#16
Woooooo, this is new and scary!
I made just the same thing I did yesterday, downloaded combofix from that link, renamed it to combo-fix.exe and executed it. After double clicking it a dialog window appears with the text: "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters". Maybe this is not a problem of combofix, but yesterday I didn't receive such a message.

#17
Call it MyCombo instead.
It is also possible that the program has been rewritten again (happens very often) because some infections are programmed to resist combofix.
Last edited by Porthos : April 22nd, 2008 at 01:34 PM.

#18
Combofix didn't finish. My system rebooted/crashed while combofix was working. I mean, it was not combofix that made the system reboot. I don't know exactly what combofix's last message was, but I think it had reached "etapa 15" at least.
Btw, I tried to install AVG and Avast as I said before and although none of them were correctly installed, Avast seems to be present in my system, though I can't execute it (not a valid win32 application).

#19
Let's go another route.
Download Deckard's System Scanner. HERE

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - Main.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread here.
5. A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
6. Attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What Deckard's System Scanner will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review.

Deckard's System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

When you get the two notepad documents, click somewhere inside the notepad document and hold CTRL/Control and press A then C. This will "select all" and "copy" the text. Please post both of the logs.

#21
I'm officially desperate, my malware got tougher!
I can't execute dss.exe. Something similar to what happened to ccleaner happens. I see the application briefly but then it automatically closes.
EDIT: Now going to try baglegui...

#22
Check post #20

#23
I'm running baglegui right now but I'm not sure if it's going to work as it told me that "I'm not logged as system administrator" so it wouldn't be able to manipulate some files or something of the like. That shouldn't be true as I only have this user account which is the admin account and a guest account (I've checked it) created long ago by .NET framework (I think).
I'll post the results when it's done.

#24
While we're waiting, do you have your Windows disk? And a place to back up your documents etc.?

#25
Baglegui finished. It only found and changed 1 registry entry.
I have my XP disk and other computers where to back up my documents in my LAN, but I'm afraid they might get infected too through the LAN. I have the OS and installed applications in partition C and all data and docs in partition E on the same HDD. Anyway, there are too many things I'd like to keep to copy all of them to another computer. If that was the case it would be faster to just format partition C and keep E as it is right now (I think partition E should be clean).
I'm thinking that yesterday mbam worked correctly and deleted two files "srosa.sys" and "hldrrr.exe". After that I rebooted and combofix worked. Is this any help to you?

#26
I just used mbam and it found and erased (two of them after reboot) 4 files:

Malwarebytes' Anti-Malware 1.11
Versión de la Base de Datos: 669
Tipo de examen : Examen Rápido
Objetos examinados: 32177
Tiempo transcurrido: 4 minute(s), 0 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 4

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\hldrrr.exe (Rootkit.Agent) -> Delete on reboot.

#27
Quote:
I never saw any signs of the E drive being infected. It would be faster and will erase that C drive and all infection. Do you need any guides on how to format and install Windows?

#28
Will combofix run now?

#29
Actually I think I installed XP about two weeks ago... I got a new box and had to reinstall everything. The bad thing is that I've already installed the applications that I use most and just thinking about having to do it all again... damn that SUCKS.
I think that is what I will do anyway as I'll have a totally clean system and maybe I'll waste more time tracking down the malware that is affecting me than reinstalling

#30
Quote:
No it won't. Uninstalled it, downloaded again and executed it and rebooted like last time. Sooo... I'll reinstall. I'll grab some files in "my documents" that I might want to keep.