Click here to get back home

Re: not a valid Win32 application - warning. Can't run antivirus apps

 HomeNewsGroups | Search
Login Password
Register Now! Lost Password?
 microsoft.public.security.virus    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Re: not a valid Win32 application - warning. Can't run antivirus apps Nehmo 11-16-2008
Posted by Nehmo on November 16, 2008, 12:14 am
Please log in for more thread options
> On the Tools menu in Windows Explorer, click Folder Options.
> Click the View tab.
> Under the Hidden files and folders heading select Show hidden files and
> folders.
> Uncheck the Hide protected operating system files (recommended) option
> Click ok.
> Can you see those files now? send me a copy of the MBAM log

I already have "Hide protected operating system files (Recommended)"
with an un-checked box. I also have "Hidden files and Folders" set
with a dotted circle to the option "Show hidden files and folders".

The file isn't there. Yet I continually get DriveSentry popups saying
winfilse.exe is trying to write to either Temporary Internet files ie
content or Cookies. These popups are loged by DriveSentry.

The Malwarebytes (MBAM) log is short enough to just post here. MBAM
deleted Winterms.exe (see near the end of the log). That was the other
file I couldn't find.

The MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1400
Windows 5.1.2600 Service Pack 3

11/15/2008 5:15:53 PM
mbam-log-2008-11-15 (17-15-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179546
Time elapsed: 3 hour(s), 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\downld1671.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7296.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4656.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4546.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4578.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6953.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8453.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0140.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6312.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1171.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4640.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7359.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2593.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld9375.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2750.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7609.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld636734.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld704218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld712703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld734921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld741343.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld771890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld777218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld804890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld871015.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld877390.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld880187.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld937937.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld020203.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2484.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5109.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
(Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.

--
~~ Nehmo

Posted by Dustin Cook on November 16, 2008, 9:12 pm
Please log in for more thread options
@nlpi070.nbdc.sbc.com:

> Any exe that still does not work like HJT will have to be deleted and
> re-download. I need about 3 more hours to put some finishing touches my
> script to rid you of that rootkit and another 2 to update Remove-it.

WTF? Why should he delete ANY of the exes that aren't working? They aren't
actually the issue. The rootkit is the problem, and I don't care how many
static filenames you add, you won't be killing it without help from another
program; one you likely didn't author and probably wouldn't be able to get
permission from it's author to even use. LOL.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org



Posted by Nehmo on November 16, 2008, 9:39 pm
Please log in for more thread options
> Are you still having problems? Is system restore on or off? Now you need =
to
> use a boot disk to manually remove the files.

System restore is on. I saw no restore points. I successfully created
one.
~~ Nehmo

Posted by Nehmo on November 17, 2008, 1:59 am
Please log in for more thread options
>
> > Are you still having problems? Is system restore on or off? Now you nee=
d to
> > use a boot disk to manually remove the files.
>
> System restore is on. I saw no restore points. I successfully created
> one.

Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
have Realtek High Definition Audio listed in Device Manager, so maybe
this is normal. But the process uses 30,184K in Mem Usage in Task
Manager.That seems like a lot.

Also, the popups from DriveSentry caused by winfilse.exe trying to
write are annoying. I'm not sure if there even *is* a winfilse on this
machine, and the popups demand attention before anything else. I've
had several during the writing of this post.

~~ Nehmo


Posted by Nehmo on November 17, 2008, 4:51 am
Please log in for more thread options
>
>
> > > Are you still having problems? Is system restore on or off? Now you n=
eed to
> > > use a boot disk to manually remove the files.
>
> > System restore is on. I saw no restore points. I successfully created
> > one.
>
> Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
> have Realtek High Definition Audio listed in Device Manager, so maybe
> this is normal. But the process uses 30,184K in Mem Usage in Task
> Manager.That seems like a lot.
>
> Also, the popups from DriveSentry caused by winfilse.exe trying to
> write are annoying. I'm not sure if there even *is* a winfilse on this
> machine, and the popups demand attention before anything else. I've
> had several during the writing of this post.

If anybody is still reading :-) , I have a developement. I just found
the emachines Windows XP Home OS disk. So now I can re-install the OS.
I think I can, anyway. I understand these disks that come with new
computers aren't full OS disks. I'm really not clear on the difference
between a re-install disk like this and one with the full OS. But I
understand they can be used to re-install the OS. It says that on the
label.

First, I'm considering running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix . After
reading about it and all the stuff you need to do to run it, it seems
like it may be powerful.

~~ Nehmo



~~Nehmo


Similar ThreadsPosted
Re: not a valid Win32 application - warning. Can't run antivirus apps November 9, 2008, 9:12 pm
Not a valid win32 application August 27, 2008, 7:04 am
"*.exe is not a win32 valid application" and reboot December 22, 2005, 3:41 am
not a valid win32 aplication November 18, 2007, 12:27 am
Message while opening any application THE application failed to initialize properly(0XC0000142).Click on OK to terminate the application January 16, 2007, 9:04 am
registering an application or otherwise notifying antivirus s/w ? February 7, 2006, 11:28 pm
WARNING SPWARE detected on your computer - Install an antivirus or February 3, 2006, 1:29 pm
Re: Warning David H. Lipman is g a y - Faked Post Warning March 19, 2007, 2:58 pm
Some apps not starting December 18, 2007, 2:11 am
Virus scanning apps that can be started from the DOS prompt? July 5, 2007, 5:00 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Driving a better car - Fuelzilla.com

Cabling site for homeowners and pros alike - Cabling-Design.com

Friends:

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap