PC virus C:\... exe cannot be run in Win32 mode [Solved/Closed]

Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 29, 2014 at 07:27 AM - Latest reply: 2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen
- Aug 1, 2014 at 04:38 AM
Hello,
Anticipated thanks for your aid. I appreciate it greatly.

The following in a lengthy description of all the steps I have gone through in an attempt to rescue my PC (Windows 7 Home Premium, Service Pack1 x64 Dell Inc Inspiron One) .
Yesterday I had noticed that an automated scan from my antivirus (COMODO) had started, but the automated scan which should have started at the same time from Malwarebytes Anti-Malware had not.
I checked and it wasn't showing minimized in the tray either. Thinking it odd I tried to open it by double clicking its desktop icon and then by doubleclicking its exe file in its source folder. Each time it said "C:\...cannot be run in Win32 mode."
Almost every application/program I tried to open said "... cannot be run in Win32 mode". (In the meantime Comodo had finished the scan and found nothing and shut down by itself). I panicked and tried disinfecting by any means that I could
think of by aid of my laptop and USB memory stick.
From my Usb memory stick I had managed to install on my evidently infected PC (in Safe Mode - it was the only way it let me): SuperAntiSpyware Professional, a Professional version of Malwarebytes, Spybot Search & Destroy, Webroot SecureAnywhere, Trojan Killer and CCleaner.
I ran each of them in Safe Mode, in that order. Clicked the fix/delete command depending on each one, and got rid of the files they had found as suspicious or infected. Then I ran all the scans a second time for verification and they no longer found anything/ any other results to display.
Even so, when starting windows Normally, neither one of these security/cleanup programs would not run and that "... cannot be run in Win32 mode" message would always appear (despite having selected for each the option to launch at system startup in hopes to bypass the damned virus that wouldn't let me open/run exe files). After some time only Webroot Secure Anywhere started and after finishing its scan found nothing; to my great dismay.
I had also noticed that the virus blocked my Administrator privileges. It wouldn't let me force run anything in administrator mode. Nor alter user settings in control panel nor uninstall programs. In SafeMode I managed to regive myself Administrator status and set a password.
After much searching, I had found your thread "Win32/worm blaster" and the instructions you gave jonboy2011. I did run rkill (in Safe mode - it wouldn't let me otherwise) and it said it found no malware. I ran a Malwarebyte scan again and it didn't have any results to display.
The first time I ran FixBlast.exe it died on me and dissappeared halfway through the scan.
Then I downloaded ComboFix and when I tried to run it, it told me to disable Comodo Antivirus. I disabled it then clicked OK, but ComboFix still said Comodo Antivirus was running and had to be closed. I closed ComboFix and uninstalled Comodo. Even after uninstalling it, when I tried to run ComboFix again it still said that Comodo Antivirus is running and needs to be disabled. I manually searched for and deleted any stray files I could find that had anything to do with Comodo, and tried again. Same message.
Becoming quite concerned and desperate that I couldn't use the only thing that had helped jonboy2011, I tried as final attempts a scan with Avast antivirus and then a scan with Kaspersky via its RescueDisk 10 which I had saved and made work onto a bootable USB stick. Both Avast and Kaspersky had found a (different) file with a long name string of letters and numbers which were in a Comodo Quarantine folder apparently and I deleted them upon instruction and warning of high risk from Kaspersky and Avast.
It was 4.30 AM at that time, my memory was rather clouded around that time. Anyway, even after all that, when starting window in Normal Mode the situation remained the same "cannot be run in Win32 mode".
So ultimately, in Safe Mode again, I ran ComboFix without being able to disable anything and saved the log.txt on my USB stick and now I have uploaded it here in hopes that you would please help me and read it and make sense of it and save my PC with your knowledge.
I also ran FixBlast.exe after. This time it did not crash midway - it completed and said "W32.Blaster.Worm has not been found on your computer."
As of the moment of this writing, when starting windows Normally (after typing in the new password) the only programs that start automatically are DriverReviver, Avast, SuperAntiSpyware and Webroot SecureAnywhere. A message saying "The C:\Program Files\CCleaner\CCleaner64.exe application cannot be run in Win32 mode" appears. No Malwarebytes in sight. When I try to run it, it says "The C:\Program Files(x86)\Malwarebytes Anti-Malware\mbam.exe application cannot be run in Win32 mode". Trojan Killer gets the same "cannot run in Win32 mode" message. ComboFix the same. And trying to run FixBlaster.exe it tells me "You do not have Administrator rights to run the tool". I am stumped. I am at a loss. I am desperate. Please help me, sir, because I don't know what else to do to fix/cure my PC.

