Here is the ComboFix log:
ComboFix 09-12-21.04 - David Craggs 22/12/2009 9:47.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1579 [GMT 0:00]
Running from: c:\documents and settings\David Craggs\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\David Craggs\Favorites\games.url
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Alcmtr.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sessmgr.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_UNPR
-------\Service_npf
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.
2009-12-22 00:53 . 2009-12-22 00:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-21 22:40 . 2009-12-21 22:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-21 22:39 . 2009-12-21 22:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:35 . 2009-12-21 22:35 -------- d-sh--w- c:\documents and settings\David Craggs\IETldCache
2009-12-21 21:50 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 21:50 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 21:50 . 2009-12-21 21:50 -------- d-----w- c:\windows\ie8updates
2009-12-21 21:49 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 21:47 . 2009-12-21 21:49 -------- dc-h--w- c:\windows\ie8
2009-12-21 21:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-21 20:36 . 2009-12-21 20:36 -------- d-----w- C:\_OTS
2009-12-20 18:47 . 2009-12-20 18:47 -------- d-----w- c:\program files\MSECACHE
2009-12-20 14:02 . 2009-12-20 14:02 -------- d-----w- c:\program files\ESET
2009-12-20 13:34 . 2009-12-20 13:34 -------- d-----w- C:\_OTM
2009-12-20 13:32 . 2009-12-20 13:32 -------- d-----w- c:\program files\ERUNT
2009-12-20 12:21 . 2009-12-20 12:21 -------- d-----w- C:\rsit
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Malwarebytes
2009-12-20 11:15 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 11:15 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:43 . 2009-12-19 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-19 13:43 . 2009-12-19 13:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-15 06:03 . 2009-12-15 06:03 -------- d-----w- c:\program files\Trend Micro
2009-12-15 05:29 . 2009-12-15 05:29 0 ----a-w- c:\windows\Vzevineputehob.bin
2009-12-15 05:29 . 2009-12-15 14:46 120 ----a-w- c:\windows\Adobaf.dat
2009-12-15 03:16 . 2009-12-15 03:16 104 ----a-w- c:\documents and settings\David Craggs\409993625.BAT
2009-11-22 16:39 . 2009-11-22 16:39 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Nvu
2009-11-22 16:39 . 2009-11-22 16:39 -------- d-----w- c:\program files\Nvu
2009-11-22 16:38 . 2009-11-22 16:38 -------- d-----w- c:\documents and settings\David Craggs\Local Settings\Application Data\WMTools Downloaded Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 15:02 . 2009-12-18 15:02 1 ----a-w- c:\documents and settings\David Craggs\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-17 09:47 . 2008-02-21 22:42 -------- d-----w- c:\program files\McAfee
2009-12-15 17:47 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-15 03:15 . 2009-12-15 03:15 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-12-12 18:59 . 2009-06-15 14:35 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Spotify
2009-12-06 06:08 . 2008-02-21 22:18 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-12-01 20:31 . 2008-02-21 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 00:01 . 2009-09-16 00:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 10:32 . 2009-11-16 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-11-16 07:22 . 2008-02-21 23:20 34640 ----a-w- c:\documents and settings\David Craggs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-15 19:25 . 2009-11-15 19:25 -------- d-----w- c:\documents and settings\David Craggs\Application Data\OpenOffice.org
2009-11-15 19:14 . 2009-11-15 19:14 -------- d-----w- c:\program files\JRE
2009-11-15 19:14 . 2009-11-15 19:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-15 19:14 . 2008-12-01 20:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-15 19:14 . 2008-05-08 10:18 -------- d-----w- c:\program files\Java
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-14 20:23 . 2009-10-14 20:23 135 ----a-w- c:\documents and settings\David Craggs\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-05 10:32 . 2009-10-05 10:32 30464 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-04 08:10 . 2009-10-04 08:10 152576 ----a-w- c:\documents and settings\David Craggs\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\David Craggs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Steam"="d:\steam\steam.exe" [2009-11-12 1217808]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\David Craggs\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-06 17:22 1843200 ------r- c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GSv2SVC"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"d:\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"d:\\Microsoft Games\\Age of Empires III\\age3.exe"=
"d:\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\EA Games\\Red Alert 3\\Data\\ra3_1.6.game"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\gamemd.exe"=
"d:\\EA Games\\Red Alert 3\\Data\\ra3_1.10.game"=
"c:\\Documents and Settings\\David Craggs\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"d:\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\Game.exe"=
"d:\\Spotify\\spotify.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\Steam\\SteamApps\\common\\eve online\\eve.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [15/09/2009 17:41 93320]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [04/03/2009 14:52 202016]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [19/12/2007 17:53 37376]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [01/07/2008 15:48 41025]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) =
hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\David Craggs\Application Data\Mozilla\Firefox\Profiles\19pq91zp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\David Craggs\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - e:\divx\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - e:\divx\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - e:\divx\DivXPlayerUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - e:\divx\DivXConverterUninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - e:\divx\DivXWebPlayerUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-12-22 09:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC12662]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-854245398-1770027372-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:6e,21,f5,3e,13,2c,cc,2b,05,90,04,c8,a5,73,c5,55,7b,a9,55,12,44,
de,41,61,57,8b,74,4b,82,f8,51,a0,4b,89,83,51,1b,9c,e0,0b,80,aa,e3,86,a9,ca,\
"rkeysecu"=hex:6c,40,94,d9,3b,b6,cf,97,f7,e2,6e,8c,dd,1a,45,d1
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(596)
c:\windows\system32\WININET.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\mmfinfo.dll
c:\windows\system32\mkunicode.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2009-12-22 09:58:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 09:58
Pre-Run: 15,846,215,680 bytes free
Post-Run: 15,796,834,304 bytes free
- - End Of File - - 2E77EFCCCEEC1C221F77553DFD0380A3
============================================================================================
P.S. The McAfee warnings about trojans being saved in a temp file and being blocked every 5 mins have stopped (just for a bit of extra information).