I told a friend to run Combofix a short time ago

He called this week and told me he now has a strange behavior after running it

1. In the past ( before combofix) when a USB thumb drive was attached the explorer window always opened for the new drive.
It No longer does this
The drive is added to My Computer when he opens it

2. Autorun does not pop up when he inserts a cd or dvd
Even audio disks don't play unless he double clicks the drive in My Computer

When a music or movie disk is in the drive and he double clicks it the default program does start and plays it

I assume autorun is working because of this
But doesn't auto run also control the explorer window for the new thumb drive ( explorer and media player for the cd's)

At first I was thinking it was just a quirk with his copy of Vista
However it is also doing it to his XP sp3 on another system..


I haven't worked with Combo fix that much
So I don't know where to look first on this little problem.

Any one have a suggestion ?

You need to post the Hijackthis log and the Combofix log so I can see what is going on. Have you check the Autoplay setting of the Optical drive.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:05, on 2008-06-14
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents%20and%20Settings/Rick/My%20Documents/startup%20bookmark.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O13 - Gopher Prefix:
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HDD Temperature (HDDTService) - Unknown owner - C:\Program Files\Palick Soft\HDD Temperature Pro\HDDTsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

--
End of file - 4084 bytes

Logfile of HijackThis v1.99.1
Scan saved at 3:58:19 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Novatix\ExplorerPlus\NXExplo.exe
F:\Download\For XP Use only\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Rick/My%20Documents/startup%20bookmark.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [url]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188049002125[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - [url]http://support.f-secure.com/ols/fscax.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[/url]
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: WOJUHSHDJF - Unknown owner - C:\DOCUME~1\Rick\LOCALS~1\Temp\WOJUHSHDJF.exe (file missing)

Vista Log after fixing a few

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:49, on 2008-07-05
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents%20and%20Settings/Rick/My%20Documents/startup%20bookmark.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HDD Temperature (HDDTService) - Unknown owner - C:\Program Files\Palick Soft\HDD Temperature Pro\HDDTsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

--
End of file - 3303 bytes



I have been able to duplicate the effect on my system here
Yes auto run is set to all the normal defaults

Final Hijackthis log after removing missing HDDtemperature service

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 02:00, on 2008-07-05
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Download\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents%20and%20Settings/Rick/My%20Documents/startup%20bookmark.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

--
End of file - 3076 bytes

Combo log in Vista..
(NOTE) I duplicated behavior on both Vista and XP partitions :(

