MWB won't Run, infects with m.exe


MWB won't run and the installation won't run

It won't browse to Microsoft sites, the MWB site, the Spybot site or the AVG site.

The computer is used primarily for entering UPS shipments. The user indicates that the first symptom appeared after updating to the new UPS shipping program: the program would not upload shipments to the UPS database.

After running CCleaner it was able to upload to UPS, and it has been functioning all week.

The computer infects my thumb drive with m.exe each time the stick is inserted. AVG finds m.exe and kills it on my machine.

This is my first time here, please let me know if I need to do anything differently.

Following is the ComboFix log.

ComboFix 09-10-01.05 - Carol Kurburski 10/02/2009 16:00.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.627 [GMT -4:00]

Running from: c:\documents and settings\Carol Kurburski\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\LOG10.tmp

c:\windows\system32\bszip.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))

.

2009-10-02 19:14 . 2009-10-02 19:14 -------- d-----w- c:\windows\LastGood

2009-10-02 13:44 . 2009-10-02 13:44 -------- d-sh--w- c:\documents and settings\Carol Kurburski\PrivacIE

2009-10-02 13:35 . 2009-10-02 13:35 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-02 13:34 . 2009-10-02 13:34 -------- d-sh--w- c:\documents and settings\Carol Kurburski\IETldCache

2009-10-02 13:32 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-10-02 13:32 . 2009-10-02 19:14 -------- d-----w- c:\windows\ie8updates

2009-10-02 13:32 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-10-02 13:32 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-02 13:29 . 2009-10-02 13:31 -------- dc-h--w- c:\windows\ie8

2009-10-02 13:22 . 2009-10-02 13:22 -------- d-----w- c:\program files\CCleaner

2009-10-01 21:20 . 2009-10-01 21:20 -------- d-----w- c:\windows\system32\scripting

2009-10-01 21:20 . 2009-10-01 21:20 -------- d-----w- c:\windows\system32\en

2009-10-01 21:20 . 2009-10-01 21:20 -------- d-----w- c:\windows\l2schemas

2009-10-01 21:20 . 2009-10-01 21:20 -------- d-----w- c:\windows\system32\bits

2009-10-01 20:41 . 2009-10-02 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-01 20:41 . 2009-10-01 20:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-01 19:37 . 2009-10-01 19:37 -------- d-----w- c:\documents and settings\Carol Kurburski\Application Data\Malwarebytes

2009-10-01 19:37 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-01 19:37 . 2009-10-02 19:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-01 19:37 . 2009-10-01 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-01 19:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-01 17:07 . 2009-10-01 17:07 37027 ----a-w- c:\windows\atmoUn.exe

2009-10-01 17:07 . 2009-10-01 17:07 -------- d-----w- c:\program files\Viewpoint

2009-10-01 17:07 . 2009-10-01 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-30 14:19 . 2009-09-30 14:19 192528 ----a-w- c:\windows\system32\lastmon.dll

2009-09-30 14:11 . 2009-09-30 14:11 124433 ----a-w- c:\windows\system32\43a10e6f6f505ef782d30eb9fc21aeb4.exe

2009-09-28 13:18 . 2009-09-28 13:18 -------- d-----w- c:\windows\system32\XPSViewer

2009-09-28 13:18 . 2009-09-28 13:18 -------- d-----w- c:\program files\MSBuild

2009-09-28 13:17 . 2009-09-28 13:17 -------- d-----w- c:\program files\Reference Assemblies

2009-09-28 13:17 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-09-28 13:17 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-09-28 13:17 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-09-28 13:17 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-09-28 13:17 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-09-28 13:17 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-09-28 13:17 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-09-28 13:17 . 2009-09-28 13:17 -------- d-----w- C:\973832959da5721149981abede41b377

2009-09-28 13:12 . 2009-09-28 13:12 -------- d-----w- c:\program files\MSXML 6.0

2009-09-28 07:00 . 2009-09-28 07:00 -------- d-----w- C:\0735a66093a4fd0e5ead08f5cbef8d6f

2009-09-28 07:00 . 2009-09-28 07:00 -------- d-----w- C:\d58c0944001ee32495e0de5cb2cc

2009-09-27 07:00 . 2009-09-27 07:00 -------- d-----w- C:\194c58a65864016cfcc3

2009-09-27 07:00 . 2009-09-27 23:00 -------- d-----w- C:\ea2c594275adb03d8de956

2009-09-26 07:00 . 2009-09-26 23:00 -------- d-----w- C:\374deebc06623cc590df5ccc56b2749f

2009-09-09 10:39 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-02 19:13 . 2006-01-03 18:02 -------- d-----w- c:\program files\frsm

2009-10-02 13:49 . 2005-06-20 16:02 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-02 13:42 . 2005-06-20 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-02 13:36 . 2005-07-09 16:49 70032 ----a-w- c:\documents and settings\Carol Kurburski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-01 17:11 . 2005-07-22 17:21 -------- d-----w- c:\documents and settings\Carol Kurburski\Application Data\AdobeUM

2009-09-24 17:36 . 2005-06-20 15:47 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-18 17:15 . 2007-10-18 15:07 -------- d-----w- c:\documents and settings\Carol Kurburski\Application Data\U3

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 20:41 . 2009-07-11 20:41 184848 ----a-w- c:\windows\D3F9E9A66D1E815166FF5F3F895FC79.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{506CD401-5203-4B27-BB5A-03C97758FD02}]

2009-09-30 14:19 192528 ----a-w- c:\windows\SYSTEM32\lastmon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="1" [X]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"frsm"="c:\program files\frsm\frsm.exe" [2006-01-03 434176]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]

"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]

"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2007-12-13 20480]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2007-12-13 65536]

UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2007-12-12 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edaafdb]

2003-08-14 03:06 280079 ------w- c:\windows\SYSTEM32\edaafdb.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]

S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: kewill.net\webfence

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {2FF70FAD-C1C7-43F0-8B97-0C010656C124} - hxxps://webfence.kewill.net/activex/KFrsmActiveX.CAB

DPF: {8D5267D0-657B-4A38-94C7-6F2888EDFC60} - hxxps://webfence.kewill.net/activex/KPrintActiveX.CAB

DPF: {E7DE4C27-C7D6-4022-8EB7-FC3AFD99B3A2} - hxxps://webfence.kewill.net/activex/KFrsmActiveX.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-02 16:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\803117850a91a1e6f2dfa690d737e1b3.sys 39936 bytes executable

c:\windows\system32\_803117850a91a1e6f2dfa690d737e1b3.sys_.vir 39936 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\803117850a91a1e6f2dfa690d737e1b3]

"ImagePath"="system32\803117850a91a1e6f2dfa690d737e1b3.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)

c:\windows\system32\edaafdb.dll

c:\windows\system32\Wininet.dll

c:\windows\system32\igfxdev.dll

.

Completion time: 2009-10-02 16:05

ComboFix-quarantined-files.txt 2009-10-02 20:05

Pre-Run: 57,485,918,208 bytes free

Post-Run: 57,496,911,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

162 --- E O F --- 2009-10-02 19:15
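Added example, not part of the original post and not ComboFix's own tooling: a small Python triage pass over ComboFix-style log lines. The sample input is a constructed subset excerpted from the log above; the scoring rules (random-looking hex file names under the Windows directory, any Winlogon Notify package ComboFix chose to show, BHO DLLs, files the catchme pass reported as hidden, hex-named driver services) are this example's own heuristics for picking out what a responder would look at first, not a verdict on any file.

```python
"""Triage helper for ComboFix-style logs (added example; heuristics are illustrative)."""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the ComboFix log in the post above.
SAMPLE_LOG = r"""
2009-10-01 19:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 14:19 . 2009-09-30 14:19 192528 ----a-w- c:\windows\system32\lastmon.dll
2009-09-30 14:11 . 2009-09-30 14:11 124433 ----a-w- c:\windows\system32\43a10e6f6f505ef782d30eb9fc21aeb4.exe
2009-07-11 20:41 . 2009-07-11 20:41 184848 ----a-w- c:\windows\D3F9E9A66D1E815166FF5F3F895FC79.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{506CD401-5203-4B27-BB5A-03C97758FD02}]
2009-09-30 14:19 192528 ----a-w- c:\windows\SYSTEM32\lastmon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edaafdb]
2003-08-14 03:06 280079 ------w- c:\windows\SYSTEM32\edaafdb.dll
scanning hidden files ...
c:\windows\system32\803117850a91a1e6f2dfa690d737e1b3.sys 39936 bytes executable
scan completed successfully
"ImagePath"="system32\803117850a91a1e6f2dfa690d737e1b3.sys"
"""

# Heuristic patterns (this example's assumptions, not ComboFix output rules).
HEX_STEM = re.compile(r"^[0-9a-f]{16,}$", re.I)          # long hex-only file name
PATH_RE = re.compile(r'([a-z]:\\[^\s"]+\.(?:exe|sys|dll))', re.I)
WINLOGON_NOTIFY = re.compile(r"winlogon\\notify\\([^\]]+)\]", re.I)
BHO_KEY = re.compile(r"Browser Helper Objects\\(\{[0-9A-F-]+\})\]", re.I)
HIDDEN_FILE = re.compile(r"^([a-z]:\\\S+)\s+\d+ bytes executable$", re.I)
SERVICE_IMAGE = re.compile(r'"ImagePath"="([^"]+)"')


@dataclass(frozen=True)
class Finding:
    reason: str
    evidence: str


def basename_stem(path):
    """Return (stem, ext) of the last path component, e.g. ('mbam', '.sys')."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return stem, "." + ext.lower()


def triage(log_text):
    """Scan log lines and return the entries worth a closer look, in log order."""
    findings = []
    pending = None  # registry key (BHO / Notify) waiting for the path on the next line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_NOTIFY.search(line)
        if m:
            # ComboFix hides the stock Notify packages, so anything listed is non-default.
            pending = ("winlogon notify package " + m.group(1))
            continue
        m = BHO_KEY.search(line)
        if m:
            pending = ("browser helper object " + m.group(1))
            continue
        m = HIDDEN_FILE.match(line)
        if m:
            findings.append(Finding("hidden executable (catchme)", m.group(1)))
            pending = None
            continue
        m = SERVICE_IMAGE.search(line)
        if m and HEX_STEM.match(basename_stem(m.group(1))[0]):
            findings.append(Finding("hex-named service driver", m.group(1)))
        for path in PATH_RE.findall(line):
            if pending:
                findings.append(Finding(pending, path))
            if HEX_STEM.match(basename_stem(path)[0]):
                findings.append(Finding("hex-named executable", path))
        pending = None
    # De-duplicate (the same file often appears in several log sections).
    seen, unique = set(), []
    for f in findings:
        key = (f.reason, f.evidence.lower())
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55s} {f.evidence}")
```

Run it against a full ComboFix log by reading the file into `triage()`; the de-duplication matters because a file such as lastmon.dll appears both in the "Files Created" section and again under its BHO key. A flagged line is a starting point for submitting the file to a scanner or checking its signer, not proof of infection.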
