Re: not a valid Win32 application - warning. Can't run antivirus apps

I already have "Hide protected operating system files (Recommended)"
with an un-checked box. I also have "Hidden files and Folders" set
with a dotted circle to the option "Show hidden files and folders".

The file isn't there. Yet I continually get DriveSentry popups saying
winfilse.exe is trying to write to either Temporary Internet Files (IE
content) or Cookies. These popups are logged by DriveSentry.

The Malwarebytes (MBAM) log is short enough to just post here. MBAM
deleted Winterms.exe (see near the end of the log). That was the other
file I couldn't find.

The MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1400
Windows 5.1.2600 Service Pack 3

11/15/2008 5:15:53 PM
mbam-log-2008-11-15 (17-15-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179546
Time elapsed: 3 hour(s), 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\downld1671.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7296.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4656.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4546.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4578.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6953.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8453.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0140.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6312.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1171.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4640.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7359.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2593.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld9375.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2750.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7609.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld636734.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld704218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld712703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld734921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld741343.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld771890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld777218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld804890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld871015.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld877390.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld880187.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld937937.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld020203.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2484.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5109.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
(Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.

--
~~ Nehmo
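Added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.30 log layout posted above. It rejoins entries that the newsreader wrapped across lines (an assumption about the layout, based on the post), then separates what was already removed from what was only scheduled for the next reboot, and flags any kernel driver (.sys) among the detections, since that rootkit component is what keeps other security tools from running. The excerpt is a constructed sample in the same format.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.30 layout from the post, wrapped at ~72 columns as the newsreader did.
SAMPLE_LOG = r"""Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\downld1671.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.
"""
ENTRY_START = re.compile(r"^[A-Z]:\\")  # every entry begins with a drive path
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.$")

def unwrap(text):
    """Rejoin entries the news client wrapped; a line that neither starts an
    entry nor is a section header continues the previous entry."""
    lines = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or line.endswith("Infected:"):
            lines.append(line)
        elif line.strip() and lines and ENTRY_START.match(lines[-1]):
            lines[-1] += " " + line  # "(No malicious items detected)" after a header is dropped
    return lines

def parse_mbam_log(text):
    """Return (section, path, detection, action) for every entry in the log."""
    entries, section = [], None
    for line in unwrap(text):
        if line.endswith("Infected:"):
            section = line[:-1]
        elif (m := ENTRY.match(line)):
            entries.append((section, m["path"], m["detection"], m["action"]))
    return entries

def triage(entries):
    """Detections per family, items only scheduled for deletion at next reboot,
    and kernel drivers (.sys): the rootkit component that blocks other tools."""
    return {
        "by_detection": Counter(e[2] for e in entries),
        "pending_reboot": [e[1] for e in entries if e[3] == "Delete on reboot"],
        "kernel_drivers": [e[1] for e in entries if e[1].lower().endswith(".sys")],
    }
```

Run against the full log, the same triage shows the Application Data\m folder still pending a reboot and srosa.sys as the driver worth checking for after that reboot.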

Re: not a valid Win32 application - warning. Can't run antivirus apps

@nlpi070.nbdc.sbc.com:

WTF? Why should he delete ANY of the exes that aren't working? They aren't
actually the issue. The rootkit is the problem, and I don't care how many
static filenames you add, you won't be killing it without help from another
program; one you likely didn't author and probably wouldn't be able to get
permission from its author to even use. LOL.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

Re: not a valid Win32 application - warning. Can't run antivirus apps

System restore is on. I saw no restore points. I successfully created
one.
 ~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps

Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
have Realtek High Definition Audio listed in Device Manager, so maybe
this is normal. But the process uses 30,184K in Mem Usage in Task
Manager. That seems like a lot.

Also, the popups from DriveSentry caused by winfilse.exe trying to
write are annoying. I'm not sure if there even *is* a winfilse on this
machine, and the popups demand attention before anything else. I've
had several during the writing of this post.

~~ Nehmo


Re: not a valid Win32 application - warning. Can't run antivirus apps

If anybody is still reading :-) , I have a development. I just found
the emachines Windows XP Home OS disk. So now I can re-install the OS.
I think I can, anyway. I understand these disks that come with new
computers aren't full OS disks. I'm really not clear on the difference
between a re-install disk like this and one with the full OS. But I
understand they can be used to re-install the OS. It says that on the
label.

First, I'm considering running ComboFix
(http://www.bleepingcomputer.com/combofix/how-to-use-combofix). After
reading about it and all the stuff you need to do to run it, it seems
like it may be powerful.

~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps

On 11/17/2008 01:51 AM, Nehmo sent:

Snip, snip...

If the CD is the recovery CD that was sold with the system, it can help
you return the system's hard disk drive to the condition it was when it
first left eMachines.  The problem arises that your system would then
lack /every/ patch, update, and service pack that was ever released
after that.  If you contemplate its use, do so without connecting the
system to the Internet in any manner.  After using the CD, obtain all
service packs, patches, updates and upgrades, from trusted media.

Also, all your security templates, security settings, and anti-malware
applications would need to be installed/re-installed from trusted media.

Only then, allow the system in question to "see" the Internet.

Pete
--
1PW

Re: not a valid Win32 application - warning. Can't run antivirus apps

It sure seems like a pain to re-install XP. I don't have much in the
way of anti-malware except Malwarebytes, and I used the default
settings on that. But still, I'd have to re-install everything. I'm
going to try ComboFix
(http://www.bleepingcomputer.com/combofix/how-to-use-combofix).
It's easier if you have a re-install disk. I have to install the
Recovery Console.
~~ Nehmo

Re: not a valid Win32 application - warning. Can't run antivirus apps

On 11/17/2008 01:25 PM, Nehmo sent:

I believe many of us will still follow this thread.  Please let us know
how things are going for you.

Good luck and best wishes to you.

--
1PW

Re: not a valid Win32 application - warning. Can't run antivirus apps


I've been reading this thread for a while now before I posted initially.
Based on your posts, it sounds to me like you should be visiting a forum
for help with malware, before you go off running tools and not being sure
of what they do. You could make things worse for yourself. Just my 2
cents.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org