.exe not a valid Win32 application errors

Discussion in 'Malware Help (A Specialist Will Reply)' started by RufusB, Mar 8, 2008.

  1. RufusB

    RufusB Private E-2

    Good evening!

I seem to have picked up a virus that targets virus protection and removal software.

    Symptoms:
    1. McAfee antivirus protection stopped working several days ago.
    2. System analysis tools, i.e. HijackThis and SpyBot Search & Destroy no longer launch - get "{app name}.exe is not a valid Win32 application" error. (And re-naming the .exe's doesn't solve this).
    3. Options for Windows safe mode startup no longer appeared when F8 bypass of normal startup is attempted.

    I have followed the "READ & RUN ME FIRST Before Asking for Support" as best as possible, but the nature of the beast has prevented me from fully following those steps - CCleaner flashes on screen for a second before self terminating, and ComboFix.exe also gets the "not a valid Win32 app" error.

    I made several attempts to re-install McAfee - all failed, so I completely removed it. I was able to install & run RAV antivirus program, but it found nothing.

Last weekend, I defragged the hard drive with Auslogics tool. I may have inadvertently caused the current crisis when I tried to open some unfamiliar .jpg files while trying to identify potential candidates for deletion prior to defrag. Apparently, not all .jpgs are pictures?

Running MSConfig is hit-or-miss now; sometimes it opens, and sometimes it throws an error and closes. As far as I can tell, it is now set for Normal startup. There is an oddly named service "Alcxltskswi" that concerns me.

    I have been able to get F8 pre Win boot to show the safe mode options again, but none of them work - they error, and I'm basically forced to startup in Normal mode.

    :cry I'm ready to cry uncle at this point - just being able to diagnose and identify the problem would be a step forward. I appreciate any help you can offer. Thanks for your consideration!!!
     

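The "{app name}.exe is not a valid Win32 application" message is Windows error 193 (ERROR_BAD_EXE_FORMAT), which the loader raises when an executable's DOS/PE header fails its sanity checks. The script below is an added diagnostic, not something from this thread or from any of the tools mentioned in it: it performs the same header checks on a file so you can tell a genuinely damaged .exe apart from a good one that is being blocked by something on the machine (the situation here, where even renaming the tools did not help); `build_stub` constructs a sample header-only image purely for demonstration.

```python
import struct

# Signatures and optional-header magics the Windows loader expects.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def check_pe_header(data: bytes) -> str:
    """Return 'ok: PE32' / 'ok: PE32+' or the reason the loader would reject the image."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return "missing MZ (DOS) signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return "e_lfanew does not point at a PE signature"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "file characteristics say it is not an executable image"
    if opt_size < 2 or e_lfanew + 26 > len(data):
        return "optional header missing"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    kind = OPT_MAGIC.get(magic)
    return f"ok: {kind}" if kind else f"unknown optional header magic 0x{magic:x}"


def check_pe_file(path: str) -> str:
    """Check a file on disk; the headers live in the first few KiB, so 64 KiB is plenty."""
    with open(path, "rb") as fh:
        return check_pe_header(fh.read(65536))


def build_stub(corrupt: str = "") -> bytes:
    """Construct a header-only PE32 image (constructed sample, not a real program),
    optionally damaged in the way named by `corrupt`."""
    e_lfanew = 0x40
    img = bytearray(e_lfanew)
    img[:2] = MZ_MAGIC
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += PE_MAGIC
    # i386, 1 section, no symbols, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    img += struct.pack("<H", 0x10B) + bytes(222)                 # PE32 optional header
    if corrupt == "mz":
        img[:2] = b"ZM"
    elif corrupt == "lfanew":
        struct.pack_into("<I", img, 0x3C, 0xFFFFFFF0)            # points far past the file
    elif corrupt == "pe":
        img[e_lfanew:e_lfanew + 4] = b"XX\0\0"
    elif corrupt == "notexe":
        struct.pack_into("<H", img, e_lfanew + 22, 0x0100)       # clear EXECUTABLE_IMAGE
    return bytes(img)
```

If a copy of the tool checks out here (and on a known-clean machine) yet still fails to launch on the affected system, the file is fine and the cause lies in the environment, which is the case this thread eventually reached.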

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure if all of your problems are due to malware; however let's fix all the malware and see how things work afterwards.


    What is the below file for?
    Code:
    "C:\Documents and Settings\All Users\"
    921a~1        Sep 22 2007         868  "¹ÙÅÁ È­¸é"

Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  3. RufusB

    RufusB Private E-2

    I looked at "C:\Documents and Settings\All Users\"
921a~1 Sep 22 2007 868 "¹ÙÅÁ È*¸é" in Notepad. It looked like it was a leftover file related to the Tubot video downloader Firefox extension, which I no longer have, so I deleted this file.

    Able to remove the old Java OK. Have not tried to replace yet.

    MGTools ran OK, able to delete registry keys.

    Unable to run Avenger.exe - get that "not a valid Win32 app" message, so I attempted to carry out those steps by other means:
    -able to delete C:\windows\system32\drivers\down directory and all files in it via DOS RMDIR command, however, those reincarnate when I re-boot.
    -could not delete C:\WINDOWS\SYSTEM32\mdelk.exe by either Win Explorer or DOS del command. In DOS, get "A device attached to the system is not functioning" error.
    -able to get rid of Mcafee and alphabet soup tmp folders as requested as intended.

    I also tried carrying out the registry changes with registry editor; cautiously optimistic that went OK.

    I have not been able to run CCleaner when I login under owner account (the same Win 32 error), but when I log in on my son's account, it does run. Unfortunately, the other apps like combofix and spybot don't run under either login.

    When I login under Owner account, also get Windows
    "Generic Host Process for Win32 Services encountered a problem and needed to close." messages, here's sample of what I get if I drill down for details -

    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERda44.dir00\svchost.exe.mdmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERda44.dir00\appcompat.txt

    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERec5a.dir00\svchost.exe.mdmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERec5a.dir00\appcompat.txt

    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERabd1.dir00\svchost.exe.mdmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERabd1.dir00\appcompat.txt

    So, because I've had limited success being able to run tools, problem still exists. I re-ran SASlog and MGTools logs, this time from my son's account. For the moment, I am leaving the system on indefinitely since rebooting will undermine what's in the logs.

    As always, I appreciate any suggestions you can offer!!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see the latest instructions for using ComboFix. Running ComboFix
You will see that we now ask you to rename the exe file. Please do this and try to run ComboFix. If it does not run in normal boot mode, try again after booting into safe mode. Make sure you run it the way specified. If the cf.exe (the renamed combofix.exe file) does not run in safe boot mode, see if you can run the Avenger procedure in safe boot mode.

    Attach any new logs from ComboFix and Avenger that you are able to get. And if either of these runs, then also attach a new MGlogs.zip file.
     
  5. RufusB

    RufusB Private E-2

    Not able to get around Win32 error by renaming ComboFix.

    Unable to run in safe mode either (tried all safe mode variations available - i.e. with or without networking). When I try to boot up safe mode, it starts to load then aborts back to screen where you choose startup mode . . . and the only working option is the normal startup mode. Is there a way I could run CF or Avenger from a CD startup disk?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your bootable Windows XP CD so that you can boot to the Recovery Console?

    If you do, then we could delete files from the Recovery Console.
     
  7. RufusB

    RufusB Private E-2

    :banghead No. When I bought system, I took BestBuy tech up on his offer to handle install because I had purchased a TV tuner card too, and didn't realize at the time how fairly straightforward it is to add memory and peripherals . . . didn't notice until far too much time went by that the emachines restore disk with all preloaded software never made it back into box. My own fault for not paying attention.

I've gritted my teeth and ponied up for an unopened copy of XP Home Edition SP2 full install from eBay earlier today, so with luck I'll have that in hand by next weekend.

If there are other options we can try until then, great; if it's best to wait, that's fine too. As I continue to look online for info about this condition, in addition to that mdelk.exe that defies deletion, I also see wintems.exe running in process manager, which of course is unable to shut it down. Unlike mdelk.exe, when I do a file search for wintems.exe, Explorer can't find it under that name, so not sure what's up with that.

    So, depending how critical it is to have xp cd in hand, it may be a few days before I'm able to move onto next steps. Thanks!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This disk would not help you anyway. You need a Windows XP SP2 boot disk, not an emachines restore disk, which would put you back into the state your PC was shipped in and nothing more.

    Since for some reason you cannot do what normally works in all other cases, we have no choice but to wait for your disk to arrive. We fix this particular problem many many times per week and the fixes we already gave you have always worked except for you.


Other methods do exist, like making one of these: UBCD4Win and booting it to fix problems; however, the catch-22 is that you need your Windows XP boot CD to make the UBCD4Win disk. There are other similar disks that can be made; even a Linux boot disk can sometimes be made and used to delete files on a Windows drive. Another option would be to put your hard disk into another PC as a slave drive and then delete the bad files and folder manually. It's up to you what you wish to do and what your expertise level is.
     
  9. RufusB

    RufusB Private E-2

    First, the bad news - still waiting for XP disc to arrive.

    Good news - have made substantial progress in getting rid of bad files.

    Though I couldn't delete them in Explorer or in command line mode, I was able to get rid of hldrrr.exe, srosa.sys, wintems.exe, and mdelk.exe by using MS Move File utility (http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx).

After doing that I re-traced my earlier steps, reloaded & renamed the various tools, and was able to run CCleaner, SAS, SpyBot, and ComboFix. It looks like they found a few other things that needed cleanup; log files are attached. Also, I tested whether I can boot to safe mode, and that appears to be working now.

The only remaining symptom is that after startup and logon, the system clocks for a while then pops up a "Generic Host Process for Win32 Services has encountered a problem and needs to close" error message.
Although the message says details will be saved to two files, i.e.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERddf7.dir00\svchost.exe.mdmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERddf7.dir00\appcompat.txt
    - these files don't exist, so I don't know which service is struggling on startup.

I have not re-loaded Java or McAfee yet (and I may forgo McAfee and try one of your recommended options because it always bothered me how much McAfee seemed to slow down the startup process).

    Any thoughts on these logs? Thanks!
     


  10. RufusB

    RufusB Private E-2

    XP professional disc has arrived, if needed
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your logs look good now that the down folder and contents have been removed. How are things working? If everything is okay, you need to get your system properly protected, which my final steps below will cover.

    Also what is the below for?
    "Win32"=C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. Uninstall COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN
      • Now type cf /u in the runbox and click OK.
      • Note: The space between the cf and the /U, it must be there.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  12. RufusB

    RufusB Private E-2

Things are looking real good now, and I'm in the process of following through the steps to prevent risk of re-occurrence.

    You asked -
    Also what is the below for?
    "Win32"=C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local


    !!! - it appears to be the illegitimate JethroTed variant of the Stanford U Folding@Home distributed computer network app that the MG community supports. It's bad enough someone gets the urge to unleash viruses and trojans to inconvenience others at random, but how can anyone target and undermine resources dedicated to cancer research??? Sick!

    To readers unfamiliar with it, see http://www.majorgeeks.com/page.php?id=9.


    You'd know what a F@H clean install includes; on my pc C:\Win32\dll contained 7 files:
    client.cfg
    FahCore_ff.exe
    FAHlog.txt
    FAHlog-Prev.txt
    MyFolding.html
    queue.dat
    Win32.exe

    and 1 subdirectory work containing 1 file named logfile_05.txt

    Based on info from http://folding.stanford.edu/English/FAQ-Uninstall, I was able to determine that this version was the JethroTed variant by the following:
    1. The absence of an Uninstall.exe
    2. client.cfg includes [settings] of username=jethroted@yahoo.com

    Naturally, I deleted that directory, then re-ran tools to hopefully clean out any references in registry.

    Thank you for all the assistance and great advice! There is no way I would have gotten myself out of this mess alone, and it's great to see someone use their gifts and talents to help instead of harm people!
     
    Last edited: Mar 30, 2008
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