I apologize for my very long post, but I hoped that maybe by seeing all the steps I had gone through would help find out who the culprit/what kind of damned virus it is and what course of action can be taken.

Thank you very much for taking the time to read my message. I will be eternally grateful if you can help me with this difficult situation.

Kindest Regards,
Irina

P.S. I could only send the rkill and ComboFix logs I got after scanning in Safe Mode.
I tried to run ZHPDiag2.exe and it said "ShellExecuteEx a echoue ; code 129. the %1 application cannot be run in Win32 mode". Tried again in Safe Mode, installed it, opened it - it gave some sort of error message that dissappeared in a second and then it started and I could run the scan. Maybe there is hope after all.

http://www.speedyshare.com/uuvSF/log.txt
http://www.speedyshare.com/zzDRq/Rkill.txt
http://speedy.sh/99Hnf/ZHPDiag.txt

See more 

18 replies

Best answer
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Aug 1, 2014 at 04:38 AM
5
Thank you
Hi,

Thanks for the reply.
I'm not sure it's an infection that caused this, maybe it's a problem in the system.

See you later.

Gabriel.

Thank you, 2011N2 5

Something to say? Add comment

CCM has helped 1666 users this month

2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 01:57 AM
0
Thank you
Hello,

In safe mode with networking, try to uninstall Malwarebytes.
Then, reinstall it and try to run it. And then tell me if it's OK or not.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 04:42 AM
Hello!

In Safe Mode with Networking, I have uninstalled Malwarebytes. Then installed it again. Updated it and performed a Hypper Scan (because a Threat Scan would take 2 and a half hours) to see if it found anything. In 1min43s Hyper Scan was done and said "Scan completed successfully! No malicious items were detected!". But that can't be right if I still cannot run programs in Normal Mode.
What do I do...?
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 05:11 AM
0
Thank you
Hello,

Please do a threat scan, with the all options activates. Then, post the log.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 05:21 AM
Understood. Started scan right now. I will post a link with the log text when the scan will finish, which if I recall correctly should be in 2 hours time.

Thank you so much for helping me with this!
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 05:22 AM
Ok, see you later :)
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 07:09 AM
Hello again :)
Back with the logs. Still surprised no malicious items were detected...Here are the links:

http://speedy.sh/MMJW9/mb-fullcustomscan-log.txt
http://speedy.sh/HH2wA/mb-threatscan-log.txt
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 08:15 AM
0
Thank you
Hello,

Good :)

Can you run again ZHPDiag by clicking on full options please ? Host the report and paste the link.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 08:26 AM
Hello,

Yes, clicked on Full Options. A message appeared about a new version being available. Closed the message and the scan started. ZHPDiag Report link below:

http://speedy.sh/99CJf/ZHPDiag.txt
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 08:32 AM
0
Thank you
Hi,

Yes, it is not the last version but never mind.

1. Close all applications

2. Select and copy all of the following bold lines.
----------------------------------------------------------------------------------


