Spoof Paypal e-mail. Am I infected??
Tatty_
Posts: 1,788 Forumite
in Techie Stuff
Can anybody help with this?
Last night my OH rec'd an e-mail from what he thought was Paypal. It said 'Your access has been limited' and it had been placed in his Hotmail Junk folder. When he clicked on 'show content' to determine whether it was safe or not, there was only a blank screen with a little grey box, which if you hovered on showed a static IP address with some other info containing 'error....co.th' rather than .co.uk. He did not click on any link.
When I saw this I thought it looked well dodgy, so he closed Hotmail and went to Paypal. Everything looked normal, with no mention of any access being limited. He decided to forward the email to PP as they request on their website, and I decided to run Malwarebytes just in case.
The Quickscan came back ok and I didn't think any more of it until I was about to log off myself. (I have had a new lappy for 2mths as my previous one had to go back. It came with 1yr McAfee preinstalled and I have been happy with that, supplemented with Malwarebytes). For the first time ever McAfee jumped up with a warning that something was attempting a registry change and asking for my permission. When I clicked on details, it said this: systemguard: windows protocols, Program: google toolbar manager, Location: c\prog files\google\googletoolbar\component\googletoolbarmanager_BDA1448D3D255554.exe
Well, I panicked thinking of the e-mail :eek: I disallowed the change, updated Malwarebytes again and ran a full scan which took 1hr 40m but came back clear. Do you think that everything is ok or could I still be infected?
BTW PP responded last night with a standard email just saying that the e-mail forwarded was a phishing attempt and thank you for passing it on. I don't know whether they just send this to everyone who forwards one of these or if they had really looked at it.
Comments
You just received a random phishing email which lots of people get whether or not they have an account - nothing to do with infections. And I'm sure you get a standard response or they would have to employ large numbers of additional staff.
Ok, but hotmail says that when you show blocked content it could be harmful to your computer, and it was downloading something but then showed a blank screen

If the registry change hadn't come up, I would probably be ok. But this has never happened before, and to happen the same night is a pretty big coincidence?
If the registry message comes up again (which it prob will as I didn't tick 'remember my answer'), should I allow it? I had thoughts of something being downloaded by the e-mail earlier and then trying to change a registry key. I'm sorry if I've got a vivid imagination but I just don't understand these techie things :-(
I don't think the 2 are related, but the google exe file does look very dodgy.
I'd suggest updating and running a FULL scan with Malwarebytes and posting a HijackThis log :idea:
Thanks aliEnRIK,
Here's a copy of the Hijack log. I updated and ran a full Malwarebytes scan this morning. It didn't find anything.
K x
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:05, on 24/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2090106
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2090106
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O4 - Global Startup: Update Agent.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O18 - Filter: x-sdch - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0211191240514338) (0211191240514338mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\021119~1.EXE
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8678 bytes
What did mcafee do with the google file?
TICK these in hijack then FIX them ~
O4 - Global Startup: Update Agent.lnk = ?
O18 - Filter: x-sdch - (no CLSID) - (no file)
Please run COMBOFIX
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') :idea:
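As an added example (not code from the thread, from HijackThis or from any of its authors), a small Python triage script that applies the rules used in the reply above, an autostart target of "= ?" and an O18 filter with no CLSID and no file, to lines copied from the posted log, and separately lists the persistence points (AppInit_DLLs, Winlogon Notify, services with an unknown owner) that a responder would check rather than remove.

```python
"""Triage helper for Trend Micro HijackThis logs (added example, not from the thread).

Orphaned entries (an O4 shortcut whose target is "?", an O18 filter with no
CLSID / no file) are flagged as safe to tick and fix. AppInit_DLLs, Winlogon
Notify packages and services with an unknown owner are listed for review only.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted in this thread,
# mixed with benign ones so the script has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O4 - Global Startup: Update Agent.lnk = ?
O18 - Filter: x-sdch - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# HijackThis entries start with a section tag such as O4, O18, R1 or F2.
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    fix: bool      # True: orphaned entry, safe to tick and "Fix checked"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry worth attention, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, running-process list, blank lines
        section, body = m.group(1), m.group(2).rstrip()
        if section == "O4" and body.endswith("= ?"):
            findings.append(Finding(section, True, "autostart shortcut whose target no longer resolves", raw))
        elif "(no CLSID)" in body or "(no file)" in body:
            findings.append(Finding(section, True, "orphaned entry: CLSID or backing file is missing", raw))
        elif section == "O20":
            # AppInit_DLLs load into most GUI processes; Winlogon Notify
            # packages run at logon. Verify the DLL's publisher before acting.
            findings.append(Finding(section, False, "DLL loaded at logon or into many processes", raw))
        elif section == "O23" and "Unknown owner" in body:
            # Common for OEM services; worth confirming the binary's signer.
            findings.append(Finding(section, False, "service binary without a recognised publisher", raw))
    return findings


def fix_candidates(log_text: str) -> list[str]:
    """Lines a responder would tell the poster to tick and fix."""
    return [f.line for f in triage(log_text) if f.fix]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "FIX   " if f.fix else "REVIEW"
        print(f"{tag} {f.section:<4} {f.reason}\n        {f.line}")
```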
A McAfee warning popped up and I had to agree or decline the change. I declined it, so I don't know what it did with it after that.
I clicked fix on those 2 items in Hijack and it asked me to ok it, after I said yes the page went blank and it took me back to the scan page. It didn't confirm that they had been deleted. Is that right?
I'll run Combofix now.
k
That's fine ~ no worries :idea:
Copy of ComboFix
K
ComboFix 09-04-24.01 - Karrie 24/04/2009 15:35.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3061.1726 [GMT 1:00]
Running from: c:\users\Karrie\Downloads\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.
2009-04-15 14:35 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 14:35 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-15 14:35 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-07 22:56 . 2009-04-07 22:56 d-----w c:\users\Karrie\AppData\Roaming\Malwarebytes
2009-04-07 22:56 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-07 22:56 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 22:56 . 2009-04-07 22:56 d-----w c:\users\All Users\Malwarebytes
2009-04-07 22:56 . 2009-04-07 22:56 d-----w c:\programdata\Malwarebytes
2009-04-01 00:17 . 2009-04-01 00:21 d-----w c:\users\Karrie\AppData\Local\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 13:18 . 2009-04-24 13:18 d-----w c:\program files\Trend Micro
2009-04-23 19:18 . 2009-01-06 13:21 d-----w c:\program files\McAfee
2009-04-15 14:40 . 2006-11-02 11:18 d-----w c:\program files\Windows Mail
2009-04-07 22:56 . 2009-04-07 22:56 d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 11:06 . 2009-03-20 22:44 5972 ----a-w c:\users\Karrie\AppData\Local\d3d9caps.dat
2009-03-25 10:06 . 2009-01-06 13:22 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2009-01-06 13:22 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2009-01-06 13:22 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2009-01-06 13:22 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2009-01-06 13:22 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-18 12:14 . 2009-01-06 13:21 d-----w c:\programdata\McAfee
2009-03-17 03:38 . 2009-04-15 14:32 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 14:32 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 14:32 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-07 19:21 . 2009-01-06 13:26 d-----w c:\programdata\Dell
2009-03-04 18:06 . 2009-03-04 18:06 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-04 18:06 . 2009-03-04 18:05 d-----w c:\programdata\Birdstep Technology
2009-03-04 18:05 . 2009-03-04 18:05 d-----w c:\users\Karrie\AppData\Roaming\Birdstep Technology
2009-03-04 18:04 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-03-04 18:04 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-03-04 18:04 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-03-04 18:04 . 2009-03-04 18:04 d-----w c:\program files\Huawei Modems
2009-03-04 18:04 . 2009-03-04 18:04 69361 ----a-w c:\windows\Huawei ModemsUninstall.exe
2009-03-04 18:04 . 2009-03-04 18:04 d-----w c:\program files\3
2009-03-04 18:04 . 2009-01-06 13:08
d--h--w c:\program files\InstallShield Installation Information
2009-03-04 18:03 . 2009-01-06 13:08 d-----w c:\program files\Common Files\InstallShield
2009-03-04 17:20 . 2009-03-04 17:20 d-----w c:\users\Karrie\AppData\Roaming\Dell
2009-03-04 17:20 . 2009-03-04 17:20 65800 ----a-w c:\users\Karrie\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Templates
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Start Menu
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Favorites
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Documents
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Desktop
2009-03-04 17:16 . 2009-03-04 17:16
d-sh--w c:\programdata\Application Data
2009-03-03 04:46 . 2009-04-15 14:32 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 14:32 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 14:31 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-15 14:32 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 14:32 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 14:32 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 14:31 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 14:32 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 14:32 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-15 14:32 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 14:32 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 14:32 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-15 14:31 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-02-13 08:49 . 2009-04-15 14:32 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-15 14:32 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 00:17 2033152 ----a-w c:\windows\System32\win32k.sys
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-01-06 21:34 . 2009-01-06 21:32 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-06 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-06 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-11-03 1745648]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
c:\users\Karrie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-1-6 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-06 13:29 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9A0C3247-63D0-4C23-9767-0368D97EBC6A}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{A99A5633-5015-4764-97B3-5DB8C3735B34}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CA2C7854-4813-42CB-A889-2F2DEF600164}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{49C4CB37-6121-4B46-B129-6DAD1607E18D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{C4499389-7908-4CD7-AAD0-0AD31F384534}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 0211191240514338mcinstcleanup;McAfee Application Installer Cleanup (0211191240514338); [x]
R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-06 30192]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ce7067-0cba-11de-8bff-0023ae097506}]
\shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ce7068-0cba-11de-8bff-0023ae097506}]
\shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{762cd610-0dab-11de-9db3-0023ae097506}]
\shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{762cd612-0dab-11de-9db3-0023ae097506}]
\shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13fb38a-08df-11de-ba71-00234d945f0f}]
\shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13fb3a2-08df-11de-ba71-00234d945f0f}]
\shell\AutoRun\command - G:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-18 10:53]
2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-18 10:53]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2090106
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
FF - ProfilePath - c:\users\Karrie\AppData\Roaming\Mozilla\Firefox\Profiles\tlgcdonb.default\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 15:38
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-04-24 15:39
ComboFix-quarantined-files.txt 2009-04-24 14:39
Pre-Run: 200,753,586,176 bytes free
Post-Run: 200,266,039,296 bytes free
189 --- E O F --- 2009-04-15 14:40
Oh btw, my M (McAfee) in my system tray (is it system tray, bottom right?) has disappeared.
How do I get it back?
When I was looking for it lol, I found a log of the requested registry change re the google file:
Rule Type: Registry
Process: C:\Program Files\Google\Google Taskbar\Component\GoogleToolbarManager_BDA1448D3D255554.exe
Process Description: Google Toolbar Manager
Process publisher: Google Inc
Process version: 6, 1, 1518, 856
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\x-sdch\CLSID'HKEY_LOCAL_MACHINE\CLSID\{B1759355-3EEC-4C 1E-BOF1-B719FE26E377}\InProcServer32C:\Program Files\Google\GoogleToolbar\Component\fastsearch_A8904FB862BD9564.dll
This looks legit, doesn't it?
It's the notification area, and I've got my M back! lol:j
K x