ComboFix 08-07-04.3 - Rick 2008-07-05 2:50:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2427 [GMT -5:00]
Running from: E:\Download\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Rick\AppData\Local\Microsoft\Windows\Temp orary Internet Files\index.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 14:31 . 2008-07-03 14:31 <DIR> d-------- C:\Users\Rick\AppData\Roaming\HotSync
2008-07-03 14:07 . 2008-07-03 14:12 <DIR> d-------- C:\Users\All Users\DeLorme
2008-07-03 14:07 . 2008-07-03 14:12 <DIR> d-------- C:\ProgramData\DeLorme
2008-07-03 14:06 . 2008-07-03 14:06 <DIR> d---s---- C:\Windows\Cookies
2008-07-03 14:06 . 2008-07-03 14:06 <DIR> d---s---- C:\Users\Rick\Temporary Internet Files
2008-07-03 06:46 . 2008-07-03 06:46 <DIR> d-------- C:\Program Files\CCleaner
2008-06-30 15:34 . 2008-06-30 15:34 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_ 00_00.Wdf
2008-06-29 09:34 . 2008-06-29 09:37 <DIR> d-------- C:\Windows\System32\NtmsData
2008-06-21 22:08 . 2008-06-21 22:08 <DIR> d-------- C:\Users\Rick\AppData\Roaming\vlc
2008-06-21 22:04 . 2008-06-21 22:04 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-21 05:29 . 2008-07-03 23:19 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-21 05:29 . 2008-06-21 05:29 1,409 --a------ C:\Windows\QTFont.for
2008-06-11 10:20 . 2008-04-22 23:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-11 10:20 . 2008-04-22 23:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-11 10:20 . 2008-04-22 23:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-11 10:20 . 2008-04-22 23:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-11 10:14 . 2008-04-24 21:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 10:14 . 2008-04-26 03:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 10:14 . 2008-04-24 23:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 10:14 . 2008-05-09 20:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-07 23:05 . 2008-06-07 23:05 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-07 23:04 . 2008-06-07 23:04 <DIR> d-------- C:\Windows\carrier
2008-06-07 23:04 . 2008-06-07 23:04 <DIR> d-------- C:\Program Files\HP
2008-06-07 23:03 . 2008-06-07 23:03 <DIR> d-------- C:\Users\All Users\HP
2008-06-07 23:03 . 2008-06-07 23:03 <DIR> d-------- C:\ProgramData\HP
2008-06-07 23:03 . 2007-07-04 22:42 1,275,480 --a------ C:\Windows\hpzshl01.exe
2008-06-07 23:03 . 2007-07-04 22:42 1,132,120 --a------ C:\Windows\hpzmsi01.exe
2008-06-07 23:03 . 2007-07-04 21:49 892,928 --a------ C:\Windows\System32\hpwtiop2.dll
2008-06-07 23:03 . 2007-07-04 21:49 675,840 --a------ C:\Windows\System32\hpwwiax2.dll
2008-06-07 23:03 . 2007-07-04 21:48 364,544 --a------ C:\Windows\System32\hppldcoi.dll
2008-06-07 23:03 . 2007-07-04 21:49 294,912 --a------ C:\Windows\System32\hpovst11.dll
2008-06-07 23:03 . 2008-06-07 23:05 148,290 --a------ C:\Windows\hpwins05.dat
2008-06-07 23:03 . 2007-09-14 11:12 16,059 --a------ C:\Windows\hpwscr05.dat
2008-06-07 23:03 . 2007-09-14 11:10 4,785 --a------ C:\Windows\hpwmdl05.dat
2008-06-07 18:55 . 2007-07-04 22:42 258,048 --a------ C:\Windows\System32\hpzids01.dll
2008-06-07 18:55 . 2007-08-17 21:29 118,272 --a------ C:\Windows\System32\hpz3l4x6.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-07-03 19:12 --------- d-----w C:\Users\Rick\AppData\Roaming\DeLorme
2008-07-03 19:07 --------- d-----w C:\Program Files\DeLorme
2008-07-01 02:08 --------- d-----w C:\Program Files\sbnews
2008-06-23 10:32 --------- d-----w C:\Program Files\AutoCAD R14
2008-06-11 15:20 --------- d-----w C:\Program Files\Windows Mail
2008-05-15 23:18 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-05-11 05:43 --------- d-----w C:\Users\Rick\AppData\Roaming\Autodesk
2008-05-11 05:43 --------- d-----w C:\Program Files\DWG TrueView 2009
2008-05-11 05:43 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-11 05:42 --------- d-----w C:\ProgramData\Autodesk
2008-05-08 02:51 86,016 ----a-w C:\Windows\System32\OpenAL32.dll
2008-05-08 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 12:14 174 --sha-w C:\Program Files\desktop.ini
2007-12-08 08:37 532 ----a-w C:\Program Files\INSTALL.LOG
2002-07-26 23:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 18:19 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-06 21:00 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 21:00 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-06 21:00 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-237275464-2629973295-3594682860-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{7CB61CCE-40AD-47B1-8B73-BDF336736C86}"= UDP:C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:Render Manager
