W32/Pate.b.worm When you are free please help me :)

Discussion in 'Malware Help (A Specialist Will Reply)' started by sm00th69, May 5, 2008.

  1. sm00th69

    sm00th69 Private E-2

    Morning team,

    First off I must say that your site is great and the instructions are easy to follow.

    OK, so I'm currently running Windows XP Pro and I have been infected with W32/Pate.b.worm. This worm is affecting me by not allowing me to run MSN Messenger and ATITool; Internet Explorer seems to run slightly slower, and my Windows Media Player cannot run many of the AVI and MPG files that it used to run, and if they do run on WMP 11 or on DivX the movie seems to skip from time to time.

    I'm running an Intel Core 2 CPU 2.80GHz with 2GB of RAM, so I know this PC can handle running a movie.

    (Malware/virus may have come from downloading some radio software from utorrent)

    When you guys are free and are able to look over my logs, that would be fantastic.

    View attachment SUPERAntiSpyware Scan Log - 05-05-2008 - 19-22-46.log

    View attachment mbam-log-5-5-2008 (20-02-45).txt

    View attachment CFlog.txt
     
  2. sm00th69

    sm00th69 Private E-2

  3. abri

    abri MajorGeek

    Hi sm00th69,
    Welcome to Major Geeks!


    Just a quick glance at your logs shows a lot of malware has been removed and a lot remains which needs to be removed. Your computer was not set into normal startup mode as required, so please go to Start / Run, type in msconfig and click on OK. In the window that opens up be sure that normal system start is checked and then click on accept and OK. After you do this, your system will need to reboot, and then please rerun C:\MGTools\GetLogs.bat by double clicking on it and attach a new set of logs that has this new information in it. When you attach the logs, please use our Manage Attachments button a little way down below the reply window and look for MGlogs.zip directly under C:\. As soon as we get this, one of us will make up a set of instructions for you and post them back to you. This takes time, so thanks for being patient.

    abri
     
  4. abri

    abri MajorGeek

    Hi sm00th69,

    Adding to the request in my last post, I have a few questions.

    Can you tell me anything about following folder and files? The dates are unusual.

    2100-01-01 10:13 . 2008-03-07 18:37 (DIR) d--hs---- C:\Boot
    2100-01-01 10:13 . 2008-03-07 17:36 443,912 -rahs---- C:\bootmgr
    2100-01-01 10:13 . 2099-05-20 14:56 8,192 -ra-s---- C:\BOOTSECT.BAK
    2099-12-31 13:50 . 2100-01-01 10:45 355 -rahsc--- C:\Boot.ini.saved


    Also, what is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\bb

    The instructions for removing the malware from your computer are mostly finished. I would prefer being able to take a look at your MGlogs run after switching your computer into normal startup before I post them to you.

    Please let me know about the above folders and files and attach the log I requested.

    Thanks.
    abri
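    The dates abri points at above (a creation date of 2100-01-01, a modification date of 2099-05-20) are the kind of thing that is easy to miss when scrolling a long directory listing. The following is an added example, not part of this thread or of any MajorGeeks tool: a small Python script that walks a directory tree and flags entries whose timestamps lie in the future or implausibly far in the past. The one-day skew allowance and the 1995 cut-off are assumptions chosen for the example, and the demo directory it builds is constructed sample data.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Assumptions for this example: tolerate a day of clock skew, and treat anything
# stamped before 1995 as suspicious on a Windows XP era machine.
FUTURE_SLACK = 24 * 3600
EARLIEST = datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp()


def fmt(ts):
    """Render a Unix timestamp the way the log in the thread shows dates."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M")


def find_implausible(root, now=None):
    """Return (path, reason) for every file or directory under root whose
    modification time or ctime is in the future or before EARLIEST.
    On Windows st_ctime is the creation time, which is the 2100-01-01 column
    in abri's listing; on POSIX it is the inode change time."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not this script's concern
            for label, ts in (("mtime", st.st_mtime), ("ctime", st.st_ctime)):
                if ts > now + FUTURE_SLACK:
                    findings.append((path, f"{label} in the future: {fmt(ts)}"))
                elif ts < EARLIEST:
                    findings.append((path, f"{label} implausibly old: {fmt(ts)}"))
    return findings


def build_demo_dir():
    """Constructed sample: a temp directory with one normal file and one file
    whose mtime has been pushed to 2100-01-01, mimicking the listing above."""
    root = tempfile.mkdtemp(prefix="tsdemo_")
    normal = os.path.join(root, "normal.txt")
    future = os.path.join(root, "bootmgr_lookalike.txt")
    for p in (normal, future):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    y2100 = datetime(2100, 1, 1, 10, 13, tzinfo=timezone.utc).timestamp()
    os.utime(future, (y2100, y2100))
    return root


if __name__ == "__main__":
    demo_root = build_demo_dir()
    for path, reason in find_implausible(demo_root):
        print(f"{path}: {reason}")
```

    Run it against C:\ (or any drive root) instead of the demo directory to get the same short list abri extracted by hand; timestamps in the future are not proof of infection, but they are a reliable cue to ask what created the file.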
     
  5. sm00th69

    sm00th69 Private E-2

    View attachment MGlogs.zip


    Thank you for your replies abri. I have followed your next instructions and have attached the Zip file.

    Those folders you asked me about that are in the C: drive, I have no idea what they are or where they have come from; they were created in the last month. (Also, the dates on those folders are random.)
    No idea on that BB folder.

    F.Y.I., after uploading my logs on this forum last night I purchased and installed Norton 360 V2.0; please advise if I need to remove this software to carry on with the other instructions.

    Thank you once again.


    sm00th69
     
  6. abri

    abri MajorGeek

    Hi sm00th69,

    For your future attachments, please use the Manage Attachments button below the reply window to upload your attachments to us.

    What is in the following folders? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\Boot
    C:\bb


    Now please do the following:


    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) SE Runtime Environment 6 Update 1

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {86A57094-E62C-4522-9591-F3C045E5197F} - C:\WINDOWS\system32\khfFYSME.dll (file missing)
    O2 - BHO: (no name) - {8C2064C1-65C3-43DE-9CE9-A45F8D232090} - C:\WINDOWS\system32\ddcdcyvt.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [38eddbbe] rundll32.exe "C:\WINDOWS\system32\bpmonitb.dll",b
    O4 - HKLM\..\Run: [BM3bdee822] Rundll32.exe "C:\WINDOWS\system32\ybmrhcjp.dll",s
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O20 - Winlogon Notify: njgeqsyo - njgeqsyo.dll (file missing)
    O20 - Winlogon Notify: xvjbhkfa - xvjbhkfa.dll (file missing)
    O20 - Winlogon Notify: __c00B7C6A - __c00B7C6A.dat (file missing)
    O20 - Winlogon Notify: __c00DB51C - __c00DB51C.dat (file missing)

    Optionally remove the following if you do not need for them to load at startup:

    O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


    After you click fix, just close hijackthis.


    7) Download and install Erunt. Use it to create a backup of your registry.

    8) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    9) Now download The Avenger by Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    10) Now run CCleaner at the default setting with the Windows tab as the top one.

    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
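    Step 6 above asks the user to pick specific lines out of a HijackThis scan. The following is an added example, not part of this thread and not a MajorGeeks or HijackThis tool: a Python triage script that applies the two cues abri is using to the quoted lines. An entry is flagged when its target is marked "(file missing)" (an orphaned autostart or hook that is safe to remove because nothing is there to load) or when an O4 rundll32 entry or an O20 Winlogon Notify handler carries a machine-generated name like the ones in the scan. The random-name heuristic (8 hex digits, or 8 lowercase letters with few vowels) is an assumption of this example, and the log text is a constructed sample built from the lines quoted in the post plus one benign iTunes entry for contrast.

```python
import re

# Constructed sample: lines from the post above plus a benign O4 entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {86A57094-E62C-4522-9591-F3C045E5197F} - C:\WINDOWS\system32\khfFYSME.dll (file missing)
O4 - HKLM\..\Run: [38eddbbe] rundll32.exe "C:\WINDOWS\system32\bpmonitb.dll",b
O4 - HKLM\..\Run: [BM3bdee822] Rundll32.exe "C:\WINDOWS\system32\ybmrhcjp.dll",s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: njgeqsyo - njgeqsyo.dll (file missing)
O20 - Winlogon Notify: __c00B7C6A - __c00B7C6A.dat (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.(dll|dat)", re.IGNORECASE)


def looks_random(name):
    """Heuristic (assumption of this example) for the generated names in the
    scan: a run of hex digits such as 38eddbbe or 3bdee822 after its BM
    prefix, or 8 lowercase letters with at most two vowels such as ybmrhcjp."""
    core = re.sub(r"^(BM|__c)", "", name)
    if re.fullmatch(r"[0-9a-fA-F]{7,8}", core):
        return True
    if re.fullmatch(r"[a-z]{8}", core):
        return sum(c in "aeiou" for c in core) <= 2
    return False


def triage(log_text):
    """Return one finding per HijackThis line that deserves attention."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned entry: referenced file no longer exists")
        if section == "O4":
            m4 = O4_RE.search(body)
            if m4 and "rundll32" in m4.group("cmd").lower():
                dll = DLL_RE.search(m4.group("cmd"))
                if looks_random(m4.group("name")) or (dll and looks_random(dll.group(1))):
                    reasons.append("rundll32 loading a DLL with a machine-generated name")
        if section == "O20":
            # "Winlogon Notify: <key> - <file>" -> take the key name
            handler = body.split(":", 1)[-1].strip().split(" - ")[0]
            if looks_random(handler):
                reasons.append("Winlogon Notify handler with a machine-generated name")
        if reasons:
            findings.append({"section": section, "line": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

    The script is a reading aid, not a replacement for the reviewer: it reproduces abri's selection for these lines (and leaves the iTunes entry alone), but a legitimate Winlogon Notify handler or an unusual but genuine vendor name would still need a human to confirm before anything is fixed in HijackThis.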
     
  7. sm00th69

    sm00th69 Private E-2

    G'day Abri,

    Once again, thank you for your time in posting your instructions.

    All went well; my reports have been attached to this post as requested. View attachment avenger.txt

    View attachment MGlogs.zip

    Computer boots up faster (of course).
    Most of my TV series and movies play as normal again (thank you);
    some still don't stream (have I uninstalled some codecs?).

    My ATITool, which runs when my PC boots to give maximum performance on my graphics card, pops up with an error message: C:/Program files/ATTITOOL/ATTITOOL.exe
    R6002 Floating point not loaded
    (should I reinstall this software?)


    Once again thank you for your time, please let me know what the final reports state.




    Sm00th69
     
  8. sm00th69

    sm00th69 Private E-2

    Last but not least, I don't know what those folders are, the BB etc. Should I just delete them?
     
  9. abri

    abri MajorGeek


    I need to know what is in them before I can ask you to delete them. Please open the following folders and look inside them. Tell me if there are any files in them and, if so, which files. Don't open any of the files, just the folders.

    C:\Boot
    C:\bb
     
