Number of applications don't run (mostly security-related apps)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Olga, Apr 4, 2008.

  1. Olga

    Olga Private E-2

    Hey guys! I have the following problem: yesterday I downloaded an application off of eMule. I tried to open it; I don't recall it actually opening up properly, though.
    My anti-virus - NOD32 - immediately responded, saying it found a threat (which, however, wasn't related to this file, but something else I can't remember now). Then NOD closed, and whenever I tried to run it, I was told something along the lines of "Service failed to start (ekrn), verify privileges". I got a new version of NOD, and that failed to complete the installation process with that reason every time.
    Out of the FAQ, few of the programs listed worked initially. SuperAntiSpyware wouldn't install ("Not a win32 application"), SpyBot wouldn't start (I'd installed it previously, and the same "Not a win32 application" error came up), and I couldn't get the new version to install, either. Malwarebytes worked, but after restarting, a text file appeared, saying an error had occurred. Attaching both log and error report.
    I tried to run Combofix, but the same "Not a win32 application" error came up every time. Still doesn't work. CCleaner didn't initially work (no error appeared, it simply wouldn't open), but by the end it also started working.
    Can't remember what happened during MGtools, but attaching logs.

    After running those programs I tried SuperAntiSpyware again, and this time, for no apparent reason, it finished installing, and I ran it without problems. NOD32 also managed to install, and is now running smoothly. However, neither SpyBot nor Combofix work, with the same error present.


    Also - and this is a long shot, but I figured I'd try - for some reason my system recovery option doesn't work. I can neither make new save points, nor recover any earlier states of my PC. The function hasn't worked in months and I don't know what triggered it. Any suggestions for that?

    Many thanks in advance. :)
    (By the way, my XP is in Russian, and I don't know if there's anything crucial hidden behind the Cyrillic, but let me know and I'll translate to the best of my knowledge)
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Olga,
    Welcome to Major Geeks!


    Is the language of your computer Russian?

    Did you install this: NetMeeting Remote Desktop Sharing (mnmsrvc)

    I will post some instructions to you in a bit. This takes some time, so thanks for being patient.

    abri
     
  3. Olga

    Olga Private E-2

    Thanks!

    Yep. Windows is in Russian, but pretty much all programs I've installed subsequently are in English.
    I'm pretty sure that I'm responsible for the Remote Desktop Sharing, yep.

    I appreciate the time that you're putting into this, so time isn't an issue. :)
     
  4. abri

    abri MajorGeek

    Hi Olga,

    I can't read some of the things on your computer, so I will need some help from you to find out what they are. Also, I have some questions about directories that appear to be normal, but which are in an unusual place. I will ask you what those are to find out if they are normal directories or not.

    1) To begin with, the following directory is usually found just below the user names of your computer. Please locate it at the following pathway, right-click on it and see what information is available under properties. When was it installed and how big is it? Also, what files or folders are located in this directory? (Do not open any files)

    C:\Documents and Settings\Local Settings


    2) Next I would like to know what is in the following directory. Please do the same as above, look at properties for the size and dates and then look in the directory and tell me what kinds of files are in it. (Do not open any files.)

    C:\WINDOWS\system32\drivers\downld

    3) Finally, please tell me what the following directories are in the same way as above. (The additional information I left is the date these came on your computer and the two different ways the folder might appear to you in Windows Explorer: for the first one, 0200~1 would be 0200 and then something else which continues up to the 1, or no directory name at all; for the second one, one or the other of the names on either side of the 12 Mar.)

    C:\Documents and Settings\"
    0200~1 17 Feb 2008 " "


    C:\Documents and Settings\
    Ž‹œƒ€ 12 Mar 2007 "Ž«ì£ "


    4) See if you can run CCleaner at the default setting with the Windows tab as the one on top. This will remove all your temporary files except for those from the current date. After you run CCleaner, please go to the following locations and see if everything has been removed except for the file from today's date. If these directories are still full of old files, please delete all the files in them which Windows allows you to delete:

    C:\WINDOWS\Temp\
    C:\Documents and Settings\Ž«ì£ \Local Settings\Temp\


    5) And now, go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 11
    Spybot - Search & Destroy 1.4



    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. This will stop you getting sqm files.


    8) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://pochta.rian.ru/exchweb/bin/auth/owalogon.asp?url=https://pochta.rian.ru/exchange/&reason=0
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

    After you click fix, just close hijackthis.

    9) Download and install Erunt. Use it to create a backup of your registry.

    10) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Let me know if you get a success message after running the REGEDIT4 patch.


    11) If you were not able to run CCleaner above, please try it again now.


    12) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    Let me know how things are running now.

    abri
     
  5. Olga

    Olga Private E-2

    1) C:\Documents and Settings\Local Settings (created March 15, 2007, and weighs 2.76 KB) contains a folder named "Temp", which in turn contains the folders "CopyFileList" (empty) and "crl" (contains file "BD36AD9DB685113949272282FBCDA989B9A97D63.crl", which is apparently a list of certificates), and a file called AdopeUpdater.rbt.

    2) C:\WINDOWS\system32\drivers\downld was created on the 3rd of April, at 23:51, and weighs 611 KB. It contains 39 EXE files, each one of which is titled with a long number. E.g. 83046.exe, 29257062.exe, 43881781.exe. Most have different file sizes.

    3) Neither folder with such names exists in the directory (I suspect the second just uses a different character encoding system), but one of them is probably the folder for my user account, which is in Cyrillic: Ольга, and it's the only "Russian" folder in that directory. It contains - well, a lot. Still want me to write it out? I don't know much about computers, but it all looks entirely familiar (contains Desktop, My Documents, et cetera).

    The second folder, created in February, doesn't seem to exist. There's one entirely empty folder with no name, but it's completely empty. I think it's a leftover file from a program I uninstalled a couple of days ago.

    4) Holy crap. I had no idea I had so many temp files.

    7) Doesn't seem to let me select it. Guess it's already off?

    8) I didn't remove this:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://pochta.rian.ru/exchweb/bin/a...ange/&reason=0
    Reason being, it's a very long and wily way of getting to my work mailbox. Or should I just keep quiet and do as I'm told?

    10) The patch doesn't work; I get an error saying that "the given file is not a registry data file. Only the import of binary [?] files with registry data is possible".


    That program on my desktop - cf.exe - still doesn't work, as "it's not a win32 application". :(
     

    Attached Files:

    Last edited by a moderator: Apr 5, 2008
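Two things in this report are worth checking mechanically rather than by eye: the 39 executables with purely numeric names in system32\drivers\downld, and the "not a win32 application" error. Windows gives that error when the loader cannot read a valid PE image, so a tool that has been truncated or had its header overwritten reports it even though the file is still present. The following Python is an added example, not code from the thread or from any of the tools it names: it performs the first checks the loader does on a PE file (DOS "MZ" signature, the e_lfanew pointer, the "PE\0\0" signature and a known machine type) and reports which one fails, and it flags the all-digit .exe names described above. The sample images are constructed in the block; `make_pe` builds a header-only stub for illustration and is my own helper.

```python
import struct

KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64"}


def classify_pe(data: bytes) -> str:
    """Return 'ok' or the first reason these bytes are not a loadable Win32 image.

    This mirrors the order in which the loader reads the headers: DOS header,
    then the PE signature at e_lfanew, then the COFF file header.
    """
    if len(data) < 64:
        return "truncated: shorter than a DOS header"
    if data[:2] != b"MZ":
        return "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data):
        return "truncated: e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "bad PE signature at e_lfanew"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine not in KNOWN_MACHINES:
        return f"unknown machine type 0x{machine:04x}"
    return "ok"


def looks_random_numeric(name: str) -> bool:
    """True for names like 83046.exe or 29257062.exe: an all-digit stem with an .exe extension."""
    stem, _, ext = name.rpartition(".")
    return ext.lower() == "exe" and stem.isdigit()


def make_pe(sig: bytes = b"PE\0\0", machine: int = 0x014C, mz: bytes = b"MZ") -> bytes:
    """Constructed header-only PE stub (my helper; not a runnable program)."""
    dos = bytearray(64)
    dos[:2] = mz
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)  # 20-byte COFF file header
    return bytes(dos) + sig + coff


def triage(entries: dict[str, bytes]) -> list[tuple[str, str, list[str]]]:
    """For each (file name, content) pair return (name, PE verdict, list of flags)."""
    out = []
    for name, data in entries.items():
        flags = []
        if looks_random_numeric(name):
            flags.append("all-digit executable name")
        verdict = classify_pe(data)
        if verdict != "ok":
            flags.append("unloadable image: " + verdict)
        out.append((name, verdict, flags))
    return out


# Constructed directory snapshot modelled on the report above.
SAMPLE_DIR = {
    "83046.exe": make_pe(),                     # valid header, suspicious name
    "29257062.exe": make_pe(machine=0xBEEF),    # valid signatures, nonsense machine
    "cf.exe": make_pe(mz=b"\0\0"),              # MZ signature wiped: "not a valid Win32 application"
    "jusched.exe": make_pe(),                   # ordinary name, valid header
}

if __name__ == "__main__":
    for name, verdict, flags in triage(SAMPLE_DIR):
        print(f"{name:14} {verdict:45} {', '.join(flags) or '-'}")
```

Run on the constructed snapshot, the two numeric names are flagged regardless of header state, and `cf.exe` is reported as having lost its MZ signature, which is one concrete reason a copy of Combofix would keep producing the error until it is re-downloaded rather than re-run.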
  6. abri

    abri MajorGeek

    Hi Olga,

    Heavens no! This is exactly why I need for you to help me, so we don't end up deleting things you need. This also applies to the following. I simply can't read all your files, even if they appeared in the right script. I wouldn't know what they mean. So that's why I need your help before I can see what needs getting rid of. The following you should keep.
    With regard to the below, it should be left as it is. Do not delete it.
    The next one, however, needs to be deleted and that is where we will start. See if you can download this tool and run it:

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    2) Now run CCleaner again at the default setting with the Windows tab as the one on top.

    3) The registry patch didn't run because of a syntax error. Sorry. Here it is again, hopefully correct this time:
    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Let me know if you get a success message after running the REGEDIT4 patch.

    4) Then see if you can uninstall the cf.exe on the desktop in this way:
    Go to Start / Run and copy/paste in "%userprofile%\Desktop\cf" /u
    This should uninstall combofix for you. After this, please go to XP Cleaning Instructions and find the Combofix link which includes the instructions for installing it and running it. See if you have better luck now installing it and running it or if you still get the same error.

    5) Finally, I must ask you what your resident antivirus and two-way firewall are?

    abri
     
  7. Olga

    Olga Private E-2

    Sure took me a while.

    Damn! I had time issues, and now I barely remember what I've done. Will be prompt next time.

    1) Avenger looked a little different for some reason, but I ran it anyway.

    3) Patched successfully!

    4) I get the same "not a win32 application" error. :(

    5) I use NOD32 ver. 3.something, and the default Windows firewall.

    A few days ago I tried to install SpyBot, but I think I got the same win32 error. However, I just tried again, and it runs fine now - which means that out of all of the original problems I came across, only Combofix remains.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Olga,

    I expect your computer is still infected. I would like for you to run the Kaspersky online scan and see if it picks up something we've missed. After you finish, I will ask you to get a new copy of the MGlogs.zip. Here is the information for the online scan:

    To run the following scan, you will need to use Internet Explorer! If it doesn't load properly when you click on accept, you will need to enable ActiveX. Please go to Kaspersky WebScanner. Click on accept and allow the ActiveX component to install.

    The program will launch and then begin downloading the latest definition files:

    Once the files have been downloaded click on NEXT
    Click on Scan Settings and make sure the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives Scan Mail Bases
    • Click OK
    • Under select a target to scan:
    • Select My Computer

    The scan will take a while so be patient and let it run. Once the scan is complete it will display a report. Click Save as Text:
    Save the file somewhere where you can find it again.
    Attach this report to your next post.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Kaspersky log.

    Let me know how things are running now.

    abri
     
  9. Olga

    Olga Private E-2

    Kaspersky picked up tons of stuff.

    Nothing's changed, really. Same problem with Combofix remains. I get the weird impression my computer's been a bit slow lately (considering the fact that it's a mean machine, occasionally the speed doesn't seem right), but I'm pretty sure that's just my imagination.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Olga,

    Please download the free version of AVG Antispyware and allow it to fix all that it finds. You have to scroll down and you'll see it's the button at the bottom of the column on the right. This should get rid of some of the things Kaspersky found. If possible, have it create a log. If you can't see how to do that, please just note which ones it removes, if any, so I can see what it found and removed and what it left.

    When you're finished, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    abri
     
  11. Olga

    Olga Private E-2

    Yep, got a log file from AVG. It found mostly tracker stuff, and around 3 "serious" infections - 2 of which were program crack files I downloaded intentionally a very long time ago, so I skipped those.

    Combofix still doesn't work, and gives the same "Not a win32 application". Nothing else seems to be happening though, apart from some slowness.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi Olga,

    1) When you ran AVG Antispyware, you didn't have it fix any of the items it found. Not all, but 99% of all cracks invite trouble. The purpose of most cracks is to get around a system. Within that ethical code the boundaries of which system that refers to become very gray. There must be a setting which allows AVG Antispyware to fix the things it finds. Generally this is part of the report at the end.

    2) Also, you have a program called Antispy which I would like for you to remove. Please go to the following and delete first the contents of the Anti-Spyware folder and then the folder itself.

    C:\Program Files\Common Files\iS3\Anti-Spyware\fullupd.rsf
    C:\Program Files\Common Files\iS3\Anti-Spyware


    3) In your most recent logs, all the temp files I asked you to remove are still there. Please install and run the following. Let me know if this works.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    4) Try Combofix again and see what happens. You may have to reinstall it over the previous version.

    5) Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    Let me know how things are running now.

    abri
     
