
mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
I am still searching for a solution to the cross - it does not seem to derive from a reg entry [although that red cross is one of the icons built into shell32.dll]... it must be a malware file still on your machine that is calling it. Could you pls delete your copy of Combofix and dl and run a fresh copy?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


REWORKED POST:
mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

If that notepad is not empty then the red cross problem may be solved [you may have to restart...]. Otherwise could you then do that Combofix run?


Well, the notepad came up empty so I ran Combofix:

ComboFix 08-04-10.4 - Irving Glemaud 2008-04-10 17:56:00.6 - NTFSx86
Running from: C:\Documents and Settings\Irving Glemaud\My Documents\New Folder\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-08 16:39 . 2008-04-08 17:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-06 17:47 . 2008-04-06 17:47 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-03 18:49 . 2008-04-03 20:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-02 18:35 . 2008-04-02 18:42 <DIR> d-------- C:\Program Files\Panda Security
2008-03-31 21:59 . 2008-03-31 21:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-31 21:59 . 2008-03-31 22:01 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-31 21:59 . 2008-03-31 22:01 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-31 21:59 . 2008-03-31 22:01 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-31 21:43 . 2008-03-31 21:44 <DIR> d-------- C:\Program Files\Unlocker
2008-03-31 21:43 . 2008-03-31 21:43 <DIR> d----c--- C:\Documents and Settings\Irving Glemaud\Application Data\Desktopicon
2008-03-31 17:55 . 2008-03-31 17:55 <DIR> d----c--- C:\VundoFix Backups
2008-03-30 20:30 . 2008-04-07 18:21 984 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fwdrv.err
2008-03-26 22:23 . 2008-03-26 22:23 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-26 22:04 . 2008-03-26 22:04 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-26 22:04 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-03-26 22:04 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-03-26 22:04 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-03-26 22:04 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-03-26 22:04 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-03-26 22:04 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-03-26 22:04 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-03-26 22:04 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-03-21 14:57 . 2008-04-09 18:01 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-21 14:56 . 2008-03-21 14:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-21 14:56 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2008-03-21 14:30 . 2008-03-21 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 18:30 . 2008-03-25 15:30 <DIR> d----c--- C:\Documents and Settings\Irving Glemaud\.housecall6.6
2008-03-18 17:07 . 2002-08-29 07:00 152,844 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framdit.ttf
2008-03-18 17:07 . 2002-08-29 07:00 135,984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framd.ttf
2008-03-18 17:07 . 2002-08-29 07:00 12,288 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\script.fon
2008-03-18 17:07 . 2002-08-29 07:00 8,704 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\modern.fon
2008-03-18 17:05 . 2008-03-23 14:43 <DIR> d-------- C:\WINDOWS\Font
2008-03-10 22:57 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2008-03-10 22:57 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\SYSTEM32\COMCT332.OCX
2008-03-10 22:57 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2008-03-10 22:57 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2008-03-10 22:57 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\SYSTEM32\Odbcjet.hlp
2008-03-10 22:57 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2008-03-10 22:57 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\SYSTEM32\Odbcjet.cnt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 23:17 --------- d-----w C:\Program Files\LimeWire
2008-04-06 21:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 23:20 --------- d-----w C:\Program Files\QuickTime
2008-03-28 00:58 --------- d-----w C:\Program Files\Winamp
2008-03-28 00:58 --------- d-----w C:\Program Files\DellSupport
2008-03-28 00:58 --------- d-----w C:\Program Files\Dell Photo AIO Printer 924
2008-03-27 23:26 --------- d-----w C:\Program Files\Java
2008-03-27 01:06 --------- d-----w C:\Program Files\Dl_cats
2008-03-24 22:51 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-03-24 22:51 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-03-19 22:17 --------- d-----w C:\Program Files\Sony Setup
2008-03-19 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-13 21:28 28,672 ----a-w C:\WINDOWS\SYSTEM32\DSentry.exe
2008-03-13 21:28 126,976 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-03-13 21:27 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-12 20:01 --------- d-----w C:\Documents and Settings\Irving Glemaud\Application Data\LimeWire
2008-02-12 19:57 32,768 -c--a-w C:\Documents and Settings\Irving Glemaud\services.exe
2008-01-19 23:45 147,456 ----a-w C:\WINDOWS\SYSTEM32\vbzip10.dll
2005-12-19 01:04 557,056 -c--a-w C:\Documents and Settings\Irving Glemaud\chatlnk.exe
2006-06-22 00:51 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-03-10 18:23 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2008-01-28 19:35 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-24 18:51 15360]
"Aim6"="" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 17:34 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"WService"="WService.EXE" [2002-09-07 06:23 28672 C:\WINDOWS\SYSTEM32\WService.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DLCCCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-01-06 14:02:05 36953]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133661202\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133661202\\ee\\aim6.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlcccoms.exe"=
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dlccPSWX.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S1 Tablet2kk;Tablet2kk;C:\WINDOWS\system32\drivers\Tablet2kk.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ba0458d-8340-11dc-88f5-00038a000015}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 22:50:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:03:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 18:07:47
ComboFix-quarantined-files.txt 2008-04-10 22:07:29
ComboFix2.txt 2008-03-31 01:31:28
Pre-Run: 26,068,983,808 bytes free
Post-Run: 26,064,150,528 bytes free
.
2008-04-08 21:07:54 --- E O F ---


From inspecting the action on my machine I only have one other key that may be involved.... another poster, bojadada says he was given a reg key solution but he is being coy about it....
Here goes.. save this as showkey.bat.... as all files... I have added a pause command so that you can see what the cmd window is about.

reg query "HKCU\SOFTWARE\Classes\Applications\Explorer.exe\Drives\C" /s >C:\showkey.txt
start C:\showkey.txt
pause

What is this file?:
C:\Documents and Settings\Irving Glemaud\services.exe
A google search showed that the key which you checked earlier but which is not on your machine is one actually used in some attacks, but obviously not in all. I asked bojadada to check it on his pc but I think he somehow misran the file as he did not get a notepad popping.....


I'm losing it, the notepad came up blank, I tried to run services.exe but it said something about an illegal operation so I deleted it...now that I just checked, Windows pops up with a missing icon window when I tried to run Tweak UI, maybe that was it...


Sounds interesting... could you hop into your Recycle Bin and restore that services.exe file, then...
Virus Scan:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination.
Btw, you could have just checked its properties instead of trying to run it. Interesting that it came up as an illegal operation though, an exe should just run, or try to.


Ummm unfortunately in a viricidal rage, I went further and deleted that file in the recycle bin, never to be seen again. So I guess the last step is out the window huh?


:)... it is probably still there, but now with no label at all in a file table, so it is not worth trying to get it back. Anyway an exe has no right to be in Application Data. Can be, but should not be. try submitting this one...
C:\Documents and Settings\Irving Glemaud\chatlnk.exe


Ira, I don't know what purpose that file C:\Documents and Settings\Irving Glemaud\chatlnk.exe serves. Please rename it to..
C:\Documents and Settings\Irving Glemaud\chatlnk.exe.susp
..and see what happens.


gerbil, it seems chatlnk.exe is a screen sharing program on my computer from a few years ago because I needed some technical support with my internet connection. I changed the name and nothing seemed to happen though.


Ira, this is about my last shot. Please in an explorer window go tools> folder options> view, and uncheck Hide Protected Op Sys Files.
Next do a search for Iconcache.db - they will pop up for each user in C:\Documents & Settings\User \Local Settings\Application Data.
Delete em. All of em. If you feel uncomfortable about that save them to a thumbdrive and then delete them, and from the Recycle bin as well.
Log off then on again. The iconcache.db will be recreated under your user account, and for other users when they log on.
I'm trying this because sometimes the iconcache does not get updated as often as it should. The sys uses this cache instead of hunting for the originals every time. See what happens.
Thanks for the chatlnk info. I could not tell.
Oh, hide those Protected Op Sys files again. Dangerous to have them out where you can fiddle with them inadvertently.


Ira, a slight change.. please run this file first:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /f
start C:\showkey.txt

If that notepad is not empty then please post it.
This file looks like the one I gave you earlier, the difference is that the name is changed to DriveIcons by removing a space....
Grrr.....


Well what do ya know? The notepad didn't come up blank, AND the C Drive icon is back to normal, but that pesky digital camera is still there. Here's the notepad entreaties, now off to do what the previous post said:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon
<NO NAME> REG_SZ %SystemRoot%\system32\shell32.dll,131
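
As an added example (not code from this thread, nor from ComboFix or reg.exe), a PowerShell audit that reads the same keys the batch files above touched: the per-drive DefaultIcon values under DriveIcons, flagging the shell32.dll,131 red cross found on this machine, and the remembered AutoRun commands under MountPoints2 that the ComboFix log listed (setupSNK.exe). The -Remove switch, the function names and the extra HKCU DriveIcons check are my assumptions; it lists before it deletes so the value can be reviewed first.

```powershell
# Added audit script, not code from the thread or from ComboFix/reg.exe. Assumes an
# elevated PowerShell prompt; -Remove, the function names and the HKCU check are mine.
param([switch]$Remove)

# Explorer's per-drive icon overrides (the thread found its entry under HKLM) and the
# remembered per-device autorun commands (the log's setupSNK.exe entry).
$DriveIconRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
)
$MountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
function Get-DriveIconOverrides {
    foreach ($root in $DriveIconRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($letter in Get-ChildItem $root) {
            $iconKey = "$($letter.PSPath)\DefaultIcon"
            if (-not (Test-Path $iconKey)) { continue }
            $icon = (Get-ItemProperty $iconKey).'(default)'
            [pscustomobject]@{
                Drive   = $letter.PSChildName
                Icon    = $icon
                # Flag icons outside the Windows directory, plus the shell32.dll,131
                # red cross the thread traced its problem to.
                Suspect = ($icon -notmatch '(?i)%SystemRoot%|\\Windows\\') -or
                          ($icon -match '(?i)shell32\.dll,131$')
                Path    = $letter.PSPath   # kept for -Remove
            }
        }
    }
}

function Get-RememberedAutoruns {
    if (-not (Test-Path $MountPoints)) { return }
    foreach ($dev in Get-ChildItem $MountPoints) {
        $cmdKey = "$($dev.PSPath)\Shell\AutoRun\command"
        if (Test-Path $cmdKey) {
            [pscustomobject]@{ Device  = $dev.PSChildName
                               Command = (Get-ItemProperty $cmdKey).'(default)' }
        }
    }
}

$overrides = @(Get-DriveIconOverrides)
$overrides | Format-Table Drive, Icon, Suspect -AutoSize
Get-RememberedAutoruns | Format-Table -AutoSize
if ($Remove) {
    # Same effect as the thread's "reg delete ... DriveIcons /f", but only for the
    # flagged drives and only after the values above have been reviewed.
    foreach ($o in $overrides | Where-Object { $_.Suspect }) { Remove-Item $o.Path -Recurse -Force }
}
```

Run it once without -Remove to see what Explorer is being told to draw and which device autorun commands are remembered; a fresh Explorer session (log off and on) picks up the change after a removal, as the thread notes.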
