TechSpot

(Any antivirus.exe) not a valid win32 Application in Vista

By bennychains
Jan 22, 2008
Topic Status:
Not open for further replies.
  1. I am running Vista Business.

    Problems:
    1. My Windows Defender is disabled automatically on startup, and will not enable.
    2. I cannot run any AVG, SpyBot, Combofix product (it gives me the error in the title: "(any antivirus.exe) not a valid win32 Application.")
    3. My wireless internet will not connect (side-effect likely)

    (i have read and completed most of the Viruses/Spyware/Malware, preliminary removal instructions anything i did not do is a result of me not being able to run the prog)

    I have run Adaware in safemode, and MS Malicious software removal. Both found stuff, and deleted them, but problem still exists. Smitfraud did not locate anything, nor did Vundofix.

    I noticed that a virus named Bagle came up, which may or may not be the primary problem.

    There are no rogue progs in my installed programs, my msconfig looks normal as well (as far as i can tell).

    Any assistance would be greatly appreciated. I really do not want to wipe and re install everything.

    attached is my hijack this log, it's renamed in the list.

    thanks soo much. i am freakin out.
     


  2. bennychains

    bennychains TS Rookie Topic Starter


    please assist.
     
  3. dgower2

    dgower2 TS Maniac Posts: 340

    Download and run superantispyware. It has found several infections that all the others missed on multiple occasions, for me.
     
  4. bennychains

    bennychains TS Rookie Topic Starter


    thanks, did you have this exact same problem? Are you running vista?

    I will attempt it, hopefully this EXE will not be blocked as well.

    It seems my last resorts are:

    1. running it as a slave drive and hitting it with AVG
    2. wiping and reinstalling. From now on I am ghosting my drive once a month.


    ANY OTHER THOUGHTS on what might be causing this?

    I have read the other threads that seem like similar problems, but none seemed to be helpful for me.

    thanks!
     
  5. vistaboy2

    vistaboy2 TS Rookie

    Urgent - AV / Firewall / windows defender de-activated

    I'm currently suffering the exact same symptoms. All AV and protection now appears to be disabled.

    I stupidly downloaded a corrupt file and then Vista launched into a blue screen of death on Monday. When it restarted avg, firewall, defender etc were all disabled, no warnings from avg that it was inactive and it's disappeared and will no longer launch because of the error msg.

    Wireless also disabled. Have tried to install numerous av and cleaning solutions and for various reasons the majority have all been blocked as I'll outline below. Some of AVG appears to be working as it has recognised viruses and moved them to vault. I have a dual partition and have performed various things like the online virus scan, trojan hunter, avg etc whilst logged onto my XP partition on my D drive. All identified viruses/trojans and tried to remove - it would seem with little success.

    It seems to have some effect on programmes when the PC is restarted because things like Ad Aware SE worked when I initially installed them but once a restart is performed it will not start because of 'win32 not valid'. This also happened with HJT when the version not named crusty turned to an error sign when the system was restarted.

    1. With the online scanner when attempting the removal procedure in vista the message:
    'an error occured while trying to transfer data from the internet. do you want trend micro to try resending the required files' This happens continually.

    2 AVG antispyware installed but then after a system crash it had uninstalled itself. even when it was installed it just gave the error message - connection failed, whenever you launched the app.

    3. Spybot was already installed on my system but would not launch with the win 32 problem, I have attempted to uninstall and the system crashed whilst attempting to uninstall.

    4 Ad aware, installed, scanned, identified viruses, then crashed when trying to quarantine and then would not launch again. has now disappeared from desktop.

    5. CCleaner, was one of the only suggestions that worked, found about 666mb of crap - has now also uninstalled itself.

    6 download tool 1, was identified as a trojan and quarantined by AV (which told me avg was at least active in some capacity). download 2 found nothing download 3 dead link.

    7 On vista so no panda but the avg rootkit caused my system to require a restart. when I did this the system would no longer boot because of a missing driver. I had to load vista dvd to repair OS. It was after this that many of the programs I'd installed removed themselves.

    8. combofix will not install just causes win explorer to freeze with no action from the prog.

    9 I had to run HJT as admin and I have attached the report below.

    I can access my system through my XP partition and run various AV programmes through there that will not otherwise run on my vista partition. Does anyone know if doing this can potentially remove the infection from my C drive. because it seems to be identifying problems but still struggling to remove anything. various progs have found 15 or so trojans, viruses etc when running the progs on my alternative partition.

    This is really freaking me out. I've never come across such an aggressive virus before that so systematically wipes out most forms of protection and seems to recognise (and attack) virtually any av programme you use.

    If you can think of any suggestions please let me know because my system seems so corrupted. - I don't know what else I can try!!!!

    Any help at all is much appreciated. HJT attached
     
  6. bennychains

    bennychains TS Rookie Topic Starter

  7. vistaboy2

    vistaboy2 TS Rookie

    Thanks mate I'll get googling. Keep me informed.
    Cheers,
     
  8. vistaboy2

    vistaboy2 TS Rookie

    The symantec tool didn't find any of those viruses on my sys. This must be a new virus because it seems to understand its way around the very latest software out there. Must be rare though because you're the first person I've come across that has the exact same problem.

    I'm going to boot into my xp install again and run through a few more programs and see if as many trojans / viruses are still being found. This is rapidly becoming, what seems like the only option!
     
  9. vistaboy2

    vistaboy2 TS Rookie

    Running AVG on my dual XP install I have found:
    Trojan Horse/backdoor.sdbot3.xmg as well as Bagle.AFJ, and Bagle AFB twice. Scan is still running but it seems to have moved the files to the vault. Going to carry out the rest of the steps then attempt to load into vista again.

    They were in C:\system volume information\_restore{long alphanumeric combination.exe
     
  10. vistaboy2

    vistaboy2 TS Rookie

    Found another thread discussing the same topic and they seem to have eventually resolved it. http://forums.spybot.info/showthread.php?t=23005

    There's some work arounds for some of the analysis progs that aren't working and after a lot of logfiles their system seems to be fixed. It doesn't look anything like a quick fix but there's SpyBot tech support to talk you through what you need to do. It's way too late here now for me to start to think about doing it now and I've registered but am unable to make posts on their forum for some reason. It looks like you have to completely clean your system then reinstall AVG, Spybot etc.

    I'm going to leave a few scanners running overnight and see if anything's been found in the morning.
     
  11. loyalsidhu

    loyalsidhu TS Rookie

    not a valid win32 application in vista home premium

    Hi Friends

    I have also suffered from the same problem; every application is blocked and shows "not a valid win32 application".

    If anyone has found a way out of this problem, please help me.

    Most of the exe files are infected by win32/jeefo.

    I have installed bitdefender but nothing good happened.
     
     
  12. dgower2

    dgower2 TS Maniac Posts: 340

    I didn't have this problem and I don't have Vista. It looks like between you and vistaboy2, you'll get this thing resolved. Viruses are definitely evolving, aren't they. Don't forget trend micro's online scanner - works great when you can't install apps.

     
  13. bennychains

    bennychains TS Rookie Topic Starter

    As of right now, this issue is UNRESOLVABLE.

    I don't consider this to be a typical virus, it does not manifest itself in registry, or startup progs.

    I don't have the time to continue different suggestions but the next step i would undertake is getting a better program that monitors all startup programs.

    I have already wiped my vista installation and have begun my reinstallation of softwares.

    This time, i will make a ghost image of my drive in its most virgin state, so in the future i will just reload it and not worry about this. I don't keep any personal files on my laptop anyway, just on external hd's. so no real loss, except for my f'n time.

    I also feel like this is not some new age virus by some bad *** programmer.

    I think this is just a normal old virus that when applied to Vista can do horrible irreparable corruption to certain files. Even after the virus is located and deleted.

    my 2 cents. whatever this is, it has won. even experts-exchange couldn't get it.
     
  14. vistaboy2

    vistaboy2 TS Rookie

    My earlier optimism appears to be unfounded. I worked through the whole procedure of my XP install until it was delivering clean results. As soon as I've loaded into Vista the exact same problems exist.

    I eventually managed to run Combofix by starting in safemode but there were various errors along the way and when it finished it did not post a log file. DSS worked and I have attached both the logs from this scan.

    I really don't know what other options are left to me. Can anybody translate these logs and suggest any possible resolutions. My HJT log is posted in a previous post.

    I have uninstalled and re installed AVG free in an attempt to load a clean version but this hasn't worked.

    Pretty much every AV programme, Spybot, avg anti spyware etc will not start because it is not a valid win32 file. I really don't want to have to resort to a reformat but unless anybody can suggest anything else I can't see what else I can try.
    Help please.
     
  15. vistaboy2

    vistaboy2 TS Rookie

    Losing hope of being able to fix this!

    I managed to run a combofix scan and get it to produce a log. Also attached is a more recent hijackthis log. If anyone understands what it means I'd really appreciate some advice.

    I don't want to be defeated by this virus but it's tied me up for three days solid and reinstalling seems like the only remaining option unless anyone has any suggestions.
    Thanks
     
  16. Strob

    Strob TS Rookie

    I think I got the same as vistaboy2

    I had a keygen that I scanned with Nod32 just before running. Nod32 did not find anything. I ran the file and got a blue screen. When I restarted, nod32 was screwed and I could not even uninstall it. I downloaded the Kaspersky trial, which uninstalled nod32, but I got the same message for all antivirus (win32 not valid).

    When I used the Kaspersky online file scanning service on the keygen, it tells me it is infected by

    Trojan-Downloader.Win32.Bagle.it

    But I can't find any info about this virus... I think it is new and we have to wait for someone to find a cure...
     
  17. sahara

    sahara TS Rookie

    Hi, I'm having the same problems on my Windows XP "Media Center Edition":

    1. Shortcuts for AVG, Spybot S&D, Adaware etc disappeared, and when I try to run them from their actual location, I get "????? is not a valid win32 Application"

    2. Same thing with HijackThis, the first time I tried to run it after downloading, it crashed explorer.exe. After Ctrl+Alt+Del and start explorer.exe again, I start getting the "????? is not a valid win32 Application" for it also.
    I tried changing the filename in case that'd bypass the virus, but that crashes explorer.exe also, and "C:\>rename hijackthis.exe test.exe" in command prompt didn't work either.

    3. Tried scanning with online scanner, Trend Micro gives me "an error occured while trying to transfer data from the internet. do you want trend micro to try resending the required files" continuously.
    Panda Scan starts, but crashes IE half way through.
    Kaspersky somehow insists that I need to use IE5+ (IE6, and FF2)

    4. Downloaded SuperAntiSpyware that dgower suggested, it started, but crashes windows half way through. I tried twice, once with the internet disconnected and nothing else running. So I think it must have hit the infected file or something... Unfortunately it doesn't seem to produce a log, so I don't know what killed it.

    5. I can't even go into safe mode, I'd pick safe mode on the screen, it'd go through a bunch of code as usual, and then it'd go back to the bios screen and starts windows as usual.

    6. I noticed a lot of the things in services.msc are disabled. Wifi doesn't work because of WZC being off, Windows Update doesn't work "The site cannot continue because one or more of these Windows services is not running" etc.

    7. Just tried running ComboFix and SREng ( kztechs.com/eng ), ComboFix got the "not valid win32 application" error and SREng freezes on first screen. Edit: eventually got SREng to work, attached the log.


    The only thing I downloaded yesterday was FileZilla (from the sourceforge page, and I installed the same thing on my work computer, which doesn't have any problem, so I think this is unrelated), and I also accepted some file transfers via MSN (photos of friends, rar file with a few text files in it, nothing out of the special), and until today when they disappeared, I had AVG on and updated regularly, so I'm at a loss as to what is causing this :/
     
  18. Strob

    Strob TS Rookie

    By luck, I have a dual boot with Windows XP 32 bit and Windows XP 64 bits. Only my 32 bits is infected so far.

    I'm running Kaspersky trial on my 64 bits system (I could not run it on the infected one).

    I also got the blue screen every time I try to start my infected system in safe mode. And I got a blue screen too when trying to install Spy Doctor (from the google pack) in 32 bit.

    I can't install spy doctor on my 64 bit system. But if Kaspersky does not succeed I will try installing spy doctor from the exe files downloaded directly from their site.

    I forgot to say, on my infected system it takes a long time (like 10 minutes) for iexplorer to access the internet but it still can access it if I wait.

    If I can't find a solution after that I will definitely switch to my 64 bit system.
     
  19. vistaboy2

    vistaboy2 TS Rookie

    I was able to download Kaspersky on my infected Vista install eventually and run the programme which appears to have removed some of the problems. This enabled me to re-install HijackThis, AVG Spyware and Combofix and go through the removal techniques which I had been unable to access previously. This seems to have solved the problem. I am still worried there may be an infection because every security certificate fails when I try to access secure sites and I'm not 100% confident it has been removed in its entirety.

    I'm going to run another Combofix scan and see if there are any other problems removed.

    When I ran one of the removal tools it also identified problems. I can't remember whether it was the first or the third one.

    I re-activated my WiFi (which had been completely disabled) with the procedure below:

    1. regedit
    2. [HKEY_LOCAL_MACHINE]\System\CurrentControlSet\Services\ndisuio
    3. Change Start to "0x000000002 (2)"
    4. Restart

    I'll post another combofix when I'm home to see if there is still something lurking.

    Even if the virus is removed it will have damaged the AV installs and you will need to reinstall AV, Firewalls etc as far as I know.
     
  20. dgower2

    dgower2 TS Maniac Posts: 340

    Thanks for all your updates. This bagle virus seems to be an extreme headache. I'm surprised there's not a guide exclusive to its removal somewhere. Best of luck to you guys; I wish I had more information/advice for you.
     
  21. sahara

    sahara TS Rookie

    I eventually managed to get the Kaspersky online scan to run and complete without crashing, and the report listed a lot of "Object is locked" and:
    "C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of "
    I tried removing the file, but got an error that says "Cannot delete mdelk: Cannot read from the source file or disk".
    The online help files about the file suggested uninstalling it first, but it isn't showing up in my program list. Neither is it in my task manager's process list either.

    I'll try to get the full version of Kaspersky and see if I've any luck with it.

    By the way, thanks vistaboy2, I managed to get wifi working again following your instruction.

    Edit: Installed Kaspersky trial, and then restarted into command prompt, removed the mdelk.exe file there, but when I restart I still have the same old problem of Kaspersky "is not a valid Win32 application"...
     
  22. jigjag

    jigjag TS Rookie

    Same Issue

    Just to brief things up, antivirus didn't recognize it(nod32), tried installing the trial of kaspersky, avg etc, nothing worked. same old error, however did an online virus scan, managed to recognize 6 virus, said it cleaned them, but left 1 behind, rebooted, voila - problem still persists.

    problems include: can't boot up in safe mode, wireless disabled, even tried to overwrite my system files by 'upgrading windows' (windows xp)

    what i can recommend is, get a windows disk that boots up from a CD, use an antivirus program in that os and scan for issues and then reboot again

    else

    clean format your pc.

    unfortunately i don't have a Windows Cd boot up thing-a-ma-jig.

    i'm just saying that's an idea...
     
  23. DanielKatz

    DanielKatz TS Rookie

    I'm experiencing the same disturbances too

    It also started with a blue screen, and was followed by disabling any security systems I had… including the system services that support security.
    I solved the issue by reinstalling the operating system, but because it's obviously a new virus (only one more match on Google) I'm very interested in any evolvement on the subject.
     
  24. temir

    temir TS Rookie Posts: 87

  25. sahara

    sahara TS Rookie

    Good news, I've managed to (I think) fix my computer :)
    I followed bloo2k's reply on
    nivas.hr/blog/2008/01/13/biohazard-outbreak-of-wintemsexe-28-hours-later-how-to-get-rid-of-a-virus-if-you-cant-boot-to-safe-mode-and-your-computer-keeps-deleting-anti-virus-software
    - basically, download something that doesn't need installation (Rootkit UnHooker, IceSword, ComboFix), save it as something .bak/txt/whatever instead of an exe, so the virus won't recognize it, and then change the file to read only before renaming it to .exe and run it.
    With that method, I managed to avoid the "not a valid win32 application" error messages. And I used Rootkit UnHooker to kill the wintem.exe and hldrrr.exe processes, and then used IceSword, ComboFix, BitDefender online scanner and Kaspersky online scanner to delete all remaining traces of the virus.

    Looks like all the old firewall and antivirus/spyware programs will need reinstalling, but so far everything I've installed works.
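
Added example, not part of the original thread or any poster's code: Windows reports "not a valid Win32 application" when it cannot load a file as a PE image, so this Python check walks a folder and tests each `.exe` for the basic DOS, PE and COFF header structure. It separates installs that are damaged on disk, and need reinstalling as the posters found, from intact files that are being blocked some other way. The sample header bytes are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

def pe_status(data: bytes) -> str:
    """Return "ok" or the first header check that fails for this file content."""
    if not data:
        return "empty file"
    if len(data) < 0x40:
        return "truncated DOS header"
    if data[:2] != b"MZ":
        return "missing MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data):
        return "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature"
    # COFF file header: the 20 bytes that follow the 4-byte signature
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        return "missing optional header"
    if e_lfanew + 24 + opt_size + 40 * nsections > len(data):
        return "headers truncated"
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "unknown optional header magic"
    return "ok"

def scan(root) -> dict:
    """Map each .exe under root that fails the checks to the reason it failed."""
    damaged = {}
    for path in Path(root).rglob("*.exe"):
        try:
            status = pe_status(path.read_bytes())
        except OSError as exc:  # e.g. the "cannot read from the source file" case
            status = f"unreadable: {exc}"
        if status != "ok":
            damaged[str(path)] = status
    return damaged

def sample_pe() -> bytes:
    """Constructed minimal header set (DOS, PE, COFF, PE32 magic, one section).
    It passes the checks above; it is not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    section = b".text\0\0\0" + b"\0" * 32
    return dos + b"PE\0\0" + coff + optional + section

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python pecheck.py "C:\Program Files"   (script name is hypothetical)
    for path, reason in sorted(scan(sys.argv[1]).items()):
        print(f"{reason:35} {path}")
```

A file that passes these checks can still be infected or altered further in; the check only shows whether the headers the loader reads first are intact.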
     