(every program) is not a valid win32 application

Problem:
notepad.exe is not a valid win32 application
cmd is not a valid win32 application
(every program I try) is not a valid win32 application

Suspected cause:
Got hit with a rogue antivirus attack while reading my email.
Eliminated the suspicious files but now, NO PROGRAMS WILL RUN except IE.

What happened:
Last email read was viagra spam with photo of some stud running along the beach. After deleting that email, IE closed itself and up pops a window telling me my computer is infected and that I need to buy some antivirus program.
Then another window pops up that appears to be doing a scan of my computer.

Obviously, this was trouble.

I took the following actions:

1. immediately turned off router to end any further internet traffic.
2. brought up task manager and killed suspicious process "tpe.exe" which ended the phoney scan.
3. searched disk for tpe.exe and any other recent files. Found "tpe.exe" and "bo2p13123n7o17w3l" files in my <user>/Local Settings/Application Data/ folder
4. moved those files into password protected zip file in case they needed to be examined later
5. created 2 blank text files in that folder, renamed them "tcp.exe" and "bo2p13123n7o17w3l", marked them read only.
6. rebooted computer
7. after reboot, checked task manager to see if anything else was running, looked normal.
8. found that no programs would start anymore, kept getting above error messages, seems everything "is not a valid win32 application"
9. rebooted in safe mode, started scanning, used existing scanners: hijackthis, malwarebytes, spybot s&d, pctools spyware doctor.
10 scanners found a few cookies they didn't like, a few empty folders, and some old programs that I know were harmless, but let scanners fix all found problems. Scanners were all out of date but I didn't want to connect to internet for updates right then so just ran what I had.
11 rebooted normally, still had the "not a valid win32 application" problem
12 discovered that problem is only with one user account. it's a limited user account that I use daily. all other user accounts work ok.
13 logged into my "owner" account, turned router back on, downloaded updates for above scanners, and rescanned with no new results found.
14 searched for solutions, found likely fix on dougknox.com, xp_exe_fix.reg, cannot get it to work. "Cannot import file: Error opening the file. There may be a disk or file system error."
15 decided to stop fooling around before I broke something and came here (MajorGeeks) for some expert help.
16 followed all instructions on READ & RUN ME FIRST sticky, saved all logs, seemed to go smooth (except for step 4, MsConfig), but, my problem is not fixed.

Had trouble with Step 4, MsConfig.
Kinda sorry I did this step because I knew it would cause problems and it did.
After setting MsConfig to Normal Startup and rebooting, my computer locks up as soon as I choose any user account to log into.

There are 3 media center processes that have always caused my computer to freeze up... Media Center Extender, Receiver,and Scheduler.
Since I never use the media center features anyway, disabling them from starting via MsConfig is useable workaround.

Because of the above, I am not able to keep MsConfig in Normal Startup Mode. I had to go back, in safe mode, and reenable MsConfig to disable these 3 processes from loading.


Recent Changes on this computer last few days (In case this might be helpful)
- Updated FireFox to ver 4.01
- Replaced worn out mouse with new Logitech mouse. (no drivers changed)


So, still have my problem. One user account is not able to run any programs except IE. How can I fix this?

Thanks for chewing thru this long post and looking forward to any suggestons you may have.

 

Kestrel13!,

Thanks for the help.

Ran all as directed and attached are the logs.
These steps did not fix the problem, still can't run any programs on my "Dave" user account.


Accounts:
Owner - the only admin account on this computer, works fine
Dave - limited user, this is the sick account, will not run programs except IE.
All other user accounts are limited user accounts, seem unaffected, and operate normally.

I ran all scans from from "Owner" account. I can't do anything on "Dave" user account.


Anti-Virus:
Currently have no anti-virus installed. Used AVG for years but didn't like some of their new changes and dumped it last year. Switched to PCTools Spyware Doctor, uninstalled that yesterday after it's scans proved useless. Once I get the current problems straightened out I'll try AntiVir or Avast.


I may have messed up the combofix run.

Started combofix by dragging and dropping the CFscript.txt you provided. Let it update as you suggested. After update it restarted itself and ran. Took about 15 minutes running then it rebooted computer. I missed any messages it may have displayed just prior to the reboot.

After reboot, I logged into the "Dave" account instead of the "Owner" account from which I had started combofix. That seemed to be a mistake, I didn't realize that combofix would still be running. As soon as the "Dave" desktop came up, several small window started opening and closing. Maybe 4-6 small windows appeared at a time, opening then closing, too fast to see what was happening. As soon as the first batch of windows closed another 4-6 windows opened and then closed. This kept repeating. Seemed like combofix was trying to do something that wasn't working and got stuck in an endless loop.

For about 5 minutes, I let it continue opening and closing windows, then I gave up and hot-keyed out of "Dave" to switch back to my "Owner" user account.

Once the "Owner" account desktop opened, combofix finished up whatever it was doing and ended by presenting me with log file opened in Notepad.

Not sure if this may have ruined the scan. Will re-run if needed.
Interesting note: combofix seemed to eat the CFscript.txt file, it's no longer on my desktop.

Thanks again for the help, any further suggestions appreciated.