"{6EC00D7A-C861-4D47-99CF-B22F0604A2F2}"= TCP:C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:Render Manager
"{F7390E44-1DC1-48D2-A05E-2D19CABA3740}"= UDP:C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:Studio
"{D6ECD062-D58B-4DB5-9D79-5BB54AF32CD2}"= TCP:C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:Studio
"{FEA8C680-43FC-4528-9A4E-8872B9B88672}"= UDP:C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:PMSRegisterFile
"{879767EE-73BF-4913-A7E0-73B4ED563386}"= TCP:C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:PMSRegisterFile
"{EE598160-9629-4F22-9773-5DF1592FC73E}"= UDP:C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:umi
"{71E85200-6EF5-42E5-8C7B-3DDB4EC4383F}"= TCP:C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:umi
"TCP Query User{DEACA309-46C3-4D9C-9EAA-E6414C07BA8A}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{812EE89D-7F5B-4591-9589-D703CD8AEFC2}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{085449D6-A91B-4DAB-A6D5-7BFCE2969F07}C:\\program files\\wordperfect mail\\programs\\bin\\wpmail.exe"= UDP:C:\program files\wordperfect mail\programs\bin\wpmail.exe:WordPerfect MAIL for Windows
"UDP Query User{4F8A8B1B-AEDF-45B7-9441-8B094C81CA6D}C:\\program files\\wordperfect mail\\programs\\bin\\wpmail.exe"= TCP:C:\program files\wordperfect mail\programs\bin\wpmail.exe:WordPerfect MAIL for Windows
"{387E1421-FF75-4714-B494-AB4629EDE78C}"= UDP:990:LocalSubnet:LocalSubnet|IF={EAC7FB68-AA09-454F-8104-7C5545FC0848}|%SystemRoot%\system32\svchost.exe|Sv c=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe, -4001
"{6F4C90F2-54FD-426B-8D47-3555401D0CFD}"= UDP:990:LocalSubnet:LocalSubnet|IF={EAC7FB68-AA09-454F-8104-7C5545FC0848}|%SystemRoot%\system32\svchost.exe|Sv c=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe, -4001
"{9118A275-22FB-4FE8-85C8-A1F8D6CF179A}"= UDP:990:LocalSubnet:LocalSubnet|IF={EAC7FB68-AA09-454F-8104-7C5545FC0848}|%SystemRoot%\system32\svchost.exe|Sv c=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe, -4001
"{5FBE3101-29FA-4D72-9494-85272DBF251A}"= Disabled:UDP:C:\Users\Rick\AppData\Local\Temp\7zS5 669.tmp\setup\HPZnui01.exe:hpznui01.exe
"{8D129C38-4BB3-409E-976E-69129C7193AE}"= Disabled:TCP:C:\Users\Rick\AppData\Local\Temp\7zS5 669.tmp\setup\HPZnui01.exe:hpznui01.exe
"{FFEA99AC-9965-48F4-B412-4559951D2D25}"= Disabled:UDP:C:\Users\Rick\AppData\Local\Temp\7zS5 669.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{95B735E0-7033-4C81-BA70-6DACA744E97B}"= Disabled:TCP:C:\Users\Rick\AppData\Local\Temp\7zS5 669.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{296E29BB-AC00-4672-A262-FEE28EF20321}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{4173EEAF-8A8A-4A68-84A8-4964BAB95F64}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{F2C95190-1195-4B5C-9319-8C088DC41644}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{6DAA309F-1538-405D-B53E-734BEA2BA390}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswF sBlk.sys [2008-05-15 18:16]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\as wMonFlt.sys [2008-05-15 18:18]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2008-01-19 02:33]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 02:33]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 02:33]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 10:51]
S3 DVC150B;Dazzle DVC 150B;C:\Windows\system32\Drivers\dvc150b.SYS [2005-03-03 19:47]
S4 EMV;EMV;C:\Users\Rick\AppData\Local\Temp\EMV.exe []
S4 HDDTService;HDD Temperature;C:\Program Files\Palick Soft\HDD Temperature Pro\HDDTsvc.exe []
S4 SPXMJ;SPXMJ;C:\Users\Rick\AppData\Local\Temp\SPXMJ .exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08

*Newly Created Service* - CATCHME
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 02:52:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-07-05 2:53:33
ComboFix-quarantined-files.txt 2008-07-05 07:53:31

Pre-Run: 127,403,364,352 bytes free
Post-Run: 127,323,164,672 bytes free

143 --- E O F --- 2008-07-04 15:09:55

After running Both combofix and hijackthis

I removed the missing file process and the services with missing files
I can't find any reason why the autorun or auto open are not working

In Vista I check the autorun settings.
They are all at the defaults and set to run when disk or drive is inserted or connected

yet when I connect a thumb drive it doesn't do anything.
Iam able to access it in the windows explorer
Inserting a disk in the dvd-cd drives also does not activate the autorun

After you plug in a thumb drive once, the drive should do nothing except for appear in My Computer.

O would reset the autorun settings to off for the Optical drive, re-boot and set it back to autorun and see what happens.