not a valid Win32 application - warning. Can't run antivirus apps


The Real Truth MVP

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under the Hidden files and folders heading, select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.
Click OK.
Can you see those files now? Send me a copy of the MBAM log.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




That's good. Now update your antivirus; you may need to re-download it. Any
old exe that did not work before will still not work.

There's a peculiarity that might mean something: I'm running Drive
Sentry http://www.drivesentry.com/ . The program is supposed to alert
the user to writes to the hard drive. Then the user can approve or
disapprove. I continually get (separate) warnings that winfilse.exe
(this is the correct spelling; it's not winfiles) and wintems.exe are
trying to write, and Drive Sentry suggests a rule that I should
disapprove. I do disapprove. But later I get the same warnings. Drive
Sentry, in its log section, says that winfilse.exe is in c:\windows
\system32\drivers . But when I look there using Explorer, I don't see
it.

Right now there's nothing in Drive Sentry's log about winterms.exe . I
think the log only goes so far back.

Another peculiarity: Using Firefox, I can't open messages in Hotmail.
But if I use IE, I can.

I also found this thread:
http://forums.majorgeeks.com/showthread.php?t=172675
.. R4nd seems as though he or she has a similar problem. R4nd has the
two executables I mentioned above, he or she gets the not a valid
Win32 error, he or she seems only to scan with Malwarebytes. But R4nd
doesn't say anything beyond the first post. I don't know if
bjgarrick's solution was successful.

I'm currently in the midst of an after-update scan with Malwarebytes.

Scan finished. 44 more items. Need to reboot to delete.

~~ Nehmo









Dustin Cook

From: "Nehmo" <[email protected]>



| This is the only key similar to the one above:

| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows
| \LoadAppInit_DLLs


| The other keys aren't there.


| I haven't tried that anti-malware app yet (since the problem). I'll
| see if it installs.

REM Remove the TDSS files named below. Each attrib call clears the hidden,
REM read-only and system attributes first so that DEL is allowed to touch the file.
attrib -h -r -s "%systemroot%\system32\TDSSxfum.dll"
DEL /F /Q "%systemroot%\system32\TDSSxfum.dll"

attrib -h -r -s "%systemroot%\Temp\*.*"
DEL /F /Q "%systemroot%\Temp\*.*"

attrib -h -r -s "%systemroot%\system32\TDSSlxwp.dll"
DEL /F /Q "%systemroot%\system32\TDSSlxwp.dll"

attrib -h -r -s "%systemroot%\system32\TDSSkkbi.log"
DEL /F /Q "%systemroot%\system32\TDSSkkbi.log"

attrib -h -r -s "%systemroot%\system32\drivers\TDSSpqlt.sys"
DEL /F /Q "%systemroot%\system32\drivers\TDSSpqlt.sys"

TDSSserv is a rootkit, and even if you had it, that simple batch file
will not remove it!

It won't remove the peer program, the NT Service, and it certainly
won't remove the Registry entries, which are protected via access
permissions.

TDSSserv has several variants as well, and the files listed in the
above deletion list are totally incomplete.

Oh, and it's a rootkit. Short of direct disk access, if it's resident,
this batch file isn't going to see it.
 

Dustin Cook

| There's a peculiarity that might mean something: I'm running Drive

Sir,

please ignore that idiot Pcbutts. You have a TDSS variant rootkit.Agent
present on your computer. His advice is not going to do you much good,
aside from recommending MalwareBytes. :)

You may wish to come to the malwarebytes.org website forums; you can get
expert assistance from professionals there who won't bork your system,
and who do understand what they are dealing with.

| Sentry, in its log section, says that winfilse.exe is in c:\windows
| \system32\drivers . But when I look there using Explorer, I don't see
| it.

And you won't, as long as it's resident. It's hiding, intentionally.

| I'm currently in the midst of an after-update scan with Malwarebytes.
|
| Scan finished. 44 more items. Need to reboot to delete.

I have been working for the last 2 days practically nonstop on TDSS
definition data, so please let me know how it goes for you.
 

Nehmo

| From: "Nehmo" <[email protected]>
|
| | Win Defender installation failed. Couldn't write to
| | mpengine.dll
| | ~~ Nehmo
|
| My suggestion is this...
| Wipe the PC after backing up your PC's data and reinstall the OS from scratch.

David, I've been clicking your signature links for days with no
result. I would have alerted you sooner, but my system is so
corrupted, I wasn't sure if maybe anti-malware links were blocked,
like in the HOSTS file or something. Anyway, the links are dead.
~~ Nehmo
 

The Real Truth MVP

If you want to be able to get to David's site then you have to unzip and run
this file.
http://pcbutts1.com/downloads/hostsback.zip


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




 

Buffalo

The Real Truth said:
| If you want to be able to get to David's site then you have to unzip
| and run this file.
| http://pcbutts1.com/downloads/hostsback.zip
|
| | David, I've been clicking your signature links for days with no
| | result. I would have alerted you sooner, but my system is so
| | corrupted, I wasn't sure if maybe anti-malware links were blocked,
| | like in the HOSTS file or something. Anyway, the links are dead.
| | ~~ Nehmo

Is that because he installed your program?
 

Leythos

| Is that because he installed your program?

No, it's because PCBUTTS blocks access to many very reputable anti-
malware sites because most of the malware community shuns his actions
and his filth that he's posted over the years - so he retaliates by
blocking those people/vendors sites without telling you.

You should avoid anyone that is so unethical.
 

Leythos

| No, it's because PCBUTTS blocks access to many very reputable anti-
| malware sites because most of the malware community shuns his actions
| and his filth that he's posted over the years - so he retaliates by
| blocking those people/vendors sites without telling you.
|
| You should avoid anyone that is so unethical.

Sorry, didn't follow the thread parsing well enough, should have been:

YES, it's because PCBUTTS blocks access to many very reputable anti-
malware sites....
 

Nehmo

| Sir,
|
| please ignore that idiot Pcbutts. You have a TDSS variant rootkit.

I haven't been reading this NG long enough to take a stand on personal
fights, and I'd prefer to permanently stay outside of those. However, I
must say that "idiot" doesn't seem applicable. (But modifying the
HOSTS file was disconcerting.) Now, back to my story.

Why are you and others convinced that I have a "TDSS variant rootkit"?
Is there something that indicates that?


| Agent present on your computer. His advice is not going to do you much good,
| aside from recommending MalwareBytes. :)

Yes, so far, that's the only anti-malware application that installed
and ran. (DriveSentry also installed and ran, but I'm not sure if its
scan really does anything.) This is similar to the problem posted in
MajorGeeks http://forums.majorgeeks.com/showthread.php?t=172675 .
Why are most scanners blocked? How would some malware do that?
Something must trigger this "not a valid Win32 application" warning,
and this trigger is missing from MalwareBytes.

~~ Nehmo
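One well-known answer to Nehmo's question of how malware keeps scanners and their download sites out of reach, and the thing Nehmo suspected behind the dead links, is the HOSTS file: a vendor name pointed at loopback never resolves, and a name pointed somewhere else lands on a site of the attacker's choosing. The Python below is an added example, not code from anyone in this thread or from any tool it mentions; it parses a HOSTS file and flags security-site names that are sinkholed or redirected. The sample HOSTS text and the site-name list are constructed.

```python
"""Audit a Windows HOSTS file for entries that keep a machine from reaching
anti-malware sites. Added example; the sample text and name list are constructed."""

# Constructed watch list (substring match, so keep the fragments distinctive).
SECURITY_SITE_HINTS = ("malwarebytes", "microsoft", "symantec", "mcafee",
                       "kaspersky", "avast", "drivesentry", "majorgeeks")
# Addresses used to sinkhole a name; anything else is a redirect elsewhere.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                 # one IP, one or more names
            pairs.append((fields[0], name.lower()))
    return pairs

def audit_hosts(text):
    """Return a list of (hostname, ip, reason) for suspicious entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        vendor_hit = any(hint in name for hint in SECURITY_SITE_HINTS)
        if ip in SINKHOLE_IPS and vendor_hit:
            findings.append((name, ip, "vendor site sinkholed"))
        elif ip not in SINKHOLE_IPS:
            findings.append((name, ip, "redirected to non-loopback address"))
    return findings

SAMPLE_HOSTS = """\
# Constructed sample, not a capture from the poster's machine
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org      # blocked outright
0.0.0.0         download.microsoft.com
203.0.113.10    forums.majorgeeks.com     # sent to a TEST-NET address
127.0.0.1       intranet.corp.test        # harmless local override
"""

if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```

On a live machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts, and a clean audit there does not rule out blocking at a lower layer, which is the kind of thing Dustin's "direct disk access" remark is about.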
 

The Real Truth MVP

The filenames mentioned in your logs and the general overall problems you
are having are how we identified it, but there are many variants under
different names. I have updated Remove-it so it will better handle your
issue. Redownload the latest version from
http://pcbutts1.com/downloads/tools/tools.htm and run it again. Watch the
screen this time and choose "no" when it asks you if you want to modify your
hosts file. Post back the results.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




 

Dustin Cook

| Why are you and others convinced that I have a "TDSS variant rootkit"?
| Is there something that indicates that?

The symptoms you describe match those of at least 2 TDSS variants that have
come across my desk in the past 3 days. One of those two disables
MalwareBytes from being installed or run as well.

| Yes, so far, that's the only anti-malware application that installed
| and ran. (DriveSentry also installed and ran, but I'm not sure if its
| scan really does anything.) This is similar to the problem posted in
| MajorGeeks http://forums.majorgeeks.com/showthread.php?t=172675 .
| Why are most scanners blocked? How would some malware do that?

The best way to stay alive on a system is to prevent the host from
removing you. That includes blocking access to websites, and disabling
whatever software you have that could prevent and/or detect it.

| Something must trigger this "not a valid Win32 application" warning,
| and this trigger is missing from MalwareBytes.

The rootkit, most likely. I couldn't say with absolute certainty this is
what you do have without logs from a few apps, but I'd be willing to bet
it's a good wager.
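Dustin puts the warning down to the rootkit rather than to the files themselves, and there is a quick way to separate the two. Windows reports "not a valid Win32 application" (ERROR_BAD_EXE_FORMAT) when its loader rejects an image, so if the bytes on disk carry a structurally sound MZ/PE header and the file still refuses to run, the refusal is being imposed at run time rather than by a damaged download. The Python below is an added example, not code from anyone in the thread; the constants are the standard PE header values, and the stub image it builds for the demonstration is constructed.

```python
"""Sanity-check the headers of an .exe to tell a corrupt image apart from
one Windows refuses for another reason. Added example; constants are the
standard PE header values and the stub image built below is constructed."""
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

def check_pe(data):
    """Return (ok, reason) for the raw bytes of an executable."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):            # signature + IMAGE_FILE_HEADER
        return False, "e_lfanew points outside the file"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature"
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)      # IMAGE_FILE_HEADER fields
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        return False, f"unexpected machine type 0x{machine:X}"
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return False, "IMAGE_FILE_EXECUTABLE_IMAGE flag not set"
    if opt_size == 0 or nsect == 0:
        return False, "no optional header or no sections"
    return True, "headers look valid"

def make_stub(signature=b"PE\0\0", chars=IMAGE_FILE_EXECUTABLE_IMAGE):
    """Build a constructed minimal image: DOS header followed by a file header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: right after the DOS header
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386,
                              1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + signature + file_header

if __name__ == "__main__":
    # Pass a path to check a real file; with no argument, check the stub.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_stub()
    print(check_pe(data))
```

A resident rootkit sits between this script and the disk exactly as it sits between Explorer and the disk, so a passing result is only as trustworthy as the system that read the bytes.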
 
