not a valid Win32 application - warning. Can't run antivirus apps


Nehmo

Nov 7, 2008, 12:03:21 PM
Win XP home sp3

Most things function normally, but...
When I try to install BitDefender Total Security 2009 or some other
security (anti-virus, anti-malware) programs I get a warning saying
that the installer can’t write to the folder that’s there for the
virus definitions.

With some programs, like McAfee, I can install, but then when I try
to run, I get the notice that the program is

-not a valid Win32 application-.

I get that with Adaware, SpybotS&D, Windows Defender, Norton, and AVG
free.

Unlike other people with the -not a valid Win32 application- problem,
I can open MS Office programs and browsers.

I ran sfc /scannow. I also did the disk cleanup deleting the temp
files. I also did the error checking on the Tools tab of Properties of
the drive. Nothing changed.

Most online scanners didn’t function. But now I’m using Trend Micro’s
online scanner, and it seems to be running. I’ll see what happens.

~~ Nehmo

Nehmo

Nov 7, 2008, 12:25:42 PM

Trend Micro online scanner is stuck on 3 min. I need to try something
else. Suggestions?
~~ Nehmo

The Real Truth MVP

Nov 7, 2008, 1:13:50 PM
Use my Remove-it software; it will remove that malware from your system.
Choose yes for all options when prompted. Download it here:
http://pcbutts1.com/downloads/tools/tools.htm

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/


"Nehmo" <neh...@hotmail.com> wrote in message
news:9b8ccf31-bf06-4260...@s9g2000prm.googlegroups.com...

Nehmo

Nov 7, 2008, 1:55:45 PM
On Nov 7, 12:13 pm, "The Real Truth MVP" <to...@tpap.com> wrote:
> Use my Remove-it software, it will remove that malware from your system.
> Choose yes for all options when prompted. Download it here
> http://pcbutts1.com/downloads/tools/tools.htm
>
> --
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
>
> "Nehmo" <nehm...@hotmail.com> wrote in message

>
> news:9b8ccf31-bf06-4260...@s9g2000prm.googlegroups.com...
> On Nov 7, 11:03 am, Nehmo <nehm...@hotmail.com> wrote:
>
>
>
> > Win XP home sp3
>
> > Most things function normally but..
> > When I try to install BitDefender Total Security 2009 or some other
> > security (anti-virus, anti-malware) programs I get a warning saying
> > that the installer can’t write to the folder that’s there for the
> > virus definitions.
>
> > With some programs, like McAffee, I can install, but then when I try
> > to run, I get the notice that the program is
>
> > -not a valid Win32 application-.
>
> > I get that with Adaware, SpybotS&D, Windows Defender, Norton, and AVG
> > free.
>
> > Unlike other people with the -not a valid Win32 application- problem,
> > I can open MS Office programs and browsers.
>
> > I ran sfc /scannow . I also did the disk cleanup deleting the temp
> > files. I also did the error checking on the Tools tab of Properties of
> > the drive. Nothing changed.
>
> > Most online scanners didn’t function. But now I’m using Trend Micro’s
> > online scanner, and it seems to be running. I’ll see what happens.
>
> > ~~ Nehmo
>
> Trend Micro online scanner is stuck on 3 min. I need to try something
> else. Suggestions?
> ~~ Nehmo

OK, I'm going to try Remove-it. It seemed like it installed rather
quickly. I don't see how all the definitions could have been
downloaded in 824kb. It will run when I restart, I hope.
I just tried Avast, and it got the not a valid Win32 error when I
tried to run it.
~~ Nehmo

Nehmo

Nov 7, 2008, 3:17:40 PM

I ran Remove it. I then tried to install AVG free. I got this error
Local machine: installation failed
Installation:
Error: Action failed for file avgwdsvc.exe: starting
service....
Error 0x800700c1

I'm going to try to install Win Defender
~~ Nehmo

Nehmo

Nov 7, 2008, 3:20:47 PM
On Nov 7, 12:55 pm, Nehmo <nehm...@hotmail.com> wrote:
> > Trend Micro online scanner is stuck on 3 min. I need to try something
> > else. Suggestions?
> > ~~ Nehmo
>
> OK, I'm going to try Remove it. It seemed like it installed rather
> quickly. I don't see how all the definitions could have been
> downloaded in 824kb. It will run when I restart, I hope.
> I just tried Avast, and it got the not a valid Win32 error when I
> tried to run it.
> ~Nehmo
> ~~ Nehmo
Win Defender installation failed. Couldn't write to
mpengine.dll
~~ Nehmo

The Real Truth MVP

Nov 7, 2008, 3:23:09 PM
You start it manually after rebooting by going to start>programs>remove-it.
Remove-it does not use definitions; it uses known file names and locations
that are derived from the definitions themselves, using multiple AV and malware
programs along with common sense. That makes it super fast, with no false
positives.


"Nehmo" <neh...@hotmail.com> wrote in message

news:d7029116-5346-4b68...@d10g2000pra.googlegroups.com...

David H. Lipman

Nov 7, 2008, 4:35:55 PM
From: "Nehmo" <neh...@hotmail.com>


| Win Defender installation failed. Couldn't write to
| mpengine.dll
| ~~ Nehmo

My suggestion is this...
Wipe the PC after backing up your PC's data and reinstall the OS from scratch.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


The Real Truth MVP

Nov 7, 2008, 5:20:07 PM
Uninstall Adaware, SpybotS&D, Windows Defender, Norton, and AVG then
redownload and install them except Norton.


"Nehmo" <neh...@hotmail.com> wrote in message

news:cbf2d3e9-5c5d-4e1a...@v22g2000pro.googlegroups.com...

Nehmo

Nov 7, 2008, 6:13:50 PM
On Nov 7, 4:20 pm, "The Real Truth MVP" <to...@tpap.com> wrote:
> Uninstall Adaware, SpybotS&D, Windows Defender, Norton, and AVG then
> redownload and install them except Norton.
>
> --

I've uninstalled all the antivirus programs. But I can't seem to
install one and get it to work. I get the not valid Win32 message.
I've been trying to get any kind of virus scan. I just tried Kaspersky
online scan. It failed with this message:

Update has failed. Program has failed to start. Close the Kaspersky
Online Scanner 7.0 window and open it again to install the program.
You must be online to update the Kaspersky Online Scanner 7 database.
With the latest database updates, you can find new viruses and other
threats. Please go online to use Kaspersky Online Scanner 7. [ERROR:
Scan has failed to start. [0x80004005]]

I can't reinstall windows because I don't have the install disk.
~~ Nehmo

David H. Lipman

Nov 7, 2008, 6:20:01 PM
From: "Nehmo" <neh...@hotmail.com>

| I've uninstalled all the antivirus programs. But I can't seem to
| install one and get it to work. I get the not valid Win32 message.
| I've been trying to get any kind of virus scan. I just tried Kasparski
| online scan. It failed with this message:

| Update has failed. Program has failed to start. Close the Kaspersky
| Online Scanner 7.0 window and open it again to install the program.
| You must be online to update the Kaspersky Online Scanner 7 database.
| With the latest database updates, you can find new viruses and other
| threats. Please go online to use Kaspersky Online Scanner 7. [ERROR:
| Scan has failed to start. [0x80004005]]

| I can't reinstall windows because I don't have the install disk.
| ~~ Nehmo

None are going to work.
Butts' plagiarized and patchworked utility, which has limited functionality and doesn't
target the malware you have, won't work.
Just about *EVERY* EXE file you try will fail.

Your system is too far gone, throw in the towel.


Wipe the PC after backing up your PC's data and reinstall the OS from scratch.

Believe me, if there was something I could throw your way -- I would.

The Real Truth MVP

Nov 7, 2008, 6:48:00 PM
Run my diagnostic tool called whatslivern. That file, after a few seconds,
when complete, will generate a log file. That log file will be saved in the
same directory you ran the program from; using the email link at the bottom
of my page, send me a copy of that log file.
http://pcbutts1.com/downloads/tools/tools.htm


"Nehmo" <neh...@hotmail.com> wrote in message

news:618276d3-d7d2-43cb...@n1g2000prb.googlegroups.com...

The Real Truth MVP

Nov 8, 2008, 10:36:00 AM
Judging from the log you sent me, it looks like you might be infected with a
variant of VBS/Redlof-A:
http://www.sophos.com/security/analyses/viruses-and-spyware/vbsredlofa.html
Follow the instructions on that page for removal and let me know if the
registry keys are there. Also, as much as I hate to say it, David Lipman's
Multi-AV tool may be able to help you.


"Nehmo" <neh...@hotmail.com> wrote in message

news:618276d3-d7d2-43cb...@n1g2000prb.googlegroups.com...

Nehmo

Nov 8, 2008, 9:21:08 PM
On Nov 7, 5:48 pm, "The Real Truth MVP" <to...@tpap.com> wrote:
> Run my diagnostic tool called whatslivern. That file after a few seconds,
> when complete, will generate a log file. That log file will be saved in the
> same directory you ran the program from, using the email link and the bottom
> of my page send me a copy of that log file.
> http://pcbutts1.com/downloads/tools/tools.htm

Instead of emailing it, I posted the logfile generated by
runningnow.vbs (which was unpacked from runningnow.exe) below. The
program seemed to have run as it should.

After being, so far, unable to install (I still get the same errors
noted in my earlier posts) any other anti-malware scanning app, I was
able to install DriveSentry http://www.drivesentry.com/ .

When it scanned, it found two malware items, named something Beagle,
which I then deleted.

DriveSentry is also repeatedly displaying a popup that gives the
option to block winfilse.exe, which DriveSentry says lives in the
system32\drivers folder, from writing. I chose to "Keep Blocking".
DriveSentry, however, did not flag winfilse.exe when DriveSentry
scanned. I also can't find winfilse.exe in that folder or anywhere on
my drive.

I'm beginning to wonder about DriveSentry.

The computer is functioning normally except it seems slow and the cpu
usage goes up to 100% a lot. I also, as noted in my earlier posts,
can't run some apps (I'm getting the not a valid Win32 app error), and
I can't completely install many anti-malware apps (something is
preventing writing of the definitions).

More on this later. I thank everybody who is helping.


---------------begin logfile

"running now.vbs", revision 70, http://www.pcbutts1.com/downloads/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Google Update" = ""C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c" [null data]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"CHotkey" = "zHotkey.exe" [empty string]
"ShowWnd" = "ShowWnd.exe" [null data]
"ModPS2" = "ModPS2Key.exe" ["Chicony"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"LanguageShortcut" = ""C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"" [null data]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"Run StartupMonitor" = "StartupMonitor.exe" [null data]
"PWRISOVM.EXE" = "C:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"lxcrmon.exe" = ""C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"" [null data]
"EzPrint" = ""C:\Program Files\Lexmark 2400 Series\ezprint.exe"" ["Lexmark International Inc."]
"LXCRCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16" [MS]
"CanonSolutionMenu" = "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon" ["CANON INC."]
"CanonMyPrinter" = "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon" ["CANON INC."]
"DriveSentry" = "C:\Program Files\DriveSentry\DriveSentry.exe" ["DriveSentry Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
     \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
{A057A204-BACC-4D26-9990-79A187E2698E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
     \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [file not found]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "Browser Address Error Redirector"
  -> {HKLM...CLSID} = "CBrowserHelperObject Object"
     \InProcServer32\(Default) = "c:\windows\system32\BAE.dll" ["Gateway Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

---------------end logfile

~~ Nehmo
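A log like the one above is normally read by eye. The Python below is an added example (mine, not pcbutts1's tool and not anything posted in the thread) that parses the same line format offline and flags the entries a responder would check first: targets reported as `[file not found]` (orphaned entries, such as the AVG BHOs left behind by an uninstall), targets with no publisher information (`[null data]`, `[empty string]`, or nothing at all), and bare file names with no path, which Windows resolves through the search path and which therefore have to be located before they can be judged. The sample input is a re-typed excerpt of the posted log; the regular expressions and the `triage` rules are my own heuristics, not a specification of the format.

```python
"""Offline triage of a Silent-Runners-style startup log. Added example, not the thread's tool."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the "running now.vbs" log posted in this thread.
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Google Update" = ""C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CHotkey" = "zHotkey.exe" [empty string]
"ShowWnd" = "ShowWnd.exe" [null data]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"LXCRCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16" [MS]
"CanonMyPrinter" = "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon" ["CANON INC."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" [file not found]
'''

# Heuristic patterns for the three line shapes we care about (my own, not the tool's grammar).
SECTION = re.compile(r'^(?P<key>HK(?:LM|CU)\\.*?\\)(?:\s*\{\+\+\})?\s*$')
CLSID = re.compile(r'^\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\\\(Default\)')
ENTRY = re.compile(r'^\s*(?:"(?P<name>[^"]+)"|\\InProcServer32\\\(Default\))\s*=\s*'
                   r'"(?P<value>.*)"(?:\s*\[(?P<info>[^\]]*)\])?\s*$')
# First image in the command line: optional rundll32 prefix, optional quote, then up to the extension.
IMAGE = re.compile(r'^(?:rundll32(?:\.exe)?\s+)?"?(?P<path>.*?\.(?:exe|dll|com|cpl|scr))', re.I)


@dataclass
class Entry:
    section: str      # registry key the entry lives under
    name: str         # value name, or the CLSID for BHO / shell extension entries
    command: str      # raw command line as logged
    info: str         # tool's annotation: publisher, MS, null data, file not found, ...
    path: str         # image path extracted from the command line
    flags: list = field(default_factory=list)


def image_path(command):
    m = IMAGE.match(command.strip())
    return m.group('path') if m else command.strip()


def triage(entry):
    """Defender-side flags: which entries need a human to go and look at the file."""
    flags = []
    if entry.info == 'file not found':
        flags.append('orphaned: target file missing')
    elif entry.info in ('', 'null data', 'empty string'):
        flags.append('no publisher info on target')
    if '\\' not in entry.path:
        flags.append('bare file name: resolved via search path')
    return flags


def parse_log(text):
    entries, section, pending_clsid = [], '', ''
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            section = m.group('key')
            continue
        m = CLSID.match(line)
        if m:
            pending_clsid = m.group('clsid')   # name for the InProcServer32 line that follows
            continue
        m = ENTRY.match(line)
        if m:
            name = m.group('name') or pending_clsid
            info = (m.group('info') or '').strip('"')
            e = Entry(section, name, m.group('value'), info, image_path(m.group('value')))
            e.flags = triage(e)
            entries.append(e)
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


def report(entries):
    return ['%s  %s  ->  %s  [%s]' % (e.section, e.name, e.path, '; '.join(e.flags))
            for e in flagged(entries)]


if __name__ == '__main__':
    print('\n'.join(report(parse_log(SAMPLE_LOG))))
```

Run it as a script to print the report; `parse_log` accepts any text in this format, so the whole posted log can be pasted in. A flagged entry is not thereby malicious (ShowWnd.exe and zHotkey.exe are typical OEM hotkey helpers); it is the one whose file on disk you go and look at next.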

Nehmo

Nov 9, 2008, 12:39:08 AM
> "running now.vbs", revision 70, http://www.pcbutts1.com/downloads/


a-squared also failed to install. Or maybe it failed to run. I got the
not a valid Win32 App error.

I don't run Outlook Express. (I used to use Outlook. Now I just use
online hotmail.) I don't have the registry keys described.
~~ Nehmo

David H. Lipman

Nov 9, 2008, 7:06:37 AM
From: "Nehmo" <neh...@hotmail.com>


| a-squared also failed to install. Or maybe it failed to run. I got the
| not a valid Win32 App error.

| I don't run Outlook Express. (I used to use Outlook. Now I just use
| online hotmail.) I don't have the registry keys described.
| ~~ Nehmo

And you will keep getting "not a valid Win32 App error".

Wipe and reinstall the OS !

Larry Sabo

Nov 9, 2008, 8:08:29 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Nehmo" <neh...@hotmail.com>
>
>
>| a-squared also failed to install. Or maybe it failed to run. I got the
>| not a valid Win32 App error.
>
>| I don't run Outlook Express. (I used to use Outlook. Now I just use
>| online hotmail.) I don't have the registry keys described.
>| ~~ Nehmo
>
>And you will keep getting "not a valid Win32 App error".
>
>Wipe and reinstall the OS !

If I were as desperate and determined as he seems to be, I'd remove
the drive, scan it for viruses on another PC, reinstall it in the
original PC and try a repair install. For the repair install, I'd need
to create a Windows CD using the procedure at...

http://www.howtohaven.com/system/createwindowssetupdisk.shtml

Lots of work and I think your suggestion makes more sense, unless he
has invaluable programs for which he is missing the install
media/files.

Larry

David H. Lipman

Nov 9, 2008, 8:44:03 AM
From: "Larry Sabo" <larry...@hotmail.com>

| If I were as desperate and determined as he seems to be, I'd remove
| the drive, scan it for viruses on another PC, reinstall it in the
| original PC and try a repair install. For the repair install, I'd need
| to create a Windows CD using the procedure at...

| http://www.howtohaven.com/system/createwindowssetupdisk.shtml

| Lots of work and I think your suggestion makes more sense, unless he
| has invaluable programs for which he is missing the install
| media/files.

| Larry

There are benefits and problems to this approach.

The first is that when you scan the hard drive through a surrogate PC, it will find files
on the affected hard disk but will scan the Registry of the surrogate PC and thus will not
correct the Registry of the OS of the affected hard drive. In this case I'd say the
Registry was significantly modified.

The second is more generalized.
When you scan the hard disk through a surrogate PC, the anti malware scanner may remove a
required DLL or EXE file that may be required to load and thus when the drive is inserted
back into its home PC, the OS may boot into a BSoD condition. One such example where this
may happen is with a SubSys trojan which loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
and inserts itself into the DLL load chain. Thus the OS would generate a NT Stop Error.

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because XXXXXX was not found.
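A concrete check for the SubSystems example David gives, as an added Python example (mine, not from any poster): the `Windows` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems` is a list of space-separated tokens, and the `ServerDll=` tokens name the modules csrss loads at boot. On a clean XP system the only modules named are basesrv and winsrv; the default value embedded below is reconstructed from a clean XP SP3 install and should be compared against your own baseline rather than trusted blindly. Recording this value before the drive goes into the surrogate PC, and rebuilding it without the non-default entry if the offline scan deletes that module, is how the c0000135 stop he describes is avoided. The tampered value and its module name `example_injected` are constructed for the test and are not a real malware name.

```python
"""Audit the csrss ServerDll load chain in the SubSystems\\Windows value. Added example."""
import sys

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Constructed baseline: the 'Windows' value as it reads on a clean Windows XP SP3
# install. Verify against your own known-good image before relying on it.
XP_DEFAULT = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)

# csrss loads <name>.dll from system32 for every ServerDll= token; clean XP names only these.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed tampered value: one extra ServerDll= token with a made-up module name,
# standing in for the injected DLL described in the post. Not a real malware name.
TAMPERED = XP_DEFAULT.replace(
    "ServerDll=basesrv,1", "ServerDll=basesrv,1 ServerDll=example_injected,4")


def server_dll_module(token):
    """'ServerDll=winsrv:UserServerDllInitialization,3' -> 'winsrv'; None for other tokens."""
    if not token.lower().startswith("serverdll="):
        return None
    spec = token.split("=", 1)[1]
    return spec.split(":", 1)[0].split(",", 1)[0].lower()


def server_dlls(value):
    """Module names in load order, as csrss will see them."""
    return [m for m in (server_dll_module(t) for t in value.split()) if m]


def audit(value):
    found = server_dlls(value)
    unexpected = [m for m in found if m not in EXPECTED_SERVER_DLLS]
    return {"server_dlls": found, "unexpected": unexpected, "clean": not unexpected}


def strip_unexpected(value):
    """Rebuild the value without non-default ServerDll= entries. This is what you write back
    (offline registry editor or recovery console) once the module file itself is gone, so the
    next boot does not stop with c0000135 'Unable To Locate Component'."""
    keep = []
    for tok in value.split():
        mod = server_dll_module(tok)
        if mod is None or mod in EXPECTED_SERVER_DLLS:
            keep.append(tok)
    return " ".join(keep)


def read_live_value():
    """Read the real value on a Windows host; winreg is standard library on Windows only."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    live = read_live_value() or TAMPERED   # falls back to the constructed sample off Windows
    result = audit(live)
    print("ServerDll modules:", result["server_dlls"])
    print("unexpected:", result["unexpected"] or "none")
    if not result["clean"]:
        print("cleaned value would be:\n ", strip_unexpected(live))
```

On the affected machine the value is read live; on a drive mounted in another PC you would load its SYSTEM hive into the offline tool of your choice and paste the string into `audit`. Save the original string before any scan either way, since the scanner will not touch this value and you may need to know what it pointed at.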

Larry Sabo

Nov 9, 2008, 10:24:20 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

Thanks for that David.

Larry

Nehmo

Nov 9, 2008, 9:12:43 PM
On Nov 9, 6:06 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Nehmo" <nehm...@hotmail.com>

>
> | a-squared also failed to install. Or maybe it failed to run. I got the
> | not a valid Win32 App error.
>
> | I don't run Outlook Express. (I used to use Outlook. Now I just use
> | online hotmail.) I don't have the registry keys described.
> |  ~~ Nehmo
>
> And you will keep getting "not a valid Win32 App error".
>
> Wipe and reinstall the OS !
You, David, know more about Windows than I, so please don’t think I’m
discounting your advice. Re-installing Windows would be the option a
few steps away, if I had the install CD. I don’t. I’d have to get a
new copy.

As I see it now, I next need to try a few more virus scans – either
online scans or ones conducted locally if I can somehow install an
anti-virus program.

Perhaps I should try booting in safe mode and then trying to install
or run one of the anti-virus programs or scans.
One program (not actually a scanner) I haven’t tried yet is
hijackthis. I’ll then post the results in one of the Hijackthis
groups. Do any of you have a suggestion for where to do that?

If I can’t do a successful scan, I’ll try a system restore. I’ve never
done that, but I should have enough skill.
I’ll also try cross-posting to some other groups to get a wider
audience. For those of you just now seeing this thread, you can see
the details of my problem earlier in the thread
http://groups.google.com/group/alt.comp.anti-virus/browse_thread/thread/99745fdc2c56bfd6

In brief:
Windows XP Home SP3
Most things run OK, MS Office, the browsers, Paint Shop Pro, but they
are slow and the CPU usage is high.
I can’t seem to install or run any anti-malware program, including
AdAware, AVG free, Windows Defender, Spybot S&D. I get the error
message “not a valid Win32 application” or I get a problem trying to
write something during the installation process.
I did manage to install DriveSentry. But that’s not a real scanner as
I see it. It did do a scan and deleted a couple of things, but no
improvement.

Please help me.

~~ Nehmo

David H. Lipman

Nov 9, 2008, 9:35:12 PM
From: "Nehmo" <neh...@hotmail.com>

| Please help me.

| ~~ Nehmo

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

It will install as; "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
If the file does not run, go to; "C:\Program Files\Trend Micro\HijackThis\"
Rename HijackThis.exe to HJT.com

Create a log and then post the contents of the HJT log in your post in the below expert
forum...

{ Please - Do NOT post the HJT Log here ! }

NOTE: Registration is REQUIRED in any of the below before posting a log

http://www.thespykiller.co.uk/index.php?board=3.0

Post that I directed you there.

Nehmo

Nov 9, 2008, 11:10:57 PM
On Nov 9, 8:35 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> Download and execute HiJack This! (HJT)
> http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

>
> It will install as;  "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
> If the file does not run, go to;  "C:\Program Files\Trend Micro\HijackThis\"
> Rename HijackThis.exe to  HJT.com
>
> Create a log and then post the contents of the HJT log in your post in the below expert
> forum...
>
> { Please - Do NOT post the HJT Log here ! }
>
> NOTE: Registration is REQUIRED in any of the below before posting a log
>
> http://www.thespykiller.co.uk/index.php?board=3.0
>
> Post that I directed you there.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

HijackThis won't run, even after I rename it. I get the same error:
not a valid Win32 application.
Something is declaring all these programs as invalid for Win32. I'm
going to try to boot in safe mode, and then run. I've never done this
before. I don't think it will be a problem.
~~ Nehmo

Buffalo

Nov 10, 2008, 12:31:33 AM

Nehmo wrote:
> On Nov 9, 6:06 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
> wrote:
>> From: "Nehmo" <nehm...@hotmail.com>
>>
>>> a-squared also failed to install. Or maybe it failed to run. I got
>>> the not a valid Win32 App error.
>>
>>> I don't run Outlook Express. (I used to use Outlook. Now I just use
>>> online hotmail.) I don't have the registry keys described.
>>> ~~ Nehmo
>>
>> And you will keep getting "not a valid Win32 App error".
>>
>> Wipe and reinstall the OS !
> You, David, know more about Windows than I, so please don’t think I’m
> discounting your advice. Re-installing Windows would be the option a
> few steps away, if I had the install CD. I don’t. I’d have to get a
> new copy.

Nehmo, go into the Registry and copy down the ID code or Registration number
(forget what it's called) that you will need if you decide to 'borrow' an
XP cd and reinstall. You can Google to see how to find it in WinXP.
I don't have XP so I am just guessing here.


[snip]


Nehmo

Nov 10, 2008, 12:54:03 AM

Using MSconfig, on the general tab, I used diagnostic startup to
eliminate possible interference. HijackThis (renamed) still wouldn't
run.

~~ Nehmo

David W. Hodgins

Nov 10, 2008, 1:06:54 AM
On Mon, 10 Nov 2008 00:54:03 -0500, Nehmo <neh...@hotmail.com> wrote:

> Using MSconfig, on the general tab, I used diagnostic startup to
> eliminate possible interference. HijackThis (renamed) still wouldn't
> run.

You earlier posted the actual error code. A google search on that error
code, limited to m$ sites will give you the commands needed to correct it.

In my opinion, you need to format/reinstall, with a valid m$ install cd.

If you don't have an install cd, you would be much better off switching
to linux. It's become much simpler to install than it used to be, and
if you're willing to invest some time learning the differences, it's
actually easier to use.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

xiao

Nov 10, 2008, 9:51:38 AM
I think your computer is infected by an unknown file-infecting virus; all
apps display the 'Win32 error' after you run the app. The probable cause is
that the virus infects the app when the system prepares to run it, by
hooking some API. After inserting the virus data, it destroys the original
file. So you'd better submit the samples (the files that show the error
dialog) to an antivirus vendor online, then wait for their reply. After
the vendor can REPAIR the samples, remove the drive, scan it for viruses
on another PC, and reinstall it in the original PC, unless the antivirus
software detects a lot of viruses.
Here are some vendors' email addresses:

webm...@symantec.com
sam...@nod32.com
sam...@sophos.com
newv...@kaspersky.com
virus_r...@avertlabs.com
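Whether the executables on disk are really damaged, as xiao suggests, or are intact and being refused at load time, can be checked offline. One fact ties Nehmo's two symptoms together: the AVG install error 0x800700c1 is HRESULT_FROM_WIN32(193), and Win32 error 193 is ERROR_BAD_EXE_FORMAT, whose message text is "%1 is not a valid Win32 application", so the install failure and the run failure are the same loader error. The Python below is an added example (mine, not from the thread) that unwraps such an HRESULT and performs the first structural checks the loader makes on a PE file; the sample images are constructed minimal headers, not real executables.

```python
"""Decode HRESULT_FROM_WIN32 codes and sanity-check PE headers. Added example."""
import hashlib
import struct

ERROR_BAD_EXE_FORMAT = 193   # "%1 is not a valid Win32 application."


def win32_error_from_hresult(hr):
    """Unwrap HRESULT_FROM_WIN32: 0x8007xxxx carries Win32 error xxxx in its low 16 bits."""
    if (hr & 0xFFFF0000) == 0x80070000:
        return hr & 0xFFFF
    return None


def check_pe(data):
    """Return (ok, detail) after the checks the loader makes before anything else:
    MZ signature, e_lfanew inside the file, PE\\0\\0 signature, optional-header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data):            # 4 sig + 20 COFF header + 2 magic
        return False, "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "missing PE signature"
    machine, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if size_opt < 2:
        return False, "no optional header"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic == 0x10B:
        return True, "PE32, machine 0x%x, %d sections" % (machine, nsections)
    if magic == 0x20B:
        return True, "PE32+, machine 0x%x, %d sections" % (machine, nsections)
    return False, "bad optional header magic 0x%x" % magic


def check_file(path):
    """Verdict plus SHA-256, so the hash can accompany a sample submission."""
    with open(path, "rb") as f:
        data = f.read()
    ok, detail = check_pe(data)
    return {"ok": ok, "detail": detail, "sha256": hashlib.sha256(data).hexdigest()}


def build_minimal_pe(magic=0x10B):
    """Constructed sample: the smallest header layout check_pe accepts. Not a runnable EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after DOS header
    # COFF: i386, 1 section, timestamp/symtab/nsyms = 0, optional header 0xE0 bytes, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", magic) + bytes(0xE0 - 2)
    return bytes(dos) + b"PE\0\0" + coff + opt


GOOD_IMAGE = build_minimal_pe()
DAMAGED_IMAGE = GOOD_IMAGE[:0x40] + b"\0\0\0\0" + GOOD_IMAGE[0x44:]   # PE signature zeroed
TRUNCATED_IMAGE = GOOD_IMAGE[:0x50]                                   # cut inside the headers


if __name__ == "__main__":
    print("0x800700c1 ->", win32_error_from_hresult(0x800700C1))
    for label, img in (("good", GOOD_IMAGE), ("damaged", DAMAGED_IMAGE), ("truncated", TRUNCATED_IMAGE)):
        print(label, check_pe(img))
```

`check_file` is what you point at the installer that refuses to run. If that file passes `check_pe` and its SHA-256 matches a fresh download of the same installer from the vendor, the file is not the damaged part, and attention moves to what sits in the load path on the machine (the SubSystems value, the Run keys and BHOs shown in the log); if it fails, xiao's hypothesis of on-disk corruption gains weight and the file is worth submitting.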

Nehmo

Nov 10, 2008, 5:10:46 PM
On Nov 10, 8:51 am, xiao <xiaogozaij...@gmail.com> wrote:
> I think your computer is infected by a unknow infect-virus, all apps
> display 'Win322 error ' after you run the app,  probable cause of  the
> virus will infect the app when the system prepare to run it by hook
> some API. After insert the virus data, it's destroy the original file.
> so, you'd better submit the sample's to antivirus vendor online

You're saying I should just submit one of the programs that won't run?
I think the programs are still intact. I just tried to run
MS malicious software removal tool which didn't even finish
extracting. Extraction failed such&such is not a valid Win 32
application.

> file show  error dialog, then wait for them reply, after the vendor
> can REPAIR the samples, remove the drive, scan it for viruses on
> another PC, reinstall it in the original PC unless the antivirus
> software detect a lot of viruses.
> here are some vendores email address:
>

> webmas...@symantec.com
> sam...@nod32.com
> samp...@sophos.com
> newvi...@kaspersky.com
> virus_resea...@avertlabs.com

Posting is getting very slow. The response time from keyboard to
cursor is long. I should be able to find what's eating up the
resources or cpu activity.
~~ Nehmo

Nehmo

Nov 12, 2008, 4:24:47 AM
On Nov 10, 12:06 am, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

> On Mon, 10 Nov 2008 00:54:03 -0500, Nehmo <nehm...@hotmail.com> wrote:
> > Using MSconfig, on the general tab, I used diagnostic startup to
> > eliminate possible interference. HijackThis (renamed) still wouldn't
> > run.
>
> You earlier posted the actual error code.  A google search on that error
> code, limited to m$ sites will give you the commands needed to correct it.

There are two types of error messages. One, when I try to install many
programs; and the other, when I try to run many programs. There isn't
any "error code" as such.

The installation error says that the installation failed. Something
failed to write to some file, and I should verify if I have permission
to write to that folder. I've been trying to install anti-virus
programs recently. Most of the time the failure is the failure to
write the definitions.

The run failure is "such and such is not a valid Win32 application".

I've Googled (http://xrl.us/notwin32app), but I haven't found anybody in
the same exact situation. Most other people with this error can't open
anything. I can open the browsers, and I can open MS Office apps. I
can open lots of programs, actually. It appears the only programs I
can't open are the anti-malware programs. But I did successfully
install and run DriveSentry. I don't know if the program is any good,
though.

> In my opinion, you need to format/reinstall, with a valid m$ install cd.
>
> If you don't have an install cd,

I think I don't have the Windows install CD. I'd have to look around.
And yes, that method (reinstall Windows) would solve the problem, but
we wouldn't know what happened. And it would be an inelegant solution.
There's a philosophical surrender to that route.

I still have some options. I could get more help by posting in the web-
based anti-malware forums. I'll do that right away. I could also go to
a restore point with System restore. And I could try to find some
malware scanner that works.

> you would be much better off switching
> to linux.  

I'd have to make a dual boot machine before I switched, and now is not
the time to experiment making one of those. I need to solve the
immediate problem.

Larry Sabo

Nov 12, 2008, 8:48:54 AM
Nehmo <neh...@hotmail.com> wrote:

>I could also go to
>a restore point with System restore.

Not to be too harsh, but a lot of people have spent time trying to
help you, and you haven't even tried System Restore yet? If you were
an advanced user, I could understand trying to suss out the underlying
problem, but it seems like a lot of wasted effort, in my view. I'd
just run System Restore and be done with it. However, I doubt very much
that system restore will work directly.

Larry

Juan Kerr

Nov 12, 2008, 10:37:15 AM

"Larry Sabo" <larry...@hotmail.com> wrote in message
news:bgnlh45pj1s3kis51...@4ax.com...

I would be tempted to first try to run an AV from CD.
Ultimate BootCD from http://www.ultimatebootcd.com - Has F-Prot, McAfee,
Avast and AVG that you can run without booting a dodgy OS...

David W. Hodgins

Nov 12, 2008, 11:09:56 AM
On Wed, 12 Nov 2008 04:24:47 -0500, Nehmo <neh...@hotmail.com> wrote:

> There are two types of error messages. One, when I try to install many
> programs; and the other, when I try to run many programs. There isn't
> any "error code" as such.

I was referring to your Nov 7th post which contained ...
"Local machine: installation failed
Installation:
Error: Action failed for file avgwdsvc.exe: starting
service....
Error 0x800700c1"

Running a google search on 0x800700c1 leads to
http://www.techsupportforum.com/microsoft-support/windows-xp-support/85118-microsoft-update-error-number-0x800700c1.html

Take note of the regsvr32 and sfc commands in the second item.

Nehmo

Nov 12, 2008, 2:49:27 PM
On Nov 12, 7:48 am, Larry Sabo <larry_s...@hotmail.com> wrote:

I'm not sure if you are saying system restore will work or not. What
do you mean by not working "directly"?
I said one reason I don't feel happy re-installing windows is that it
would be giving up. But actually, I don't have an install disk, so
that's not an immediate option.
I've never used system restore, and so I don't have any confidence in
it. I suppose I should learn about it now.
~~ Nehmo

Larry Sabo

Nov 12, 2008, 3:55:57 PM
Nehmo <neh...@hotmail.com> wrote:

>On Nov 12, 7:48 am, Larry Sabo <larry_s...@hotmail.com> wrote:
>> Nehmo <nehm...@hotmail.com> wrote:
>> >I could also go to
>> >a restore point with System restore.
>>

>> [snip] However, I doubt very much
>> that system restore will work directly.
>>
>> Larry
>
>I'm not sure if you are saying system restore will work or not. What
>do you mean by not working "directly".
>I said one reason I don't feel happy re-installing windows is that it
>would be giving up. But actually, I don't have an install disk, so
>that's not an immediate option.
>I've never used system restore, and so I don't have any confidence in
>it. I suppose I should learn about it now.
>~~ Nehmo

Sometimes System Restore will fail (see
http://bertk.mvps.org/html/srfail.html) and it must be done manually.
One method is described in the following link (although I haven't
tried it myself and it is rather complex. I would recommend trying all
the fixes suggested in the previous link first)...

http://www.aade.com/XPhint/XPrecovery.htm

It requires that you are able to boot to the Command Console. Because
you lack a Windows CD, you can download a boot CD from
http://www.bootdisk.com/ and use it instead.

If you had or could borrow a UBCD4Win CD, you could use it to restore
the registry to an earlier date without having to go through the
complex procedure mentioned above. However, restoring just the
registry and not the compromised/missing DLLs won't fix the problem.
Only System Restore and SFC can restore the original DLLs. See the
previous reply on how to run SFC; it requires a Windows CD, but you
could legally use a borrowed one, I believe.

The AUMHA site http://aumha.net/viewforum.php?f=54 mentioned in the
above link is also very helpful, but requires a lot of digging and
often just points back to http://bertk.mvps.org/html/srfail.html in
the advice given. Be sure to create a Restore Point before trying
System Restore.

Good luck.

Larry

Nehmo
Nov 12, 2008, 5:31:50 PM

On Nov 12, 7:48 am, Larry Sabo <larry_s...@hotmail.com> wrote:

I opened System Restore. The only restore point is one created on the
9th, after the onset of the problem. When I opened it previously,
there were other points. I must have, or something must have, deleted
the other points. I don't recall doing anything to delete restore
points, however. I did twice do a Disk Cleanup, but that doesn't (I
just looked) delete restore points.

And don't worry about being "harsh". Say anything you want to say as
long as it tends toward a solution.
~~ Nehmo

The Real Truth MVP
Nov 12, 2008, 7:03:48 PM

Nehmo, You have a rootkit. I have just received a list of infected file
names and I am putting together a package that will clean your system. Give
me a few hours to finish it and test it. You will have to email me to get it
until I put it up on my site.


"Nehmo" <neh...@hotmail.com> wrote in message
news:55a78e63-c494-4979...@r37g2000prr.googlegroups.com...

Larry Sabo
Nov 12, 2008, 7:43:03 PM

Nehmo <neh...@hotmail.com> wrote:

>On Nov 12, 7:48 am, Larry Sabo <larry_s...@hotmail.com> wrote:
>> Nehmo <nehm...@hotmail.com> wrote:
>> >I could also go to
>> >a restore point with System restore.
>>
>> Not to be too harsh, but a lot of people have spent time trying to
>> help you, and you haven't even tried System Restore yet? ....
>>
>> Larry
>
>I opened System Restore. The only restore point is one created on the
>9th, after the onset of the problem. When I opened it previously,
>there were other points. I must have, or something must have, deleted
>the other points. I don't recall doing anything to delete restore
>points, however. I did twice do a Disk Cleanup, but that doesn't (I
>just looked) delete restore points.

OK, thanks for the feedback. I would suggest going to another
computer, downloading and running the Antivir Rescue System from...
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
...which burns a bootable CD you can use to scan and remove viruses
from your PC.

If it fails to start up after that, I'd borrow a Windows CD and do a
repair install and change the Product Number to your own after the
repair, if it asks for one while using the borrowed CD, as often is
the case.

If the repair install fails, as it might, given how badly bruised your
system seems, I'd do a fresh install without formatting the drive,
just re-installing Windows into the current Windows directory. You
will have to re-install all your programs and restore it from backup.

I assume you have backed up your data already?

Good luck!

Larry

Nehmo
Nov 12, 2008, 9:28:59 PM

On Nov 12, 10:09 am, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

> On Wed, 12 Nov 2008 04:24:47 -0500, Nehmo <nehm...@hotmail.com> wrote:
> > There are two types of error messages. One, when I try to install many
> > programs; and the other, when I try to run many programs. There isn't
> > any "error code" as such.
>
> I was referring to your Nov 7th post which contained ...
> "Local machine: installation failed
>     Installation:
>         Error: Action failed for file avgwdsvc.exe: starting
> service....
>             Error 0x800700c1"
>
> Running a google search on 0x800700c1 leads to
> http://www.techsupportforum.com/microsoft-support/windows-xp-support/...
>
> Take note of the regsvr32 and sfc commands in the second item.
>
> Regards, Dave Hodgins
>
> --
> Change nomail.afraid.org to ody.ca to reply by email.
> (nomail.afraid.org has been set up specifically for
> use in usenet. Feel free to use it yourself.)

I tried re-registering the dll's as suggested on that xp-support
forum. Nothing improved. That error was from when I tried to install
AVG free.
After every attempt at fixing, I try to run HijackThis to see if the
problem is resolved. I have HijackThis renamed and moved to the
desktop. It never runs. I just get the Win32 error.
~~ Nehmo

The Real Truth MVP
Nov 12, 2008, 11:55:44 PM

Disclaimer: Modifying the registry can cause serious problems that may
require you to reinstall your operating system. I cannot guarantee that
problems resulting from modifications to the registry can be solved. Use the
information provided at your own risk.

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option
Click ok.

Click start run, type in the box regedit, then press enter.
Navigate to this key in your registry and delete the value for AppInit_DLLs
by right clicking on it and choosing Modify; if you see karna.dat there,
delete it.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Navigate to this key in your registry and delete them if they are there.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\tdss

Download my trojan.tdss fix tools (beta) from here unzip it then double
click on it to run it.
http://pcbutts1.com/downloads/TDSS.zip
Reboot your computer.

Download MBAM from this link and install it
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html . You should be
able to run it now and be able to update your AV definitions; run a full
scan with both.


"Nehmo" <neh...@hotmail.com> wrote in message
news:55a78e63-c494-4979...@r37g2000prr.googlegroups.com...
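The regedit walk in the post above can be done as a read-only audit instead of hand deletion, which is safer on a machine whose state you do not yet understand. The Python below is an added example, not a tool from this thread. When run on Windows it reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (the key is "Windows NT" with a space) through the standard winreg module and tests for the two tdss keys named above; the reporting itself is a pure function so it can be exercised with constructed values anywhere. AppInit_DLLs is a space- or comma-separated list of DLLs that user32.dll loads into every process that maps it; on Vista and later the LoadAppInit_DLLs value gates that, on XP there is no switch and the list is always honoured. The function and constant names (split_appinit, audit_appinit, collect_registry_state, SUSPECT_KEYS) are this example's own. The non-.dll check is what would catch an entry such as the karna.dat the post mentions; the example does not claim anything further about that file.

```python
from typing import Dict, List, Optional

try:
    import winreg  # standard library on Windows only; the audit logic below does not need it
except ImportError:
    winreg = None

# Key name is "Windows NT" with a space.
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Keys the post above associates with the TDSS family; mere presence is reported.
SUSPECT_KEYS = [
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata",
    r"SOFTWARE\tdss",
]


def split_appinit(value: str) -> List[str]:
    """AppInit_DLLs is a REG_SZ listing DLL paths separated by spaces and/or commas."""
    return [p for p in value.replace(",", " ").split() if p]


def audit_appinit(appinit: Optional[str], load_flag: Optional[int],
                  present_keys: List[str]) -> List[str]:
    """Pure reporting function, so it can be exercised with constructed input.

    appinit      -- raw AppInit_DLLs string (None if the value is absent)
    load_flag    -- LoadAppInit_DLLs (None on XP, which has no such switch)
    present_keys -- suspect key paths that exist on this machine
    """
    findings: List[str] = []
    armed = load_flag is None or load_flag != 0   # XP always loads; Vista+ only when flag != 0
    for dll in split_appinit(appinit or ""):
        state = ("is loaded into every process that maps user32.dll" if armed
                 else "is listed but gated off by LoadAppInit_DLLs=0")
        findings.append(f"AppInit_DLLs entry {dll} {state}")
        if not dll.lower().endswith(".dll"):
            findings.append(f"AppInit_DLLs entry {dll} hides a DLL behind a non-.dll extension")
    for key in present_keys:
        findings.append(f"suspect key present: HKLM\\{key}")
    return findings


def _read_value(key, name):
    """Return a value's data, or None when the value does not exist."""
    try:
        return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def collect_registry_state() -> Dict[str, object]:
    """Windows only: read-only walk of the same keys the manual regedit steps visit."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, WINDOWS_KEY) as key:
        appinit = _read_value(key, "AppInit_DLLs")
        load_flag = _read_value(key, "LoadAppInit_DLLs")
    present = []
    for path in SUSPECT_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(hklm, path))
            present.append(path)
        except OSError:
            pass
    return {"appinit": appinit, "load_flag": load_flag, "present_keys": present}


if __name__ == "__main__":
    state = collect_registry_state()
    report = audit_appinit(state["appinit"], state["load_flag"], state["present_keys"])
    for line in report or ["nothing found"]:
        print(line)
```

Because the script only reads, it can be run before and after any cleanup attempt to show whether an entry came back, which is the behaviour that separates a persistent loader from leftover files.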

David W. Hodgins
Nov 12, 2008, 10:41:01 PM

On Wed, 12 Nov 2008 21:28:59 -0500, Nehmo <neh...@hotmail.com> wrote:

> I tried re-registering the dll's as suggested on that xp-support
> forum. Nothing improved. That error was from when I tried to install

Might be a good time to consider switching to linux. It's free, and you
don't have to worry about viruses (unless you really try to mess things
up).

Nehmo
Nov 13, 2008, 3:08:46 AM

On Nov 12, 10:55 pm, "The Real Truth MVP" <to...@tpap.com> wrote:
> Disclaimer: Modifying the registry can cause serious problems that may
> require you to reinstall your operating system. I cannot guarantee that
> problems resulting from modifications to the registry can be solved. Use the
> information provided at your own risk.
>
> On the Tools menu in Windows Explorer, click Folder Options.
> Click the View tab.
> Under the Hidden files and folders heading select Show hidden files and
> folders.
> Uncheck the Hide protected operating system files (recommended) option
> Click ok.
>
> Click start run, type in the box regedit, then press enter.
> Navigate to this key in your registry and delete the value for AppInit_DLLs
> by right clicking on it and choosing modify, if you see that karna.dat,
> delete it.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This is the only key similar to the one above:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs

The other keys aren't there.

> Navigate to this key in your registry and delete them if they are there.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
> HKEY_LOCAL_MACHINE\SOFTWARE\tdss
>
> Download my trojan.tdss fix tools (beta) from here unzip it then double
> click on it to run it. http://pcbutts1.com/downloads/TDSS.zip
> Reboot your computer.
>
> Download MBAM from this link and install it
> http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html you should be
> able to run it now and be able to update your AV definitions, run a full
> scan with both.

I haven't tried that anti-malware app yet (since the problem). I'll
see if it installs.


~~ Nehmo

David H. Lipman
Nov 13, 2008, 6:50:19 AM

From: "Nehmo" <neh...@hotmail.com>

attrib -h -r -s "%systemroot%\system32\TDSSxfum.dll"
DEL /F /Q "%systemroot%\system32\TDSSxfum.dll"

attrib -h -r -s "%systemroot%\Temp\*.*"
DEL /F /Q "%systemroot%\Temp\*.*"

attrib -h -r -s "%systemroot%\system32\TDSSlxwp.dll"
DEL /F /Q "%systemroot%\system32\TDSSlxwp.dll"


attrib -h -r -s "%systemroot%\system32\TDSSkkbi.log"
DEL /F /Q "%systemroot%\system32\TDSSkkbi.log"

attrib -h -r -s "%systemroot%\system32\drivers\TDSSpqlt.sys"
DEL /F /Q "%systemroot%\system32\drivers\TDSSpqlt.sys"

attrib -h -r -s "%systemroot%\system32\TDSSlxwp.dll"
DEL /F /Q "%systemroot%\system32\TDSSlxwp.dll"

TSServ is a RootKit and even if you had it, that simple batch file will not remove it !

It won't remove the peer program, the NT Service and it certainly won't remove the
Registry entries which are protected via access permissions.

The TDSserv has several variants as well and the files listed in the above deletion list
are totally incomplete.

The Real Truth MVP
Nov 13, 2008, 6:37:45 PM

What part of beta don't you understand dickwad? It's work in progress. At
least with that he should be able to update his antivirus and malware apps.
What help have you given him......... oh yea Format and re-install GREAT JOB
David you are some kind of tech.


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:UeednZRR-cvhiYHU...@giganews.com...

Buffalo
Nov 13, 2008, 8:08:48 PM

The Real Truth MVP wrote:
> What part of beta don't you understand dickwad? It's work in
> progress. At lease with that he should be able to update his
> antivirus and malware apps. What help have you given him......... oh
> yea Format and re-install GREAT JOB David you are some kind of tech.
>
>

Yeah David,
What have you got to say for yourself?


David H. Lipman
Nov 13, 2008, 10:08:37 PM

From: "Buffalo" <Er...@nada.com.invalid>


I stick by my original response. I am not one for indicating a wipe and reload too easily.
However I do understand what is going on and what he has is too far involved. In this
situation a wipe and reload is the best solution.

Nehmo
Nov 14, 2008, 7:35:43 AM

> > Download MBAM from this link and install it
> > http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html you should be
> > able to run it now and be able to update your AV definitions, run a full
> > scan with both.
>
> I haven't tried that anti-malware app yet (since the problem). I'll
> see if it installs.

As I previously said, the keys aren't present, so there was nothing to
delete. But now there is significant progress. I was able to install
and run Malwarebytes_Anti-Malware. It found 300-some bad files. I then
ran Drive Sentry which found 4 more. I'm running Malwarebytes again.
But...yes, but I still can't install and run Hijack This or some other
programs. I still get the not a valid Win32 error.
~~ Nehmo

Buffalo
Nov 14, 2008, 9:07:53 AM

David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>
>> The Real Truth MVP wrote:
>>> What part of beta don't you understand dickwad? It's work in
>>> progress. At lease with that he should be able to update his
>>> antivirus and malware apps. What help have you given him......... oh
>>> yea Format and re-install GREAT JOB David you are some kind of tech.
>
>
>> Yeah David,
>> What have you got to say for yourself?
>
>
> I stick by my original response. I am not one for indicating a wipe
> and reload too easily. However I do understand what is going on and
> what he has is too far involved. In this situation a wipe and reload
> is the best solution.

I was just being facetious.
I think you always give excellent advice.


The Real Truth MVP
Nov 14, 2008, 9:51:45 AM

That's good now update your antivirus you may need to re-download it. Any
old exe that did not work before will still not work.


"Nehmo" <neh...@hotmail.com> wrote in message
news:9376d8f4-d01c-4133...@s9g2000prg.googlegroups.com...

David H. Lipman
Nov 14, 2008, 4:24:44 PM

From: "Buffalo" <Er...@nada.com.invalid>


Thank you -- my apologies.

Nehmo
Nov 15, 2008, 6:18:10 PM

On Nov 14, 8:51 am, "The Real Truth MVP" <to...@tpap.com> wrote:
> That's good now update your antivirus you may need to re-download it. Any
> old exe that did not work before will still not work.

There's a peculiarity that might mean something: I'm running Drive
Sentry http://www.drivesentry.com/ . The program is supposed to alert
the user to writes to the hard drive. Then the user can approve or
disapprove. I continually get (separate) warnings that winfilse.exe
(this is the correct spelling; it's not winfiles) and wintems.exe are
trying to write, and Drive Sentry suggests a rule that I should
disapprove. I do disapprove. But later I get the same warnings. Drive
Sentry, in its log section, says that winfilse.exe is in c:\windows
\system32\drivers . But when I look there using Explorer, I don't see
it.

Right now there's nothing in Drive Sentry's log about winterms.exe . I
think the log only goes so far back.

Another peculiarity: Using Firefox, I can't open messages in Hotmail.
But if I use IE, I can.

I also found this thread: http://forums.majorgeeks.com/showthread.php?t=172675
. R4nd seems as though he or she has a similar problem. R4nd has the
two executables I mentioned above, he or she gets the not a valid
Win32 error, he or she seems only to scan with Malwarebytes. But R4nd
doesn't say anything beyond the first post. I don't know if
bjgarrick's solution was successful.

I'm currently in the midst of a after-update scan with Malwarebytes.

Scan finished. 44 more items. Need to reboot to delete.

~~ Nehmo

The Real Truth MVP
Nov 15, 2008, 6:47:00 PM

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option
Click ok.
Can you see those files now? send me a copy of the MBAM log


"Nehmo" <neh...@hotmail.com> wrote in message
news:c354188b-0954-4ffb...@1g2000prd.googlegroups.com...

Dustin Cook
Nov 15, 2008, 8:05:27 PM

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:UeednZRR-cvhiYHU...@giganews.com:

Oh, and it's a rootkit. Short of direct disk access, if it's resident,
this batch file isn't going to see it.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

Dustin Cook
Nov 15, 2008, 8:08:47 PM

Nehmo <neh...@hotmail.com> wrote in
news:c354188b-0954-4ffb...@1g2000prd.googlegroups.com:

> On Nov 14, 8:51 am, "The Real Truth MVP" <to...@tpap.com> wrote:
>> That's good now update your antivirus you may need to re-download it.
>> Any old exe that did not work before will still not work.
>
> There's a peculiarity that might mean something: I'm running Drive

Sir,

please ignore that idiot Pcbutts. You have a TDSS variant rootkit.Agent
present on your computer. His advice is not going to do you much good,
aside from recommending MalwareBytes. :-)

You may wish to come to the malwarebytes.org website forums, you can get
expert assistance from professionals there. Who won't bork your system,
and who do understand what they are dealing with.

> Sentry, in its log section, says that winfilse.exe is in c:\windows
> \system32\drivers . But when I look there using Explorer, I don't see
> it.

And you won't, as long as it's resident. It's hiding, intentionally.

> I'm currently in the midst of a after-update scan with Malwarebytes.
>
> Scan finished. 44 more items. Need to reboot to delete.

I have been working for the last 2 days practically nonstop on TDSS
definition data, so please let me know how it goes for you.

Nehmo
Nov 16, 2008, 12:14:48 AM

On Nov 15, 5:47 pm, "The Real Truth MVP" <to...@tpap.com> wrote:
> On the Tools menu in Windows Explorer, click Folder Options.
> Click the View tab.
> Under the Hidden files and folders heading select Show hidden files and
> folders.
> Uncheck the Hide protected operating system files (recommended) option
> Click ok.
> Can you see those files now? send me a copy of the MBAM log

I already have "Hide protected operating system files (Recommended)"
with an un-checked box. I also have "Hidden files and Folders" set
with a dotted circle to the option "Show hidden files and folders".

The file isn't there. Yet I continually get DriveSentry popups saying
winfilse.exe is trying to write to either Temporary Internet files ie
content or Cookies. These popups are logged by DriveSentry.

The Malwarebytes (MBAM) log is short enough to just post here. MBAM
deleted Winterms.exe (see near the end of the log). That was the other
file I couldn't find.

The MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1400
Windows 5.1.2600 Service Pack 3

11/15/2008 5:15:53 PM
mbam-log-2008-11-15 (17-15-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179546
Time elapsed: 3 hour(s), 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\downld\161671.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\177296.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\198265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\204656.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\304546.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\314578.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\330921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\346953.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\348453.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\366687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\380140.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\388250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\416312.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\464687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\475625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\501265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\517921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\581171.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\594640.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\677359.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\682593.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\689375.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\692750.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\695250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\705703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\707609.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73636734.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73704218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73712703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73734921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73741343.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73771890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73777218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73804890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73871015.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73877390.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73880187.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\73937937.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\74020203.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\762484.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\76625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\795109.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
(Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.

--
~~ Nehmo

The Real Truth MVP
Nov 16, 2008, 11:24:14 AM

Are you still having problems? Is system restore on or off? Now you need to
use a boot disk to manually remove the files.


"Nehmo" <neh...@hotmail.com> wrote in message
news:a721ebf0-6852-439d...@o4g2000pra.googlegroups.com...

Nehmo
Nov 16, 2008, 6:21:46 PM

On Nov 7, 3:35 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Nehmo" <nehm...@hotmail.com>
>
> | Win Defender installation failed. Couldn't write to
> | mpengine.dll
> | ~~ Nehmo
>
> My suggestion is this...
> Wipe the PC after backing up your PC's data and reinstall the OS from scratch.
>
> --
> Dave http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David, I've been clicking your signature links for days with no
result. I would have alerted you sooner, but my system is so
corrupted, I wasn't sure if maybe anti-malware links were blocked,
like in the HOSTS file or something. Anyway, the links are dead.
~~ Nehmo

Nehmo
Nov 16, 2008, 6:30:27 PM

On Nov 16, 10:24 am, "The Real Truth MVP" <to...@tpap.com> wrote:
> Are you still having problems? Is system restore on or off? Now you need to
> use a boot disk to manually remove the files.
>
> --
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
>
> "Nehmo" <nehm...@hotmail.com> wrote in message

Yes, I still can't run HijackThis etc. The last scan using MBAM
yielded one more bad folder. It said bad "folder" detected not bad
file. There was nothing in the folder when I looked, but that was
after the scan.

Something is creating these bad files.

If the problem ever gets solved, I'll certainly post how it happened.
~~ Nehmo

The Real Truth MVP
Nov 16, 2008, 6:40:01 PM

Any exe that still does not work like HJT will have to be deleted and
re-downloaded. I need about 3 more hours to put some finishing touches on my
script to rid you of that rootkit and another 2 to update Remove-it.


"Nehmo" <neh...@hotmail.com> wrote in message
news:5bb4bbdc-e233-4fcb...@w1g2000prk.googlegroups.com...

The Real Truth MVP
Nov 16, 2008, 6:44:44 PM

If you want to be able to get to David's site then you have to unzip and run
this file.
http://pcbutts1.com/downloads/hostsback.zip


"Nehmo" <neh...@hotmail.com> wrote in message
news:a2dea7ad-0b1d-45d6...@o40g2000prn.googlegroups.com...

Buffalo
Nov 16, 2008, 7:02:20 PM

The Real Truth MVP wrote:

> If you want to be able to get to David's site then you have to unzip
> and run this file.
> http://pcbutts1.com/downloads/hostsback.zip
>
>
>

> "Nehmo" <neh...@hotmail.com> wrote in message
> news:a2dea7ad-0b1d-45d6...@o40g2000prn.googlegroups.com...
> On Nov 7, 3:35 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
> wrote:
>> From: "Nehmo" <nehm...@hotmail.com>
>>
>>> Win Defender installation failed. Couldn't write to
>>> mpengine.dll
>>> ~~ Nehmo
>>
>> My suggestion is this...
>> Wipe the PC after backing up your PC's data and reinstall the OS from
>> scratch.
>>
>> --
>> Dave http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> David, I've been clicking your signature links for days with no
> result. I would have alerted you sooner, but my system is so
> corrupted, I wasn't sure if maybe anti-malware links were blocked,
> like in the HOSTS file or something. Anyway, the links are dead.
> ~~ Nehmo

Is that because he installed your program?


David W. Hodgins
Nov 16, 2008, 6:55:21 PM

On Sun, 16 Nov 2008 18:21:46 -0500, Nehmo <neh...@hotmail.com> wrote:

> David, I've been clicking your signature links for days with no
> result. I would have alerted you sooner, but my system is so
> corrupted, I wasn't sure if maybe anti-malware links were blocked,
> like in the HOSTS file or something. Anyway, the links are dead.

Both links
http://www.claymania.com/removal-trojan-adware.html and
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
are responding fine here.

The claymania site doesn't work if you use the ip address, but the pctipp
site does. Try
http://212.98.39.7/downloads/sicherheit/35905/multi_av_scanning_tool.html

The Real Truth MVP
Nov 16, 2008, 8:20:26 PM

Yes.


"Buffalo" <Er...@nada.com.invalid> wrote in message
news:gfqca9$tsf$1...@news.motzarella.org...

Dustin Cook
Nov 16, 2008, 9:12:00 PM

"The Real Truth MVP" <to...@tpap.com> wrote in news:mb2Uk.6685$x%.1710@nlpi070.nbdc.sbc.com:

> Any exe that still does not work like HJT will have to be deleted and
> re-downloaded. I need about 3 more hours to put some finishing touches on my
> script to rid you of that rootkit and another 2 to update Remove-it.

WTF? Why should he delete ANY of the exes that aren't working? They aren't
actually the issue. The rootkit is the problem, and I don't care how many
static filenames you add, you won't be killing it without help from another
program; one you likely didn't author and probably wouldn't be able to get
permission from its author to even use. LOL.

Nehmo
Nov 16, 2008, 9:39:14 PM

On Nov 16, 10:24 am, "The Real Truth MVP" <to...@tpap.com> wrote:
> Are you still having problems? Is system restore on or off? Now you need to
> use a boot disk to manually remove the files.

System restore is on. I saw no restore points. I successfully created
one.
~~ Nehmo

Leythos
Nov 16, 2008, 10:12:45 PM

In article <gfqca9$tsf$1...@news.motzarella.org>, Er...@nada.com.invalid
says...

No, it's because PCBUTTS blocks access to many very reputable anti-
malware sites because most of the malware community shuns his actions
and his filth that he's posted over the years - so he retaliates by
blocking those people/vendors sites without telling you.

You should avoid anyone that is so unethical.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

Leythos
Nov 16, 2008, 10:25:23 PM

In article <MPG.238aab374...@us.news.astraweb.com>,
spam9...@rrohio.com says...

Sorry, didn't follow the thread parsing well enough, should have been:

YES, it's because PCBUTTS blocks access to many very reputable anti-
malware sites....
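Whatever the motive, the symptom David Hodgins described is the classic HOSTS-file tell: the vendor's site fails by name but loads by raw IP address, because the HOSTS file is consulted before DNS. Reading the file settles it. The Python below is an added example and not a tool from anyone in this thread; it parses HOSTS syntax, flags every entry that pins an anti-malware vendor domain (or a subdomain of one) to any address, and says whether the entry blackholes the name (loopback or 0.0.0.0) or redirects it elsewhere. The sample file, the domain list and the function names (parse_hosts, classify, audit_hosts) are this example's own constructions; on Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress
from typing import List, Tuple

# Domains that appear in this thread as sources of removal tools; extend as needed.
WATCHED_DOMAINS = [
    "claymania.com", "pctipp.ch", "malwarebytes.org",
    "bleepingcomputer.com", "free-av.com", "majorgeeks.com",
]

# Constructed sample, not Nehmo's actual file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.claymania.com
0.0.0.0         www.malwarebytes.org forums.malwarebytes.org   # two names, one line
10.11.12.13     update.free-av.com
192.168.1.20    intranet.corp.local
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blank lines and tabs are
    tolerated, and one line may map several names to the same address."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def classify(address: str) -> str:
    """Loopback/unspecified means the name is blackholed; anything else is a redirect."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address"
    if addr.is_loopback or addr.is_unspecified:
        return "blackholed"
    return f"redirected to {addr}"


def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, verdict) for every entry that pins a watched
    domain or a subdomain of it. Any such entry is a finding: a workstation has
    no legitimate reason to override DNS for an anti-malware vendor."""
    findings = []
    for address, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((name, address, classify(address)))
    return findings


if __name__ == "__main__":
    for name, address, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:32} {address:16} {verdict}")
```

One caveat that follows from the rest of this thread: if a rootkit that filters file reads is suspected, the copy of HOSTS that a script sees from inside the running system may not be the one the resolver uses, so read the file from a boot CD of the kind Larry mentioned before trusting a clean result.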

Nehmo
Nov 17, 2008, 1:12:03 AM

On Nov 15, 7:08 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:

> Nehmo<nehm...@hotmail.com> wrote innews:c354188b-0954-4ffb...@1g2000prd.googlegroups.com:
>
> > On Nov 14, 8:51 am, "The Real Truth MVP" <to...@tpap.com> wrote:
> >> That's good now update your antivirus you may need to re-download it.
> >> Any old exe that did not work before will still not work.
>
> > There's a peculiarity that might mean something: I'm running Drive
>
> Sir,
>
> please ignore that idiot Pcbutts. You have a TDSS variant rootkit.

I haven't been reading this NG long enough to take a stand on personal
fights, and I'd prefer to permanently stay outside of those. However, I
must say that "idiot" doesn't seem applicable. (But modifying the
HOSTS file was disconcerting.) Now, back to my story.

Why are you and others convinced that I have a "TDSS variant rootkit"?
Is there something that indicates that?


> Agent
> present on your computer. His advice is not going to do you much good,
> aside from recommending MalwareBytes. :-)

Yes, so far, that's the only anti-malware application that installed
and ran. (DriveSentry also installed and ran, but I'm not sure if its
scan really does anything.) This is similar to the problem posted in
MajorGeeks http://forums.majorgeeks.com/showthread.php?t=172675 .
Why are most scanners blocked? How would some malware do that?
Something must trigger this "not a valid Win32 application" warning,
and this trigger is missing from MalwareBytes.

~~ Nehmo

Nehmo
Nov 17, 2008, 1:59:02 AM

Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
have Realtek High Definition Audio listed in Device Manager, so maybe
this is normal. But the process uses 30,184K in Mem Usage in Task
Manager. That seems like a lot.

Also, the popups from DriveSentry caused by winfilse.exe trying to
write are annoying. I'm not sure if there even *is* a winfilse on this
machine, and the popups demand attention before anything else. I've
had several during the writing of this post.

~~ Nehmo

Nehmo
Nov 17, 2008, 4:51:45 AM

On Nov 17, 12:59 am, Nehmo <nehm...@hotmail.com> wrote:

If anybody is still reading :-) , I have a development. I just found
the emachines Windows XP Home OS disk. So now I can re-install the OS.
I think I can, anyway. I understand these disks that come with new
computers aren't full OS disks. I'm really not clear on the difference
between a re-install disk like this and one with the full OS. But I
understand they can be used to re-install the OS. It says that on the
label.

First, I'm considering running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix . After
reading about it and all the stuff you need to do to run it, it seems
like it may be powerful.

~~ Nehmo

1PW

Nov 17, 2008, 10:19:49 AM11/17/08
On 11/17/2008 01:51 AM, Nehmo sent:

Snip, snip...

>
> If anybody is still reading :-) , I have a development. I just found
> the emachines Windows XP Home OS disk. So now I can re-install the OS.
> I think I can, anyway. I understand these disks that come with new
> computers aren't full OS disks. I'm really not clear on the difference
> between a re-install disk like this and one with the full OS. But I
> understand they can be used to re-install the OS. It says that on the
> label.
>

If the CD is the recovery CD that was sold with the system, it can help
you return the system's hard disk drive to the condition it was when it
first left eMachines. The problem arises that your system would then
lack /every/ patch, update, and service pack that was ever released
after that. If you contemplate its use, do so without connecting the
system to the Internet in any manner. After using the CD, obtain all
service packs, patches, updates and upgrades, from trusted media.

Also, all your security templates, security settings, and anti-malware
applications would need to be installed/re-installed from trusted media.

Only then, allow the system in question to "see" the Internet.

Pete
--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Nehmo

Nov 17, 2008, 4:25:26 PM11/17/08

It sure seems like a pain to re-install XP. I don't have much in the
way of anti-malware except Malwarebytes, and I used the default
settings on that. But still, I'd have to re-install everything. I'm
going to try ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix
. It's easier if you have a re-install disk. I have to install the
Recovery Console.
~~ Nehmo

The Real Truth MVP

Nov 17, 2008, 8:01:16 PM11/17/08
The filenames mentioned in your logs and the general overall problems you
are having are how we identified it, but there are many variants under
different names. I have updated Remove-it so it will better handle your
issue. Redownload the latest version
http://pcbutts1.com/downloads/tools/tools.htm and run it again. Watch the
screen this time and choose "no" when it asks you if you want to modify your
hosts file. Post back the results.


"Nehmo" <neh...@hotmail.com> wrote in message
news:4c555913-4a4a-47fd...@t39g2000prh.googlegroups.com...

1PW

Nov 17, 2008, 11:15:30 PM11/17/08
On 11/17/2008 01:25 PM, Nehmo sent:

I believe many of us will still follow this thread. Please let us know
how things are going for you.

Good luck and best wishes to you.

Dustin Cook

Nov 19, 2008, 12:26:20 AM11/19/08
Nehmo <neh...@hotmail.com> wrote in
news:4c555913-4a4a-47fd...@t39g2000prh.googlegroups.com:

> On Nov 15, 7:08 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:
>> Nehmo <nehm...@hotmail.com> wrote in
>> news:c354188b-0954-4ffb-91ab-54464ef6ad...@1g2000prd.googlegroups.com:


>>
>> > On Nov 14, 8:51 am, "The Real Truth MVP" <to...@tpap.com> wrote:
>> >> That's good now update your antivirus you may need to re-download
>> >> it. Any old exe that did not work before will still not work.
>>
>> > There's a peculiarity that might mean something: I'm running Drive
>>
>> Sir,
>>
>> please ignore that idiot Pcbutts. You have a TDSS variant rootkit.

> Why are you and others convinced that I have a "TDSS variant rootkit"?
> Is there something that indicates that?

The symptoms you describe match those of at least 2 TDSS variants that have
come across my desk in the past 3 days. One of those two disables
MalwareBytes from being installed or run as well.

> Yes, so far, that's the only anti-malware application that installed
> and ran. (DriveSentry also installed and ran, but I'm not sure if its
> scan really does anything.) This is similar to the problem posted in
> MajorGeeks http://forums.majorgeeks.com/showthread.php?t=172675 .
> Why are most scanners blocked? How would some malware do that?

The best way to stay alive on a system is to prevent the host from
removing you. That includes blocking access to websites, and disabling
whatever software you have that could prevent and/or detect it.


> Something must trigger this "not a valid Win32 application" warning,
> and this trigger is missing from MalwareBytes.

The rootkit, most likely. I couldn't say with absolute certainty this is
what you do have without logs from a few apps, but I'd be willing to bet
it's a good wager.
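
Dustin's point that staying resident means blocking the vendor sites and disabling the tools is also why the HOSTS file keeps coming up in this thread: mapping a vendor's update or download host to loopback is the cheapest way to stop a scanner from fetching definitions. The following is an added example, written for this page and not posted by anyone in the thread: a Python audit of a hosts file that flags any entry for a security-vendor domain, whether it points at loopback (site blocked) or at some other address (site impersonated). The vendor watch-list is an assumption drawn from the products named in the thread, and the sample hosts text is constructed.

```python
import ipaddress

# Assumed watch-list: vendors mentioned in this thread plus Windows Update.
# Illustrative only; extend it for whatever products you actually run.
SECURITY_VENDOR_DOMAINS = (
    "malwarebytes.org", "bitdefender.com", "mcafee.com", "symantec.com",
    "trendmicro.com", "avg.com", "safer-networking.org", "lavasoft.com",
    "windowsupdate.com", "update.microsoft.com",
)

WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Comments, blank lines and lines whose first field is not an IP are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not this audit's concern
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def is_security_domain(name: str) -> bool:
    """True for a watch-listed domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_hijacked_entries(text: str) -> list[tuple[str, str]]:
    """Return (hostname, verdict) for every watch-listed name pinned in the hosts file.

    A home system has no legitimate reason to pin a vendor's hostname at all, so
    both a loopback/unspecified mapping (site blocked) and a mapping to a real
    address (site impersonated) are reported.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if not is_security_domain(name):
            continue
        if addr.is_loopback or addr.is_unspecified:
            verdict = "blocked (points at %s)" % addr
        else:
            verdict = "redirected to %s" % addr
        findings.append((name, verdict))
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> list[tuple[str, str]]:
    """Audit a hosts file on disk; the default path is the Windows location."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacked_entries(fh.read())


# Constructed sample for this example; not a real hosts file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org  # vendor site blocked
0.0.0.0         download.bitdefender.com               # same trick, unspecified address
203.0.113.5     liveupdate.symantec.com                # vendor site impersonated
0.0.0.0         ads.example.net                        # unrelated ad-block entry, ignored
"""

if __name__ == "__main__":
    for name, verdict in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{name:32} {verdict}")
```

Two caveats for anyone using this on a box like Nehmo's: the hosts file is only the cheapest blocking point, and a kernel-mode rootkit can drop the same connections in a filter driver where a hosts audit sees nothing; and on a machine you already suspect, the file you read may be the filtered view the rootkit wants you to see, so run the audit from clean boot media (which is the same reason 1PW says to rebuild and patch offline).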

Dustin Cook

Nov 19, 2008, 12:28:31 AM11/19/08
Nehmo <neh...@hotmail.com> wrote in
news:7983b83e-1bce-466f...@a26g2000prf.googlegroups.com:

I've been reading this thread for a while now before I posted initially.
Based on your posts, it sounds to me like you should be visiting a forum
for help with malware, before you go off running tools and not being sure
of what they do. You could make things worse for yourself. Just my 2
cents.
