Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Problem with globalroot\systemroot\system32\hjgruihwujwmlw.dll not a valid Windows image error message.

  • Please log in to reply
2 replies to this topic

#1 wasthisg


  • Members
  • 2 posts
  • Local time:05:40 AM

Posted 11 July 2009 - 02:31 AM


I looked around the forum previously and I found that I am having an almost identical problem to a previous poster. [link:http://www.bleepingcomputer.com/forums/topic238160.html]

I am constantly getting an error message of "The application or DLL globalroot\systemroot\system32\hjgruihtpdrkmy.dll is not a valid Windows image. Please check this against your installation diskette." This error message pops up when windows initially starts up before the log-in screen ,with the titles (lsass.exe -Bad Image, and Services.exe -Bad Image), as well as when the desktop loads and whenever I open or start a program (with the specific program .exe -Bad Image title). Note: but the programs do run after clicking okay on the error message.

I had the same issue as the previously aforementioned poster whenever I did a search engine search with firefox: Everytime I clicked on a listed query link I was redirected to a random site. I fixed the redirected problem in the exact same was as the previous poster also, I used Malwarebytes. Malwarebytes seems to have solved the initial problem but now the DLL error message pops up. Unlike the previous poster though, I have not had any blue screen errors.

I have followed the first half of the instructions from the above linked post since the advice he was given seemed to have solved his problem.

I downloaded RootRepeal Rootkit Detector, ran it for the file tab and saved a log.

But the second half of the instructions are apparently personalized to his problem. He was asked to delete a file that doesn't seem to be in the log I have. So hopefully maybe someone can help me out with this problem.

Here is a log of my Malwarebytes scan that got rid of the redirecting problem:

Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 5.1.2600 Service Pack 3

7/10/2009 10:55:33 PM
mbam-log-2009-07-10 (22-55-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246471
Time elapsed: 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\i386\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hjgruihtpdrkmy.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\Temp\hjgruixvcanpfdld.tmp (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\hjgruihxithwgk.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\drivers\hjgruijnvmexrq.sys (Trojan.Agent) -> Quarantined and deleted successfully.

And here is a log of the RootsRepeal Log after I rebooted my computer after the malwarebytes scan and fix.

ROOTREPEAL © AD, 2007-2009
Scan Time: 2009/07/10 23:41
Program Version: Version
Windows Version: Windows XP SP3

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiftnldglr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruihtpdrkmy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruihxithwgk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruivscdiomq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruijnvmexrq.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\g\application data\mozilla\firefox\profiles\tgw0cq74.default\sessionstore.js
Status: Size mismatch (API: 58139, Raw: 57977)

Thanks for any help and for taking the time to help!

BC AdBot (Login to Remove)


#2 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:40 AM

Posted 11 July 2009 - 06:05 AM


The bold center letters are random, different for every infection


Procede with the wipe/reboot and MBAM scan

No. Try not. Do... or do not. There is no try.

#3 wasthisg

  • Topic Starter

  • Members
  • 2 posts
  • Local time:05:40 AM

Posted 11 July 2009 - 12:53 PM

Thank you for the info and help DAChew! Everything is working perfectly now.

Thanks again!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users