Script ZHPFix
O2 - BHO: Webroot Filtering Extension [64Bits] - {C9C42510-9B41-42c1-9DCD-7282A2D07C61} . (.Webroot - Webroot SecureAnywhere Browser Extension.) -- C:\Program Files\Webroot\WRData\PKG\Vistax86\wrflt.dll
O4 - HKLM\..\Run: [InstallerLauncher] C:\Users\Ionut\AppData\Local\Temp\GZ_INSTALL_0\setuplauncher.exe (.not file.)
[HKCU\Software\PC VITALWARE]
[HKLM\Software\Wow6432Node\PC VITALWARE]
O43 - CFD: 14-Sep-13 - 3:28:59 PM - [] ----D C:\Users\Ionut\AppData\Roaming\PC VITALWARE
O43 - CFD: 23-Jul-12 - 6:39:02 PM - [] ----D C:\Users\Ionut\AppData\Local\Com
O43 - CFD: 28-Jun-14 - 1:36:52 PM - [] ----D C:\Users\Ionut\AppData\Local\lptmp1246118101
O61 - LFC: 28-Jun-14 - 3:20:18 PM ---A- . (.Webroot.) -- C:\Users\Ionut\AppData\Local\lptmp1246118101\npwebroot.dll [1513472]
O61 - LFC: 28-Jun-14 - 3:20:18 PM ---A- . (.Webroot.) -- C:\Users\Ionut\AppData\Local\lptmp1246118101\npwebroot64.dll [1957888]
[HKCU\Software\PC VITALWARE]
[HKLM\Software\Wow6432Node\PC VITALWARE]
C:\Users\Ionut\AppData\Roaming\PC VITALWARE
C:\Users\Ionut\AppData\Local\lptmp1246118101
O2 - BHO: Webroot Vault [64Bits] - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} . (.Webroot - Webroot Toolbar.) -- C:\ProgramData\WRData\pkg\LPBar.dll
O3 - Toolbar: Webroot Toolbar - [HKLM]{97ab88ef-346b-4179-a0b1-7445896547a5} . (.Webroot - Webroot Toolbar.) -- C:\ProgramData\WRData\pkg\LPBar64.dll
O2 - BHO: avast! Online Security [64Bits] - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} . (.AVAST Software - IE Webrep plugin.) -- D:\AvastAntivirus 2014\Avast Antivirus 9-2014-Final+Serial-2095\AvastAntivirus2014\aswWebRepIE.dll
O2 - BHO: (no name) [64Bits] - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} Orphan key
O3 - Toolbar: avast! Online Security - [HKLM]{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} . (.AVAST Software - IE Webrep plugin.) -- D:\AvastAntivirus 2014\Avast Antivirus 9-2014-Final+Serial-2095\AvastAntivirus2014\aswWebRepIE64.dll
O9 - Extra button: Webroot [64Bits] - {43699cd0-e34f-11de-8a39-0800200c9a66} . (.Webroot - Webroot Toolbar.) -- C:\ProgramData\WRData\pkg\LPBar64.dll



3. ZHP Diag created a short cut on your desktop called ZHP Fix, launch ZHP Fix (For Windows 7 click right to run as admin. Answer yes if you get an enquiry as to weither you want to run it or not

4. Click on the the Import button and the lines will automatically paste themselves.

5. Click on the Go button to clean

6. Confirm by clicking OK

7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time

8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 08:47 AM
Hi,
Pasted it below:

Rapport de ZHPFix 2014.4.13.3 par Nicolas Coolman, Update du 13/04/2014
Fichier d'export Registre :
Run by Ionut at 30-Jun-14 3:40:53 PM
High Elevated Privileges : OK
Windows 7 Home Premium Edition, 64-bit Service Pack 1 (Build 7601)

Recycle Bin emptied (04mn AMs)

========== Registry keys ==========
REMOVES: HKCU\Software\PC VITALWARE
REMOVES: HKLM\Software\Wow6432Node\PC VITALWARE
REMOVES: [HKLM\SOFTWARE\Classes\CLSID\{97ab88ef-346b-4179-a0b1-7445896547a5}]
REMOVES: CLSID BHO: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
REMOVES: [HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}]
REMOVES:* CLSID Extra Buttons: {43699cd0-e34f-11de-8a39-0800200c9a66}

========== Registry values ==========
REMOVES RunValue: InstallerLauncher
REMOVES: Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5}
REMOVES: Toolbar: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5}

========== Folders ==========
REMOVES: C:\Users\Ionut\AppData\Roaming\PC VITALWARE
REMOVES: C:\Users\Ionut\AppData\Local\Com
REMOVES: C:\Users\Ionut\AppData\Local\lptmp1246118101

========== Files ==========
REMOVES: c:\program files\webroot\wrdata\pkg\vistax86\wrflt.dll
REMOVES: c:\programdata\wrdata\pkg\lpbar.dll
REMOVES: d:\avastantivirus 2014\avast antivirus 9-2014-final+serial-2095\avastantivirus2014\aswwebrepie.dll


========== Summary ==========
6 : Registry keys
3 : Registry values
3 : Folders
3 : Files


End of clean in 08mn AMs

========== Path to file report ==========
C:\Users\Ionut\AppData\Roaming\ZHP\ZHPFix[R1].txt - 30-Jun-14 3:40:58 PM [1492]


P.S. Thank you for all your help so far. Maybe there's still hope for my pc after all
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jun 30, 2014 at 08:52 AM
0
Thank you
Hi,

OK, restart your computer. And tell me if it's better.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 09:03 AM
Hi,

I restarted it. Started Windows in Normal Mode. The first things to appear on my screen were "C:\Program Files\CCleaner\CCleaner64.exe application cannot be run in Win32 mode" and "D:\Perfect Uninstaller\PU.exe application cannot be run in Win32 mode".
A change however, is that Malwarebytes, Avast, Webroot SecureAnywhere and SuperAntiSpyware which were supposed to launch at system startup have appeared this time.

