Hi Dan, I did not find yfmkwrbh.dll. Here is the ComboFix log:
ComboFix 08-04-03.5 - Nick 2008-04-07 20:36:48.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT 1:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\PSEXESVC.EXE
C:\WINDOWS\system32\Tools\Restart.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\cfivihuj
C:\WINDOWS\PSEXESVC.EXE
C:\WINDOWS\system32\Tools\Restart.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.
2008-04-06 09:56 . 2008-04-06 09:57 <DIR> d-------- C:\Program Files\Panda Security
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-04 22:44 . 2008-04-04 22:44 <DIR> d-------- C:\Program Files\CCleaner
2008-04-03 21:19 . 2008-04-03 21:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:54 . 2008-04-04 21:58 1,246 ---hs---- C:\WINDOWS\system32\rootoapd.ini
2008-03-18 18:49 . 2008-03-18 18:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-07 15:03 . 2008-03-07 15:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 15:03 . 2008-03-07 15:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 14:40 . 2008-03-07 14:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 14:40 . 2008-03-07 14:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 14:39 . 2008-03-07 14:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 14:39 . 2008-03-07 14:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 14:39 . 2008-03-07 14:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 14:39 . 2008-03-07 14:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 14:39 . 2008-03-07 14:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 14:39 . 2008-03-07 14:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 14:39 . 2008-03-07 14:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-07 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-07 16:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 17:00 --------- d-----w C:\Program Files\Minilyrics
2008-04-01 16:59 --------- d-----w C:\Program Files\Microsoft Games
2008-03-10 21:24 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-06 21:32 706 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 21:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 21:32 10,537 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-04 21:00 --------- d-----w C:\Program Files\Kontiki
2008-02-17 16:59 --------- d-----w C:\Program Files\Channel4
2008-02-17 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2007-03-20 07:43 0 -c--a-w C:\Documents and Settings\Tom\Application Data\wklnhst.dat
2007-03-18 19:59 0 -c--a-w C:\Documents and Settings\Nick\Application Data\wklnhst.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\nick\favorites\shop ----
2008-04-03 17:07 2023 --a--c--- c:\documents and settings\nick\favorites\shop\eBay UK.url
2008-03-24 13:27 242 --a--c--- c:\documents and settings\nick\favorites\shop\M and M.url
2008-03-22 21:34 389 --a------ c:\documents and settings\nick\favorites\shop\Halfords.url
2008-03-19 23:59 291 --a--c--- c:\documents and settings\nick\favorites\shop\Lidl Online.url
2008-02-29 16:24 236 --a--c--- c:\documents and settings\nick\favorites\shop\B&Q Online.url
2008-02-24 10:27 434 --a--c--- c:\documents and settings\nick\favorites\shop\Tesco.com.url
2008-02-18 19:09 1809 --a--c--- c:\documents and settings\nick\favorites\shop\ALDI UK.url
2008-02-10 13:16 275 --a--c--- c:\documents and settings\nick\favorites\shop\Dabs.com.url
2008-02-02 14:13 371 --a------ c:\documents and settings\nick\favorites\shop\Dixons.url
2007-08-27 15:26 238 --a--c--- c:\documents and settings\nick\favorites\shop\Play.com (UK).url
2007-08-26 08:41 183 --a--c--- c:\documents and settings\nick\favorites\shop\Co-op.co.uk.url
2007-08-26 08:39 498 --a--c--- c:\documents and settings\nick\favorites\shop\eBay Express.url
2007-07-06 17:22 243 --a--c--- c:\documents and settings\nick\favorites\shop\Firebox.com.url
2007-07-05 20:08 238 --a--c--- c:\documents and settings\nick\favorites\shop\Additions Direc.url
2007-05-14 19:16 114 --a--c--- c:\documents and settings\nick\favorites\shop\Askdirect.co.uk.url
2007-03-25 13:14 267 --a--c--- c:\documents and settings\nick\favorites\shop\Woolworths.url
2007-03-24 16:22 199 --a--c--- c:\documents and settings\nick\favorites\shop\7dayshop.com - Online Store.url
2007-03-13 17:56 345 --a--c--- c:\documents and settings\nick\favorites\shop\Ebuyer.com.url
2007-03-12 19:36 237 --a--c--- c:\documents and settings\nick\favorites\shop\Komplett.co.uk.url
2007-03-12 16:42 189 --a--c--- c:\documents and settings\nick\favorites\shop\Toys R Us.url
2007-03-12 16:34 238 --a--c--- c:\documents and settings\nick\favorites\shop\pcworld.co.uk.url
2007-03-12 16:29 211 --a--c--- c:\documents and settings\nick\favorites\shop\MFI.co.uk.url
2007-03-12 00:11 249 --a--c--- c:\documents and settings\nick\favorites\shop\Shopping.com.url
2007-02-15 16:44 414 --a--c--- c:\documents and settings\nick\favorites\shop\Amazon.co.uk.url
2004-02-26 22:25 183 --a--c--- c:\documents and settings\nick\favorites\shop\eXpansys.com.url
