My pstars account was accessed by someone else. Norton and Spybot found nothing. Help

08-11-2008 , 07:51 PM
A couple of things could have happened. One of the scanners could have taken care of it without you noticing, etc. You may want to check your AV logs and see. Also, some AV applications can become corrupted or even have their definitions list modified or blocked by certain malware, which could be another, although unlikely, possible explanation.

That's the reason why I advised trying a totally new and separate application that has great detection. If you don't want to try Kaspersky specifically because you have to shut down Zone Alarm, then you may want to try Panda's ActiveScan or TrendMicro's Housecall. It's all up to you.
08-11-2008 , 09:19 PM
Have you followed those steps to remove the registry start up entries?

You're not hallucinating, I'm almost positive you've found the culprit.
08-11-2008 , 10:06 PM
I followed the steps to open up my registry settings... but the line I'm supposed to delete was not present in any of the folders.

There is a similar registry entry - nvcpl.dll - but I'm pretty sure this is a legitimate entry for my graphics card.

The only other entry I came across that I didn't recognize was dwtrig20.exe but when I google it I don't get any results about it being bad. And the file was created/last modified March 13, 2007.


Is it possible that someone was monitoring my keystrokes in realtime and did.... something? .... when they realized I'd found their virus?
08-11-2008 , 10:23 PM
The Panda ActiveScan has found two infected files in my Documents and Settings folder. It will be a while yet before it finishes and tells me what they are, though.
08-11-2008 , 11:25 PM
It's definitely possible, although I doubt it. While it could do this, the chances are relatively slim that that whole scenario would occur. Keep us updated on the Panda scan. I'll be interested to see if it finds anything besides simple tracking cookies. If it does, you may want to post a fresh HijackThis log as well so we can take a look if anything is still lingering or has regenerated.
08-11-2008 , 11:53 PM
The first two files it found were just cookies.

It identified a third file that it claims is a virus: digstream.exe

I'm not sure if this is actually a problem though because it was created May 29, 2007 (last year, not this year) which was when my computer was reformatted due to a massive failure in the boot sector. So it was created when everything was getting reloaded.

It says it's copyrighted by Disney and when I google it, I get several results saying it's something from ESPN (Disney owns ESPN).

Panda just says it's general malware and lists it as being less dangerous than those cookies it found.
08-12-2008 , 02:20 AM
That digstream is more than likely safe. If you'd like other opinions on it, though, you can upload it to www.virustotal.com


After you saw the virus in question in your task manager, did you run any scans and fix anything?

Also, have you read through what it can do? It said it performs backdoor actions and self terminates itself, I have no doubt that it could allow someone to steal your passwords.
08-12-2008 , 03:27 AM
No, I did nothing. I was glancing through the various results on google to make sure it was safe to go ahead and end the process. Before I actually did anything, it was gone.

I read through the stuff and I've changed passwords on my important stuff with my laptop again and changed them all to a different email account.

At this point I think it would be quicker and better for my peace of mind to simply back up anything I want to save and then just reformat.
08-12-2008 , 03:46 AM
I wouldn't have any problem with that if you have the ability to reformat. It seems like a nasty piece of malware, and I'm not really sure why we can't find it on your system. If you're certain you saw it in your task manager, then it disappeared and you didn't delete it or remove it with a scanner, it's obviously avoiding detection somehow.

A reformat is probably a good idea. You also should probably check out all the specifics on that virus to try to figure out how you got infected, and how to avoid future infections.
08-12-2008 , 04:34 AM
OK, I'm pretty sure something bad is happening and it's not just me being forgetful.

I was logged into stars on my desktop when I first suspected a problem, so I left my computer on overnight to block out any remote logins. Just now I closed that down and tried to login from my laptop in order to change the password. I tried the two most likely passwords each twice and failed all four times. Rather than waste more time guessing, I reset the password (to my clean email account) and logged in right away.

I am nearly 100% sure that the passwords I was trying should have been correct for either the email or the stars account, and possibly both. I had logged into each of them several times after changing the passwords.
08-12-2008 , 04:56 AM
Are you saying you don't remember your passwords or what? You might want to write them down so you can remember them.

Are you still going to reformat?

Are you sure your laptop is clean?

Are you sure it's not stars blocking your login because it's from a different computer?
08-12-2008 , 06:04 AM
I'm saying I think someone reset my stars' password. I was a little bit uncertain about the email password because several days had gone by without using it, but I just logged into stars yesterday afternoon on the first try.

The problem was never that I might have forgotten a password, the problem was I created multiple new passwords for stuff last week and sometimes got mixed up about which one went with which account. And this was really only an issue with my two email accounts and my stars account because I changed them all at the same time. So when I'm trying multiple passwords that I'm sure I used for those three things and they all fail, something has to be wrong.

I started scanning my laptop earlier and SuperAntiSpyware found only ad cookies. MBAM should be done soon and it has found nothing yet. Up until the past two weeks the only time I'd used my laptop at all lately was just for 2p2/irc/email while I was out of town for a week... so I'd be really surprised if it somehow got infected during that time. I was on some public networks though so maybe that could have done it? But nothing is showing up...
08-12-2008 , 07:38 AM
OK, MBAM found something on my laptop, but I THINK it's a false positive.

Some time ago I bought a game called Casino, Inc. It is published by Konami and googling it brings up no mentions of any malware associated with it or anything so I don't really see how it could be a problem... but anyway I've had a random urge to play it on occasion. I installed it on my laptop on May 29, 2007 and played it a couple days and then did nothing until June 20 of this year. I tried to install it on my desktop but it failed to run, so I gave up and played it for a few minutes on the laptop before getting sick of it.

On each computer, MBAM has identified CmdLineExt02.dll as a trojan agent and from looking at its creation and last modified dates, I've realized it comes from Casino Inc.

Also, one of the scanners (I forget which one) has flagged some other stuff from Casino Inc... but for the description, it just said something about Golden Palace Casino so I didn't even bother mentioning it because the combination of a) a reputable publisher b) nothing in google c) not accurately labeled as any sort of threat ... made me think there was pretty much no chance of it actually being a real problem.

I actually uninstalled the game from my desktop earlier today since it didn't work anyway and was just cluttering up my error reports.

Right now I'm waiting to hear from hotmail and stars security to see what they can tell me.
08-12-2008 , 09:36 AM
OK, I am sorry for leading everyone on a wild goose chase. I've made a fool of myself. Stars tells me that there was no other password reset other than the one I just did, and while lying awake in bed I suddenly remembered what my email password was (I had the letters right but was using the wrong numbers). And now that I've figured that out, I remember what my Stars password must have been as well (which was the next thing in line that I would have tried, but I panicked and just reset it instead of trying anything else).

This still does not explain what I saw in my task manager. And on that front, I've rebooted my computer and nvsvc32.exe is running in my task manager. This is confusing because I don't remember it being there before, yet it's actually legitimate (it's what nvsc32.exe tries to imitate). nvsvc32.exe is something for the nvidia graphics card driver, which is what I have.

I will be quite annoyed that it turns out that what happened was that I mistyped it into google, and then ended the process, and then 20 seconds later forgot that I had ended it, and went back to do it again. I ended the process just now to see what would happen, and my graphics still work fine. So, as improbable as it seems, I'm afraid the most likely explanation for what has transpired has just been my own idiocy.

Thank you for all your time that you've spent on this.
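The name confusion described in the post above (nvsvc32.exe being the genuine NVIDIA driver process, nvsc32.exe a name that imitates it) can be checked mechanically rather than by eye. The following is an added example, not part of the original thread: it flags process names within a small edit distance of a known-good name. The allow-list, the distance threshold and the sample process list are assumptions constructed for illustration.

```python
# Added example: flag process names that closely resemble, but do not equal,
# a known-good executable name (e.g. "nvsc32.exe" vs "nvsvc32.exe").

# Assumed allow-list: the NVIDIA service named in the thread plus a few
# standard Windows process names.
KNOWN_GOOD = {"nvsvc32.exe", "svchost.exe", "explorer.exe", "lsass.exe"}


def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(process_names, known_good=KNOWN_GOOD, max_distance=2):
    """Return sorted (observed, imitated, distance) for near-miss names."""
    hits = []
    for raw in process_names:
        name = raw.strip().lower()   # Windows file names are case-insensitive
        if name in known_good:
            continue                 # exact match: not a lookalike by name
        # Closest known-good name; ties broken alphabetically for stable output.
        best = min(known_good, key=lambda g: (edit_distance(name, g), g))
        dist = edit_distance(name, best)
        if dist <= max_distance:
            hits.append((name, best, dist))
    return sorted(hits)


# Constructed sample, mixing names mentioned in the thread with one made-up
# lookalike ("svch0st.exe"); this is not a real process listing.
SAMPLE_PROCESSES = ["explorer.exe", "nvsvc32.exe", "nvsc32.exe",
                    "dwtrig20.exe", "digstream.exe", "svch0st.exe"]

if __name__ == "__main__":
    for observed, imitated, dist in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{observed}: resembles {imitated} (edit distance {dist})")
```

An exact name match only means the name is consistent with the legitimate file; confirming it still requires checking the file's path and publisher signature.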
08-12-2008 , 09:42 AM
I think that is your best route here. Try to narrow down the issue. Stars support should help you out here and let you know who has logged in and when your password has been changed. It's probably a good idea to uninstall that software even though it is likely a false positive. At this point, with all of your multiple scans and our manual checks, it seems very unlikely that you are still infected. With that said, a reformat can't hurt. However, if the problem lies elsewhere, you will still be having issues. Keep us updated on what stars and hotmail say, because I doubt you still have malware, especially some that is hiding and still giving an attacker control. Maybe they know the majority of your personal information already and are using it to gain access to your accounts? Or maybe you are just having some password issues... I guess we'll see when stars support gets back to you.
08-12-2008 , 11:14 PM
Get 1password or password safe if you have so much trouble remembering passwords, or just get a notebook and use that.
09-12-2008 , 05:49 PM
Unanswered question: did someone attempt to/or actually login to his pstars account from Poland?