something blocking AV programs - can't reinstall

Hi,

Two days ago I noticed that my WinPatrol "exe" file seemed to be renamed. At the same time, my anti-virus program and firewall did not appear in the taskbar. I could not manually start them - I got a "not valid win32 app" message - nor could I reinstall them.

I went through the steps before posting as directed. SuperAntiSpyware installed, but my computer reboots when I try to run it. Spybot can't be installed and ComboFix gets the same "not valid win32 app" as noted above.

I can install and run Malwarebytes, which identified some viruses and trojans, particularly "wintems" and "hldrrr." Those two keep popping up.

I hope the information is sufficient and clear. Anything you can do would be appreciated!

RR

 

If SUPERAntiSpyware is rebooting, that means there is a faulty kernel driver (probably the infection) - we have addressed this in our upcoming 4.1 version - for now, assuming you are running the 4.0.1154 version - uncheck the Kernel Direct options under the Scanning Control Preferences of SUPERAntiSpyware and then peform your scan again and it won't reboot and should detect and remove the problem.

If not, we (with MajorGeeks permission) can run a diagnostic on your system that will see everything and we can update the SUPERAntiSpyware definitions to remove the problem.

Nick Skrepetos
SUPERAntiSpyware.com

 

Here are the log files as requested...

Thanks,
RR

 

I am unable to run analyse.exe It starts, and I can click "system scan only," but at that point it seems to freeze up and then suddenly disappears.

I was able to delete the various Java programs as you instructed. I have not installed Java Runtime 6 yet.

As to the files you asked about, I deleted 322756.exe, but the other - Dog Site - is a website I am working on.

Thanks,
RR

 

By reg patch, I assume you mean "DisableUAC.reg" in the MGtools folder. I did double click this and got a message that it was added to the registry. I do not get the "Windows needs your permission to continue" message.

I am unable to boot into Safe mode. Once I choose Safe Mode, it begins to run various files and then kicks me back to the options screen.

Sorry this is so difficult.
RR

 

For some reason, I am now able to run analyze.exe as previously suggested. I did so, and then ran the "fixme.reg" file. Following that I ran MBtools and have now attached the latest log file.

Thanks,
RR

 

No, I am not getting any messages from Deep Freeze.

I ran analyze.exe, but none of the items were listed except
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Start%20Page/MyPage.html G (without the G)

I ran MalwareBytes, rebooted as suggested and this is the logfile. WinPatrol pointed out two programs/drivers that were trying to run: wintemps and hldrrr. I've seen this before and even though I click "no" they obviously load anyway.

Thanks,
RR

 

Here you go....still picking up on 2 of the 4 that are constantly showing up.

RR

 

My apologies. I think I saved a logfile before rebooting as suggested by Malwarebytes. I ran Malwarebytes again and have attached the logfile. Once again, I rebooted and Winpatrol picked up this file: C:\WINDOWS\system32\drivers\hldrrr.exe, which Malwarebyte was trying to delete by rebooting. This happens time and again. This was the only file that was caught by Winpatrol.

We have not yet discussed Avenger.exe. I searched for it on your website and found a link, but I get the same error message as when trying to install other programs, like AVG: "not a valid win32 file." Basically, it locks up and I have to use the task manager to close it.

Thanks for your patience.
RR

 

BTW, Winpatrol also notifies me that some unnamed program is trying to edit my win.ini file. I keep saying no to this, but is there any possibility that this is Malwarebytes trying to edit the file?

 

Sorry for the delay - I've been out of town.

I've not been able to find the files, even though my folders are set to show hidden files. I did discover a subfolder of /windows/system32 called something like "dwnld" that was full of "EXE" files. I don't see them right now, but I suspect it will be back once I reboot.

RR

 

I can and will. It goes without saying that it doesn't show up right now; in fact, even though I have the folders view set to display hidden files, my system32 folder doesn't show at all. I have to type in the address, but even then that "download" folder isn't showing up.

RR

 

I ran a program called "catchme" and here is the log. Note the list of files in the c:\windows\system32\drivers\downld folder.



RR

 

Message received.

Unfortunately, I cannot run Avenger. I get the same message as when I try to run AV programs: "not a valid win32 application."

Any other ideas?

TIA,
RR

 

I get the same error message as with Avenger - "not a valid win32 applcation."

RR

 

Yes, I meant ComboFix. I have deleted all of the files and folders using Unlocker......

RR

 

It's running pretty much the same as it has in the last few days. Still can't install AV programs, etc...

Here is the log...

Thanks
RR

 

Yes, I still have AVG installed on my machine but it doesn't work - meaning it doesn't show up in the toolbar and if I right click a file to "scan with avg," literally nothing happens. I cannot start the program by double clicking the EXE file and I cannot reinstall (not a valid win32 file message).

One of the files/folders on my desktop was an Avenger program, but it was the wrong program and I never installed it. The other two are a Texas Hold'em game that I got off your website. I deleted it last night as it's too easy to win.

I could not find the various C:\uninstall files. I ran "Cleanup!" yesterday before receiving your message, so perhaps they have been deleted already? I used Windows Search and I searched for them using the Command Prompt, but still found nothing.

I was able to get the new fixME.reg file to be added to the registry.

I was not able to run bitdefender. When I click on "start scan," it stops and says it cannot update the virus definitions, but gives me the option to scan anyway. When I do so, it immediately stops and says only that it cannot scan my computer. I downloaded the free home version, but it stopped during installation and said I should verify whether or not I have sufficient privleges to install the program. I cannot get any further than that and had to cancel the installation.

Sorry this is so troublesome. I hope you can continue to help.

RR

 

Well, it goes without saying that none of the files showed up using Explorer. I used the command prompt again and even though they didn't show up, I still went through the old Dos delete commands just in case. I also checked attributes of the files, but none of the files showed up.

I tried using ClamAV a week ago as I already had it on my thumb drive, but it wouldn't run. I may try it again by downloading ClamAV from a different computer on a different thumb drive.

In the meantime, I appreciate any further suggestions.

RR

 

Here is the latest logfile. I could not load ClamAV on a thumb drive and run it - same message as with others "not a valid win32 file."

 

First of all, I finally found those three "unins*" files and deleted them. The rest, however, I haven't been able to locate. As to AVG Rootkit revealer and GMER - no, they do not run.

So, we're up to the word I dreaded - reformatting. Are there any other choices, like trying to reload Windows or do a repair?

Again, thanks for your help and if a reformat is the only option, I'll go ahead with that.

RR