
"Not a valid Win32 application" error when running an .exe file (inclu MBAM)



Hi there, good MBAM folk :-)

I am directed by one of the kind MBAM moderators to open a new thread after initially posting under the incorrect category. Here goes:

Computer: PC, Windows 7 Home Premium, 64 bit. Malwarebytes Free, Avira Pro.

Note: I have chosen NOT to install the Windows Updates - this may/may not be relevant.

I first noticed there might be a problem when I was attempting to download regular definition updates for Malwarebytes. The download could never quite complete - it froze up 3/4 of the way through. Same result after several attempts.

I then uninstalled Malwarebytes using Control Panel. I also downloaded the mbam-cleaner file from the MBAM site. BUT I was then unable to open this mbam-cleaner file beyond the Run window (which I clicked), getting instead the error message "mbam-cleaner.exe is not a valid Win32 application".

Having uninstalled MBAM, I then re-downloaded MBAM, but, when running the .exe file to re-install it, upon hitting Run, the system would not go any further than coming up with the error message, once again, "not a valid Win32 application".

So I was unable to run mbam-cleaner OR re-install MBAM. Not good.

Same exact result when I tried to run rkill - same equivalent error message: "rkill.exe is not a valid Win32 application".

Definitely something is awry. These are very likely to be good .exe files, and something is choosing to block their opening. I've never seen this error message before. I have made no changes whatsoever to my registry or startup - nothing at all.

Additional info:

As per the malware instructions, I have since downloaded FRST (FRST64.exe) and attempted to run it, and, again, as soon as I click Run, up comes the same error message, this time saying "FRST64.exe is not a valid Win32 application", and it doesn't go any further than that.

This bad stuff is stopping everything dead in its tracks, so I can't even diagnose/cure the problem with FRST!

I am posting from the 'infected' computer, so the unit still has considerable functionality, despite whatever bad stuff is going on.

Any wisdom very much appreciated indeed.

All warmest wishes,
Ralph

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running for too much time (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the attachment button below. Doing this, you make it easier for me to analyze and fix your problem.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay for the repair.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi there TwinHeadedEagle,

Many, many thanks for your help.

I tried this before, and I tried it again - always hopeful!

I downloaded FRST (for my 64-bit OS), saved the .exe file, attempted to run it, and was blocked (again) by the same error message as before, namely, that "FRST64.exe is not a valid Win32 application".

I just can't seem to run any .exe files!

All best wishes,

Ralph

No, I did not. Good call.

So, I temporarily deactivated Avira (umbrella down), then tried to run FRST again, and the same error message

"FRST64.exe is not a valid Win32 application"

came up after I'd hit the Run button on the FRST launch, not allowing me to go further, the only option being to close out of trying to run it. So Avira off, same result. MBAM is now off my system (I have been unable to re-install it - same problem).

Also, when I was re-installing Malwarebytes, I got the same error message... I would think that Avira would operate with MBAM without that kind of message/denial, so, again, it doesn't make me suspect Avira as the culprit here. It seems I just can't run any .exe or install files. Even when I was trying an online scanning service, which needed me to download and run its installer on my unit, I got the same error message when attempting to run that too.

Thoughts?

Heya - I entered Safe Mode and attempted to run FRST from there, but no luck, again, the same error message: not a Win32 application. So, no, I can't run FRST from Safe Mode.

Interestingly, I also tried to run the MBAM setup file (which I had downloaded earlier) while I was still in Safe Mode, and the error message for that was that the file was "corrupted" and it couldn't run - not that it was "not a Win32 application", as per all the other error messages I've been getting. I got the MBAM installer from the MBAM site, so hardly likely that that file is corrupted?

Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
  • Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).

Access the notepad and identify your USB drive

In the Command Prompt please type in:
notepad
and press Enter.

  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.

Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:

  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.

Making some progress! Yes, this way I was able to run FRST - at last :-) Here's the log, copied and pasted in its entirety.

Thanks for your ongoing help, TwinHeadedEagle - much appreciated.

Ralph

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-05-2015 02
Ran by SYSTEM on MININT-EKIF8NA on 18-05-2015 23:16:01
Running from g:\
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11474024 2010-10-05] (Realtek Semiconductor)
HKLM-x32\...\Run: [biosNotice] => C:\Program Files (x86)\BIOSTAR\BiosNotice\BiosNotice.exe [1003008 2010-10-13] ()
HKLM-x32\...\Run: [startCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [DigidesignMMERefresh] => C:\Program Files (x86)\Digidesign\Drivers\MMERefresh.exe [77824 2010-06-15] (Avid Technology, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [726320 2015-05-11] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [129272 2015-03-16] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Startup: C:\Users\Ralph Lister\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-05-05]
ShortcutTarget: Dropbox.lnk ->  (No File)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [815920 2015-05-11] (Avira Operations GmbH & Co. KG)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [434424 2015-05-11] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [434424 2015-05-11] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1004280 2015-05-11] (Avira Operations GmbH & Co. KG)
S4 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-26] (APN LLC.)
S2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [201008 2015-03-16] (Avira Operations GmbH & Co. KG)
S2 DigiRefresh; C:\Program Files (x86)\Digidesign\Drivers\MMERefresh.exe [77824 2010-06-15] (Avid Technology, Inc.)
S2 RalinkRegistryWriter; C:\Program Files (x86)\Ralink\Common\RalinkRegistryWriter.exe [75040 2008-09-05] (Ralink Technology, Corp.)
S2 RalinkRegistryWriter64; C:\Program Files (x86)\Ralink\Common\RalinkRegistryWriter64.exe [210720 2008-09-05] (Ralink Technology, Corp.)
S2 rtpMIDIService; C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe [1142272 2012-08-23] (Tobias Erichsen)
S4 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1025408 2013-07-17] (Enigma Software Group USA, LLC.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [128536 2015-05-05] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132120 2015-05-05] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-26] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-05-05] (Avira Operations GmbH & Co. KG)
S1 BIOS; C:\Windows\system32\drivers\BIOS64.sys [14136 2009-06-10] (BIOSTAR Group)
S1 BIOS; C:\Windows\SysWOW64\drivers\BIOS64.sys [14136 2009-06-10] (BIOSTAR Group)
S1 BS_I2cIo; C:\Windows\system32\drivers\BS_I2c64.sys [15408 2010-05-17] (BIOSTAR Group)
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S3 MBOX; C:\Windows\System32\DRIVERS\AvidMbox.sys [423728 2012-02-23] (Avid)
S3 MBOXDFU; C:\Windows\System32\DRIVERS\AvidMbox_DFU.sys [30512 2012-02-23] (Avid)
S3 teVirtualMIDI64; C:\Windows\System32\DRIVERS\teVirtualMIDI64.sys [30208 2012-08-15] (Tobias Erichsen)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-18 23:15 - 2015-05-18 23:16 - 00000000 ____D () C:\FRST
2015-05-17 14:25 - 2015-05-17 14:25 - 00582335 _____ () C:\Users\Ralph Lister\Downloads\FRST64(1).exe
2015-05-12 13:45 - 2015-05-12 13:45 - 00415895 _____ () C:\Users\Ralph Lister\Downloads\FRST64.exe
2015-05-11 19:42 - 2015-05-11 19:42 - 02042244 _____ () C:\Users\Ralph Lister\Downloads\esetsmartinstaller_enu.exe
2015-05-11 19:34 - 2015-05-11 19:34 - 00214415 _____ () C:\Users\Ralph Lister\Downloads\rkill.exe
2015-05-11 19:26 - 2015-05-11 19:27 - 20373700 _____ (Malwarebytes Corporation ) C:\Users\Ralph Lister\Downloads\mbam-setup-2.1.6.1022.exe
2015-05-11 19:20 - 2015-05-11 19:21 - 00301892 _____ (Malwarebytes Corporation) C:\Users\Ralph Lister\Downloads\mbam-clean-2.1.1.1001.exe
2015-05-11 19:16 - 2015-05-11 19:16 - 00261988 _____ () C:\Users\Ralph Lister\Downloads\mbam-clean-2.1.1.1001 (2).exe
2015-05-11 16:40 - 2015-05-11 16:40 - 00003014 _____ () C:\Windows\System32\Tasks\{2AAB8110-7528-4E10-B217-91A47FCC7099}
2015-05-11 16:39 - 2015-05-11 16:39 - 00003014 _____ () C:\Windows\System32\Tasks\{5B0C8252-A725-4436-8FE3-0DE4D91F2617}
2015-05-11 16:35 - 2015-05-11 16:35 - 00000000 ____D () C:\Users\Ralph Lister\Desktop\Old Firefox Data
2015-05-11 16:16 - 2015-05-11 16:17 - 06420600 _____ (Tim Kosse) C:\Users\Ralph Lister\Downloads\FileZilla_3.10.3_win64-setup.exe
2015-05-05 12:35 - 2015-05-05 12:35 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-18 11:15 - 2014-02-12 16:20 - 00000000 ___RD () C:\Users\Ralph Lister\Dropbox
2015-05-18 11:15 - 2014-02-12 16:18 - 00000000 ____D () C:\Users\Ralph Lister\AppData\Roaming\Dropbox
2015-05-18 11:14 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-18 11:14 - 2009-07-13 20:51 - 00179967 _____ () C:\Windows\setupact.log
2015-05-17 22:51 - 2013-01-26 17:19 - 01797811 _____ () C:\Windows\WindowsUpdate.log
2015-05-17 22:43 - 2009-07-13 20:45 - 00014608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-17 22:43 - 2009-07-13 20:45 - 00014608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-17 22:39 - 2013-09-16 04:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-05-17 22:39 - 2009-07-13 21:13 - 00713888 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-05-11 19:05 - 2013-01-29 08:51 - 00000000 ____D () C:\Users\Ralph Lister\AppData\Roaming\FileZilla
2015-05-11 17:49 - 2013-01-26 15:33 - 00291820 _____ () C:\Windows\PFRO.log
2015-05-11 16:22 - 2013-08-19 09:01 - 00000000 ____D () C:\Users\Ralph Lister\AppData\Roaming\Avira
2015-05-11 16:22 - 2013-08-19 08:59 - 00000000 ____D () C:\ProgramData\Avira
2015-05-11 16:17 - 2013-01-29 08:51 - 00000000 ____D () C:\Program Files (x86)\FileZilla FTP Client
2015-05-05 17:02 - 2013-01-26 15:36 - 00000000 ____D () C:\Users\Ralph Lister\AppData\Roaming\Digidesign
2015-05-05 12:39 - 2013-09-16 04:43 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-05-05 12:39 - 2013-08-04 17:11 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-05-05 12:39 - 2013-01-28 13:52 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-05-05 12:38 - 2013-08-19 08:59 - 00132120 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2015-05-05 12:38 - 2013-08-19 08:59 - 00128536 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2015-05-05 12:38 - 2013-08-19 08:59 - 00044088 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2015-05-05 12:36 - 2014-08-13 05:24 - 00001131 _____ () C:\Users\Public\Desktop\Avira.lnk
2015-05-05 12:36 - 2014-08-13 05:24 - 00000000 ____D () C:\ProgramData\Package Cache
2015-05-05 12:35 - 2013-08-19 08:59 - 00000000 ____D () C:\Program Files (x86)\Avira

Some content of TEMP:
====================
C:\Users\Ralph Lister\AppData\Local\Temp\AskSLib.dll
C:\Users\Ralph Lister\AppData\Local\Temp\avgnt.exe
C:\Users\Ralph Lister\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpild7n1.dll
C:\Users\Ralph Lister\AppData\Local\Temp\processhacker-2.33-setup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\RHSetup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\SHSetup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.3-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.5-win32.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-11-30 22:03:33
Restore point made on: 2014-12-08 08:50:57
Restore point made on: 2014-12-15 09:53:23
Restore point made on: 2015-05-05 13:31:46
Restore point made on: 2015-05-11 19:19:31
Restore point made on: 2015-05-11 19:56:12
Restore point made on: 2015-05-17 15:07:09

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3967.3 MB
Available physical RAM: 3367.56 MB
Total Pagefile: 3965.45 MB
Available Pagefile: 3352 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:196.06 GB) (Free:65.4 GB) NTFS
Drive e: (Storage) (Fixed) (Total:735.35 GB) (Free:10.65 GB) NTFS
Drive g: (ATTACHE16GB) (Removable) (Total:14.96 GB) (Free:14.96 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 956F78D7)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=196.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=735.3 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)


LastRegBack: 2015-05-17 14:59

==================== End Of Log ============================


Download the attached fixlist.txt and save it to your USB flash drive as fixlist.txt.

>> Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log fixlog.txt on your USB flash drive.

>> Exit out of Recovery Environment and post me the log please.

Try to boot Windows normally...

Here's the fixlog.txt in its entirety:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-05-2015 02
Ran by SYSTEM at 2015-05-19 11:43:02 Run:1
Running from g:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Startup: C:\Users\Ralph Lister\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-05-05]
ShortcutTarget: Dropbox.lnk ->  (No File)
S4 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-26] (APN LLC.)
C:\Program Files (x86)\AskPartnerNetwork
C:\Users\Ralph Lister\AppData\Local\Temp\AskSLib.dll
C:\Users\Ralph Lister\AppData\Local\Temp\avgnt.exe
C:\Users\Ralph Lister\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpild7n1.dll
C:\Users\Ralph Lister\AppData\Local\Temp\processhacker-2.33-setup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\RHSetup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\SHSetup.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.3-win32.exe
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.5-win32.exe

*****************

C:\Users\Ralph Lister\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk => Moved successfully.
ShortcutTarget: Dropbox.lnk ->  (No File) not found.
APNMCP => Service deleted successfully.
C:\Program Files (x86)\AskPartnerNetwork => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\AskSLib.dll => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpild7n1.dll => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\processhacker-2.33-setup.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\RHSetup.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\SHSetup.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.7-win32.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.0.8-win32.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.2-win32.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.3-win32.exe => Moved successfully.
C:\Users\Ralph Lister\AppData\Local\Temp\vlc-2.1.5-win32.exe => Moved successfully.

==== End of Fixlog 11:43:03 ====


So, I re-started the infected PC, booting as per normal.

I then downloaded a fresh version of MBAM (to re-install it after uninstalling a week ago, when the problem arose), and attempted to run it: the same error message came back as before - the file is "corrupted". That seems strange.

I then tried to run mbam-cleaner (which, admittedly, I had downloaded last week), and, as before, back came the message that this is not "a valid Win32 application".

Is there something I am missing?

I can hardly believe the new MBAM setup would be "corrupted"...

I have now uninstalled all components of Avira using Control Panel, and have re-booted (twice).

MBAM still says its setup file is corrupted, and mbam-cleaner still responds saying it is not a valid Win32 application.

So removing Avira does not seem to help.

Now I no longer have Avira OR MBAM on my infected unit!

Bingo!

Having run FixExec and re-booted, I ran the previously-downloaded MBAM installer, and still got the "corrupted" error message.

So, not to be outdone, I then re-downloaded a fresh version of the MBAM installer from the MB site, which overwrote the last download, and ran that. It then installed perfectly, and, as I write, I'm carrying out a full Threat Scan on the infected computer. It's scanning the files now, and will begin the heuristic phase of the scan in a short while, no doubt. So far, no infections logged.

I will let you know what the scan finds, if anything, when it's finished.

I am beginning to feel relieved! :-)

Best wishes,

Ralph

No threats found by MBAM! Wonderful.

Have downloaded Avira Free and am presently running that as well.

Maybe I can take a big breath now, TwinHeadedEagle :-) Many, many thanks for your kind help. It looks like you've solved it!

Do you happen to know what might have caused all this in the first place? Knowing this might help me avoid getting into this kind of trouble again...

All best wishes,

Ralph

You had some policies that prevented applications from running.

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)

Recommended reading:

MUST READ - security tips:

MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

  • CCleaner - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware bundled into legitimate installers.
  • Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody.

If you're happy with the help provided and/or wish to show your appreciation for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,
TwinHeadedEagle :)
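TwinHeadedEagle's closing diagnosis is that execution policies were blocking applications. As an added example (not from the thread, Malwarebytes or Farbar), the script below does the read-only audit a defender would run afterwards: it checks the registry locations where Windows keeps execution-blocking policies and .exe launch settings, and it checks whether a downloaded .exe is a complete PE file, which separates a truncated download (the "corrupted" installer) from a file the system refuses to run. It goes beyond the page by listing several policy locations; it assumes an elevated PowerShell prompt on the affected machine and the download paths named in the thread.

```powershell
# Added example, not part of the thread: read-only audit of execution-blocking
# policies plus a PE-header sanity check. Assumes an elevated PowerShell prompt.
# Nothing is modified; every finding is printed for review.

function Test-PeHeader {
    # Returns a one-line verdict on whether $Path looks like a complete PE (.exe) file.
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return 'No MZ header: not a PE file, or download truncated at the start'
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ($peOffset -le 0 -or ($peOffset + 4) -gt $bytes.Length) {
        return 'e_lfanew points outside the file: truncated or corrupt download'
    }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # 'PE\0\0'
        return ('MZ header present but no PE signature at 0x{0:X}' -f $peOffset)
    }
    return ('PE header OK ({0} bytes on disk)' -f $bytes.Length)
}

function Get-ExecutionBlockFindings {
    # Collects settings that can stop .exe files from launching system-wide.
    $findings = @()

    # 1. Software Restriction Policies: DefaultLevel 0 means "Disallowed" for everything
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (Test-Path $key) {
            $level = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DefaultLevel
            if ($null -ne $level -and $level -ne 0x40000) {
                $findings += ('SRP DefaultLevel in {0} is 0x{1:X} (0x40000 = Unrestricted)' -f $hive, $level)
            }
        }
    }

    # 2. Explorer DisallowRun / RestrictRun lists (per-user and machine-wide)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        foreach ($name in 'DisallowRun', 'RestrictRun') {
            $flag = (Get-ItemProperty $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($flag -eq 1) {
                $list = @()
                if (Test-Path "$key\$name") {
                    $sub = Get-Item "$key\$name"
                    $list = $sub.GetValueNames() | ForEach-Object { $sub.GetValue($_) }
                }
                $findings += ('{0} enabled in {1}: {2}' -f $name, $hive, ($list -join ', '))
            }
        }
    }

    # 3. Image File Execution Options "Debugger" entries redirect a named .exe elsewhere
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = $sub.GetValue('Debugger')
        if ($dbg) { $findings += ('IFEO Debugger for {0}: {1}' -f $sub.PSChildName, $dbg) }
    }

    # 4. The .exe file association must launch the file itself: "%1" %*
    foreach ($key in 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
                     'HKCU:\SOFTWARE\Classes\exefile\shell\open\command') {
        if (Test-Path $key) {
            $cmd = (Get-Item $key).GetValue('')
            if ($cmd -ne '"%1" %*') { $findings += ('exefile open command in {0}: {1}' -f $key, $cmd) }
        }
    }

    # 5. AppLocker rules live under SrpV2; their presence alone is worth a look
    if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2') {
        $findings += 'AppLocker policy present under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    }
    return $findings
}

# Usage: header-check the downloads named in the thread, then list any blocking settings.
foreach ($f in "$env:USERPROFILE\Downloads\FRST64.exe", "$env:USERPROFILE\Downloads\rkill.exe") {
    if (Test-Path $f) { '{0}: {1}' -f $f, (Test-PeHeader $f) }
}
$hits = @(Get-ExecutionBlockFindings)
if ($hits.Count -eq 0) { 'No execution-blocking settings found' } else { $hits }
```

A file that fails Test-PeHeader should simply be re-downloaded, as Ralph did; any finding from Get-ExecutionBlockFindings is something to review before changing, since SRP and AppLocker entries are also legitimately set by administrators.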

Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