Maybe we're getting close to finding and deleting this rotten virus. I wonder where it came from and where it's hiding
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jun 30, 2014 at 03:27 PM
Hello again,

Thank you very much for your aid thus far, Gabriel. You're assistance means a lot to me, as it may very well be the only chance I have to disinfect and salvage my PC. I would hate to have to erase everything I have and reinstall Windows. My family and friend would probably hate me for it, since there are several things on the computer that are important to them. I kept telling them not to worry and to wait until all possibilities to save the computer will be exhausted.

Since it is 10:25 PM for me now, and I will most likely not be in front of my laptop by the time you will be reading this, I would just add some further info - as of this moment I have run in Normal Mode
1 - a SuperAntiSpyware Complete scan which found nothing (I've included a link with the scan log)
2 - and a Webroot SecureAnywhere scan that also found nothing (Included its log, too) and a System scan through it (I hope it will help maybe as crossreference comparison with the ZHPDiag report to discover where the pesky virus may be hiding - link below)
3 - and a Spybot S&D Scan (log included).
I tried to run a scan with Stronghold AntiMalware which found 1 AdWare: TranslateGenius and 1 Worm apparently in ZHPDiag and 22 suspicious files, but when I clicked Fix Now it crashed and never came back.

Added mentions would be that I am not permitted to run CCleaner, Trojan Killer, FixBlast, Perfect Uninstaller, rkill, TDSSKiller and ZHPDiag in Normal Mode the same "C:\.... .exe application cannot be run in Win32 mode" appearing each time. The same message also appears when I try to install any other new anti-malware software/program; so I suppose the only way to install anything is in Safe Mode.
What if some other files need to be deleted? When I was in Safe Mode and pasted that Script ZHPFix bolded text you said in ZHP Fix clicked Go and the restarted the computer, Malwarebytes, Avast and SuperAntiSpyware were able to launch themselves automatically (when the previously couldn't) even if the others (Trojan Killer, CCleaner, FixBlast, TDSSKiller etc) still cannot be run. What if the virus hasn't taken over everything yet and can be eliminated by removing other files where it may be hiding/may be affected by it?

I apologize for the long post. Just a little worried yet hopeful that this situation can be salvaged, so I'm trying to give as much information as I can. Logs below:

http://speedy.sh/wwYF6/SysAnalyzerLog-Mon-30-06-2014-20-58-15.log
http://speedy.sh/99TZf/webroot-secureanywhere-scan-log.log
http://speedy.sh/44apm/SUPERAntiSpyware-Scan-Log-06-30-2014-20-53-09.log
http://speedy.sh/33KZz/Scan-Results.140630-2152.txt

Goodnight,
Kindest Regards,

Irina
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jul 1, 2014 at 02:54 AM
0
Thank you
Hello,

First you can uninstall Spybot, it is obsolete.

And, before doing other manipulations, have you tried to restore your system ? http://ccm.net/faq/6693-system-restore-on-windows-7-and-vista

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jul 1, 2014 at 03:34 AM
Hello,

Alright, I have uninstalled Spybot S&D.
No,I hadn't tried to use System Restore. The last restore point is rather far back in time and I cannot be certain that when that restore point was made the PC was 100% clean. Even if it were, I don't know if going back in time will get rid of the source of this virus.
Last time my PC started acting strange 2 years ago due to a virus not even my officially purchased premium version security utilities couldn't detect, I had followed this suggestion and it had messed up my computer and the places where known files were supposed to be; and after I restarted it it just died. All I could get was a black screen with a long string of letters and numbers.
I would use System Restore only as a last resort. Are you certain that all other possibilities of fighting the virus have been exhausted?
2011N2 13385 Posts Saturday January 29, 2011Registration dateSecurity contributorStatus December 24, 2016 Last seen - Jul 2, 2014 at 03:51 AM
0
Thank you
Hello,

OK so don't use the system restore now.
Run again ZHPDiag, also by clicking on full options and send the report.

Gabriel.
Irina01 13 Posts Sunday June 29, 2014Registration date September 6, 2014 Last seen - Jul 31, 2014 at 01:13 PM
0
Thank you
Hi,

I apologize for the late reply. Unfortunately, the following day my computer had died on me, presented me with a black screen and nothing more. I eventually saved u some money and sent it to a repair service and now I have it back. Almost everything had to be deleted and Windows had to be reinstalled.
To, anyone who will have this problem, I suppose deleting all exe files and reinstalling windows seems to be the only escape. I still don't know where the virus came from. But hopefully I won't run into it again any time soon.

Thank you for your aid so far.
Good luck with your PCs