Mswin32.exe problem

By sritce
May 24, 2009
  1. I managed to remover this virus mswin32.exe which disables my task manager and folder option..But now my problem is I am getting an message "WINDOWS CAN NOT FIND WIN32.EXE " whenever i start my system..How to get rid of this message ..Thanks in advance..
  2. dipo003

    dipo003 TS Enthusiast Posts: 37

    try thiiiisss

    what i think is that there is a refrence to the file in the windows startup handles which it cannot find. which possibly could have caused this error.

    you can try this
    1 try running msconfig.exe by pressing window+R then type msconfig
    then try go to the startup tab then try to find if there is any link to the file, then try to disable it
    2 some registry tools can fix this for you such as system mechanic
    3 if u have usb security software the one by zhengou, try go to it and there you can delete the file handle
  3. sritce

    sritce TS Rookie Topic Starter Posts: 47

    no..none of the above solves my problem...
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's get the terminology straight first:

    mswin32.exe is the process for the Microsoft Update Service

    win32.exe is added to the system as a result of the RATEGA virus. It is a Trojan horse give a remote user access to your computer.

    So you removed the wrong file and still have the malware!

    Unfortunately, sometimes people jump on with answers without checking content first.

    Please move to the Virus and Malware Removal Forum and follow the steps set up here:

    When you have finished, attach the three logs. We will review them.
    Be sure to check the lines in both Malwarebytes and Superantispyware for the removal of the malware they find. Don't remove anything in HijackThis. That's out job.
  5. sritce

    sritce TS Rookie Topic Starter Posts: 47

    thanks for ur suggestion

    Every thing is fine now..only after scanning with malwarebytes problem got solved..
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're on your own. I would not release you at this point if I was helping with cleaning.
  7. sritce

    sritce TS Rookie Topic Starter Posts: 47

    ok ..I will send u log files what u asked before as soon as possible..
  8. sritce

    sritce TS Rookie Topic Starter Posts: 47

    Pls review my log files

    Please check my log files..
  9. snowchick7669

    snowchick7669 TS Maniac Posts: 660

    MBAM didnt clean the reg files?

    Sorry Bobbye, I'm not intruding on your fix :) Just having a nosey
  10. sritce

    sritce TS Rookie Topic Starter Posts: 47


    ya your rite..because MBAM always shows 4 infection files..even after cleaning ,some times later when i do scan it ll show the same 4 infected files..any my system still infected ??
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    P2P: As long as you're doing file sharing, you're going to get malware. Please see P2P Warning in Step 3.
    C:\Program Files\uTorrent\utorrent.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"

    FYI: when the Mbam results come back showing No action taken it means that the following wasn't done:

    * Make sure that everything is checked, and click Remove Selected.

    Malwarebytes needs to be UPDATED and run again with this checked. The infection isn't 'coming back'- it wasn't removed!

    Superantispyware has a similar line:
    * Make sure everything found has a checkmark next to it,then press 'Next'
    Same thing> if it wasn't checked, malware wasn't removed.

    So the Vundo infection remains. Understand: it's not a matter of "still infected"- it's a matter of not removing the malware due to not following directions in the cleaning programs.

    Please open HijackThis, and select Do a system scan only.
    Place a checkmark next to the following entries (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    (FYI: From time to time Kagi may use external service providers who need to know all your financial payment information to help verify the information provided or to help Kagi make business decisions.)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe,>> a Backdoor W32.Spybot.OBB
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: (no name) - {8DF6AD7A-3096-49A3-96FF-9ED869DA8AC1} - c:\windows\system32\jvrbjiu.dll
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 - Winlogon Notify: nauzbsuj - C:\WINDOWS\SYSTEM32\jvrbjiu.dll

    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    Please download ComboFix HERE

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComoboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Rescan with HijackThis AFTER running Malwarebytes again and Combofix. Attach all logs and reports.
  12. sritce

    sritce TS Rookie Topic Starter Posts: 47


    No I did checked all items and then only removed it..i did it many times..It says items will be removed after next restart..Any how after scanning with comba fix ,it got removed i think..because now malware scanner didnt show any infected file..check the log files ..thank you..
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's go through some of the entries I found:

    1. Firefox
    C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
    The final for v3 has been out for a long time. Please update to current version v3.0.10-link is on lower right:

    2. [BFile Sharing:[/B]
    c:\program files\TeamViewer (2009-04-12) Remote access/Desktop sharing
    C:\Program Files\uTorrent\utorrent.exe

    3. Pirating:
    The following indicates you are using a crack/keygen program to download software. Pirating is NOT supported on TS:
    IE: Download All Links with IDM - d:\softwaress\downloader\Internet Download Manager v5.01 Trial to Full by Great Elmo!!\IEGetAll.htm
    IE: Download with IDM - d:\softwaress\downloader\Internet Download Manager v5.01 Trial to Full by Great Elmo!!\IEExt.htm

    4. Antivirus programs:
    c:\program files\WinClamAVShield> 2009-05-25 12:35
    c:\program files\ESET\ESET NOD32 Antivirus

    5. Registry Cleaner:
    c:\program files\Uniblue>> Registry Booster>> (KillRBProcess.exe)

    All of these need to be handled as soon as possible:
    1. Firefox: it's important to keep updates current. Many are for security reasons.
    2. Files haring is a trip straight to malware. Recommend uninstall these programs.
    3. Using crack programs to load software is the same thing as stealing it.
    4. You should run only 1 antivirus program. Uninstall one of them
    5. Registry Cleaners are not recommended. Recommend uninstall this.
  14. touch

    touch TS Rookie Posts: 978

  15. sritce

    sritce TS Rookie Topic Starter Posts: 47

  16. sritce

    sritce TS Rookie Topic Starter Posts: 47


    I will do what you have mentioned ..thanks..
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...