00:27:39 0 d-----w- c:\program files\common files\Adobe
2009-11-03 00:25:38 0 d-----w- c:\program files (x86)\common files\Macrovision Shared
2009-11-02 23:26:53 0 d-----w- c:\program files\Zune
2009-11-02 23:26:29 0 d-----w- c:\windows\PCHEALTH
2009-11-02 21:49:41 0 d-----w- c:\program files (x86)\SyncBack
2009-11-02 21:45:18 0 d-----w- c:\program files (x86)\CCleaner
2009-11-02 21:11:53 5954560 ----a-w- c:\windows\syswow64\mshtml.dll
2009-11-02 20:49:03 0 d-----w- c:\program files (x86)\RivaTuner
2009-11-02 20:47:08 0 d-----w- c:\program files\7-Zip
2009-11-02 10:08:30 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2009-11-02 10:08:30 1080 ----a-w- c:\windows\system32\settings.sfm
2009-11-02 10:07:48 407040 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-02 10:07:44 231936 ----a-w- c:\windows\system32\ListSvc.dll
2009-11-02 10:07:35 358400 ----a-w- c:\windows\system32\wmpdxm.dll
2009-11-02 10:07:35 299520 ----a-w- c:\windows\syswow64\wmpdxm.dll
2009-11-02 10:07:19 10974208 ----a-w- c:\windows\syswow64\ieframe.dll
2009-11-02 10:04:11 716800 ----a-w- c:\windows\syswow64\jscript.dll
2009-11-02 10:04:04 2053120 ----a-w- c:\windows\syswow64\iertutil.dll
2009-11-02 09:59:23 0 d-----w- c:\programdata\ESET
2009-11-02 09:59:23 0 d-----w- c:\program files\ESET
2009-11-02 08:17:55 0 d-----w- c:\windows\Panther
2009-11-02 06:20:53 0 d-----w- c:\windows\syswow64\Macromed
2009-11-02 06:14:12 0 d-----w- c:\users\iamnot~1\appdata\roaming\Malwarebytes
2009-11-02 06:13:41 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 06:13:41 0 d-----w- c:\programdata\Malwarebytes
2009-11-02 06:13:41 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2009-11-02 04:00:53 0 d-----w- c:\program files (x86)\VLC
2009-11-02 03:44:20 788 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000004-00001102-00000005-00311102}.rfx
2009-11-02 03:44:20 61448 ----a-w- c:\windows\system32\BMXStateBkp-{00000004-00000000-00000004-00001102-00000005-00311102}.rfx
2009-11-02 03:44:20 61448 ----a-w- c:\windows\system32\BMXState-{00000004-00000000-00000004-00001102-00000005-00311102}.rfx
2009-11-02 03:43:50 7062 ----a-w- c:\windows\syswow64\audiopid.vxd
2009-11-02 03:43:21 0 d-----w- c:\program files (x86)\common files\Creative
2009-11-02 03:43:20 0 d--h--w- c:\program files (x86)\Creative Installation Information
2009-11-02 03:43:08 0 d-----w- c:\program files (x86)\common files\Creative Labs Shared
2009-11-02 03:43:01 0 d-----w- c:\program files\Creative
2009-11-02 03:42:57 0 d-----w- c:\program files (x86)\Creative
2009-11-02 03:42:03 0 d-----w- c:\programdata\Creative
2009-11-02 03:42:00 107008 ----a-w- c:\windows\system32\cttele64.dll
2009-11-02 03:42:00 102400 ----a-w- c:\windows\syswow64\cttele32.dll
2009-11-02 03:40:21 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-02 03:40:21 444952 ----a-w- c:\windows\syswow64\wrap_oal.dll
2009-11-02 03:40:21 121880 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-02 03:40:21 0 d-----w- c:\program files (x86)\OpenAL
2009-11-02 03:40:19 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL
2009-11-02 03:40:19 73728 ----a-w- c:\windows\syswow64\CmdRtr.DLL
2009-11-02 03:40:19 190976 ----a-w- c:\windows\system32\APOMgr64.DLL
2009-11-02 03:40:19 148480 ----a-w- c:\windows\syswow64\APOMngr.DLL
2009-11-02 03:40:19 109080 ----a-w- c:\windows\syswow64\OpenAL32.dll
2009-11-02 03:40:16 159 ---ha-r- c:\windows\ctfile.rfc
2009-11-02 03:38:47 12288 ----a-w- c:\windows\system32\INRES.DLL
2009-11-02 03:38:47 11776 ----a-w- c:\windows\syswow64\INRES.DLL
2009-11-02 03:38:47 0 d-----w- c:\windows\syswow64\Data
2009-11-02 03:38:47 0 d-----w- c:\windows\system32\Data
2009-11-02 03:38:11 22691984 ----a-w- c:\windows\syswow64\AppSetup.exe
2009-11-02 03:36:32 0 d-----w- c:\program files (x86)\NVIDIA Corporation
2009-11-02 03:36:06 0 d-----w- c:\programdata\NVIDIA
2009-11-02 03:35:45 0 d-----w- c:\windows\syswow64\AGEIA
2009-11-02 03:35:29 0 d-sh--w- c:\windows\Installer
2009-11-02 03:35:27 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2009-11-02 03:35:05 541800 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-02 03:33:30 0 d-----w- C:\NVIDIA
2009-11-02 03:03:12 33128 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-02 03:03:12 241688 ----a-w- c:\windows\system32\guard64.dll
