Here's my issue: I received an email at 11:32pm last night that one of my game accounts had the password changed. At 11:33pm, I got a second email stating the email had been changed. This would make some worried about cracking, but my passwords, with my history, are such that most crackers don't even support all of the characters used in my passwords. This makes me immediately suspect an infection.
Since OTS seemed to be the litmus test here, I decided to give it a go... quite happy with myself for including MD5s after finding these lines...
In Driver Services - Safe List:
64bit-(1394ohci) [55ZAD][1394 ÒΉ€Ĭ Ćômρĺιåйт Ηо§ţ Сőηтřōŀľзг !!! !!! !] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\1394ohci.sys -> [2009/05/08 02:15:17 | 00,227,840 | ---- | M | MD5 = E721E5299941F477C8E1CFF4C6888BEC] (Microsoft Corporation)
64bit-(AcpiPmi) [3bzGy][ǺĊΡĨ Ρōώёѓ Мėτėř Ďґîνèґ !!! !!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\acpipmi.sys -> [2009/05/08 01:23:42 | 00,012,288 | ---- | M | MD5 = 58CA773E1FEFB0A0B861D693A0C1AB77] (Microsoft Corporation)
64bit-(AmdPPM) [RVdHv][ΆΜĐ Ρŕǿč℮ѕśöг Đґįνёŗ !!! !] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\amdppm.sys -> [2009/05/08 01:15:43 | 00,060,928 | ---- | M | MD5 = 3A03F58575A245FA1DC2330EA594D211] (Microsoft Corporation)
64bit-(b06bdrv) [OjgyY][βѓöąðçοm Ņ℮ťХťŗěмё ÍΊ VВĎ !!! !!!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\bxvbda.sys -> [2009/03/13 21:53:23 | 00,468,480 | ---- | M | MD5 = 3E5B191307609F7514148C6832BB0842] (Broadcom Corporation)
64bit-(b57nd60a) [5RuQo][Ъŗőăďčοm ∏ěτΧţяέm℮ Ĝīĝάъίť Ěţħēяňєτ - ŅĎĬЅ 6.0 !!! !!! !!! !] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\b57nd60a.sys -> [2009/03/06 00:10:45 | 00,270,848 | ---- | M | MD5 = 8D0E71D842F3E4C58FBFC8E1DFA4ACE1] (Broadcom Corporation)
64bit-(CmBatt) [JOL8J][Microsoft ÀĊРΪ Сόлŧґőĺ Мĕτћοď ЬãŧťéѓУ Ðѓινèґ !!! !!! !!! ] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\CmBatt.sys -> [2009/05/08 01:28:13 | 00,017,664 | ---- | M | MD5 = 8A10D53AC69C5B16095F6D19A22532EC] (Microsoft Corporation)
64bit-(ebdrv) [0eHuo][Вŗòãð¢ôm ИзŧΧτяéмέ Ìİ 10 ĢίġĖ VЪÐ !!! !!! !] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\evbda.sys -> [2009/02/03 22:05:46 | 03,286,016 | ---- | M | MD5 = DC5D737F51BE844D8C82C695EB17372F] (Broadcom Corporation)
64bit-(HidBatt) [cs02b][ΉĨÐ ŨÞŚ Ьąτťэřŷ Đŕìνėř !!! !!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\HidBatt.sys -> [2009/05/08 01:28:16 | 00,026,624 | ---- | M | MD5 = 8D24DE30D2F0D356B303D5BC7E531BCD] (Microsoft Corporation)
64bit-(MTConfig) [nag6I][Мīćřбšбƒτ Ìŋрμτ Ćοиƒïġűŗąтϊбπ Đґίνεґ !!! !!! !!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\MTConfig.sys -> [2009/05/08 02:08:36 | 00,015,360 | ---- | M | MD5 = B8317FE40FD000404CCCA952500E7B6A] (Microsoft Corporation)
64bit-(UmPass) [pEQ7u][Μįċѓòśθƒт ŪМΡаśś Ðяĭνеѓ !!! !!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\umpass.sys -> [2009/05/08 02:14:58 | 00,009,728 | ---- | M | MD5 = 49385D7EEB222EF770768B4BECA58CAC] (Microsoft Corporation)
If anyone has the same build, from a reputable source, would you be kind enough to check and post the MD5 hash of these files?
Other than these, everything else looks perfectly normal and acceptable with nothing showing odd names, locations, or timestamps, and all of my recently modified and new files are as they should be. No funky services or processes running visibly. Nothing new installed that I didn't build myself. My only new programs in the last 2 weeks were Blender and Filezilla, both built from snapshot source, libraries for building obtained from official repos.
Edit: No, my display name is not in 'leetspeak'. It is a person from history. It is also spelled correctly.
Edited by Þornbjörg, 12 October 2009 - 03:46 AM.
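The check the post is asking for (compare the MD5 and size recorded in the OTS driver lines against the file on disk, and against hashes someone else posts from a known-good build) written out as an added example; this is not code from the original post or from OTS. The regex field names are my own labels for the columns visible in the log, the two sample lines are copied from the log above, and the "reference" dictionary is a constructed stand-in for the hashes another user would post.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two lines from the OTS "Driver Services - Safe List" above, used as sample input.
SAMPLE_LINES = [
    r"64bit-(1394ohci) [55ZAD][1394 ÒΉ€Ĭ Ćômρĺιåйт Ηо§ţ Сőηтřōŀľзг !!! !!! !] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\1394ohci.sys -> [2009/05/08 02:15:17 | 00,227,840 | ---- | M | MD5 = E721E5299941F477C8E1CFF4C6888BEC] (Microsoft Corporation)",
    r"64bit-(b06bdrv) [OjgyY][βѓöąðçοm Ņ℮ťХťŗěмё ÍΊ VВĎ !!! !!!] [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\bxvbda.sys -> [2009/03/13 21:53:23 | 00,468,480 | ---- | M | MD5 = 3E5B191307609F7514148C6832BB0842] (Broadcom Corporation)",
]

# One OTS driver-service line. Group names are my own labels (assumption), not OTS terms.
OTS_DRIVER_RE = re.compile(
    r"^(?P<arch>\w+)-\((?P<service>[^)]+)\)\s+"            # 64bit-(1394ohci)
    r"\[[^\]]*\]\[(?P<desc>[^\]]*)\]\s+"                    # [55ZAD][display name]
    r"\[(?P<state>[^\]]*)\]\s+->\s+"                        # [Kernel | On_Demand | Stopped]
    r"(?P<path>.+?)\s+->\s+\["                               # C:\...\1394ohci.sys ->
    r"(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^|]*\|[^|]*\|"  # timestamp | size | attrs | M |
    r"\s*MD5 = (?P<md5>[0-9A-Fa-f]{32})\]\s+"               # MD5 = ...]
    r"\((?P<vendor>[^)]*)\)\s*$"                             # (Microsoft Corporation)
)


@dataclass
class DriverRecord:
    service: str
    description: str
    path: str
    size: int
    md5: str
    vendor: str


def parse_ots_driver_line(line: str) -> Optional[DriverRecord]:
    """Return a DriverRecord for one OTS driver line, or None if the line has another shape."""
    m = OTS_DRIVER_RE.match(line.strip())
    if not m:
        return None
    return DriverRecord(
        service=m["service"],
        description=m["desc"],
        path=m["path"],
        size=int(m["size"].replace(",", "")),   # "00,227,840" -> 227840
        md5=m["md5"].upper(),
        vendor=m["vendor"].strip(),
    )


def native_path(path: str) -> str:
    """SysNative is the alias a 32-bit process uses for the 64-bit System32 directory.
    A 64-bit process (e.g. 64-bit Python) must open System32 directly instead."""
    return re.sub(r"\\SysNative\\", r"\\System32\\", path, flags=re.IGNORECASE)


def _verdict(actual_md5: str, actual_size: int, expected_md5: str, expected_size: int) -> str:
    if actual_size != expected_size:
        return "size_mismatch"
    if actual_md5.upper() != expected_md5.upper():
        return "hash_mismatch"
    return "match"


def check_bytes(data: bytes, expected_md5: str, expected_size: int) -> str:
    """Compare in-memory content against the size and MD5 recorded in the log."""
    return _verdict(hashlib.md5(data).hexdigest(), len(data), expected_md5, expected_size)


def check_file(path: str, expected_md5: str, expected_size: int) -> str:
    """Stream the file on disk through MD5 and compare with the log entry."""
    if not os.path.isfile(path):
        return "missing"
    h, size = hashlib.md5(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return _verdict(h.hexdigest(), size, expected_md5, expected_size)


def compare_with_reference(records: List[DriverRecord], reference: Dict[str, str]) -> Dict[str, str]:
    """reference maps service name -> MD5 posted from a trusted machine (constructed here).
    Tells you whether the two machines hold identical files, nothing more."""
    out = {}
    for r in records:
        ref = reference.get(r.service)
        if ref is None:
            out[r.service] = "no_reference"
        elif ref.upper() == r.md5:
            out[r.service] = "same_as_reference"
        else:
            out[r.service] = "differs_from_reference"
    return out


if __name__ == "__main__":
    recs = [r for r in map(parse_ots_driver_line, SAMPLE_LINES) if r]
    for r in recs:
        print(r.service, r.vendor, r.md5, check_file(native_path(r.path), r.md5, r.size))
```

Identical hashes on two machines only prove the files are the same, not that they are legitimate, and MD5 is not collision-resistant; on Windows the authoritative check for a driver is its Authenticode signature (sigverif, or Get-AuthenticodeSignature in PowerShell), so treat the hash comparison as a quick first filter and the signature check as the real verdict.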