Windows Defender virus updates not a valid Win32 application


This topic is locked
7 replies to this topic

#1 TripodBob

TripodBob

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Williamsburg, Virginia
  • Local time:08:48 AM

Posted 19 April 2016 - 10:32 AM

System is fully updated XP Home. Still using Defender (along with MBAM and MBAE and Avira). 4/11/16 was the last time I was able to update Defender.    I now get the message: 'mpas-fe.exe is not a valid Win32 application'.  I download the updates using "hxxp://go.microsoft.com/fwlink/?linkid=70631". This has worked for years.   All other .exe files seem to work.

 

Attached are Addition.txt and FRST.txt  from Farbar.

Attached Files


Edited by hamluis, 19 April 2016 - 11:35 AM.
Moved from XP to Malware Removal Logs - Hamluis.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,184 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:48 AM

Posted 21 April 2016 - 10:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellExecuteHooks:  - {4F07DA45-8170-4859-9B5F-037EF2970034} -  No File [ ]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-839522115-115176313-682003330-1012] ATTENTION => Default URLSearchHook is missing
Toolbar: HKU\S-1-5-21-839522115-115176313-682003330-1004 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  No File
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-839522115-115176313-682003330-1004: tdameritrade.com/thinkorswim -> C:\Program Files\thinkorswim02\npthinkorswim.dll [No File]
FF Plugin HKU\S-1-5-21-839522115-115176313-682003330-1004: tdameritrade.com/tossc -> C:\Program Files\thinkorswim02\nptossc.dll [No File]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path\update_url>
S3 ALSysIO; \??\C:\DOCUME~1\ROBERT~1.ROI\LOCALS~1\Temp\ALSysIO.sys [X]
S3 gdrv; \??\C:\WINDOWS\gdrv.sys [X]
S3 HPZid412; system32\DRIVERS\HPZid412.sys [X]
S3 HPZipr12; system32\DRIVERS\HPZipr12.sys [X]
S3 HPZius12; system32\DRIVERS\HPZius12.sys [X]
S4 IntelIde; no ImagePath
S3 MagicTune; system32\drivers\MTiCtwl.sys [X]
S3 SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2014.RTM\WNt500x86\Sandra.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

No malware was found on your logs.

How long have you had Avira?
When running in real life this application will disable Windows Defender.

---

Let me check further.

Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • It will produce a log named SA Log.txt on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
Note: The link to the most current version of the program will always be in the first post of this topic.
Note: Windows 10 may pop up a warning message.
Note: The current java version on XP will show as "out of date".
Note: Flash Player ActiveX is pre-installed with Internet Explorer in Windows 10 and updates Automatically.

 ===

#3 TripodBob

TripodBob
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Williamsburg, Virginia
  • Local time:08:48 AM

Posted 21 April 2016 - 12:58 PM

Thanks for your quick response, nasdaq.

 

Here are the requested logs:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:18-04-2016
Ran by name goes here (2016-04-21 13:32:36) Run:1
Running from C:\Documents and Settings\name goes here\Desktop\Downloads from FireFox
Loaded Profiles: name goes here (Available Profiles: name goes here & kodak & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellExecuteHooks:  - {4F07DA45-8170-4859-9B5F-037EF2970034} -  No File [ ]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-839522115-115176313-682003330-1012] ATTENTION => Default URLSearchHook is missing
Toolbar: HKU\S-1-5-21-839522115-115176313-682003330-1004 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  No File
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-839522115-115176313-682003330-1004: tdameritrade.com/thinkorswim -> C:\Program Files\thinkorswim02\npthinkorswim.dll [No File]
FF Plugin HKU\S-1-5-21-839522115-115176313-682003330-1004: tdameritrade.com/tossc -> C:\Program Files\thinkorswim02\nptossc.dll [No File]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path\update_url>
S3 ALSysIO; \??\C:\DOCUME~1\ROBERT~1.ROI\LOCALS~1\Temp\ALSysIO.sys [X]
S3 gdrv; \??\C:\WINDOWS\gdrv.sys [X]
S3 HPZid412; system32\DRIVERS\HPZid412.sys [X]
S3 HPZipr12; system32\DRIVERS\HPZipr12.sys [X]
S3 HPZius12; system32\DRIVERS\HPZius12.sys [X]
S4 IntelIde; no ImagePath
S3 MagicTune; system32\drivers\MTiCtwl.sys [X]
S3 SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2014.RTM\WNt500x86\Sandra.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{4F07DA45-8170-4859-9B5F-037EF2970034} => value removed successfully.
HKCR\CLSID\{4F07DA45-8170-4859-9B5F-037EF2970034} => key not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
Could not restore Default URLSearchHook.
HKU\S-1-5-21-839522115-115176313-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => value removed successfully.
HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => key not found.
"HKCR\PROTOCOLS\Handler\cetihpz" => key removed successfully.
HKCR\CLSID\{CF184AD3-CDCB-4168-A3F7-8E447D129300} => key not found.
"HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf" => key removed successfully.
"HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => key removed successfully.
"HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp" => key removed successfully.
"HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf" => key removed successfully.
"HKU\S-1-5-21-839522115-115176313-682003330-1004\Software\MozillaPlugins\tdameritrade.com/thinkorswim" => key removed successfully.
C:\Program Files\thinkorswim02\npthinkorswim.dll => not found.
"HKU\S-1-5-21-839522115-115176313-682003330-1004\Software\MozillaPlugins\tdameritrade.com/tossc" => key removed successfully.
C:\Program Files\thinkorswim02\nptossc.dll => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\nneajnkjbffgblleaoojgaacokifdkhm" => key removed successfully.
ALSysIO => service removed successfully.
gdrv => service removed successfully.
HPZid412 => service removed successfully.
HPZipr12 => service removed successfully.
HPZius12 => service removed successfully.
IntelIde => service removed successfully.
MagicTune => service removed successfully.
SABProcEnum => service removed successfully.
SANDRA => service removed successfully.
EmptyTemp: => 2.2 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 13:34:41 ====

 

 

 

Result of Security Analysis by Rocket Grannie (x86) version: 16th April 2016
Running from:C:\Documents and Settings\name goes here\Desktop\Downloads from FireFox (13:49:13 - 04/21/2016)
***---------------------------------------------------------***
Microsoft Windows XP Home Edition X86 Service Pack 3
*WARNING* Windows XP is no longer supported
Internet Explorer 8
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
***-----------------Anti-Virus - Firewall-------------------***
Avira Antivirus Disabled - up to Date!
Windows Firewall is Enabled!
Searching for any other Firewall
*No other Firewall Installed*
***----------------AntiSpyware - Miscellaneous---------------***
Adobe flash Player Plugin (version 21.0.0.213)
Adobe Flash Player ActiveX (version 21.0.0.213)
CCleaner -- An older version than '5.16' is installed.
HijackThis -- An older version than '2.0.5' is installed.
Java (version 8.0.77.3)
Malwarebytes Anti-Malware (version 2.2.1.1043)
Mozilla Firefox (version 45)
CCleaner (version 5.05) is *out of Date*
HiJackThis (version 1.0.0) is *out of Date*

 

 

I've used Avira and Windows Defender together for years.  I installed a new copy of Avira a few months ago and know that it disabled Defender.  But I restarted Defender and they have worked side by side since then.
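The Fixlog above reports the outcome of every fixlist directive one line at a time, and in a long fix a line such as "Could not restore Default URLSearchHook." is easy to overlook among the successes. The following Python is an added example by the editor, not part of this thread and not FRST's own code: it embeds a trimmed copy of the Fixlog lines posted above and triages them into removed / not found / failed / cleanup / informational buckets. The regular expressions are the editor's reading of FRST's wording in this one log, not a documented format, so other Fixlog phrasings may land in the "info" bucket.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the Fixlog lines posted in this thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{4F07DA45-8170-4859-9B5F-037EF2970034} => value removed successfully.
HKCR\CLSID\{4F07DA45-8170-4859-9B5F-037EF2970034} => key not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
Could not restore Default URLSearchHook.
C:\Program Files\thinkorswim02\npthinkorswim.dll => not found.
ALSysIO => service removed successfully.
gdrv => service removed successfully.
EmptyTemp: => 2.2 GB temporary data Removed.
"""

# Patterns are the editor's assumption about FRST's wording, derived from this log only.
REMOVED_RE = re.compile(
    r"^(?P<target>.+?) => (?P<kind>value|key|service|file|folder) removed successfully\.$"
)
NOT_FOUND_RE = re.compile(r"^(?P<target>.+?) => (?:(?:key|file|value) )?not found\.$")
FAILED_RE = re.compile(r"^(?:Could not|Failed to) ")
TEMP_RE = re.compile(r"^EmptyTemp: => (?P<size>.+?) temporary data Removed\.$")


def classify(line):
    """Return (category, detail) for a single Fixlog line."""
    line = line.strip()
    m = REMOVED_RE.match(line)
    if m:
        return "removed", f"{m['kind']}: {m['target']}"
    m = NOT_FOUND_RE.match(line)
    if m:
        # "not found" usually means the registry pointer was dangling and the
        # target file/key was already gone; it is not an error by itself.
        return "not_found", m["target"]
    if FAILED_RE.match(line):
        # Anything FRST could not do needs a human follow-up.
        return "failed", line
    m = TEMP_RE.match(line)
    if m:
        return "cleanup", m["size"]
    return "info", line


def summarize_fixlog(text):
    """Count lines per category and keep the per-category details for review."""
    counts = Counter()
    details = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        category, detail = classify(line)
        counts[category] += 1
        details.setdefault(category, []).append(detail)
    return counts, details


if __name__ == "__main__":
    counts, details = summarize_fixlog(SAMPLE_FIXLOG)
    for category in ("removed", "not_found", "failed", "cleanup", "info"):
        print(f"{category:10} {counts[category]}")
    for item in details.get("failed", []):
        print("FOLLOW UP:", item)
```

Run against a real Fixlog.txt by replacing SAMPLE_FIXLOG with the file's contents; the "failed" list is the part worth posting back to the helper, since in this thread the one failure (the default URLSearchHook) went unaddressed.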



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,184 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:48 AM

Posted 22 April 2016 - 08:11 AM

Glad to see that both AVs can work together. The only bad effect may be that both are checking the operating system and may cause some delays.
If all is well for you then it's fine.

I see that Avira is listed as disabled in the Result of Security Analysis log.

What current issues persist with this computer?

#5 TripodBob

TripodBob
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Williamsburg, Virginia
  • Local time:08:48 AM

Posted 22 April 2016 - 08:28 AM

I disabled Avira before I ran RGSA.

 

The only issue that persists is that I cannot update Windows Defender.  The downloaded update files continually give me the error:

'mpas-fe.exe is not a valid Win32 application'.  The last update I was able to run was on 4/11/16.  Maybe Microsoft has changed the updates so they no longer run on XP.
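"is not a valid Win32 application" is the message the Windows loader gives when it refuses an image at the header level, before any code runs; two common reasons are a 64-bit image on a 32-bit OS and a PE whose required subsystem version (in the optional header) is newer than the running OS, which for XP means anything above 5.1. Checking the downloaded mpas-fe.exe's header settles whether the file was built for a newer Windows, as the poster suspects, without touching the malware question. The Python below is an added example by the editor, not from the thread or from Microsoft: it parses the MZ/PE headers with the standard library and applies that loader rule. It does not have the real mpas-fe.exe, so it builds headers-only stub images to test against; the 5.1-versus-6.x interpretation of the error is the editor's assumption, not something the thread confirms.

```python
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def inspect_pe(data):
    """Read the loader-relevant fields from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # Version fields sit at the same offsets in PE32 and PE32+.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "os_version": (os_major, os_minor),
        "subsystem_version": (ss_major, ss_minor),
        "subsystem": subsystem,
        "optional_header_size": opt_size,
    }


def loadable_on(info, os_version=(5, 1), is_64bit_os=False):
    """Approximate loader rule (editor's assumption): the image architecture
    must fit the OS, and the image may not require a subsystem version newer
    than the OS provides. XP SP3 reports itself as 5.1."""
    if info["pe32plus"] and not is_64bit_os:
        return False, "64-bit image on a 32-bit OS"
    if info["subsystem_version"] > os_version:
        want = "%d.%d" % info["subsystem_version"]
        have = "%d.%d" % os_version
        return False, f"requires subsystem {want}, OS provides {have}"
    return True, "ok"


def build_stub_pe(machine, subsys_major, subsys_minor, pe32plus=False):
    """Constructed headers-only image for testing; it is not a runnable EXE."""
    e_lfanew = 0x40
    img = bytearray(e_lfanew + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", img, coff, machine)          # Machine
    struct.pack_into("<H", img, coff + 16, 96)          # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<HH", img, opt + 40, subsys_major, subsys_minor)  # OS version
    struct.pack_into("<HH", img, opt + 48, subsys_major, subsys_minor)  # subsystem version
    struct.pack_into("<H", img, opt + 68, 2)            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(img)


if __name__ == "__main__":
    # Usage: python check_pe.py path\to\mpas-fe.exe  (path is a placeholder)
    with open(sys.argv[1], "rb") as fh:
        info = inspect_pe(fh.read())
    ok, reason = loadable_on(info, os_version=(5, 1), is_64bit_os=False)
    print("subsystem version %d.%d" % info["subsystem_version"])
    print("loadable on 32-bit XP:", ok, "-", reason)
```

If the downloaded update reports a subsystem version of 6.0 or higher, the error is a build-target mismatch and no amount of malware cleaning will change it; if it reports 5.1 or lower, the file itself deserves a closer look (a truncated or tampered download also fails the MZ/PE signature checks above).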



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,184 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:48 AM

Posted 23 April 2016 - 06:45 AM

Some were able to circumvent the issue.
http://www.msfn.org/board/topic/175514-microsoft-security-essentials-and-windows-xp/

I would not attempt any of it.
You presently have some type of prevention and it's as good as Windows Defender.

Your call if you want to take a chance, keeping in mind that Microsoft does not support XP any more.

#7 TripodBob

TripodBob
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Williamsburg, Virginia
  • Local time:08:48 AM

Posted 23 April 2016 - 09:04 AM

nasdaq

 

Thanks very much for that info.  I really only keep Windows Defender around because I like some of the tools that come with it.

Since I was searching on 'Windows Defender' and not 'MSE' I never found the link you have provided.  I agree with you; not worth the effort / risk to do the workaround.  At least the issue has been solved and thank you for that.

 

Call this one closed.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,184 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:48 AM

Posted 24 April 2016 - 06:43 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