2009-11-02 03:03:12 179792 ----a-w- c:\windows\syswow64\guard32.dll
2009-11-02 03:03:12 117064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-02 03:03:12 0 d-----w- c:\programdata\Comodo
2009-11-02 03:02:52 0 d-----w- c:\program files\COMODO
2009-11-02 02:42:31 238960 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-09-29 18:06:16 123200 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-09-29 18:03:00 136584 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 17:56:36 144824 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-27 23:24:22 3778664 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 23:23:00 4546152 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 23:23:00 3746920 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 23:23:00 289896 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 23:23:00 1647720 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 23:23:00 1646696 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 23:22:00 991848 ----a-w- c:\windows\system32\nvsvc64.dll
2009-09-27 23:22:00 82536 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 23:22:00 5426792 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 23:22:00 5208168 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 23:22:00 383592 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 23:22:00 244840 ----a-w- c:\windows\system32\nvshext.dll
2009-09-27 23:22:00 16666728 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-04 18:18:40 470256 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-08-14 18:36:18 70936 ----a-w- c:\windows\syswow64\PhysXLoader.dll
2009-04-22 09:52:01 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-04-22 09:52:01 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-04-22 09:52:01 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-04-22 09:52:01 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-04-22 09:08:55 174 --sha-w- c:\program files\desktop.ini
2009-04-22 09:08:55 174 --sha-w- c:\program files (x86)\desktop.ini
2009-04-22 05:05:25 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-04-22 05:05:25 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-04-22 05:05:24 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-04-22 05:05:24 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-27 04:24:11 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-04-22 09:27:16 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-04-22 09:09:34 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-22 09:09:34 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-22 09:09:34 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-22 05:38:46 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_be69c16d5d28757a\WinMail.exe
2009-04-22 05:19:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe

============= FINISH: 0:35:24.70 ===============

Update:

I ran HJT a few minutes ago and noticed something strange. At the top of the log (under "Running Processes") it shows the line "C:\Program Files (x86)\Mozilla Firefox\firefox.exe". The odd thing is Firefox was definitely NOT running at the time. I exited HJT and checked by Task Manager and Process Explorer to verify, then reran HJT just to double check. The entry is still there. Is this a bad indication?

PS) I didn't post the HJT log as I didn't want to break forum etiquette. Can do so if requested.

Thanks.

If all you can run is the DDS scan then go ahead and post it with an explanation that it is all that you could get to work

You have a DDS [which shouldn't be posted here either] there is no need for a HJT log

Try this scan and include it in your HJT post


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

• This tool will create a diagnostic report
  
• Double-click on Win32kDiag.exe to run and let it finish.
  
• When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  
• A file called Win32kDiag.txt should be created on your Desktop.
  
• Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

Thank you for the reply.

I re-posted in the HJT forum and added the Win32kDiag log.

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic269714.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom