globalroot\systemroot\system32\hjgruihwujwmlw.dll not a valid Windows image


9 replies to this topic

#1 laundry95 (Members, 5 posts)

Posted 01 July 2009 - 06:36 PM

Hello!

A couple of days ago, I started noticing that when I clicked on Google links in Mozilla Firefox, I was redirected to shopping sites. I ran Malwarebytes and asked it to remove about four infected files, then restarted my computer. I am no longer redirected, but every time I try to run a program, I get an error message:

The application or DLL globalroot\systemroot\system32\hjgruihwujwmlw.dll is not a valid Windows image. Please check this against your installation diskette.

Each program's name (ex. firefox.exe) is in the title bar of the message. I have also noticed that my computer isn't going to screensaver/standby unless it is closed (laptop). It has also bluescreened three times recently with the error message DRIVER_IRQL_NOT_LESS_OR_EQUAL. Other than that, everything is running fine (the programs run after clicking 'OK' on the error message).

From the MBAM log BEFORE I deleted the files:

Files Infected:
c:\WINDOWS\system32\hjgruiakdqoomt.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\hjgruihwujwmlw.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\hjgruihqntotqvtu.tmp (Trojan.TDSS) -> Delete on reboot.

Malwarebytes no longer picks up any infected files. Oh, and I am running Windows XP, if you need to know that.

Thanks so much for taking the time to read this! Any help would be great.
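The dialog quoted above is the hard-error text for STATUS_INVALID_IMAGE_FORMAT (0xC000007B): the loader found the file, but its MZ/PE headers did not parse. The `globalroot\systemroot\system32\...` form is an NT object-namespace path to the Windows directory rather than the `C:\WINDOWS\system32\...` a normal program would use, which is worth noting when tracing who requested the load. The Python below is an added example, not code from the post or from any tool named in this thread: it performs the same first-pass header checks on three constructed inputs, an intact header-only i386 DLL, the same bytes zero-filled, and a truncated copy. The constants are from the PE format; the idea that the file on disk was zero-filled or truncated rather than unlinked is my assumption, used only to show which inputs trip which check.

```python
import struct
from typing import Tuple

# Constants from the PE specification.
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# NTSTATUS whose hard-error text is "... is not a valid Windows image."
STATUS_INVALID_IMAGE_FORMAT = 0xC000007B


def check_image(data: bytes) -> Tuple[bool, str]:
    """Header sanity checks in the order the loader effectively applies them.
    Returns (ok, reason); ok=False is what surfaces as the dialog in the post."""
    if len(data) < 64:
        return False, "only %d bytes: shorter than IMAGE_DOS_HEADER" % len(data)
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        return False, "no MZ signature (first bytes %s)" % data[:2].hex()
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if e_lfanew + 24 > len(data):   # PE signature (4) + IMAGE_FILE_HEADER (20)
        return False, "e_lfanew 0x%x points past end of file" % e_lfanew
    (sig,) = struct.unpack_from("<I", data, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        return False, "no PE signature at e_lfanew 0x%x" % e_lfanew
    machine, _nsec, _ts, _sym, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, "machine 0x%x is not i386 (32-bit XP)" % machine
    if not chars & IMAGE_FILE_DLL:
        return False, "IMAGE_FILE_DLL not set: cannot be loaded as a DLL"
    return True, "MZ/PE headers parse, machine i386, DLL flag set"


def loader_verdict(path: str, data: bytes) -> str:
    """Render the outcome the way the user sees it: a quiet load, or the
    STATUS_INVALID_IMAGE_FORMAT hard error naming the offending path."""
    ok, reason = check_image(data)
    if ok:
        return "%s: loaded (%s)" % (path, reason)
    return "0x%08X: The application or DLL %s is not a valid Windows image [%s]" % (
        STATUS_INVALID_IMAGE_FORMAT, path, reason)


def build_minimal_dll() -> bytes:
    """Constructed header-only i386 DLL: a 64-byte DOS header whose e_lfanew
    points at offset 0x40, then the PE signature and an IMAGE_FILE_HEADER."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 60, 0x40)
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0,
                              IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header


# Constructed inputs (not files from the post): an intact header, the same
# bytes zero-filled (assumed wipe behaviour), and a truncated copy.
GOOD_DLL = build_minimal_dll()
WIPED_DLL = bytes(len(GOOD_DLL))
TRUNCATED_DLL = GOOD_DLL[:60]

if __name__ == "__main__":
    path = r"\\?\globalroot\systemroot\system32\hjgruihwujwmlw.dll"
    for label, blob in (("intact", GOOD_DLL), ("wiped", WIPED_DLL), ("truncated", TRUNCATED_DLL)):
        print(label.ljust(10), loader_verdict(path, blob))
```

The point of the three inputs: once the rootkit's driver is gone but something still asks the loader for the DLL on every process start, any file that no longer carries a parseable MZ/PE header produces exactly this dialog, one per program, with the program's name in the title bar.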


#2 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 01 July 2009 - 06:42 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Orange Blossom, OBleepin Investigator (Moderator, 36,719 posts, Bloomington, IN)

Posted 01 July 2009 - 07:26 PM

I am moving this to the Am I Infected forum for you. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 laundry95, Topic Starter (Members, 5 posts)

Posted 02 July 2009 - 11:43 AM

Orange Blossom - Thanks! Sorry I posted in the wrong forum...

Budapest - Thanks for the reply! Here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 12:49
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\hjgruiakdqoomt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruibiwykmdp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruihwujwmlw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruirfxktqpm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\big al\local settings\temp\etilqs_m76fiwaw3ppdxiymt0uv
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\big al\local settings\temp\etilqs_mgggw1gphxldzyuoqlin
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\big al\local settings\temp\etilqs_qdaohsxmrotc97dllgrh
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\big al\local settings\temp\etilqs_txndknyl0ohaihgaiuzt
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\big al\local settings\temp\etilqs_ypxcwhnlrtdylp913bdu
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Big Al\Application Data\Mozilla\Firefox\Profiles\2vtkiynp.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)


#5 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 02 July 2009 - 04:57 PM

Rerun RootRepeal. After the scan completes, go to the Files tab and find this file:

C:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys

Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Then run another quick-scan with Malwarebytes.

#6 laundry95, Topic Starter (Members, 5 posts)

Posted 08 July 2009 - 10:51 AM

The messages have stopped! Thank you! But Malwarebytes still found some infected files. Should I remove them?


Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 2

7/8/2009 10:54:36 AM
mbam-log-2009-07-08 (10-54-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202140
Time elapsed: 49 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruikdqvvssq (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hjgruikdqvvssq (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjgruikdqvvssq (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\hjgruiakdqoomt.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\hjgruihwujwmlw.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys (Trojan.Agent) -> No action taken.
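Both logs in this thread share one tell: every artefact, the two DLLs, the .dat files, the driver, and the service key MBAM reports here, carries the same six-character prefix `hjgrui`. The Python below is an added example, not part of any post and not code from RootRepeal or Malwarebytes: it parses shortened, constructed excerpts of the two logs quoted above, ranks each RootRepeal status, recovers the shared prefix from the files marked invisible to the Windows API, and tags every other line that carries it so the whole family is removed together. Assumptions: the prefix-grouping heuristic is mine; `etilqs_` is SQLite's temp-file prefix (Firefox writes such files) and 0xC0000008 is STATUS_INVALID_HANDLE, but reading the sessionstore.js result as Firefox holding the file open is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpts, shortened from the two logs quoted in this thread.
ROOTREPEAL_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\hjgruiakdqoomt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruibiwykmdp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\big al\local settings\temp\etilqs_m76fiwaw3ppdxiymt0uv
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Big Al\Application Data\Mozilla\Firefox\Profiles\2vtkiynp.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)
"""

MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjgruikdqvvssq (Trojan.Agent) -> No action taken.

Files Infected:
c:\WINDOWS\system32\hjgruihwujwmlw.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\hjgruiodrwtmxf.sys (Trojan.Agent) -> No action taken.
"""

SQLITE_TEMP_PREFIX = "etilqs_"   # SQLite's temp-file prefix; Firefox creates these
STATUS_INVALID_HANDLE = "0xc0000008"


def basename(path: str) -> str:
    """Last backslash component, lower-cased; works for file paths and registry keys."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rootrepeal(report: str) -> List[Tuple[str, str]]:
    """(path, status) pairs from a RootRepeal Files-tab report."""
    pairs, path = [], None
    for line in report.splitlines():
        if line.startswith("Path: "):
            path = line[6:].strip()
        elif line.startswith("Status: ") and path is not None:
            pairs.append((path, line[8:].strip()))
            path = None
    return pairs


MBAM_LINE = re.compile(r"^(?P<item>\S.*?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam(log: str) -> List[Tuple[str, str, str]]:
    """(item, detection name, action) for every MBAM detection line."""
    return [(m["item"], m["name"], m["action"])
            for m in (MBAM_LINE.match(l.strip()) for l in log.splitlines()) if m]


def severity(status: str, path: str) -> str:
    """Only 'invisible' is a rootkit signal; the other two statuses seen in this
    thread are treated as cross-view noise (assumption, see lead-in)."""
    if status.startswith("Invisible to the Windows API"):
        return "HIGH"
    if status.startswith("Allocation size mismatch") and basename(path).startswith(SQLITE_TEMP_PREFIX):
        return "LOW"    # delete-on-close SQLite temp files
    if STATUS_INVALID_HANDLE in status.lower():
        return "LOW"    # STATUS_INVALID_HANDLE; assumed: file held open by Firefox
    return "MEDIUM"


def common_prefix(names: List[str], min_len: int = 4) -> str:
    """Longest prefix shared by all hidden file names (here: 'hjgrui')."""
    if not names:
        return ""
    prefix = names[0]
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix if len(prefix) >= min_len else ""


def triage(report: str, log: str):
    """Returns (prefix, findings, family); a finding is (severity, item, detail, same_family)."""
    hidden = parse_rootrepeal(report)
    prefix = common_prefix([basename(p) for p, s in hidden if severity(s, p) == "HIGH"])
    findings = [(severity(s, p), p, s, bool(prefix) and basename(p).startswith(prefix))
                for p, s in hidden]
    for item, name, action in parse_mbam(log):
        fam = bool(prefix) and basename(item).startswith(prefix)
        findings.append(("HIGH" if fam else "MEDIUM", item, name + " -> " + action, fam))
    family = sorted({f[1].lower() for f in findings if f[3]})
    return prefix, findings, family


def summarize(findings) -> Dict[str, int]:
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    prefix, findings, family = triage(ROOTREPEAL_REPORT, MBAM_LOG)
    print("shared prefix:", prefix or "(none)")
    for sev, item, detail, fam in findings:
        print("%-6s %s %s  [%s]" % (sev, "*" if fam else " ", item, detail))
    print("family members to remove together:", *family, sep="\n  ")
```

The service key is the reason the grouping matters: once the driver is wiped, MBAM can see and delete the files, but the `Services\hjgrui...` entries still reference a driver that should never come back, so they go in the same pass.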

#7 DaChew, Visiting Alien (BC Advisor, 10,317 posts, millenium falcon and rockytop)

Posted 08 July 2009 - 11:59 AM

Should I remove them?


Yes

Rootrepeal just tricks the infection so MBAM can clean it up.
Chewy

No. Try not. Do... or do not. There is no try.

#8 laundry95, Topic Starter (Members, 5 posts)

Posted 08 July 2009 - 12:05 PM

Neat, thanks! Love the icon, by the way.

#9 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 08 July 2009 - 04:36 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#10 laundry95, Topic Starter (Members, 5 posts)

Posted 08 July 2009 - 05:28 PM

Okay, I will. Thank you so much!



