not a valid Win32 application - warning. Can't run antivirus apps - Page 2


Re: not a valid Win32 application - warning. Can't run antivirus apps


There are two types of error messages. One, when I try to install many
programs; and the other, when I try to run many programs. There isn't
any "error code" as such.

The installation error says that the installation failed. Something
failed to write to some file, and I should verify if I have permission
to write to that folder. I've been trying to install anti-virus
programs recently. Most of the time the failure is the failure to
write the definitions.

The run failure is "such and such is not a valid Win32 application".

I've Googled http://xrl.us/notwin32app But I haven't found anybody in
the same exact situation. Most other people with this error can't open
anything. I can open the browsers, and I can open MS Office apps. I
can open lots of programs, actually. It appears the only programs I
can't open are the anti-malware programs. But I did successfully
install and run DriveSentry. I don't know if the program is any good,
though.


I think I don't have the Windows install CD. I'd have to look around.
And yes, that method (reinstall Windows) would solve the problem, but
we wouldn't know what happened. And it would be an inelegant solution.
There's a philosophical surrender to that route.

I still have some options. I could get more help by posting in the web-
based anti-malware forums. I'll do that right away. I could also go to
a restore point with System restore. And I could try to find some
malware scanner that works.


I'd have to make a dual-boot machine before I switched, and now is not
the time to experiment making one of those. I need to solve the
immediate problem.



Re: not a valid Win32 application - warning. Can't run antivirus apps



Not to be too harsh, but a lot of people have spent time trying to
help you, and you haven't even tried System Restore yet? If you were
an advanced user, I could understand trying to suss out the underlying
problem, but it seems like a lot of wasted effort, in my view. I'd
just run System Restore and be done with it. However, I doubt very much
that System Restore will work directly.

Larry

Re: not a valid Win32 application - warning. Can't run antivirus apps




I would be tempted to first try to run an AV from CD.
Ultimate BootCD from http://www.ultimatebootcd.com - Has F-Prot, McAfee,
Avast and AVG that you can run without booting a dodgy OS...


Re: not a valid Win32 application - warning. Can't run antivirus apps


I'm not sure if you are saying system restore will work or not. What
do you mean by not working "directly"?
I said one reason I don't feel happy re-installing windows is that it
would be giving up. But actually, I don't have an install disk, so
that's not an immediate option.
I've never used system restore, and so I don't have any confidence in
it. I suppose I should learn about it now.
~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps



Sometimes System Restore will fail (see
http://bertk.mvps.org/html/srfail.html ) and it must be done manually.
One method is described in the following link (although I haven't
tried it myself and it is rather complex. I would recommend trying all
the fixes suggested in the previous link first)...

    http://www.aade.com/XPhint/XPrecovery.htm

It requires that you are able to boot to the Command Console. Because
you lack a Windows CD, you can download a boot CD from
http://www.bootdisk.com/ and use it instead.

If you had or could borrow a UBCD4Win CD, you could use it to restore
the registry to an earlier date without having to go through the
complex procedure mentioned above. However, restoring just the
registry and not the compromised/missing DLLs won't fix the problem.
Only System Restore and SFC can restore the original DLLs. See the
previous reply on how to run SFC; it requires a Windows CD, but you
could legally use a borrowed one, I believe.

The AUMHA site  http://aumha.net/viewforum.php?f=54 mentioned in the
above link is also very helpful, but requires a lot of digging and
often just points back to http://bertk.mvps.org/html/srfail.html in
the advice given. Be sure to create a Restore Point before trying
System Restore.

Good luck.

Larry

Re: not a valid Win32 application - warning. Can't run antivirus apps


I opened System Restore. The only restore point is one created on the
9th, after the onset of the problem. When I opened it previously,
there were other points. I must have, or something must have, deleted
the other points. I don't recall doing anything to delete restore
points, however. I did twice do a Disk Cleanup, but that doesn't (I
just looked) delete restore points.

And don't worry about being "harsh".  Say anything you want to say as
long as it tends toward a solution.
~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps



OK, thanks for the feedback. I would suggest going to another
computer, downloading and running the Antivir Rescue System from...
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
...which burns a bootable CD you can use to scan and remove viruses
from your PC.

If it fails to start up after that, I'd borrow a Windows CD and do a
repair install and change the Product Number to your own after the
repair, if it asks for one while using the borrowed CD, as often is
the case.

If the repair install fails, as it might, given how badly bruised your
system seems, I'd do a fresh install without formatting the drive,
just re-installing Windows into the current Windows directory. You
will have to re-install all your programs and restore it from backup.

I assume you have backed up your data already?

Good luck!

Larry

Re: not a valid Win32 application - warning. Can't run antivirus apps


This is the only key similar to the one above:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs


The other keys aren't there.


I haven't tried that anti-malware app yet (since the problem). I'll
see if it installs.


~~ Nehmo


Re: not a valid Win32 application - warning. Can't run antivirus apps





| This is the only key similar to the one above:

| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs


| The other keys aren't there.




| I haven't tried that anti-malware app yet (since the problem). I'll
| see if it installs.

attrib -h -r -s "%systemroot%\system32\TDSSxfum.dll"
DEL /F /Q "%systemroot%\system32\TDSSxfum.dll"

attrib -h -r -s "%systemroot%\Temp\*.*"
DEL /F /Q "%systemroot%\Temp\*.*"

attrib -h -r -s "%systemroot%\system32\TDSSlxwp.dll"
DEL /F /Q "%systemroot%\system32\TDSSlxwp.dll"


attrib -h -r -s "%systemroot%\system32\TDSSkkbi.log"
DEL /F /Q "%systemroot%\system32\TDSSkkbi.log"

attrib -h -r -s "%systemroot%\system32\drivers\TDSSpqlt.sys "
DEL /F /Q "%systemroot%\system32\drivers\TDSSpqlt.sys "

attrib -h -r -s "%systemroot%\system32\TDSSlxwp.dll"
DEL /F /Q "%systemroot%\system32\TDSSlxwp.dll"

TSServ is a RootKit and even if you had it, that simple batch file will not
remove it!

It won't remove the peer program, the NT Service and it certainly won't remove
the Registry entries which are protected via access permissions.

The TDSserv has several variants as well and the files listed in the above
deletion list are totally incomplete.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: not a valid Win32 application - warning. Can't run antivirus apps



The Real Truth MVP wrote:
[quoted text not shown]
Yeah David,
What have you got to say for yourself?



Re: not a valid Win32 application - warning. Can't run antivirus apps




| The Real Truth MVP wrote:
[quoted text not shown]


| Yeah David,
| What have you got to say for yourself?


I stick by my original response.  I am not one for indicating a wipe and reload
too easily.
However I do understand what is going on and what he has is too far involved.
In this situation a wipe and reload is the best solution.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: not a valid Win32 application - warning. Can't run antivirus apps



David H. Lipman wrote:
[quoted text not shown]

I was just being facetious.
I think you always give excellent advice.



Re: not a valid Win32 application - warning. Can't run antivirus apps




| David H. Lipman wrote:
[quoted text not shown]





| I was just being facetious.
| I think you always give excellent advice.


Thank you -- my apologies.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: not a valid Win32 application - warning. Can't run antivirus apps



Oh, and it's a rootkit. Short of direct disk access, if it's resident,
this batch file isn't going to see it.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: not a valid Win32 application - warning. Can't run antivirus apps


As I previously said, the keys aren't present, so there was nothing to
delete. But now there is significant progress. I was able to install
and run Malwarebytes_Anti-Malware. It found 300-some bad files. I then
ran Drive Sentry which found 4 more. I'm running Malwarebytes again.
But...yes, but I still can't install and run Hijack This or some other
programs. I still get the not a valid Win32 error.
~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps


There's a peculiarity that might mean something: I'm running Drive
Sentry http://www.drivesentry.com/ . The program is supposed to alert
the user to writes to the hard drive. Then the user can approve or
disapprove. I continually get (separate) warnings that winfilse.exe
(this is the correct spelling; it's not winfiles) and wintems.exe are
trying to write, and Drive Sentry suggests a rule that I should
disapprove. I do disapprove. But later I get the same warnings. Drive
Sentry, in its log section, says that winfilse.exe is in
c:\windows\system32\drivers . But when I look there using Explorer, I
don't see it.

Right now there's nothing in Drive Sentry's log about winterms.exe . I
think the log only goes so far back.

Another peculiarity: Using Firefox, I can't open messages in Hotmail.
But if I use IE, I can.

I also found this thread:
http://forums.majorgeeks.com/showthread.php?t=172675
. R4nd  seems as though he or she has a similar problem. R4nd has the
two executables I mentioned above, he or she gets the not a valid
Win32 error, he or she seems only to scan with Malwarebytes. But R4nd
doesn't say anything beyond the first post. I don't know if
bjgarrick's solution was successful.

I'm currently in the midst of an after-update scan with Malwarebytes.

Scan finished. 44 more items. Need to reboot to delete.

~~ Nehmo










Re: not a valid Win32 application - warning. Can't run antivirus apps



Sir,

please ignore that idiot Pcbutts. You have a TDSS variant rootkit.Agent
present on your computer. His advice is not going to do you much good,
aside from recommending MalwareBytes. :-)

You may wish to come to the malwarebytes.org website forums, you can get
expert assistance from professionals there. Who won't bork your system,
and who do understand what they are dealing with.


And you won't, as long as it's resident. It's hiding, intentionally.


I have been working for the last 2 days practically nonstop on TDSS
definition data, so please let me know how it goes for you.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: not a valid Win32 application - warning. Can't run antivirus apps


I haven't been reading this NG long enough to take a stand on personal
fights, and I'd prefer to permanently stay outside of those. However, I
must say that "idiot" doesn't seem applicable. (But modifying the
HOSTS file was disconcerting.) Now, back to my story.

Why are you and others convinced that I have a "TDSS variant rootkit"?
Is there something that indicates that?



Yes, so far, that's the only anti-malware application that installed
and ran. (DriveSentry also installed and ran, but I'm not sure if its
scan really does anything.) This is similar to the problem posted in
MajorGeeks http://forums.majorgeeks.com/showthread.php?t=172675 .
Why are most scanners blocked? How would some malware do that?
Something must trigger this "not a valid Win32 application" warning,
and this trigger is missing from MalwareBytes.

~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps




The symptoms you describe match that of at least 2 TDSS variants that have
come across my desk in the past 3 days. One of those two disables
MalwareBytes from being installed or run as well.


The best way to stay alive on a system is to prevent the host from
removing you. That includes blocking access to websites, and disabling
whatever software you have that could prevent and/or detect it.



The rootkit, most likely. I couldn't say with absolute certainty this is
what you do have without logs from a few apps, but I'd be willing to bet
it's a good wager.

--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: not a valid Win32 application - warning. Can't run antivirus apps



I was referring to your Nov 7th post which contained ...
"Local machine: installation failed
    Installation:
        Error: Action failed for file avgwdsvc.exe: starting
service....
            Error 0x800700c1"

Running a google search on 0x800700c1 leads to
http://www.techsupportforum.com/microsoft-support/windows-xp-support/85118-microsoft-update-error-number-0x800700c1.html

Take note of the regsvr32 and sfc commands in the second item.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
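
Added example, not part of any post in this thread: the 0x800700c1 in the installer log quoted above is the HRESULT form of Win32 error 193 (ERROR_BAD_EXE_FORMAT), the same error behind the "not a valid Win32 application" message, so both symptoms are one failure. The sketch decodes the code and checks whether a file's PE headers are intact; the function names and the sample header bytes are constructed for illustration.

```python
import struct

FACILITY_WIN32 = 7
ERROR_BAD_EXE_FORMAT = 193  # Win32 text: "%1 is not a valid Win32 application."

def decode_hresult(hr):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def is_bad_exe_format(hr):
    """True when the HRESULT wraps Win32 error 193."""
    return decode_hresult(hr) == (True, FACILITY_WIN32, ERROR_BAD_EXE_FORMAT)

def check_pe(data):
    """Return 'ok' or the first reason the headers would be rejected."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an executable: no MZ header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 26 > len(data):
        return "truncated: PE header lies past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "corrupt: PE signature missing"
    # COFF header: machine, section count, timestamp, two symbol fields,
    # optional-header size, characteristics (20 bytes in total).
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "corrupt: unknown optional-header magic"
    if e_lfanew + 24 + opt_size + nsect * 40 > len(data):
        return "truncated: section table lies past end of file"
    return "ok"

def sample_header():
    """Constructed 90-byte header with just the fields check_pe() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 2, 0x0102)
    return dos + b"PE\0\0" + coff + struct.pack("<H", 0x10B)

if __name__ == "__main__":
    print(decode_hresult(0x800700C1))        # code from the quoted AVG log
    print(check_pe(sample_header()))         # intact constructed header
    print(check_pe(sample_header()[:0x50]))  # simulated partial download
```

If a downloaded installer checks out as "ok" on a clean machine but still raises error 193 on the affected one, the file itself is not the cause.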
