gerbil 216 Industrious Poster

Jay, I was just checking to see that combofix did its job with Vundo - it seems so. Combofix did throw up the 8 malware files below as once being created... you should check that they no longer exist; if they do not then you are clean. Use hijackthis to remove this entry:
O4 - Global Startup: NoLop.exe ..by performing a scan [no log requ], checking that entry and pressing Fix Checked.

C:\WINDOWS\system32\indfkyky.dll
C:\WINDOWS\system32\gfkbxycw.dll
C:\WINDOWS\system32\avflsjjd.dll
C:\WINDOWS\system32\pgdfgsvc.exe
C:\WINDOWS\system32\pfwaoppg.dll
C:\WINDOWS\system32\vfwktotm.ini
C:\WINDOWS\system32\gtphcpxi.dll
C:\WINDOWS\system32\yxmvxtip.ini

And that is it. Good luck out there.

gerbil 216 Industrious Poster

Jay, you are really getting hit here. Did you run MWBAM before Combofix? Cos if so combofix found again some files MWBAM deleted... It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were NOT DELETED - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

gerbil 216 Industrious Poster

Glad to be of some use, Dee. Dunno why I put that space in DriveIcons. I just checked my sys and explorer.exe checks for the key DriveIcons. Not Drive Icons. I guess I am just too used to putting spaces between words when I type. Sorry for the time wasted.

gerbil 216 Industrious Poster

Lessee... icons and their labels... I think all they have is the text and the picture pixels themselves.. the rest of the icon image is blank out to its borders, so it is transparent. When you apply drop shadows you are actually adding something to the text outlines [a white shadow] which also occludes the background. What I am trying to say is that you must be seeing through your background also ie past your bitmap to the [uncoloured - black] desktop background. ie your background image has holes in it.
Internet explorer keys are also involved in the desktop, as well as the obvious explorer keys... well, it has to be, cos you can load a web site as background image. Desktop settings are HKLM and HKCU, well, if the latter exist they override the HKLM settings. If instead of the windows key you check the internet explorer key you will see your background image there, plus other names related to the display. Is it a bitmap, or is it html? Cos an html image will have holes so you can see through to the black or whatever colour you set for the Colour in Display Properties, Desktop.

gerbil 216 Industrious Poster

Ira, a slight change.. please run this file first:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

rem Dump the DriveIcons key and all its subkeys to a text file, then delete the key.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /f
rem Open the dump in Notepad so it can be posted.
start C:\showkey.txt

If that notepad is not empty then please post it.
This file looks like the one I gave you earlier, the difference is that the name is changed to DriveIcons by removing a space....
Grrr.....

gerbil 216 Industrious Poster

Groan.... Way back in post #8 I gave you a similar reg file to delete a key, except that I had a space included in mine. Drive Icons, yours is DriveIcons.
Life, eh? I wish M$ could sort out whether spaces are important in Registry names... they are, but I really dunno why.
CIF Single Chip is for your webcam. I can't tell why it will not update the driver. Uninstall, reinstall.
Sp2 upgrade? Best is to dl from the M$ site the file for "professional" installation. http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
This is the file: WindowsXP-KB835935-SP2-ENU.exe
You will note on that page that they recommend you use the M$updates path which is an automatic installation procedure -fine if you have a fast link. I prefer to go by the exe path, save the file to disk and then install..
http://technet2.microsoft.com/windowsserver/en/library/c050419b-98a2-4802-b719-629a33a332391033.mspx?mfr=true is the M$ guide for installation, note that on this page they recommend to dl and save the file! :)
So it should be straightforward.... dl and save the file, disconnect from the net, BACKUP, disable or uninstall your AV, close all other apps and run the file WindowsXP-KB835935-SP2-ENU.exe
If it works and your sys is fine, start up your AV, your firewall and immediately get the updates from M$updates.

gerbil 216 Industrious Poster

Ira, this is about my last shot. Please in an explorer window go tools> folder options> view, and uncheck Hide Protected Op Sys Files.
Next do a search for Iconcache.db - they will pop up for each user in C:\Documents & Settings\User\Local Settings\Application Data.
Delete em. All of em. If you feel uncomfortable about that save them to a thumbdrive and then delete them, and from the Recycle bin as well.
Log off then on again. The iconcache.db will be recreated under your user account, and for other users when they log on.
I'm trying this because sometimes the iconcache does not get updated as often as it should. The sys uses this cache instead of hunting for the originals every time. See what happens.
Thanks for the chatlnk info. I could not tell.
Oh, hide those Protected Op Sys files again. Dangerous to have them out where you can fiddle with them inadvertently.

gerbil 216 Industrious Poster

Bo? It would be a help if you would reply... or was it that key I gave you in the first place?

gerbil 216 Industrious Poster

Dee, VideoEgg possibly supplanted some of your Audio sys files, like perhaps the driver. Antimalware removed files. eg this codec was deleted as infected: avcodec.dll - you may wish to dl a fresh copy.
Go to Device Management, Sound and Video.., and check that the Audio is working, that you have a driver loaded, not the legacy drivers but something like Realtek AC97.
For example, rclick Audio Codecs and check properties.. there may be a dozen or so codecs listed there. If it is shown as not working then use the Update driver button. Or use the troubleshooter.
=let's clear all your system restore points because some have been infected.... go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
And I still don't have a fix for your red cross...

gerbil 216 Industrious Poster

No.. you seem to have a trojan downloader, and it is working.
Livly, what is the name of this folder.. C:\DOCUME~1\LIVLYS~1.DEL
It is C:\Documents and Settings\Livlys...what? My Swedish aint so good. Anyway, the stuff in it is rubbish, so let's get rid of it.
Every time you restart your system the trojan renames itself. It was dxvwnean.dll starting under this key:
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
It is now C:\WINDOWS\system32\oyhhojsk.dll starting under this key:
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
So use hijackthis to fix these entries...
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')

Delete these files:
C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll
C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe
C:\WINDOWS\system32\oyhhojsk.dll

...and, I suspect, delete this folder also:
C:\DOCUME~1\LIVLYS~1.DEL\

I think that some of that stuff is a LOP infection still present, but I can't be sure, so download NoLop from the link on this page; follow the instructions given. Post the report C:\NoLop.log.
http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item16
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and …
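
The posts above (and the earlier ones to Jay about the NoLop and UIUCU entries) do the same triage by hand: read each HijackThis O4 line, work out which file it launches, notice that the trojan re-registers itself under a fresh random value name loading a fresh eight-letter DLL from system32 or Temp, and afterwards check that the deleted files are really gone. The Python script below is an added example, not code from the forum posts or from HijackThis. The five sample lines are quoted from the thread; the parser, the "random name" heuristics, and the function and field names are the editor's own assumptions.

```python
"""Triage HijackThis O4 (autostart) entries the way the thread does by hand.

Added example, not code from the original forum posts or from HijackThis.
The sample lines are quoted from the thread; the heuristics, function names
and field names are the editor's own assumptions about what is worth flagging.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O4 lines as posted in the thread (constructed input for this demo).
SAMPLE_O4 = [
    r"""O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s""",
    r"""O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b""",
    r"""O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')""",
    r"""O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S""",
    r"""O4 - Global Startup: NoLop.exe""",
]

# "O4 - <location>: [<value name>] <command> (User '<name>')"; the bracketed
# value name and the trailing user part are absent on Startup-folder entries.
O4_RE = re.compile(
    r"^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32[.exe] "<dll>",<export>  -- the loader shape the trojan uses each time it renames.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[a-z]{8}")             # e.g. dxvwnean, oyhhojsk, nudxexdt
RANDOM_VALUE_RE = re.compile(r"(?:BM)?[0-9a-f]{8}")  # e.g. BM0f7886b3, 0c4bb52f


@dataclass
class O4Entry:
    raw: str
    location: str
    name: Optional[str]
    command: str
    user: Optional[str] = None
    target: Optional[str] = None            # file the entry launches, if recoverable
    flags: List[str] = field(default_factory=list)


def _launched_file(command: str) -> Tuple[Optional[str], bool]:
    """Return (path, via_rundll32) for the file an O4 command actually runs."""
    m = RUNDLL_RE.match(command)
    if m:
        return m.group("dll"), True
    if command.startswith('"'):              # quoted executable path
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else None), False
    first = command.split(None, 1)[0] if command.strip() else None
    return first, False


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line and attach heuristic flags; None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = O4Entry(line, m.group("location"), m.group("name"), m.group("command"), m.group("user"))
    entry.target, via_rundll = _launched_file(entry.command)
    if via_rundll:
        entry.flags.append("rundll32-loader")
    if entry.target:
        # Windows path handling done by hand so this also runs on a non-Windows analysis box.
        filename = entry.target.replace("/", "\\").rsplit("\\", 1)[-1]
        stem = filename.rpartition(".")[0] or filename
        if via_rundll and RANDOM_STEM_RE.fullmatch(stem):
            entry.flags.append("random-dll-name")
        if "\\temp\\" in entry.target.lower():
            entry.flags.append("runs-from-temp")
    if entry.name and RANDOM_VALUE_RE.fullmatch(entry.name):
        entry.flags.append("random-value-name")
    return entry


def analyse(lines) -> List[O4Entry]:
    """Parse every O4 line in a HijackThis log excerpt, skipping anything else."""
    return [e for e in (parse_o4(line) for line in lines) if e is not None]


def still_present(entries, exists=os.path.exists) -> List[str]:
    """Targets that still exist on disk: the 'check they no longer exist' step.
    `exists` is injectable so the check can be exercised away from the infected box."""
    return [e.target for e in entries if e.target and exists(e.target)]


if __name__ == "__main__":
    found = analyse(SAMPLE_O4)
    for e in found:
        print(f"[{e.name or 'startup'}] {e.target} -> {', '.join(e.flags) or 'no flags'}")
    print("still on disk:", still_present(found))
```

Run it against a pasted HijackThis log on the analysis machine; the flags only point at entries worth a closer look (an eight-letter lowercase DLL loaded by rundll32 from system32 or Temp under a hex-looking value name), they are not a verdict. The `exists` parameter of `still_present` is there so the "are they gone?" check can be run with the real `os.path.exists` on the cleaned machine and with a stub elsewhere.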

gerbil 216 Industrious Poster

Discounting the cookie detections and pests in quarantine, Dee, [delete C:\Qoobox and SDFix...] we are left with these:
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\protocols\name-space handler\res
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{833EE25F-3A47-41DF-B27D-017FE19594C7}\RP1162\A0325215.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{833EE25F-3A47-41DF-B27D-017FE19594C7}\RP1162\A0325207.sys
02906063 Bck/VB.ABN Virus/Trojan No 0 Yes No D:\jmusic\jmusic\SopCast v2.0.4.zip[Setup.exe]
02906063 Bck/VB.ABN Virus/Trojan No 0 Yes No D:\jmusic\jmusic\Sopcast Online TV - Vista capable.zip[Setup.exe]

So. Delete:
D:\jmusic\jmusic\SopCast v2.0.4.zip[Setup.exe]
D:\jmusic\jmusic\Sopcast Online TV - Vista capable.zip[Setup.exe]

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].

Do not use System Restore if at all avoidable because there is a pest in there and we don't want it let out again. When your sys is safer we will clean your restore points.

gerbil 216 Industrious Poster

Did you get more RAM than in your old machine? Cos windows looks at what you have and then assigns memory to each process so that while keeping a good reserve page faults are minimised. So with more RAM, there will be fewer read/writes to page memory because processes are given more memory to play in.
And your LCD screen should be as sharp as... on a white space on your screen you should be able to just make out individual pixels... so that's how sharp it can be. It has to be a video card issue. I think.

gerbil 216 Industrious Poster

Ira, I don't know what purpose that file C:\Documents and Settings\Irving Glemaud\chatlnk.exe serves. Please rename it to..
C:\Documents and Settings\Irving Glemaud\chatlnk.exe.susp
..and see what happens.

gerbil 216 Industrious Poster

AVG should have solved your popup problem, you had a LOP infection.
Now, that missing file warning... that is the file we deleted. Did you also fix this hijackthis entry as I mentioned - it is the one that is calling that file..

O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Run hijackthis again and check for its presence, FIX it if it exists.
If it is not there and you are still getting the warning then please post the scan log.

gerbil 216 Industrious Poster

Ok, that run found and deleted two of those files, the others are not present now. Your sys looks clean now. And still the red cross?
For a final check could you do this please:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner. Repeat in other user's accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

No, your files will not be overwritten, you may have to reinstall your apps, though.

gerbil 216 Industrious Poster

The grey outline when dragging a window - this option you have selected is less memory intensive than dragging the windows contents. The checkbox is here: go Start, run, paste in...
control sysdm.cpl,,3 -and choose Performance Settings.

gerbil 216 Industrious Poster

Okay, they do die, sometimes at the most interesting times....

gerbil 216 Industrious Poster

:)... it is probably still there, but now with no label at all in a file table, so it is not worth trying to get it back. Anyway an exe has no right to be in Application Data. Can be, but should not be. try submitting this one...
C:\Documents and Settings\Irving Glemaud\chatlnk.exe

gerbil 216 Industrious Poster

Sounds interesting... could you hop into your Recycle Bin and restore that services.exe file, then...
Virus Scan:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination.
Btw, you could have just checked its properties instead of trying to run it. Interesting that it came up as an illegal operation though, an exe should just run, or try to.

gerbil 216 Industrious Poster

From inspecting the action on my machine I only have one other key that may be involved.... another poster, bojadada says he was given a reg key solution but he is being coy about it....
Here goes.. save this as showkey.bat.... as all files... I have added a pause command so that you can see what the cmd window is about.

reg query "HKCU\SOFTWARE\Classes\Applications\Explorer.exe\Drives\C" /s >C:\showkey.txt
start C:\showkey.txt
pause

What is this file?:
C:\Documents and Settings\Irving Glemaud\services.exe
A google search showed that the key which you checked earlier but which is not on your machine is one actually used in some attacks, but obviously not in all. I asked bojadada to check it on his pc but I think he somehow misran the file as he did not get a notepad popping.....

gerbil 216 Industrious Poster

Hello, Jay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Good, now delete these 2 files:
C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE
C:\WINDOWS\system32\dxvwnean.dll
Clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Scan:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

No.o.ooo... there is not.

gerbil 216 Industrious Poster

So now you have a D: as well as a c:....
Did you make the D: with Partition Magic? Anyway, the format command you want is..
format c: /sys -this will mark the partition as active.
I always thought the f in fdisk didn't really stand for format.

gerbil 216 Industrious Poster

"Does anyone know if i can make my windows genuine by somehow entering this validation key"... Yep. Dl RockXP4.exe or XPPID.exe, push in your legit activation key and then go to Windows Update site - it will activate the key. Maybe. If the legit key is for a different type of OS [OEM, full retail, vol licensing..] then you must do a Repair Installation with the cd.

gerbil 216 Industrious Poster

I bet he gave up reading this thread anyway... sigh...

gerbil 216 Industrious Poster

mmm, I guess I'd try fdisk /mbr again, followed by format c: /sys..
Thinking about it a bit more, because you got Partition Magic to recognise the drive and that partition why not use it to create a new, active partition and then see if Windows Setup can recognise that. Then tell Setup to remove all partitions and create a new partition...?

gerbil 216 Industrious Poster

If you were in one directory, say E:\Program Files and wanted to jump to D:\Scratch Pad you would have to use the /d switch in a command like..
cd /d d:\scratch pad otherwise the cmd would be ignored.

gerbil 216 Industrious Poster

Sounds like after you ran the fdisk command your format c: /s command did not run properly? 'Course, it may be hd slamming time too...

gerbil 216 Industrious Poster

True, dima. Ah well, now he also knows how to change drive and directory at the same time as well.

gerbil 216 Industrious Poster

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
C:\WINDOWS\system32\8616203188.sys
C:\WINDOWS\system32\B085F86352.sys
C:\WINDOWS\system32\iswsahqf.dll
C:\WINDOWS\System32\drivers\hgjihjde.sys 
C:\DOCUME~1\Dee\LOCALS~1\Temp\jatmlano.sys

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

gerbil 216 Industrious Poster

Quick format just skips the disc surface scan.. it does everything else the full format does.

gerbil 216 Industrious Poster

LKG is set when you last shut down your system properly ie Windows shut down correctly. So if you had kept your machine running for 2 years then....
Use Sys Restore. Your files are still there, it's just that your sys is too "young" to know about them.

gerbil 216 Industrious Poster

Do your hard drives show up in the Dell part... BIOS? Cos it is looking like you need to go shopping for a hd..

gerbil 216 Industrious Poster

Dima has given you the way to start Explorer in the drive of your choice.
If you want to explore the drive from the command line then you do this....
Start, run, type cmd, and enter.
Okay, you are now in a [black] command window, the prompt will be C:\Docs and Setts\User>
To go to another drive eg E:\, you just type...
cd /d e:\ [to change drives you must use the /d switch]
If you then type ..
cd /d c: you will end up back in the D and S\User spot... cd /d c:\ will put you into c: root.
Type... dir |more to get a directory or file list in the drive of your choice.
Type ... dir /? to get a helping hand... or /? with any command...

gerbil 216 Industrious Poster

There is no need to use Fdisk. When you install Windows, Setup will present you with a quite adequate partition manager. Use it to create the system partition of the size you wish [the whole disk if you so wish, although that is not necessarily the best thing...]. Afterward use Windows disk management console to build any other partitions you wish.
There is no need to use Partition Magic in this process. Setup will do a [quick] format of the partition and build the MBR and file tables, which is what was done when you formatted with Fdisk.
OS missing? Yep, when you insert the cd it finds a MBR but no OS, hence that message. Force Setup to use your already created partition or let it make a fresh one.

gerbil 216 Industrious Poster

Using your XP cd just accept the Repair option with Recovery Console; when in there the command you want is...
bootcfg /rebuild
This will search for all OSes and list them for you... you select the default and it will then build a boot.ini file for you.

gerbil 216 Industrious Poster

Could you paste that reg file here, please, bo? I would like to know it..

gerbil 216 Industrious Poster

Hello, Hifi.
Rename these files:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat > C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat.old
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat > C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat.old

=C:\WINDOWS\SYSTEM32\3d3dcc52 - did you use the search function when trying to find this? That way you would see hidden folders... if you can't find it, don't worry about it.

=Deleting C:\Program Files\SNLBar\... Sorry, I was a bit brief on the instruction for this one; go CP, Add/Remove pgms and remove it from there, then you will be able to delete the folder.
You may have to delete the file in it first.
=Delete this file, you may have to do it from safe mode...
C:\WINDOWS\SYSTEM32\wvurqol.dll
-now please run Vundofix again; CHECK the log, if it cannot delete any files it finds rerun it until it does the job.

gerbil 216 Industrious Poster

Reinstall?? No need to go to that trouble. You have a few problems in there, though. Let's work on them.
=Check the properties of these two files - if they are unsigned I suggest you delete them:
C:\WINDOWS\system32\8616203188.sys
C:\WINDOWS\system32\B085F86352.sys
-they have hashed filenames and that is suspicious... **what did you find for them??

=Delete these files:
C:\WINDOWS\system32\iswsahqf.dll
C:\WINDOWS\System32\drivers\hgjihjde.sys
C:\DOCUME~1\Dee\LOCALS~1\Temp\jatmlano.sys
=Delete this folder:
C:\Documents and Settings\Dee\Application Data\McAfee
=If you did not find that these two files have legit owners then rename them:
C:\WINDOWS\system32\8616203188.sys > C:\WINDOWS\system32\8616203188.sys.old
C:\WINDOWS\system32\B085F86352.sys > C:\WINDOWS\system32\B085F86352.sys.old

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xcttgs.sys]

==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Fix this one also:
O2 - BHO: SeekNewLive Bar - {0CB66BA8-5E1F-4963-93D1-E1D6B78F0212} - C:\Program Files\SNLBar\SNLBar.dll
... and delete this folder:
C:\Program Files\SNLBar\

gerbil 216 Industrious Poster

Vundofix did not find anything?

=C:\FOUND.000 - these are remnants from running chkdsk - you must have had a crash, chkdsk found file scraps and put them here. You can delete this folder.
=Delete:
C:\WINDOWS\SB7CC85B5.tmp
=Check the properties of these files for the owner:
C:\WINDOWS\{9988128B-8E72-4FD5-98BE-596DD071BF0D}.dat
C:\WINDOWS\SYSTEM\{05618E73-52D1-4FFC-B2E3-A87226F7462F}.dat
C:\WINDOWS\SYSTEM32\E2A317C6E3.sys
=What is in this folder?:
C:\WINDOWS\SYSTEM32\3d3dcc52

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O20 - Winlogon Notify: ddccyvu - ddccyvu.dll (file missing)

While doing this, you should also fix those three O15 entries - there is no need to have any sites as Trusted, if they are safe they will pass all your IE security protocols anyway; they may as well be subject to the same checks as any other site.

gerbil 216 Industrious Poster

Dee, could you also do this please:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

If that notepad is not empty then the red cross problem may be solved [you may have to restart...].

gerbil 216 Industrious Poster

REWORKED POST:
mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

If that notepad is not empty then the red cross problem may be solved [you may have to restart...]. Otherwise could you then do that Combofix run?

gerbil 216 Industrious Poster

Bo, one more thing, you could do this before you try the combofix run - I did not get a satisfactory result from my first request to run this batch file, it may not have been applied correctly [and the one you ran successfully was different], so please try it again:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

gerbil 216 Industrious Poster

mmm... that autorun file is a leftover from your McAfee; because you are running Avast now it is safe to delete it.
I am still searching for a solution to the cross - it does not seem to derive from a reg entry [although that red cross is one of the icons built into shell32.dll]... it must be a malware file still on your machine that is calling it. Could you pls delete your copy of Combofix and dl and run a fresh copy?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

gerbil 216 Industrious Poster

Dee, I am still fishing for a solution to this one.... it seems to be the result of a vundo infection. That batch file was to check one possible source of the problem, turns out not to be it, so the notepad was blank [you just did not have that key]. Sometimes you have to be a guinea pig, malwares get improved to stay in the game.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post a fresh hijackthis scan also, please, Dee.

gerbil 216 Industrious Poster

Bo, I still think that you should run Combofix again...
"Could you delete your copy of combofix and dl a fresh copy and run it?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe"....
That cross has to be mandated from somewhere... it does not seem to be from a registry entry nor a .inf file on the drive so there must be a malware file still remaining on your machine. Combofix may find it now, it is being updated all the time.

gerbil 216 Industrious Poster

Okay, it's not in there. Bo, I am going to have to give up on this one for a while - I am not helping you... This is the result of a vundo infection, it seems, and you are clean of that now. There is a temporary fix to remove the cross that I spotted on one site...
Paste this text in a notepad, save it as C:\autorun.inf

ICON=C:\Windows\system32\shell32.dll,8

Stop and restart explorer.exe [or restart your sys].
Should work, but it does not fix the actual problem...

gerbil 216 Industrious Poster

Search for the whole string:
shell32.dll,240
-if it is not found a box will pop saying that. That searchline represents the icon in shell32 - I am wondering since you do not have an autorun.inf file [which would override a reg key] if that red cross is being specified by some registry key other than those we checked earlier. If you do find it please export that key and post it [change the "exportname".reg file extension to .txt first, then dclick the file to open it in a notepad][..or you simply drag the "exportname".reg file into a notepad]
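
The post above asks for a search of the registry for the whole string and an export of whichever key contains it; the earlier fixkey.reg post shows the same .reg format used for a key deletion. The Python script below is an added example, not code from the forum posts or from any tool named in the thread. It parses an exported .reg file (the "Windows Registry Editor Version 5.00" format, including `hex(2)` expandable strings and backslash continuation lines), searches the value data for a string such as `shell32.dll,240`, and writes the matching keys back out as a .reg fragment that can be posted. The sample export is constructed: the `Drives\C` key is the one the thread's showkey.bat queries, but its `DefaultIcon` subkey and the other keys and values are made up for the demo, and the function names are the editor's own.

```python
"""Search an exported .reg file for a value containing a given string (for
example the icon reference "shell32.dll,240") and re-export the matching keys.

Added example, not code from the original forum posts. SAMPLE_REG is a
constructed export: only the Drives\C key name comes from the thread; the
DefaultIcon subkey, the Shell Icons entry and the Drive key are made up.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int, bytes]
RegTree = Dict[str, Dict[str, Value]]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon]
@="C:\\Windows\\system32\\shell32.dll,240"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons]
"8"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,\
  6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,32,00,34,00,30,00,00,00

[HKEY_CLASSES_ROOT\Drive\DefaultIcon]
@="%SystemRoot%\\system32\\shell32.dll,8"
"Version"=dword:00000005
"""

# `@` is the (Default) value; a quoted name may contain escaped quotes/backslashes.
VALUE_LINE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode_data(data: str) -> Value:
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])     # un-escape \\ and \"
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                                     # plain REG_BINARY stays as bytes
    return data                                        # "-" (value deletion) or unknown syntax


def parse_reg(text: str) -> RegTree:
    """Parse .reg text into {key: {value name: data}}. A key written as
    [-HKEY...] (a deletion, as in the thread's fixkey.reg) keeps its leading '-'."""
    tree: RegTree = {}
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""
        tree[key][name] = _decode_data(m.group(2))
    return tree


def find_values(tree: RegTree, needle: str) -> List[Tuple[str, str, str]]:
    """Case-insensitive whole-substring search over string data, like regedit's
    Find with 'Data' ticked; returns (key, value name, data) triples."""
    needle = needle.lower()
    return [(k, n, v) for k, vals in tree.items() for n, v in vals.items()
            if isinstance(v, str) and needle in v.lower()]


def export_keys(tree: RegTree, keys) -> str:
    """Re-serialise the given keys as a .reg fragment. Decoded expandable strings
    are written back as plain strings, which is fine for posting, not for re-import."""
    def quote(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    out = ["Windows Registry Editor Version 5.00", ""]
    for k in keys:
        out.append(f"[{k}]")
        for n, v in tree[k].items():
            lhs = "@" if n == "" else quote(n)
            if isinstance(v, str):
                rhs = quote(v)
            elif isinstance(v, int):
                rhs = f"dword:{v:08x}"
            else:
                rhs = "hex:" + ",".join(f"{b:02x}" for b in v)
            out.append(f"{lhs}={rhs}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    tree = parse_reg(SAMPLE_REG)
    hits = find_values(tree, "shell32.dll,240")
    for key, name, data in hits:
        print(f"{key}  [{name or '(Default)'}] = {data}")
    print(export_keys(tree, sorted({h[0] for h in hits})))
```

On the affected machine a full export can be produced with `regedit /e export.reg` (or per key with `regedit /e file.reg "HKEY_..."`) and then searched with this script rather than by eye; note that a hit for `shell32.dll,240` says only that some key references that icon index, which is exactly the question the post leaves open.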