Cheers

 

Alright, found a way to open a command window and was able to run RogueKiller.exe (renamed winlogon.exe) from command line prompt. Report is attached.

The "tpe.exe" file mentioned in this report was the fake scanner program that started running when the attack first happened. I replaced this file. tpe.exe is now a zero length, read only file.

This didn't fix the problem.

 

PROGRESS... YAY!!

mbam - fixed the problem
I can now run programs again on the Dave user account!


Followed thru all steps on the READ ME FIRST just in case there's any thing suspicious left on the system. Logs attached.

Could only run SAS & MBAM from the Dave user account (limited user account). Had to run the rest from "Owner" (administrator).

The RootRepeal log is short so I'll just paste a copy below:

###
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/05/08 19:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
###

The other 4 logs are attached. Let me know if you see anything else suspicious or have other cleanup suggestions.

Thanks again for helping me thru this.

Cheers,
-Dave

 

Thanks for sticking with me on this.

Changed Dave account to admin and re-ran combofix & mgtools.
The new logs are attached.

 

That will result in computer freezing up as I explained in my first post.
I can only run in safe mode while msconfig is set to normal startup.

 

I was able to run ComboFix with the CFscript you provided and after that ran MGtools. Both logs are attached.

 

Kestrel13,

Thanks for the StartupCPL suggestion. I will give that a try.

Computer running pretty smooth now. Have only seen a couple problems which I think might be result of running combofix, mgtools, or other tools.

Problems Noted:
1. my hosts file keeps getting replaced with a 1 line hosts file
- restoring my backup hosts file fixes this

2. User account login problem. When logging into a user account, the account sometimes doesn't load normally. Instead, an error message is displayed saying something wrong with user profile and it then brings up a temp desktop (maybe default user desktop?). This temp desktop has none of the settings/programs/icons that would be normal for that user although their user name is displayed at the top of the start button menu. This has only happened a few times over last few days. I've never seen this problem before. It's easy enough to fix.
- after rebooting, the user account will load normally.

I think those 2 problems may be a side effect of some of the repair tools we've been using. I don't think I will see them again if we've finished the repair work.

I'm real happy that the computer is back running good again. Thank you very much for all your help.

Let me know if you have any finish up suggestions.

Cheers,
Dave

 

Kestrel13!,

The disappearing hosts file problem has not reoccurred, I don't think I will see that problem again.


But my other problem, "unable to load user profile" problem has happened a couple more times. I took more careful notes last time it happened.

What happens:
From welcome/user login screen, click a user to login and instead of normal login, get 2 pop up warning boxes, one after the other. Then get taken to temporary user desktop.

This desktop has none of the normal icons, only Recycle Bin, Internet Explorer, and Windows Media Player icons. It has wrong desktop wallpaper. The start button menu is wrong, no recently used programs listed nor any of the normal pinned programs listed. Left pane of start menu looks like it might have come from a new default user, it only lists: Internet, Email, Media Center, Windows Media Player, Tour Windows, and File and Settings Transfer Wizard. Top of the start button menu shows the right name of User, but that is the only thing that is right for this user.

Before the temp user desktop opens, I get 2 warning messages. I wrote these down word for word. First warning pop-up window....

window title:
- User Environment
window message:
- Windows cannot load the locally stored profile. Possilbe causes of this error include insufficient security rights, or a corrupt local profile. If this problem persists, contact your network administrator.
window countdown timer:
- 30 seconds
window button
- OK

After pressing OK or waiting 30 seconds, the 2nd warning pop up appears...

window title:
- User Environment
window message:
- Windows cannot load the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
window countdown timer:
- 30 seconds
window button
- OK

After pressing OK or waiting 30 seconds, the temporary user desktop then loads.


Here is what happened just before this problem showed up...

User Bonnie logged in, checked fbook & email.
Left machine without logging off.

Machine idle for a couple hours.
Screen had gone blank (screensaver?, power mangement?)

I sat down and moved mouse to get screen back on
observed brief flash of Bonnie desktop then
it changed to the welcome/user logon screen listing all users
and showing Bonnie user still logged on.

I logged in to Bonnie user and then logged off.
Back at the user login screen, showed no users logged in
tried to login to Dave account and got above errors.
Logged out of temporary Dave account.

Tried loggin on to all user accounts, one by one.
Dave, Kristy, Owner accounts all went to temp user
Bonnie, Juanita accounts loaded fine.

Rebooted machine.
After reboot, all user accounts work fine.


Suspect problem is being generated from idle time on Bonnie user account.
Maybe screen saver or power management time exceeded causes problem?

Tried experiment by setting screen saver to 1 minute. Let time expire, screen saver took over. Moving mouse brings back welcome/user login screen showing one user, Bonnie, logged in. This would be exactly what I see before the temp user problem. But experiment did not result in error, all user accounts worked normally. Concluded the screen saver is not the problem.

Tried to test power management, but, Bonnie account has no rights to change power management setting so will have to try that experiment later.


I have never seen this problem until about a week ago. It started happening after infection during repairs.


You have any ideas what could be wrong or how to fix this?

Cheers,
Dave

 

Kestral13!,

Thanks for all your help.

Followed all final steps, and all running smooth now.

Glad to have my computer back.

Cheers,
Dave