2004-02-10 22:31 178 --a--c--- c:\documents and settings\nick\favorites\shop\Choice Stationery Supplies Limited Online Catalogue.url
2004-01-16 12:20 202 --a--c--- c:\documents and settings\nick\favorites\shop\24-7 Electrical.url
2004-01-08 16:57 146 --a--c--- c:\documents and settings\nick\favorites\shop\Posternow.org.url
2003-11-30 21:18 285 --a--c--- c:\documents and settings\nick\favorites\shop\AllPosters.com.url
2003-10-30 15:35 354 --a--c--- c:\documents and settings\nick\favorites\shop\Currys.co.uk.url
2003-10-27 16:48 234 --a--c--- c:\documents and settings\nick\favorites\shop\Littlewoods Index.url
2003-10-15 14:18 148 --a--c--- c:\documents and settings\nick\favorites\shop\Compare prices online - UK delivery.url
2003-10-03 18:14 260 --a--c--- c:\documents and settings\nick\favorites\shop\Argos.co.uk.url
2003-07-04 17:40 608 --a--c--- c:\documents and settings\nick\favorites\shop\Simply Scuba - The UK's biggest online dive store!.url
2003-07-01 15:55 226 --a--c--- c:\documents and settings\nick\favorites\shop\Johnlewis.com.url
2003-07-01 15:02 256 --a--c--- c:\documents and settings\nick\favorites\shop\Comet.co.uk.url
2003-06-16 21:55 198 --a--c--- c:\documents and settings\nick\favorites\shop\Disney prints.url
2003-05-23 22:51 120 --a--c--- c:\documents and settings\nick\favorites\shop\Ikea.co.uk.url
2003-04-26 00:06 378 --a--c--- c:\documents and settings\nick\favorites\shop\Crucial.com.url
2003-03-24 17:45 146 --a--c--- c:\documents and settings\nick\favorites\shop\Robertsons-online.co.uk.url
2003-02-18 21:22 128 --a--c--- c:\documents and settings\nick\favorites\shop\Dealtime.co.uk.url
2003-02-09 18:00 150 --a--c--- c:\documents and settings\nick\favorites\shop\Thepriceguide.co.uk.url
2003-01-21 19:21 219 --a--c--- c:\documents and settings\nick\favorites\shop\Digitalfirst.co.uk.url
2003-01-12 23:20 278 --a--c--- c:\documents and settings\nick\favorites\shop\Sainsburys.com.url
2003-01-05 22:58 230 --a--c--- c:\documents and settings\nick\favorites\shop\Artrepublic.com.url
2003-01-03 18:20 224 --a--c--- c:\documents and settings\nick\favorites\shop\QXL.com.url
2002-12-03 17:55 126 --a--c--- c:\documents and settings\nick\favorites\shop\UKplaystation.com.url
2002-11-30 14:34 116 --a--c--- c:\documents and settings\nick\favorites\shop\Loot.com.url
2002-11-05 00:20 464 --a--c--- c:\documents and settings\nick\favorites\shop\My eBay.co.uk.url
2002-09-26 20:24 377 --a--c--- c:\documents and settings\nick\favorites\shop\Unbeatable.co.uk.url
2002-07-21 18:11 70 --a--c--- c:\documents and settings\nick\favorites\shop\Photoglossy.com.url
2002-07-21 18:11 58 --a--c--- c:\documents and settings\nick\favorites\shop\Checkaprice.com.url
2002-07-21 18:11 55 --a--c--- c:\documents and settings\nick\favorites\shop\Jessops.com.url
2002-07-21 18:11 45 --a--c--- c:\documents and settings\nick\favorites\shop\Kelkoo.com.url
2002-07-21 18:11 43 --a--c--- c:\documents and settings\nick\favorites\shop\MX2.org.url
((((((((((((((((((((((((((((( snapshot@2008-04-04_23.02.04.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-04-07 19:31:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_650.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 03:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 21:05 344064]
"TGX2_VFD"="C:\WINDOWS\system32\TGVFDMsgservice.exe" [2004-12-01 14:12 233472]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 14:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2004-05-07 15:26 237568]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 08:11 771704]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 08:19 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]
C:\Documents and Settings\Amy\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]
C:\Documents and Settings\Mum\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]
C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreeventsSchedule.lnk - C:\Freevents\FreeventsSchedule.exe [2006-04-25 14:57:54 16384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-04-28 10:53:02 593920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
R1 CXAVSAUD;Conexant 2388x Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2005-10-25 02:56]
R3 CXAVSTS;Conexant 2388x AVStream TS Capture;C:\WINDOWS\system32\drivers\cxavsts.sys [2005-10-25 02:56]
R3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\cxBDAtun.sys [2005-10-25 02:56]
S3 TGX263;TriGem X2 Device Driver;C:\WINDOWS\system32\Drivers\TGX263.sys [2004-11-03 15:16]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 16:04:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 19:29:16 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Nick.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-07 20:38:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-07 20:38:57
ComboFix-quarantined-files.txt 2008-04-07 19:38:54
ComboFix2.txt 2008-04-07 16:01:28
ComboFix3.txt 2008-04-06 10:08:02
ComboFix4.txt 2008-04-06 08:51:50
ComboFix5.txt 2008-04-05 11:23:36
Pre-Run: 142,951,567,360 bytes free
Post-Run: 142,936,338,432 bytes free
.
2008-03-11 22:10:58 --- E O F ---