PC virus C:\... exe cannot be run in Win32 mode

Solved/Closed
Irina01
- Jun 29, 2014 at 07:27 AM
Hello,
Anticipated thanks for your aid. I appreciate it greatly.

The following is a lengthy description of all the steps I have gone through in an attempt to rescue my PC (Windows 7 Home Premium, Service Pack 1 x64 Dell Inc Inspiron One).
Yesterday I had noticed that an automated scan from my antivirus (COMODO) had started, but the automated scan which should have started at the same time from Malwarebytes Anti-Malware had not.
I checked and it wasn't showing minimized in the tray either. Thinking it odd I tried to open it by double-clicking its desktop icon and then by double-clicking its exe file in its source folder. Each time it said "C:\...cannot be run in Win32 mode."
Almost every application/program I tried to open said "... cannot be run in Win32 mode". (In the meantime Comodo had finished the scan and found nothing and shut down by itself). I panicked and tried disinfecting by any means that I could think of by aid of my laptop and USB memory stick.
From my USB memory stick I had managed to install on my evidently infected PC (in Safe Mode - it was the only way it let me): SuperAntiSpyware Professional, a Professional version of Malwarebytes, Spybot Search & Destroy, Webroot SecureAnywhere, Trojan Killer and CCleaner.
I ran each of them in Safe Mode, in that order. Clicked the fix/delete command depending on each one, and got rid of the files they had found as suspicious or infected. Then I ran all the scans a second time for verification and they no longer found anything/ any other results to display.
Even so, when starting Windows normally, none of these security/cleanup programs would run and that "... cannot be run in Win32 mode" message would always appear (despite having selected for each the option to launch at system startup in hopes to bypass the damned virus that wouldn't let me open/run exe files). After some time only Webroot SecureAnywhere started and after finishing its scan found nothing; to my great dismay.
I had also noticed that the virus blocked my Administrator privileges. It wouldn't let me force run anything in administrator mode, nor alter user settings in Control Panel, nor uninstall programs. In Safe Mode I managed to give myself Administrator status again and set a password.
After much searching, I had found your thread "Win32/worm blaster" and the instructions you gave jonboy2011. I did run rkill (in Safe Mode - it wouldn't let me otherwise) and it said it found no malware. I ran a Malwarebytes scan again and it didn't have any results to display.
The first time I ran FixBlast.exe it died on me and disappeared halfway through the scan.
Then I downloaded ComboFix and when I tried to run it, it told me to disable Comodo Antivirus. I disabled it then clicked OK, but ComboFix still said Comodo Antivirus was running and had to be closed. I closed ComboFix and uninstalled Comodo. Even after uninstalling it, when I tried to run ComboFix again it still said that Comodo Antivirus is running and needs to be disabled. I manually searched for and deleted any stray files I could find that had anything to do with Comodo, and tried again. Same message.
Becoming quite concerned and desperate that I couldn't use the only thing that had helped jonboy2011, I tried as final attempts a scan with Avast antivirus and then a scan with Kaspersky via its RescueDisk 10 which I had saved and made work onto a bootable USB stick. Both Avast and Kaspersky had found a (different) file with a long name string of letters and numbers which were in a Comodo Quarantine folder apparently and I deleted them upon instruction and warning of high risk from Kaspersky and Avast.
It was 4.30 AM at that time, my memory was rather clouded around that time. Anyway, even after all that, when starting Windows in Normal Mode the situation remained the same "cannot be run in Win32 mode".
So ultimately, in Safe Mode again, I ran ComboFix without being able to disable anything and saved the log.txt on my USB stick and now I have uploaded it here in hopes that you would please help me and read it and make sense of it and save my PC with your knowledge.
I also ran FixBlast.exe after. This time it did not crash midway - it completed and said "W32.Blaster.Worm has not been found on your computer."
As of the moment of this writing, when starting Windows normally (after typing in the new password) the only programs that start automatically are DriverReviver, Avast, SuperAntiSpyware and Webroot SecureAnywhere. A message saying "The C:\Program Files\CCleaner\CCleaner64.exe application cannot be run in Win32 mode" appears. No Malwarebytes in sight. When I try to run it, it says "The C:\Program Files(x86)\Malwarebytes Anti-Malware\mbam.exe application cannot be run in Win32 mode". Trojan Killer gets the same "cannot run in Win32 mode" message. ComboFix the same. And trying to run FixBlaster.exe it tells me "You do not have Administrator rights to run the tool". I am stumped. I am at a loss. I am desperate. Please help me, sir, because I don't know what else to do to fix/cure my PC.

I apologize for my very long post, but I hoped that maybe by seeing all the steps I had gone through would help find out who the culprit/what kind of damned virus it is and what course of action can be taken.

Thank you very much for taking the time to read my message. I will be eternally grateful if you can help me with this difficult situation.

Kindest Regards,
Irina

P.S. I could only send the rkill and ComboFix logs I got after scanning in Safe Mode.
I tried to run ZHPDiag2.exe and it said "ShellExecuteEx a echoue ; code 129. the %1 application cannot be run in Win32 mode". Tried again in Safe Mode, installed it, opened it - it gave some sort of error message that disappeared in a second and then it started and I could run the scan. Maybe there is hope after all.


9 replies

2011N2
Aug 1, 2014 at 04:38 AM
Hi,

Thanks for the reply.
I'm not sure it's an infection that caused this, maybe it's a problem in the system.

See you later.

Gabriel.