WiredWX Hobby Weather Tools

Not a valid Win32 Application

Re: Not a valid Win32 Application

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    File::
    c:\programdata\ezsidmv.dat

    Folder::
    c:\program files\SQ916D
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Not a valid Win32 Application

Thanks DragonMaster Jay. Here's the log:

ComboFix 10-01-21.01 - Griffin 21/01/2010 15:40:22.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2814.1752 [GMT -8:00]
Running from: c:\users\Griffin\Desktop\ComboFix.exe
Command switches used :: c:\users\Griffin\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SQ916D
c:\program files\SQ916D\skin\AVI_Logo.bmp
c:\program files\SQ916D\skin\Delete1.bmp
c:\program files\SQ916D\skin\Delete2.bmp
c:\program files\SQ916D\skin\Delete3.bmp
c:\program files\SQ916D\skin\Delete4.bmp
c:\program files\SQ916D\skin\DeleteAll1.bmp
c:\program files\SQ916D\skin\DeleteAll2.bmp
c:\program files\SQ916D\skin\DeleteAll3.bmp
c:\program files\SQ916D\skin\DeleteAll4.bmp
c:\program files\SQ916D\skin\Exit1.bmp
c:\program files\SQ916D\skin\Exit2.bmp
c:\program files\SQ916D\skin\Exit3.bmp
c:\program files\SQ916D\skin\Exit4.bmp
c:\program files\SQ916D\skin\ImageFrame1.bmp
c:\program files\SQ916D\skin\ImageFrame2.bmp
c:\program files\SQ916D\skin\ImageFrame3.bmp
c:\program files\SQ916D\skin\Main.bmp
c:\program files\SQ916D\skin\Minimize1.bmp
c:\program files\SQ916D\skin\Minimize2.bmp
c:\program files\SQ916D\skin\Minimize3.bmp
c:\program files\SQ916D\skin\Minimize4.bmp
c:\program files\SQ916D\skin\NextPage1.bmp
c:\program files\SQ916D\skin\NextPage2.bmp
c:\program files\SQ916D\skin\NextPage3.bmp
c:\program files\SQ916D\skin\NextPage4.bmp
c:\program files\SQ916D\skin\PreviousPage1.bmp
c:\program files\SQ916D\skin\PreviousPage2.bmp
c:\program files\SQ916D\skin\PreviousPage3.bmp
c:\program files\SQ916D\skin\PreviousPage4.bmp
c:\program files\SQ916D\skin\Progress1.bmp
c:\program files\SQ916D\skin\Progress2.bmp
c:\program files\SQ916D\skin\Save1.bmp
c:\program files\SQ916D\skin\Save2.bmp
c:\program files\SQ916D\skin\Save3.bmp
c:\program files\SQ916D\skin\Save4.bmp
c:\program files\SQ916D\skin\SelectAll1.bmp
c:\program files\SQ916D\skin\SelectAll2.bmp
c:\program files\SQ916D\skin\SelectAll3.bmp
c:\program files\SQ916D\skin\SelectAll4.bmp
c:\program files\SQ916D\skin\Setup.ini
c:\program files\SQ916D\SQ916D.exe
c:\program files\SQ916D\TransTWAIN.exe
c:\programdata\ezsidmv.dat

.
((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 23:49 . 2010-01-21 23:49 -------- d-----w- c:\users\Griffin\AppData\Local\temp
2010-01-21 23:49 . 2010-01-21 23:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-21 23:49 . 2010-01-21 23:49 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-01-21 23:49 . 2010-01-21 23:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 01:33 . 2010-01-21 01:33 -------- d-----w- c:\program files\Common Files\Skype
2010-01-20 03:43 . 2010-01-20 03:43 -------- d-----w- c:\program files\ESET
2010-01-19 23:46 . 2010-01-21 22:52 -------- d-----w- c:\users\Griffin\AppData\Roaming\skypePM
2010-01-19 23:43 . 2010-01-21 23:38 -------- d-----w- c:\users\Griffin\AppData\Roaming\Skype
2010-01-19 23:43 . 2010-01-21 01:34 -------- d-----r- c:\program files\Skype
2010-01-19 23:42 . 2010-01-21 01:33 -------- d-----w- c:\programdata\Skype
2010-01-19 15:17 . 2010-01-19 15:17 -------- d-----w- c:\users\Griffin\AppData\Roaming\Malwarebytes
2010-01-19 15:17 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 15:17 . 2010-01-19 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 15:17 . 2010-01-19 15:17 -------- d-----w- c:\programdata\Malwarebytes
2010-01-19 15:17 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 06:00 . 2010-01-19 06:00 -------- d-----w- c:\windows\McAfee.com
2010-01-19 05:04 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-19 01:27 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2010-01-19 00:12 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-19 00:10 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-19 00:10 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-19 00:10 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-19 00:08 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-19 00:08 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-19 00:06 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-19 00:06 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-18 23:24 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2010-01-18 23:24 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-18 23:23 . 2009-08-31 13:55 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-01-18 23:23 . 2009-08-31 13:55 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-18 23:23 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-01-18 23:23 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-01-18 23:23 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2010-01-18 23:23 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-01-18 23:23 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-18 23:23 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2010-01-18 23:23 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-18 23:22 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2010-01-18 23:22 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2010-01-18 23:18 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-10 01:06 . 2010-01-10 01:08 -------- d-----w- c:\users\Griffin\AppData\Roaming\QuickScan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 20:49 . 2009-06-30 21:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 05:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 19:12 . 2009-10-03 09:21 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-13 04:54 . 2008-08-19 02:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-13 04:53 . 2009-12-13 04:52 -------- d-----w- c:\program files\Snap 'n Share
2009-12-08 01:02 . 2009-01-04 00:43 -------- d-----w- c:\program files\Google
2009-12-03 17:03 . 2009-06-10 00:29 -------- d-----w- c:\program files\Java
2009-12-03 14:29 . 2008-08-19 09:14 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 14:29 . 2008-08-19 09:12 -------- d-----w- c:\programdata\Microsoft Help
2009-11-30 16:34 . 2009-05-08 02:43 -------- d-----w- c:\programdata\avg8
2009-11-30 14:58 . 2009-11-30 14:58 -------- d-----w- c:\programdata\avg9
2009-11-30 14:58 . 2009-05-08 02:43 -------- d-----w- c:\program files\AVG
2009-11-21 06:40 . 2010-01-19 01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2010-01-19 01:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2010-01-19 01:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2010-01-19 01:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 01:15 . 2009-11-09 01:15 95 ----a-w- c:\users\Griffin\AppData\Local\fusioncache.dat
2009-11-09 01:07 . 2009-11-09 01:07 9662 ----a-r- c:\users\Griffin\AppData\Roaming\Microsoft\Installer\{21209AE8-1E93-4289-A88F-5EE0F22CF9F8}\ARPPRODUCTICON.exe
2009-11-09 01:07 . 2009-11-09 01:07 49152 ----a-r- c:\users\Griffin\AppData\Roaming\Microsoft\Installer\{21209AE8-1E93-4289-A88F-5EE0F22CF9F8}\NewShortcut7_21209AE81E934289A88F5EE0F22CF9F8_1.exe
2009-11-09 01:07 . 2009-11-09 01:07 49152 ----a-r- c:\users\Griffin\AppData\Roaming\Microsoft\Installer\{21209AE8-1E93-4289-A88F-5EE0F22CF9F8}\NewShortcut1_21209AE81E934289A88F5EE0F22CF9F8_6.exe
2009-11-06 16:47 . 2009-11-26 00:20 2064152 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-11-03 16:47 . 2009-11-26 00:20 3513624 ----a-w- c:\programdata\avg8\update\backup\avgui.exe
2009-11-03 16:47 . 2009-11-26 00:20 2028312 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-21 6144000]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"LXCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-05-30 00:44 167936 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-05-15 01:05 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [07/05/2009 6:44 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [07/05/2009 6:44 PM 108552]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [19/08/2008 1:39 AM 61424]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [19/08/2008 1:40 AM 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [19/08/2008 1:36 AM 24576]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [19/08/2008 1:40 AM 122368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [28/03/2008 3:44 AM 210432]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [03/01/2009 4:44 PM 22072]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/05/2009 6:43 PM 297752]
S3 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03/03/2008 12:11 PM 16384]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [25/04/2008 8:36 PM 45056]
S3 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [25/04/2008 8:36 PM 131072]
S3 SQTECH9090;TOP Cam;c:\windows\System32\drivers\Capt9090.sys [12/12/2009 8:54 PM 48384]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=2&o=vp32&d=0309&m=aspire_5535
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Griffin\AppData\Roaming\Mozilla\Firefox\Profiles\ke765pq8.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Griffin\AppData\Roaming\Mozilla\Firefox\Profiles\ke765pq8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 15:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-21 15:53:30
ComboFix-quarantined-files.txt 2010-01-21 23:53
ComboFix2.txt 2010-01-21 23:10
ComboFix3.txt 2010-01-19 17:31

Pre-Run: 62,689,001,472 bytes free
Post-Run: 62,650,490,880 bytes free

- - End Of File - - 4A6D678F494E03A3123E5763E5F925CF

Re: Not a valid Win32 Application

Now, try any scan again (online or MBAM), and let me know if it finishes successfully.

Re: Not a valid Win32 Application

It finished. I did a full scan, and it said there was nothing detected. I tried to download another anti-virus that was recommended from here. It downloaded, but when I tried to run it, it said that it was not a valid Win32 Application.

Here is the MBAM scan log.

Malwarebytes' Anti-Malware 1.44
Database version: 3611
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865

21/01/2010 6:37:13 PM
mbam-log-2010-01-21 (18-37-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 278179
Time elapsed: 1 hour(s), 21 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Not a valid Win32 Application

Suspect

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Now, try to run the installer in Safe Mode with Networking and see if it runs.

I am thinking this is a deeper issue.

Re: Not a valid Win32 Application

Just tried to restart in safe mode with networking. I walked away after I hit start, so I didn't actually see how far it got before the computer shut down. I'm going to try it again, right away, and get back right after that.

Re: Not a valid Win32 Application

I finally got the file downloaded in safe mode, after many system crashes. Sometimes it would let me get into Windows, sometimes not. Then twice it would not let me connect to the net. Anyways, still, in safe mode, I got the notification that avira_antivir_personal__en.exe is not a valid Win32 application.

To beat that, when I tried to post this in safe mode, I was almost finished typing, and my system crashed. I almost chucked this computer out my front window. Bring it on
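The error reported in this post (and in the thread title) is the message Windows gives when the loader is handed a file that does not carry a usable PE image: there is no MZ/PE header at all (an HTML error page saved under an .exe name, the wrong file), the download was cut off before the header, or the image was built for a CPU the host cannot execute (an x64 image on a 32-bit system is refused with the same wording). The script below is an added example for this thread, not a tool from the forum or from any of the vendors named in it; it checks the header fields the loader examines first, and every input it runs on is a constructed byte string, not a real binary. It goes slightly beyond the single case in the thread by also classifying the CPU type.

```python
"""Check the PE header fields the Windows loader examines before it will run a
file, which is what the "not a valid Win32 application" error is about.
Added example for this thread, not a tool from the forum; all inputs below are
constructed byte strings, not real binaries."""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def inspect_pe(data: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' signature -> COFF Machine field.
    Returns {"ok": bool, "reason": str, "machine": str or None}."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"ok": False, "machine": None,
                "reason": "no MZ header: not an executable image at all "
                          "(HTML error page saved as .exe, wrong file, etc.)"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature + 20-byte COFF file header must fit inside the file.
    if e_lfanew + 24 > len(data):
        return {"ok": False, "machine": None,
                "reason": "PE header lies past end of file: truncated or partial download"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"ok": False, "machine": None,
                "reason": "PE signature missing at e_lfanew: header overwritten or corrupt"}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    name = MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)
    return {"ok": True, "reason": "MZ and PE headers present", "machine": name}


def loader_verdict(data: bytes, host_is_64bit: bool = False) -> str:
    """Approximate the loader's decision: structural checks first, then whether the
    image's CPU type can execute on this host (an x64 image on 32-bit Windows is
    refused with the same 'not a valid Win32 application' error)."""
    info = inspect_pe(data)
    if not info["ok"]:
        return "rejected: " + info["reason"]
    if info["machine"] not in MACHINE_NAMES.values():
        return "rejected: image built for another CPU architecture (%s)" % info["machine"]
    if info["machine"] == "x64" and not host_is_64bit:
        return "rejected: x64 image on a 32-bit host"
    return "accepted: %s image" % info["machine"]


def build_minimal_pe(machine: int) -> bytes:
    """Constructed test input: a DOS header, e_lfanew pointing just past it, the PE
    signature and a COFF file header. Enough for the checks above; it is not a
    runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed samples: what a download looks like when the server answered with an
# HTML page instead of the installer, and a good image cut off part-way through.
HTML_ERROR_PAGE = b"<html><body><h1>404 Not Found</h1></body></html>"
TRUNCATED_IMAGE = build_minimal_pe(IMAGE_FILE_MACHINE_I386)[:70]


if __name__ == "__main__":
    samples = {
        "x86 image": build_minimal_pe(IMAGE_FILE_MACHINE_I386),
        "x64 image": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64),
        "html page": HTML_ERROR_PAGE,
        "truncated": TRUNCATED_IMAGE,
    }
    if len(sys.argv) > 1:  # optionally inspect a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            samples[sys.argv[1]] = fh.read()
    for label, blob in samples.items():
        print("%-12s %s" % (label, loader_verdict(blob)))
```

Running it with the path of the downloaded installer as its argument tells you whether the file on disk is a PE image at all. If a freshly downloaded installer fails this check, the download itself is the problem; if it passes and Windows still refuses it, the cause is on the machine, which is the direction the helper's later rootkit-scanner requests take.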

Re: Not a valid Win32 Application

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    [screenshot: RootRepeal Report tab with the Scan button]

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    [screenshot: RootRepeal scan options with all checkboxes selected]
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

==

Please download Rooter and Save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.


==

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


==

Post any or all logs you get from these programs.

Re: Not a valid Win32 Application

I ran Root Repair. It gave me a huge long list, and while still running, the screen went blank, and the hard drive light stayed on full bright. I had to unplug the machine to get it to reset. This was after 20 mins of dark screen.

Will try the other two first, then root repair again.

Re: Not a valid Win32 Application

Ok. Let me know how it goes. If it is what I think it is, we have a dragon on our hands. (Gunsmoke)

Re: Not a valid Win32 Application

A Dragon? I must have the right guy helping me.

I got a Sysprot report. Here it is


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No hidden Processes found

******************************************************************************************
******************************************************************************************
No hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found

Re: Not a valid Win32 Application

When I tried to run Rooter, it scanned for about 2 seconds, then I got a popup that said:

"Malaware Finder has stopped working correctly. Windows will close the program and notify you if a solution is available."

When I clicked Close program, Rooter closed. I tried it two more times with the exact same result.

That is when I went to SysProt Antirootkit.

Re: Not a valid Win32 Application

Download this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this: [screenshot: fix.bat file icon]
Double click on fix.bat & allow it to run

Post the log.

Re: Not a valid Win32 Application

20:31:38:870 1420 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
20:31:38:870 1420 ================================================================================
20:31:38:870 1420 SystemInfo:

20:31:38:870 1420 OS Version: 6.0.6001 ServicePack: 1.0
20:31:38:870 1420 Product type: Workstation
20:31:38:870 1420 ComputerName: GRIFFIN-PC
20:31:38:870 1420 UserName: Griffin
20:31:38:870 1420 Windows directory: C:\Windows
20:31:38:870 1420 Processor architecture: Intel x86
20:31:38:870 1420 Number of processors: 2
20:31:38:870 1420 Page size: 0x1000
20:31:38:870 1420 Boot type: Normal boot
20:31:38:870 1420 ================================================================================
20:31:38:886 1420 UnloadDriverW: NtUnloadDriver error 2
20:31:38:886 1420 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:31:38:901 1420 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
20:31:58:214 1420 UtilityInit: KLMD drop and load success
20:31:58:214 1420 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
20:31:58:214 1420 UtilityInit: KLMD open success
20:31:58:214 1420 UtilityInit: Initialize success
20:31:58:214 1420
20:31:58:214 1420 Scanning Services ...
20:31:58:214 1420 CreateRegParser: Registry parser init started
20:31:58:214 1420 CreateRegParser: DisableWow64Redirection error
20:31:58:214 1420 wfopen_ex: Trying to open file C:\Windows\system32\config\system
20:31:58:214 1420 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
20:31:58:214 1420 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:31:58:214 1420 wfopen_ex: Trying to KLMD file open
20:31:58:214 1420 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
20:31:58:214 1420 wfopen_ex: File opened ok (Flags 2)
20:31:58:230 1420 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 22F2B98
20:31:58:230 1420 wfopen_ex: Trying to open file C:\Windows\system32\config\software
20:31:58:230 1420 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
20:31:58:230 1420 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:31:58:230 1420 wfopen_ex: Trying to KLMD file open
20:31:58:230 1420 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
20:31:58:230 1420 wfopen_ex: File opened ok (Flags 2)
20:31:58:230 1420 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 22F2BC0
20:31:58:230 1420 CreateRegParser: EnableWow64Redirection error
20:31:58:230 1420 CreateRegParser: RegParser init completed
20:31:59:212 1420 GetAdvancedServicesInfo: Raw services enum returned 442 services
20:31:59:212 1420 fclose_ex: Trying to close file C:\Windows\system32\config\system
20:31:59:228 1420 fclose_ex: Trying to close file C:\Windows\system32\config\software
20:31:59:228 1420
20:31:59:228 1420 Scanning Kernel memory ...
20:31:59:228 1420 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:31:59:228 1420 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8628B798
20:31:59:228 1420 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
20:31:59:228 1420
20:31:59:228 1420 DetectCureTDL3: DEVICE_OBJECT: 8528B478
20:31:59:228 1420 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8528B478
20:31:59:228 1420 DetectCureTDL3: DEVICE_OBJECT: 84F5E820
20:31:59:228 1420 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F5E820
20:31:59:228 1420 KLMD_ReadMem: Trying to ReadMemory 0x84F5E820[0x38]
20:31:59:228 1420 DetectCureTDL3: DRIVER_OBJECT: 87C107D0
20:31:59:228 1420 KLMD_ReadMem: Trying to ReadMemory 0x87C107D0[0xA8]
20:31:59:228 1420 KLMD_ReadMem: Trying to ReadMemory 0x87BA4C30[0x1E]
20:31:59:228 1420 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
20:31:59:228 1420 DetectCureTDL3: IrpHandler (0) addr: 99A64B40
20:31:59:228 1420 DetectCureTDL3: IrpHandler (1) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (2) addr: 99A64BB8
20:31:59:228 1420 DetectCureTDL3: IrpHandler (3) addr: 99A64C30
20:31:59:228 1420 DetectCureTDL3: IrpHandler (4) addr: 99A64C30
20:31:59:228 1420 DetectCureTDL3: IrpHandler (5) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (6) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (7) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (8) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (9) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (10) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (11) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (12) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (13) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (14) addr: 99A64828
20:31:59:228 1420 DetectCureTDL3: IrpHandler (15) addr: 99A594AA
20:31:59:228 1420 DetectCureTDL3: IrpHandler (16) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (17) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (18) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (19) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (20) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (21) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (22) addr: 99A62F9A
20:31:59:228 1420 DetectCureTDL3: IrpHandler (23) addr: 99A607A2
20:31:59:228 1420 DetectCureTDL3: IrpHandler (24) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (25) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (26) addr: 8206CFE3
20:31:59:228 1420 KLMD_ReadMem: Trying to ReadMemory 0x99A5BA44[0x400]
20:31:59:228 1420 TDL3_StartIoHookDetect: CheckParameters: 4, 99A5F000, 0
20:31:59:228 1420 TDL3_FileDetect: Processing driver: USBSTOR
20:31:59:228 1420 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:31:59:228 1420 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:31:59:244 1420 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:31:59:244 1420
20:31:59:244 1420 DetectCureTDL3: DEVICE_OBJECT: 8638EAC8
20:31:59:244 1420 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8638EAC8
20:31:59:244 1420 DetectCureTDL3: DEVICE_OBJECT: 85CD1A60
20:31:59:244 1420 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85CD1A60
20:31:59:244 1420 DetectCureTDL3: DEVICE_OBJECT: 856E3828
20:31:59:244 1420 KLMD_GetLowerDeviceObject: Trying to get lower device object for 856E3828
20:31:59:244 1420 KLMD_ReadMem: Trying to ReadMemory 0x856E3828[0x38]
20:31:59:244 1420 DetectCureTDL3: DRIVER_OBJECT: 8540B268
20:31:59:244 1420 KLMD_ReadMem: Trying to ReadMemory 0x8540B268[0xA8]
20:31:59:244 1420 KLMD_ReadMem: Trying to ReadMemory 0x853CF8D8[0x20]
20:31:59:244 1420 DetectCureTDL3: DRIVER_OBJECT name: \Driver\ahcix86s, Driver Name: ahcix86s
20:31:59:244 1420 DetectCureTDL3: IrpHandler (0) addr: 89B7A60A
20:31:59:244 1420 DetectCureTDL3: IrpHandler (1) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (2) addr: 89B7A565
20:31:59:244 1420 DetectCureTDL3: IrpHandler (3) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (4) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (5) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (6) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (7) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (8) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (9) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (10) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (11) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (12) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (13) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (14) addr: 89B7A6CB
20:31:59:244 1420 DetectCureTDL3: IrpHandler (15) addr: 89B49EE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (16) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (17) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (18) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (19) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (20) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (21) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (22) addr: 89B4F98F
20:31:59:244 1420 DetectCureTDL3: IrpHandler (23) addr: 89B7A8FE
20:31:59:244 1420 DetectCureTDL3: IrpHandler (24) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (25) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (26) addr: 8206CFE3
20:31:59:244 1420 TDL3_FileDetect: Processing driver: ahcix86s
20:31:59:244 1420 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\ahcix86s.sys
20:31:59:244 1420 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\ahcix86s.sys
20:31:59:259 1420 TDL3_FileDetect: C:\Windows\system32\DRIVERS\ahcix86s.sys - Verdict: Clean
20:31:59:259 1420
20:31:59:259 1420 Completed
20:31:59:259 1420
20:31:59:259 1420 Results:
20:31:59:259 1420 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:31:59:259 1420 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:31:59:259 1420 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:31:59:259 1420
20:31:59:259 1420 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
20:31:59:259 1420 UtilityDeinit: KLMD(ARK) unloaded successfully
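The log above is mostly TDSSKiller walking the storage driver stack: for each driver object under \Driver\Disk it lists the 27 IRP major-function handler addresses, checks the driver file on disk, and finally prints infected/cured counters. Reading that by eye is tedious, so here is an added parser for that log format, written for this thread and not code from Kaspersky or the forum. Its sample input is a shortened excerpt of the log posted above. One detail the parser makes visible: an address that appears in every driver's dispatch table (8206CFE3 in this log) cannot belong to any single driver and is the kernel's shared default routine for IRP majors the driver does not implement; the remaining addresses are the per-driver entries an analyst compares against the driver's own load range when looking for dispatch redirection of the kind TDSSKiller's DetectCureTDL3 pass is checking for.

```python
"""Parse a TDSSKiller 2.x text log (the format posted above) into per-driver IRP
dispatch tables, file verdicts and the final infected/cured counters.
Added example for this thread, not Kaspersky's code. SAMPLE_LOG is a shortened
excerpt of the log posted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\S+)")
RESULT_RE = re.compile(r"(Memory|Registry|File) objects infected / cured / cured on reboot: "
                       r"(\d+) / (\d+) / (\d+)")


@dataclass
class DriverScan:
    name: str
    object_name: str
    handlers: Dict[int, str] = field(default_factory=dict)  # IRP major code -> handler address
    file: Optional[str] = None
    verdict: Optional[str] = None


@dataclass
class ScanReport:
    drivers: List[DriverScan] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)

    def shared_handlers(self) -> Set[str]:
        """Addresses present in every driver's table. A routine that unrelated drivers
        all dispatch to cannot live inside any one of them, so it is kernel code (the
        default handler for IRP majors a driver does not implement)."""
        tables = [set(d.handlers.values()) for d in self.drivers if d.handlers]
        return set.intersection(*tables) if tables else set()

    def private_handlers(self, driver: DriverScan) -> Dict[int, str]:
        """The driver-specific entries: what an analyst compares against the driver's
        load range from a kernel-module listing to confirm they point into its image."""
        shared = self.shared_handlers()
        return {major: addr for major, addr in driver.handlers.items() if addr not in shared}

    def is_clean(self) -> bool:
        verdicts_ok = bool(self.drivers) and all(d.verdict == "Clean" for d in self.drivers)
        counters_ok = bool(self.results) and all(r[0] == 0 for r in self.results.values())
        return verdicts_ok and counters_ok


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Every log line is 'HH:MM:SS:mmm PID message'; driver blocks are delimited by the
    DRIVER_OBJECT name line, and the verdict for a block follows its handler list."""
    report = ScanReport()
    current: Optional[DriverScan] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        msg = m.group(3)
        d = DRIVER_RE.search(msg)
        h = HANDLER_RE.search(msg)
        v = VERDICT_RE.search(msg)
        r = RESULT_RE.search(msg)
        if d:
            current = DriverScan(name=d.group(2), object_name=d.group(1))
            report.drivers.append(current)
        elif h and current is not None:
            current.handlers[int(h.group(1))] = h.group(2).upper()
        elif v and current is not None:
            current.file, current.verdict = v.group(1), v.group(2)
        elif r:
            report.results[r.group(1)] = (int(r.group(2)), int(r.group(3)), int(r.group(4)))
    return report


# Shortened excerpt of the log posted above (three of the 27 handlers per driver kept).
SAMPLE_LOG = r"""
20:31:59:228 1420 Scanning Kernel memory ...
20:31:59:228 1420 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
20:31:59:228 1420 DetectCureTDL3: IrpHandler (0) addr: 99A64B40
20:31:59:228 1420 DetectCureTDL3: IrpHandler (1) addr: 8206CFE3
20:31:59:228 1420 DetectCureTDL3: IrpHandler (15) addr: 99A594AA
20:31:59:244 1420 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:31:59:244 1420 DetectCureTDL3: DRIVER_OBJECT name: \Driver\ahcix86s, Driver Name: ahcix86s
20:31:59:244 1420 DetectCureTDL3: IrpHandler (0) addr: 89B7A60A
20:31:59:244 1420 DetectCureTDL3: IrpHandler (1) addr: 8206CFE3
20:31:59:244 1420 DetectCureTDL3: IrpHandler (15) addr: 89B49EE3
20:31:59:259 1420 TDL3_FileDetect: C:\Windows\system32\DRIVERS\ahcix86s.sys - Verdict: Clean
20:31:59:259 1420 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:31:59:259 1420 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:31:59:259 1420 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print("shared kernel handler(s):", sorted(rep.shared_handlers()))
    for drv in rep.drivers:
        print(drv.name, drv.verdict, rep.private_handlers(drv))
    print("clean:", rep.is_clean())
```

Feed it the full Logit.txt instead of SAMPLE_LOG to get the same summary for a real run; is_clean() deliberately returns False for an empty or truncated log, so a scan that crashed part-way (as Rooter did earlier in this thread) is not mistaken for a clean result.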

Re: Not a valid Win32 Application

Go to Start, type in CMD, right-click on it in the results pane and select Run as Administrator.
Type in: sfc /scannow
Press Enter.

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.

==

Now let's see if that error happens again.
