Re: not a valid Win32 application - warning. Can't run antivirus apps

Anti-Virus Software

Posted by Nehmo on November 16, 2008, 12:14 am
> On the Tools menu in Windows Explorer, click Folder Options.
> Click the View tab.
> Under the Hidden files and folders heading select Show hidden files and
> folders.
> Uncheck the Hide protected operating system files (recommended) option
> Click ok.
> Can you see those files now? send me a copy of the MBAM log

I already have "Hide protected operating system files (Recommended)"
with an un-checked box. I also have "Hidden files and Folders" set
with a dotted circle to the option "Show hidden files and folders".

The file isn't there. Yet I continually get DriveSentry popups saying
winfilse.exe is trying to write to either Temporary Internet files IE
content or Cookies. These popups are logged by DriveSentry.

The Malwarebytes (MBAM) log is short enough to just post here. MBAM
deleted Winterms.exe (see near the end of the log). That was the other
file I couldn't find.

The MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1400
Windows 5.1.2600 Service Pack 3

11/15/2008 5:15:53 PM
mbam-log-2008-11-15 (17-15-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179546
Time elapsed: 3 hour(s), 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\downld1671.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7296.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4656.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4546.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4578.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6953.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8453.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld0140.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld8250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld6312.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4687.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1265.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld1171.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld4640.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7359.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2593.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld9375.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2750.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5250.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld7609.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld636734.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld704218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld712703.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld734921.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld741343.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld771890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld777218.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld804890.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld871015.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld877390.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld880187.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld937937.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld020203.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld2484.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld625.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld5109.exe (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Owner\Application Data\m\flec006.exe
(Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.

--
~~ Nehmo
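To triage a log like the one above without reading every entry, here is an added Python example (not from the thread and not Malwarebytes' own code) that parses the MBAM 1.x layout, rejoins entries the mail client wrapped after "->", and pulls out what a responder checks first: items still pending a reboot and anything classed as a rootkit. The sample log is constructed in the same layout as the posted one.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.30 log quoted above (wrapped as in the post).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Files Infected: 3
Registry Keys Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\m (Trojan.Agent) ->
Delete on reboot.

Files Infected:
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined
and deleted successfully.
"""

# One detection entry: "<path> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)\.$")


def parse_mbam_log(text):
    # Returns (section, path, family, action) dicts; lines are joined until one ends in '.'.
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(" Infected:"):  # detail header, not a summary count line
            section, buf = line[:-1], ""
            continue
        if section is None:  # scan header and summary counts precede any section
            continue
        buf = f"{buf} {line}".strip()
        if buf.endswith("."):
            m = ENTRY_RE.match(buf)
            if m:
                entries.append({"section": section, **m.groupdict()})
            buf = ""
    return entries


def summarize(entries):
    # Family counts plus what to check first: items pending a reboot and any rootkit.
    families = Counter(e["family"] for e in entries)
    pending = [e["path"] for e in entries if "reboot" in e["action"].lower()]
    rootkits = [e["path"] for e in entries if e["family"].startswith("Rootkit")]
    return families, pending, rootkits
```

A "Delete on reboot" entry means the item was still on disk when the log was written, so a second scan after restarting is the way to confirm it is gone.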

Posted by Dustin Cook on November 16, 2008, 9:12 pm
@nlpi070.nbdc.sbc.com:

> Any exe that still does not work like HJT will have to be deleted and
> re-download. I need about 3 more hours to put some finishing touches my
> script to rid you of that rootkit and another 2 to update Remove-it.

WTF? Why should he delete ANY of the exes that aren't working? They aren't
actually the issue. The rootkit is the problem, and I don't care how many
static filenames you add, you won't be killing it without help from another
program; one you likely didn't author and probably wouldn't be able to get
permission from its author to even use. LOL.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org



Posted by Nehmo on November 16, 2008, 9:39 pm
> Are you still having problems? Is system restore on or off? Now you need to
> use a boot disk to manually remove the files.

System restore is on. I saw no restore points. I successfully created
one.
~~ Nehmo

Posted by Nehmo on November 17, 2008, 1:59 am
>
> > Are you still having problems? Is system restore on or off? Now you need to
> > use a boot disk to manually remove the files.
>
> System restore is on. I saw no restore points. I successfully created
> one.

Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
have Realtek High Definition Audio listed in Device Manager, so maybe
this is normal. But the process uses 30,184K in Mem Usage in Task
Manager. That seems like a lot.

Also, the popups from DriveSentry caused by winfilse.exe trying to
write are annoying. I'm not sure if there even *is* a winfilse on this
machine, and the popups demand attention before anything else. I've
had several during the writing of this post.

~~ Nehmo


Posted by Nehmo on November 17, 2008, 4:51 am
>
>
> > > Are you still having problems? Is system restore on or off? Now you need to
> > > use a boot disk to manually remove the files.
>
> > System restore is on. I saw no restore points. I successfully created
> > one.
>
> Another thing: rthdcpl.exe is in my startup tab on msconfig, and I
> have Realtek High Definition Audio listed in Device Manager, so maybe
> this is normal. But the process uses 30,184K in Mem Usage in Task
> Manager. That seems like a lot.
>
> Also, the popups from DriveSentry caused by winfilse.exe trying to
> write are annoying. I'm not sure if there even *is* a winfilse on this
> machine, and the popups demand attention before anything else. I've
> had several during the writing of this post.

If anybody is still reading :-) , I have a development. I just found
the emachines Windows XP Home OS disk. So now I can re-install the OS.
I think I can, anyway. I understand these disks that come with new
computers aren't full OS disks. I'm really not clear on the difference
between a re-install disk like this and one with the full OS. But I
understand they can be used to re-install the OS. It says that on the
label.

First, I'm considering running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix . After
reading about it and all the stuff you need to do to run it, it seems
like it may be powerful.

~~ Nehmo


