Bad Image - system32 not designed to run on..

Asus / F8series
July 10, 2009 at 15:03:46
Specs: Windows Vista Home Premium

Every time I open a program I get a bad image error.

"globalroot\systemroot\system32\hjgruigfcwjfym.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support"

Also, I cannot open any of my files for Windows Office... so no Word documents or PowerPoint documents, etc.

It also prevents me from turning the Windows Security Center service back on. If I try to search for viruses with Norton, it simply says I'm searching while 0 files are searched. I have run a Malwarebytes scan and deleted a few files, but the problem persists.

Please help!




#1
July 10, 2009 at 19:27:14



#2
July 11, 2009 at 08:18:00

Malwarebytes' Anti-Malware 1.38
Database version: 2404
Windows 6.0.6001 Service Pack 1

7/11/2009 11:08:08 AM
mbam-log-2009-07-11 (11-08-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193016
Time elapsed: 1 hour(s), 25 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also, new development, but I'm not sure it's related to the
problem... my internet does not work, despite being
"connected". Dunno if that helps or if you prefer to ignore that
part...



#3
July 11, 2009 at 08:37:37

If your internet doesn't work, try to download this on another computer and transfer it via USB.

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
July 11, 2009 at 15:48:33

virusinfo_syscure.zip:

http://rapidshare.com/files/2547371...


DDS file:

http://rapidshare.com/files/2547397...


Attach file:

http://rapidshare.com/files/2547399...

I don't think I have any script-blocking programs... What would
be an example of one?



#5
July 11, 2009 at 16:16:43

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
 ExecuteRepair(14);
 ExecuteRepair(15);
 ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
 SetAVZPMStatus(true); 
 RebootWindows(true);
end.

2) Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#6
July 11, 2009 at 17:45:39

Name of file downloaded:

pdzszdmt.exe

Download link for GMER log:

http://rapidshare.com/files/2547641...



#7
July 11, 2009 at 18:07:57

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
StopService('hjgruisbefmndo');
DeleteService('hjgruisbefmndo');
BC_DeleteSvc('hjgruisbefmndo');
QuarantineFile('C:\Windows\Temp\hjgruivhxnqeajpx.tmp','');
DeleteFile('C:\Windows\Temp\hjgruivhxnqeajpx.tmp');
QuarantineFile('C:\Windows\System32\hjgruisymlnxdt.dll','');
DeleteFile('C:\Windows\System32\hjgruisymlnxdt.dll');
QuarantineFile('C:\Windows\System32\hjgruioqqpavvu.dat','');
DeleteFile('C:\Windows\System32\hjgruioqqpavvu.dat');
QuarantineFile('C:\Windows\System32\hjgruiimyraekt.dat','');
DeleteFile('C:\Windows\System32\hjgruiimyraekt.dat');
QuarantineFile('C:\Windows\System32\hjgruigfcwjfym.dll','');
DeleteFile('C:\Windows\System32\hjgruigfcwjfym.dll');
QuarantineFile('C:\Windows\System32\drivers\hjgruivqfmoebj.sys','');
DeleteFile('C:\Windows\System32\drivers\hjgruivqfmoebj.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After the reboot, execute the following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');    
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and private message me the download link.

3) Redo Response Number 5 Step 2 (GMER).

If I'm helping you and I don't reply within 24 hours send me a PM.



#8
July 11, 2009 at 18:39:50

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) House cleaning. Run a full scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
July 11, 2009 at 19:00:37

In reply to Response 7

gmer.log file:

http://rapidshare.com/files/2547759...


gmer log name:
t5f62iv6.exe



#10
July 11, 2009 at 19:19:56

Follow Response Number 8. If it doesn't work, we'll try to remove it with some manual tools.

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
July 12, 2009 at 07:17:36

Malwarebytes' Anti-Malware:
http://rapidshare.com/files/2549568...
12__05-29-01_.txt.html

Superantispyware:
http://rapidshare.com/files/2549573...
can_Log_-_07-12-2009_-_06-26-57.log.html

Unfortunately I was unable to update either when they were
installed because my computer is refusing to use the internet
(despite it saying it's connected).
The problem, of course, still persists.



#12
July 12, 2009 at 08:44:03

Follow these steps carefully and in order numbered:

1) Download The Avenger by Swandog46 from here.

2) Unzip/extract it to a folder on your desktop.

3) Double click on avenger.exe to run The Avenger.

4) Click OK.

5) Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

6) Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

Drivers to delete:
hjgruisbefmndo

Files to delete:
C:\Windows\System32\drivers\hjgruivqfmoebj.sys
C:\Windows\System32\hjgruigfcwjfym.dll
C:\Windows\System32\hjgruiimyraekt.dat
C:\Windows\System32\hjgruioqqpavvu.dat
C:\Windows\System32\hjgruisymlnxdt.dll


7) In the Avenger window, click the Paste Script from Clipboard button.

8) Click the Execute button.

9) You will be asked Are you sure you want to execute the current script?.

10) Click Yes.

11) You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.

12) Click Yes.

13) Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

14) After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

15) Please upload this log to rapidshare.com and post a download link to the uploaded file.

If I'm helping you and I don't reply within 24 hours send me a PM.


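Added example, not part of the original thread or any poster's instructions: a read-only PowerShell check for whether the files and the driver service named in the AVZ script of Response 7 and the Avenger script of Response 12 are still on disk or still registered after the reboots. It assumes Windows is installed in C:\Windows as in the thread and that PowerShell is available on the machine; the prefix sweep in steps 2 and 3 is an addition that also looks for same-prefix names the scripts did not list.

```powershell
# Added example: read-only check, run from an elevated PowerShell prompt.
# Names and paths are copied from Responses 7 and 12; C:\Windows is assumed.
$listedService = 'hjgruisbefmndo'
$listedFiles = @(
    'C:\Windows\System32\drivers\hjgruivqfmoebj.sys',
    'C:\Windows\System32\hjgruigfcwjfym.dll',
    'C:\Windows\System32\hjgruiimyraekt.dat',
    'C:\Windows\System32\hjgruioqqpavvu.dat',
    'C:\Windows\System32\hjgruisymlnxdt.dll',
    'C:\Windows\Temp\hjgruivhxnqeajpx.tmp'
)
$prefix    = 'hjgrui'   # common prefix of every name above
$sweepDirs = 'C:\Windows\System32', 'C:\Windows\System32\drivers', 'C:\Windows\Temp'
$findings  = @()

# 1. Exact paths the removal scripts targeted.
foreach ($path in $listedFiles) {
    if (Test-Path -LiteralPath $path) { $findings += "listed file still present: $path" }
}

# 2. Files with the same prefix that the scripts did not list (hidden ones included).
foreach ($dir in $sweepDirs) {
    Get-ChildItem -LiteralPath $dir -Filter "$prefix*" -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $listedFiles -notcontains $_.FullName } |
        ForEach-Object { $findings += "unlisted file with prefix: $($_.FullName)" }
}

# 3. Service/driver registrations under the same prefix, with the binary they point at.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "$prefix*" } |
    ForEach-Object {
        $image = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $kind  = if ($_.PSChildName -eq $listedService) { 'listed' } else { 'unlisted' }
        $findings += "$kind service key present: $($_.PSChildName) -> $image"
    }

if ($findings.Count -eq 0) { 'No artifacts with this prefix were found.' } else { $findings }
```

A kernel driver that is still loaded can hide its files and registry keys from user-mode enumeration, so an empty result complements the GMER rescan requested in Response 7 rather than replacing it. On 64-bit Windows, run it from 64-bit PowerShell so that System32 is not redirected to SysWOW64.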

#13
July 12, 2009 at 09:16:26

avenger log:

http://rapidshare.com/files/2550009...

FYI:
Other than when it first just started up, the image error mostly
stopped. I don't believe it's completely gone though. The
internet has yet to function as it claims a possible firewall
preventing me. Symantec refuses to turn on its auto-protect.
The Microsoft Office issue seems to be resolved.



#14
July 12, 2009 at 10:22:41

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/. Then, private message me the download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#15
July 12, 2009 at 17:53:17

combo fix log:
http://rapidshare.com/files/2551593...


#16
July 12, 2009 at 18:22:38

Please run a BitDefender Online Scan
    * Click I Agree to agree to the EULA.
    * Allow the ActiveX control to install when prompted.
    * Click Cleaning Options > Scanning options > Scan files > Select "Scan all files" > Press "OK"
    * Click Start Scan to begin the scan.
    * Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
    * When the scan is finished, click on Click here to export the scan results.
    * Save the report to your desktop so you can post it in your next reply.

If I'm helping you and I don't reply within 24 hours send me a PM.



#17
July 12, 2009 at 19:03:22

When I turn on the internet browser it does not let me get
online.

It says:

"C:\Program Files\Mozilla Firefox\firefox.exe

Illegal operation attempted on a registry key that has been
marked for deletion."



#18
July 12, 2009 at 19:27:56

Download CCleaner and run the registry cleaner with it.

If I'm helping you and I don't reply within 24 hours send me a PM.



#19
July 13, 2009 at 09:22:44

I ran the cleaner under the cleaner tab. But under the registry tab I did
not "fix selected issues" after scanning for the issues because it
wanted me to back up the registries first.


#20
July 13, 2009 at 10:29:16

Fix the issues with the registry and post a screenshot of the detected entries.

If I'm helping you and I don't reply within 24 hours send me a PM.



#21
July 13, 2009 at 10:37:12

I couldn't open up Paint or a Word document to save the
printscreen. But I did manage to save them in a text file.

http://rapidshare.com/files/2554263...

They have been fixed; however, all programs still refuse to open,
giving the same message as I said in response 17.



#22
July 13, 2009 at 11:25:21

http://technet.microsoft.com/en-us/...

Redo: Make sure you're connected to the internet, then redo Response Number 3 step 1.

If I'm helping you and I don't reply within 24 hours send me a PM.



#23
July 13, 2009 at 14:30:30

virusinfo_syscure:

http://rapidshare.com/files/2555001...



#24
July 13, 2009 at 15:20:51

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
ExecuteRepair(1);
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(10);
RebootWindows(true);
end.

PS: You didn't run the script in Response Number 3 step 1 correctly; make sure you copy and paste the script as it is. Check if it made any difference in your problem. If not, you will have to try the Microsoft support forums for better help.

If I'm helping you and I don't reply within 24 hours send me a PM.



#25
July 13, 2009 at 15:36:28

If you remember correctly, I could not open any documents
because I received the error from response 17. The only
reason I could open any programs up is because I would open
it up as an administrator. I typed it in as best as I could and
checked the script for any syntax errors.

However, since it rebooted, I can now open up documents.
Would you like me to redo the instructions from Response 3
step 1 before continuing on to the steps in Response 24? Or
just continue on with Response 24?



#26
July 13, 2009 at 15:44:36

Continue with Response 24. Also update your Windows to Service Pack 2 if you don't have any other malware problems.

If I'm helping you and I don't reply within 24 hours send me a PM.



#27
July 14, 2009 at 05:19:02

Finished response 24 and currently updating my Windows to SP2. Anything else I need to do? I do not seem to have any bad symptoms anymore and the internet is working again.
