
globalroot\systemroot\system32\UAClujrcynvvyllrxt.dll not a valid Windows image


2 replies to this topic

#1 Ahqaaaaaaa

Ahqaaaaaaa

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 15 July 2009 - 05:04 PM

Hi!

So, upon looking around the forum, I have a problem similar to a couple of previous posters. [link: http://www.bleepingcomputer.com/forums/t/240563/problem-with-globalrootsystemrootsystem32hjgruihwujwmlwdll-not-a-valid-windows-image-error-message/] and [link: http://www.bleepingcomputer.com/forums/t/238160/globalrootsystemrootsystem32hjgruihwujwmlwdll-not-a-valid-windows-image/]

I get the message "globalroot\systemroot\system32\UAClujrcynvvyllrxt.dll is not a valid Windows image. Please check this against your installation diskette." This message, as with the previous posters, pops up whenever I start up the computer, when the processes start, and every time I open a program. The programs run fine after that.

I also had the same issue with being redirected from links I clicked on with Google. I also fixed that with Malwarebytes, along with problems with System Security, yesterday. I wasn't even able to install or run Malwarebytes or other such applications before until I read about changing the file extensions. Since then, however, I'm now getting this "....system32\UAClujrcynvvyllrxt.dll....." message all the time.

I have tried running RootRepeal, but it gives me the warnings "Could not read boot sector. Try adjusting the Disk Access level in the options dialog." and "Could not find module file on disk." upon starting, and when I try to scan in the Files tab, it gives an error, "DeviceIoControl Error! Error Code = 0xc0000001". I have adjusted the Disk Access level, but to no avail... So I haven't been able to run it. I've also tried GMER, but the system just crashed and restarted itself before the scan was done.

I've run MBAM since, but it's failed to get rid of the problem. Anyhow, here's a log of the scan prior to my current problem (it's pretty long. Sorry....):

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 7:05:03 PM
mbam-log-2009-07-14 (19-05-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 197884
Time elapsed: 59 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACjncbwthnifwwhxb.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a8bf871a-fba2-4af2-a404-9dff7a4c5890} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a8bf871a-fba2-4af2-a404-9dff7a4c5890} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuzewomime (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Sarah\XP Deluxe Protector (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\XP Deluxe Protector (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SystemStore (Rogue.UltraAntiVir2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\PCenter (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\keys (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\temp (Rogue.PCenter) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACjncbwthnifwwhxb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\installb[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\~TM68.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\~TME2.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\program files\sFX\SfX.DlL (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tagetega.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Sarah\xp deluxe protector\xpdeluxe.exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\documents and settings\User\xp deluxe protector\1.exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\documents and settings\User\xp deluxe protector\xpdeluxe.exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemstore\uavir.cfg (Rogue.UltraAntiVir2009) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\cg.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\mw.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\rd.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\sc.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\sm.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\dbases\sp.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\keys\cg.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\keys\rd.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\keys\sc.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\keys\sp.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\temp\settings.ini (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\PCenter\temp\spfilter (Rogue.PCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETlog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\gdi32lib.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\t.id (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122458.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Sarah\local settings\Temp\vcru_1247199284.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Sarah\local settings\Temp\vcru_1247221949.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465749.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101465752.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETpbqdrxum.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNEThxxnknfj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETwuyqradn.sys (Trojan.Agent) -> Quarantined and deleted successfully.

It says that it deleted something with a UAC prefix, but apparently it wasn't enough.... Anyways, thanks in advance for taking the time to have a look. I appreciate it!
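As an added triage aid (not part of the original post or of Malwarebytes), the following script parses lines in the format of the MBAM log above, counts detections per family, and separates the entries marked "Delete on reboot" from those already quarantined; it also flags items under \\?\globalroot or with the UAC* file-name prefix, which are the rootkit-hidden ones this thread is about. The sample log excerpt is constructed from lines in that format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the line format of the Malwarebytes 1.39 log above:
# a section header ending in ":" followed by "<path> (<Detection>) -> <Action>." lines.
SAMPLE_LOG = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACjncbwthnifwwhxb.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNEThxxnknfj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Entry:
    section: str
    path: str
    detection: str
    action: str

def parse_mbam_log(text: str) -> list[Entry]:
    """Parse detection lines, remembering which 'X Infected:' section each belongs to."""
    entries, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):   # blank, or "(No malicious items detected)"
            continue
        if line.endswith(":"):                  # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Entry(section, m["path"], m["detection"], m["action"]))
    return entries

def pending_removals(entries: list[Entry]) -> list[Entry]:
    """Items MBAM could not remove while running; they only go after a reboot, if at all."""
    return [e for e in entries if e.action.startswith("Delete on reboot")]

def family_counts(entries: list[Entry]) -> Counter:
    """Number of detections per malware family, to see what the infection is made of."""
    return Counter(e.detection for e in entries)

def hidden_path(entry: Entry) -> bool:
    """True for globalroot paths or UAC*-named files: the rootkit-hidden items in this thread."""
    name = entry.path.rsplit("\\", 1)[-1].lower()
    return "globalroot" in entry.path.lower() or name.startswith("uac")
```

Run it over a full log and the "Delete on reboot" list is the set to re-check after restarting, since a rootkit that survives the reboot (as in this thread) will keep those files in place.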


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:05 PM

Posted 15 July 2009 - 05:51 PM

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File, Save As, create a log and post it here.

Copy and paste it into a reply.

Have you tried just a file scan with RootRepeal?
Chewy

No. Try not. Do... or do not. There is no try.

#3 Ahqaaaaaaa

Ahqaaaaaaa
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 17 July 2009 - 02:00 AM

Alright, sorry for the delayed response. Was gonna do it this morning, but got attacked by System Security again (it just keeps regenerating!).... Anyhow, went into Safe Mode and ran Malwarebytes again, getting rid of it, at least for the time being. Now the message about not a valid Windows path isn't showing up anymore, but I have seen that it still has a presence.

I'm able to run RootRepeal on pretty much everything except the Files tab, it seems. I ran it on Stealth Objects and it found a bunch of UAC files, but it won't allow any of them to be wiped or deleted.

So, here is the Process Explorer log:

Process PID CPU Description Company Name
System Idle Process 0 59.09
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 1.52
smss.exe 396 Windows NT Session Manager Microsoft Corporation
csrss.exe 444 1.52 Client Server Runtime Process Microsoft Corporation
winlogon.exe 468 Windows NT Logon Application Microsoft Corporation
services.exe 516 18.18 Services and Controller app Microsoft Corporation
svchost.exe 692 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 788 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 872 1.52 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 956 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1024 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1184 Spooler SubSystem App Microsoft Corporation
svchost.exe 1352 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 1388 Apple Mobile Device Service Apple, Inc.
avgwdsvc.exe 1404 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 1724 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 1740 AVG Network scanner Service AVG Technologies CZ, s.r.o.
jqs.exe 1448 Java™ Quick Starter Service Sun Microsystems, Inc.
NMSAccessU.exe 1488
sprtlisten.exe 1528 sprtlisten Module SupportSoft, Inc.
svchost.exe 1600 3.03 Generic Host Process for Win32 Services Microsoft Corporation
avgemc.exe 1696 AVG E-Mail Scanner AVG Technologies CZ, s.r.o.
avgcsrvx.exe 308 AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o.
alg.exe 688 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 3708 iPodService Module Apple Inc.
lsass.exe 528 3.03 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 2104 Windows Explorer Microsoft Corporation
shwiconEM.exe 2872 Alcor Micro, Corp.
lxbtbmgr.exe 2880 Lexmark 5200 Series Button Manager Lexmark International, Inc.
lxbtbmon.exe 2920 Lexmark 5200 Series Button Monitor Lexmark International, Inc.
tgcmd.exe 3024 Support.com Scheduler and Command Dispatcher Support.com, Inc.
QTTask.exe 3080 QuickTime Task Apple Inc.
jusched.exe 3128 Java™ Platform SE binary Sun Microsystems, Inc.
iTunesHelper.exe 3208 iTunesHelper Module Apple Inc.
sprtcmd.exe 3228 SupportSoft, Inc.
avgtray.exe 3244 AVG Tray Monitor AVG Technologies CZ, s.r.o.
msmsgs.exe 3316 Windows Messenger Microsoft Corporation
iexplore.exe 2224 Internet Explorer Microsoft Corporation
iexplore.exe 3492 Internet Explorer Microsoft Corporation
procexp.exe 124 12.12 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ctfmon.exe 2448 CTF Loader Microsoft Corporation

Alright, and RootRepeal's Stealth Objects scan says that the svchost.exe with PID 692 has some UAC hidden object. Not sure what it really means or if it's helpful, but figured I'd throw it out there anyway. Again, sorry for the delay, and thanks for the response.
