WiredWX Christian Hobby Weather Tools
Re: Bankerfox.a, win32/nuqel.e, and other issues
Ah, that's alright. I didn't have very high hopes in the first place, and I would never trust my computer again even if it was fixed. I asked my computer programming teacher about reformatting, and he told me for Dell and HP laptops that Windows XP is actually stored on a hidden partition on the laptop itself, so I can reformat without the disc.

And so I'm doing your entire next step on the healthy computer?

Re: Bankerfox.a, win32/nuqel.e, and other issues
And where's the link to the new version of Combofix?

Re: Bankerfox.a, win32/nuqel.e, and other issues
No, leave the healthy computer alone. Run the script from the infected one, and have the flash drive plugged in at the same time.

Yes, XP has a hidden formatting-like button; it's called Factory Restore.
Once we remove the flash drive infection, the stick should be fine, but the machine will still be junk.

Link:
http://www.techsupportforum.com/sectools/sUBs/ComboFix/Combo-Fix.exe

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Bankerfox.a, win32/nuqel.e, and other issues
Alright, it's running right now. So once it's finished, the stick will not get infected from transferring the log file back to the healthy computer? And if Trend detected the autorun, does that mean it has infected the healthy computer, or was it just on the stick?

Re: Bankerfox.a, win32/nuqel.e, and other issues
It was just the stick.
The other machine should be fine, but we'll check once we're done here.


Re: Bankerfox.a, win32/nuqel.e, and other issues
ComboFix 09-01-10.01 - Kevin Kaminski 2009-02-04 20:03:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.129 [GMT -5:00]
Running from: c:\documents and settings\Kevin Kaminski\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kevin Kaminski\Desktop\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Kevin Kaminski\vopxq.exe
c:\windows\sysguard.exe
c:\windows\system32\_hs78k4rgf4d.dll
c:\windows\system32\37.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\epzinkyu.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\Winko72.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\secupdat.dat
c:\windows\system32\WinCtrl32.dll
c:\windows\Tasks\tezxinug.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\02032009_215117\2097053319
c:\_otmoveit\MovedFiles\02032009_215117\autorun.inf
c:\_otmoveit\MovedFiles\02032009_215117\btuplu.exe
c:\_otmoveit\MovedFiles\02032009_215117\bukcdll.exe
c:\_otmoveit\MovedFiles\02032009_215117\dnwqxus.exe
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\inC.tmp
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\tmp22.tmp
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\tmp23.tmp
c:\_otmoveit\MovedFiles\02032009_215117\iwvrf.exe
c:\_otmoveit\MovedFiles\02032009_215117\jlpooc.exe
c:\_otmoveit\MovedFiles\02032009_215117\mlevsfdk.exe
c:\_otmoveit\MovedFiles\02032009_215117\program files\src.zip
c:\_otmoveit\MovedFiles\02032009_215117\program files\system\smss.exe
c:\_otmoveit\MovedFiles\02032009_215117\program files\system\smss.exe.assembly
c:\_otmoveit\MovedFiles\02032009_215117\pyvtw.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\mqcd.dbt
c:\_otmoveit\MovedFiles\02032009_215117\windows\pp1.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\azton.mt
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\dedwf.lp
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\do8d.sr
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\drivers\0.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\drivers\nfr.sys
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\eaaivdtc.ini
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\htbnrm
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\jvtkml.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\kukezifu.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\mmmlujlu.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\ncatng.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\qzhr1.ant
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\re3d.pf
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\rer.wa
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\TDSSlonv.dat
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\twain32\local.ds
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\twain32\user.ds
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\WinCtrl32.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\temp\576718.tmp
c:\_otmoveit\MovedFiles\02032009_215117\windows\ynh.dx
c:\_otmoveit\MovedFiles\02032009_215321.log
c:\_otmoveit\MovedFiles\02032009_215321.res
c:\_otmoveit\MovedFiles\02032009_215321\autorun.inf
c:\windows\sysguard.exe
c:\windows\system32\_hs78k4rgf4d.dll
c:\windows\system32\37.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\epzinkyu.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\Winko72.sys
c:\windows\system32\secupdat.dat
c:\windows\Tasks\tezxinug.job

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 18:46 . 2008-04-13 19:11 96,256 --a------ c:\windows\system32\ati2cqa.dll
2009-02-04 18:46 . 2009-02-04 18:46 32,768 --ah----- c:\documents and settings\Kevin Kaminski\vopxq.exe
2009-02-03 16:44 . 2009-02-03 16:44 d-------- c:\windows\system32\CatRoot2-Old
2009-02-02 22:27 . 2009-02-02 22:27 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\program files\SUPERAntiSpyware
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\documents and settings\Kevin Kaminski\Application Data\SUPERAntiSpyware.com
2009-02-02 22:25 . 2009-02-02 22:25 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-02 22:07 . 2009-02-02 22:07 d-------- c:\program files\Trend Micro
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\program files\Prevx
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-02 21:01 . 2009-02-02 21:01 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-02 21:01 . 2009-02-02 21:01 67 --a------ c:\windows\wininit.ini
2009-02-02 17:15 . 2009-02-02 17:15 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-02 16:31 . 2009-02-02 16:31 75,264 --a------ c:\windows\system32\drivers\gaopdxraehxued.sys
2009-02-02 16:31 . 2009-02-04 19:12 4 --a------ c:\windows\system32\gaopdxcounter
2009-02-01 20:49 . 2008-04-13 19:12 43,520 --a------ c:\windows\system32\stu2.exe
2009-01-28 18:54 . 2009-01-28 18:54 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-28 18:54 . 2009-01-28 18:54 1,409 --a------ c:\windows\QTFont.for
2009-01-26 16:57 . 2009-01-26 16:57 d-------- c:\documents and settings\Kevin Kaminski\Application Data\Malwarebytes
2009-01-26 16:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 16:56 . 2009-02-02 22:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 16:56 . 2009-01-26 16:56 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 16:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:38 . 2009-01-20 17:38 d-------- c:\program files\about_files
2009-01-20 17:18 . 2009-01-20 17:47 d-------- c:\documents and settings\Kevin Kaminski\workspace
2009-01-20 17:15 . 2009-01-20 17:17 d-------- c:\program files\eclipse
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\program files\BitZipper
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\documents and settings\Kevin Kaminski\Application Data\BitZipper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 01:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-02 22:45 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-02 22:45 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-02 22:45 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-02 22:45 --------- d-----w c:\program files\Symantec
2009-01-23 02:31 139,152 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 19:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\PLT Scheme
2008-12-08 21:49 --------- d-----w c:\program files\Synthesia
2008-12-08 21:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\Synthesia
2008-12-06 21:59 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 21:58 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-06 21:57 --------- d-----w c:\program files\TabPlayer
2008-12-06 21:55 --------- d-----w c:\program files\Real
2008-12-06 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-06 21:42 --------- d-----w c:\program files\Punch! Super Home
2008-12-06 21:40 --------- d-----w c:\program files\EA GAMES
2008-12-06 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-12-06 19:03 --------- d-----w c:\program files\WorldOfGooDemo
2008-09-06 22:19 22,328 -c--a-w c:\documents and settings\Kevin Kaminski\Application Data\PnkBstrK.sys
2008-06-18 13:54 7,959 ----a-w c:\program files\about.html
2008-06-18 13:54 589 ----a-w c:\program files\.classpath
2008-06-18 13:54 373 ----a-w c:\program files\.project
2008-06-18 13:54 2,073,870 ----a-w c:\program files\swt-debug.jar
2008-06-18 13:54 1,488,516 ----a-w c:\program files\swt.jar
2000-09-18 22:07 2,285,568 ----a-w c:\program files\Power Tab Editor.exe
2008-05-18 22:36 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 08:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-02 22:15:51 c:\windows\system32\user32.DLL
578,560 2009-02-02 22:15:51 c:\windows\system32\dllcache\user32.dll


((((((((((((((((((((((((((((( snapshot@2009-02-04_19.16.11.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-01-14 86016]
"PhanTim30"="c:\program files\PhanTim3\PhanTim3.exe" [2004-06-14 1229312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 118874]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 708698]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 254014]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 192512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 69632]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 262144]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\documents and settings\Kevin Kaminski\vopxq.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Kaminski^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2005-05-12 06:02 118784 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-05-12 05:33 57452 c:\program files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 20:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-02 21512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-08-26 99376]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-04-16 894216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-02 4107832]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-04-16 689416]
S0 epzinkyu;epzinkyu;c:\windows\system32\Drivers\epzinkyu.sys --> c:\windows\system32\Drivers\epzinkyu.sys [?]
S0 Winko72;Winko72;c:\windows\system32\Drivers\Winko72.sys --> c:\windows\system32\Drivers\Winko72.sys [?]
S1 nfr.sys;nfr.sys;\??\c:\windows\system32\drivers\nfr.sys --> c:\windows\system32\drivers\nfr.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe --> c:\program files\system\smss.exe [?]
S4 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-04 22784]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dad.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 01:38]

2009-02-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.verizon.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 20:06:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?7?9??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxjvnqiidl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\id\Doom95\Config\¬ (* *]
"mouse_sensitivity"=dword:00000009
"sfx_volume"=dword:00000008
"music_volume"=dword:00000003
"show_messages"=dword:00000001
"key_right"=dword:0000004d
"key_left"=dword:0000004b
"key_up"=dword:00000048
"key_down"=dword:00000050
"key_strafeleft"=dword:00000033
"key_straferight"=dword:00000034
"key_fire"=dword:0000001d
"key_use"=dword:00000039
"key_strafe"=dword:00000038
"key_speed"=dword:00000036
"use_mouse"=dword:00000000
"full_screen"=dword:00000000
"full_keyboard"=dword:00000000
"mouseb_fire"=dword:00000000
"mouseb_strafe"=dword:00000001
"mouseb_forward"=dword:00000002
"use_joystick"=dword:00000000
"joyb_fire"=dword:00000000
"joyb_strafe"=dword:00000001
"joyb_use"=dword:00000003
"joyb_speed"=dword:00000002
"joy_id"=dword:00000000
"joy_axis_map"="yx "
"joy_feedback_DLL"=""
"joy_move_threshold"=dword:00000800
"joy_move_sensitivity"=dword:00000250
"joy_turn_threshold"=dword:00001000
"joy_turn_sensitivity"=dword:00000020
"joyb_fist_saw"=dword:ffffffff
"joyb_pistol"=dword:ffffffff
"joyb_shotgun"=dword:ffffffff
"joyb_chaingun"=dword:ffffffff
"joyb_missile"=dword:ffffffff
"joyb_plasma"=dword:ffffffff
"joyb_bfg"=dword:ffffffff
"joyb_inc"=dword:ffffffff
"joyb_dec"=dword:ffffffff
"screenblocks"=dword:00000008
"detaillevel"=dword:00000000
"snd_channels"=dword:00000003
"usegamma"=dword:00000000
"chatmacro0"="No"
"chatmacro1"="I'm ready to kick butt!"
"chatmacro2"="I'm OK."
"chatmacro3"="I'm not looking too good!"
"chatmacro4"="Help!"
"chatmacro5"="You suck!"
"chatmacro6"="Next time, scumbag..."
"chatmacro7"="Come here!"
"chatmacro8"="I'll take care of it."
"chatmacro9"="Yes"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxjvnqiidl.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(376)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Hp\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 20:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 01:10:27
ComboFix2.txt 2009-02-05 00:20:05

Pre-Run: 34,054,430,720 bytes free
Post-Run: 34,052,333,568 bytes free

363 --- E O F --- 2008-07-08 22:03:01
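The registry loading points in the log above carry several of the classic signs of this kind of infection: a second executable (vopxq.exe) appended to the Winlogon Userinit value, Security Center monitoring switched off, the Windows Firewall disabled, and an IE proxy pointing at 127.0.0.1. The following script is an added example (not code from the thread or from ComboFix) that parses a constructed excerpt of those entries and flags each indicator; the key names and values are copied from the log, the check logic is the editor's.

```python
"""Triage of the registry loading points in a ComboFix log.

Added example, not code from the thread or from ComboFix. SAMPLE_LOG is a
constructed excerpt of the entries in the log above; the checks are for
well-known indicators: an extra executable on the Winlogon Userinit value,
Security Center monitoring disabled, the Windows Firewall off, and an IE
proxy pointing at localhost.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\documents and settings\Kevin Kaminski\vopxq.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyServer = http=127.0.0.1:7070
"""

# The only executable Userinit should name on a clean XP box.
EXPECTED_USERINIT = "userinit.exe"
VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)$')


def parse_keys(text):
    """Map each [key path] (lower-cased) to its name->value pairs; lines outside any key go under ''."""
    keys = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).strip().strip('"')
        elif "=" in line:  # ComboFix's 'uInternet Settings,... = ...' style lines
            name, value = line.split("=", 1)
            keys[current][name.strip()] = value.strip()
    return keys


def dword(value):
    """Parse a 'dword:0000000n' string; None if the value is not a dword."""
    return int(value.split(":", 1)[1], 16) if value.lower().startswith("dword:") else None


def triage(text):
    """Return a list of (indicator, detail) tuples for suspicious loading points."""
    findings = []
    for path, values in parse_keys(text).items():
        if path.endswith("\\winlogon") and "Userinit" in values:
            # Userinit is comma-separated; anything besides userinit.exe runs at every logon.
            for entry in values["Userinit"].split(","):
                entry = entry.strip()
                if not entry:
                    continue
                tail = entry.rsplit("\\", 1)[-1].split()
                exe = tail[0].lower() if tail else ""
                if exe != EXPECTED_USERINIT:
                    findings.append(("winlogon-userinit-extra", entry))
        if "security center" in path and dword(values.get("DisableMonitoring", "")) == 1:
            findings.append(("security-center-monitoring-disabled", path))
        if "firewallpolicy" in path and values.get("EnableFirewall", "1").strip().startswith("0"):
            findings.append(("windows-firewall-disabled", path))
        proxy = values.get("uInternet Settings,ProxyServer", "")
        if re.search(r"127\.0\.0\.1|localhost", proxy):
            findings.append(("ie-proxy-to-localhost", proxy))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```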

Re: Bankerfox.a, win32/nuqel.e, and other issues
Should I go ahead and reformat now?

Re: Bankerfox.a, win32/nuqel.e, and other issues
Not yet, need to make sure your stick is clean.

Was the stick plugged in when you ran CF?

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now open your E drive (the stick) by right-clicking the drive > Explore.
Now that hidden files are shown, is there an autorun.inf there?


Re: Bankerfox.a, win32/nuqel.e, and other issues
Indeed, it is.

And yes, I left the stick in while running the program.

Re: Bankerfox.a, win32/nuqel.e, and other issues
Is it a folder icon or a file?
If it's a folder, it's the dummy F_D made; if it's a file, delete it.

Let me know if it won't delete it.


Re: Bankerfox.a, win32/nuqel.e, and other issues
It is tinted a lighter color and is a folder.

Re: Bankerfox.a, win32/nuqel.e, and other issues
Ah.
Inside the folder, there should be a "this folder was created by Flash Disinfector".

if there is, memory stick is clean.
The machine can be formatted now.

[edit]
Going to bed now.
Once the machine is formatted, install an AV ASAP.

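The check the last few posts walk through by hand (show hidden and protected files, look at the root of the stick, then decide whether autorun.inf is a real file or the dummy folder that F_D leaves behind) can be scripted. The following is an added example, not code from the thread or from any disinfector tool: it classifies the root of a drive into the three states discussed above and, for a real file, parses the [autorun] launch directives so the executable it would start is visible. It assumes a drive root such as `E:\\` on Windows (hidden/system attributes are only available there); `build_demo()` constructs all three cases in a temporary directory with made-up file names for offline use.

```python
"""Check a removable drive's root for autorun.inf, the way the thread does by hand.

Added example, not code from the thread or from any disinfector tool. It
distinguishes three states: no autorun.inf, a dummy *folder* named autorun.inf
(which a worm cannot overwrite with its own file, and which the thread says
holds a "this folder was created by ..." marker), and a real *file*, whose
[autorun] launch directives are parsed so the target executable is visible.
build_demo() constructs all three cases in a temp directory; every file name
it uses is made up for the demo.
"""
import configparser
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4  # bits of st_file_attributes (Windows)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # directives XP will execute


def parse_autorun(path):
    """Return {directive: value} for launch directives in every [autorun*] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    with open(path, encoding="latin-1", errors="replace") as fh:
        cp.read_file(fh)
    launch = {}
    for section in cp.sections():
        if section.lower().startswith("autorun"):
            for key, value in cp.items(section):
                if key.lower() in LAUNCH_KEYS and value:
                    launch[key.lower()] = value.strip()
    return launch


def inspect_autorun(drive_root):
    """Classify autorun.inf at drive_root (e.g. 'E:\\\\'); the name match is case-insensitive."""
    names = [n for n in os.listdir(drive_root) if n.lower() == "autorun.inf"]
    if not names:
        return {"status": "absent"}
    path = os.path.join(drive_root, names[0])
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 on non-Windows platforms
    hidden = bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    if os.path.isdir(path):
        # A folder cannot be parsed as an autorun script, so it blocks a worm's own autorun.inf.
        return {"status": "dummy_folder", "path": path, "hidden": hidden,
                "contents": sorted(os.listdir(path))}
    return {"status": "file", "path": path, "hidden": hidden, "launch": parse_autorun(path)}


def build_demo(root):
    """Create three constructed drive roots under root: clean, dummy folder, live autorun.inf."""
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    dummy = os.path.join(root, "dummy")
    os.makedirs(os.path.join(dummy, "autorun.inf"))
    with open(os.path.join(dummy, "autorun.inf", "marker.txt"), "w") as fh:
        fh.write("placeholder: this folder was created by a disinfector tool\n")
    live = os.path.join(root, "live")
    os.makedirs(live)
    with open(os.path.join(live, "AUTORUN.INF"), "w") as fh:  # constructed, not a real sample
        fh.write("[AutoRun]\nopen=dropper_placeholder.exe\n"
                 "shellexecute=dropper_placeholder.exe\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    return clean, dummy, live


def run_demo():
    """Build the constructed drives in a temp dir and return the inspection result of each."""
    with tempfile.TemporaryDirectory() as root:
        clean, dummy, live = build_demo(root)
        return {name: inspect_autorun(d)
                for name, d in (("clean", clean), ("dummy", dummy), ("live", live))}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

On a real machine call `inspect_autorun("E:\\")` against the stick; a `file` result with a non-empty `launch` dict is the case the thread says to delete.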

Re: Bankerfox.a, win32/nuqel.e, and other issues
Yeah, that's in the folder.

Edit: Alright, so it turns out my laptop wasn't installed with a recovery program. I'm going to try and find an XP CD and install it tomorrow. Do you want any scans of the clean OS or anything?

Re: Bankerfox.a, win32/nuqel.e, and other issues
No. But once you do get that clean install over with, run F_D again and turn off autorun on your machine.


Re: Bankerfox.a, win32/nuqel.e, and other issues
Should I download Service Pack 2 or 3? Automatic Updates is prompting me to download 3, and I had tried to download 2 previously, but it said it "did not find the expected version" and didn't install.

Re: Bankerfox.a, win32/nuqel.e, and other issues
Download SP3.


Re: Bankerfox.a, win32/nuqel.e, and other issues
Alright, I got SP3 installed, Trend Micro Internet Security installed, and Opera installed. I'm also going to download Malwarebytes later.

I want to thank you greatly for your timely help and effort. It's amazing that this site is free because it's the best tech support I have come across. I don't know how you guys do it. I will definitely recommend this site and use it again in the future if I have any problems. Thanks again.

-PENGUINKK

Re: Bankerfox.a, win32/nuqel.e, and other issues
Hello.
I do it because I can; it's my way of fighting back. I was in your shoes once, ya know.

Please read below to keep yourself safe.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.


Re: Bankerfox.a, win32/nuqel.e, and other issues
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.
