Hi Shaba,
The file C:\WINDOWS\system32\drivers\Chl83.sys came back clean.
The logs are as follows:
ComboFix 08-08-12.01 - Mike & Sharon 2008-08-14 9:15:35.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.746 [GMT -3:00]
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike & Sharon\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\services.exe
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\dgdutafs
C:\Documents and Settings\All Users\Application Data\dgdutafs\fmtajwpc.exe
C:\Program Files\ednppsf
C:\Program Files\ednppsf\GenActMsg.dll
C:\WINDOWS\services.exe
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NTSYSVERS
-------\Legacy_RUNBATCH
-------\Service_ntsysvers
-------\Service_runbatch
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
2008-08-13 15:37 . 2008-08-13 15:37 577,024 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-08-13 15:33 . 2008-08-13 15:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-13 11:47 . 2008-08-13 16:29 <DIR> d-------- C:\SDFix
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Program Files\Avira
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-10 16:29 . 2008-08-10 16:29 <DIR> d-------- C:\Program Files\Flux
2008-08-02 21:06 . 2008-08-02 21:18 716 --a------ C:\scope
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:19 25,472 ----a-w C:\WINDOWS\system32\drivers\Chl83.sys
2008-08-07 00:09 --------- d-----w C:\Program Files\Plextor
2008-06-25 18:18 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-17 15:40 --------- d-----w C:\Program Files\iZotope
2008-04-20 00:25 101,192 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-08-13_16.52.52.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 23:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StrDb"="C:\WINDOWS\system32\rgnybank.exe" [2008-08-12 12:46 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 12:40 155648]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"EW Message Server"="msg32.exe" [2003-02-26 20:03 45056 C:\WINDOWS\SYSTEM32\Msg32.exe]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\SYSTEM32\DeltTray.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"vidc.dvsd"= dvc.dll
"msacm.dvacm"= dvacm.acm
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm
"Midi1"= gmidi.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-10-12 18:13 7086080 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-02 12:40 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\system32\Drivers\BTMgr.sys [2002-06-12 14:43]
R2 JamLabInstallerService;JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe [2006-01-09 17:39]
R3 EWAVE;EWAVE;C:\WINDOWS\system32\drivers\ew.sys [2003-02-26 20:04]
R3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-02-26 20:13]
R3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\system32\Drivers\GBGSIF.sys [2005-03-07 00:21]
R3 hypaudio;hypaudio;C:\WINDOWS\system32\DRIVERS\hypaudio.sys [2006-05-30 16:20]
R3 hypkern;hypkern;C:\WINDOWS\system32\drivers\hypkern.sys [2006-05-30 16:20]
R3 MAWGSIF;MOTU PCI GSIF Driver;C:\WINDOWS\system32\drivers\MAWGSIF.sys [2004-07-21 16:05]
R3 MotuAW;MotuAW;C:\WINDOWS\system32\drivers\MotuAW.sys [2004-07-21 16:03]
R3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-02-26 20:06]
R3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 82827bba-7380-4b11-bfe5-ff053dc5ed6c;82827bba-7380-4b11-bfe5-ff053dc5ed6c;D:\CDS300\cds300.dll []
S3 Btusb;Bluetooth USB;C:\WINDOWS\system32\Drivers\Btusb.sys [2001-12-10 15:16]
S3 FILEMON;FILEMON;C:\Documents and Settings\Mike & Sharon\Desktop\sammon\FILEMON.SYS []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
S3 gsif324;GSIF Driver for MOTU 324;C:\WINDOWS\system32\drivers\gsif324.sys []
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\MAGIX\Samplitude_V8_professional\mxasio.sys [2002-04-16 12:10]
S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausbjl.sys [2006-02-01 10:25]
S3 MAWWAVE;MOTU PCI Wave Driver;C:\WINDOWS\system32\drivers\MAWWAVE.sys []
S3 NUVision;NUVision Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-09-20 07:58]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys []
S3 w324drvr;w324drvr;C:\WINDOWS\system32\drivers\w324drvr.sys []
*Newly Created Service* - EWAVE
.
- - - - ORPHANS REMOVED - - - -
SSODL-GenActMsg-{2EF26493-ECFD-4DD1-ABDF-03A50288E9C3} - C:\Program Files\ednppsf\GenActMsg.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 09:22:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-14 9:30:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 12:30:16
ComboFix2.txt 2008-08-13 19:53:20
Pre-Run: 7,502,643,200 bytes free
Post-Run: 7,433,355,264 bytes free
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:34 AM, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msg32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rgnybank.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StrDb] C:\WINDOWS\system32\rgnybank.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4647 bytes
Thanks again... you're the best!!
snauss