I have some viruses!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Broomy, Nov 7, 2006.

  1. Broomy

    Broomy Private E-2

    Hi, I think I've recently got some viruses from somewhere. I receive a message each time I boot up my PC which says that something is trying to change my Internet Explorer settings (which I can't reject but instead just have to close the window). I'm also getting quite a few popups when I'm using my browser (Firefox).

    I'd appreciate any help to get rid of them.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Broomy :)


    The first steps we advise taking for us to assist are the ones below. Running them in the order laid out gets your PC to a known state for our malware experts, and attaching the requested logs allows them to locate the malware on your PC that's causing the problems and to post further removal instructions if needed, as sometimes the guide can clear the infection up first without any extra steps.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Broomy

    Broomy Private E-2

    Thanks Halo,

    I've gone through the thread and completed all of the steps. However I couldn't connect to the internet in safe mode for a couple of the scans so I had to do them in normal mode.

    I still have the same problems, I'll try and explain them:

    When I boot up my PC I sometimes get an error about there being no disk in drive A:. I can cancel this and then get into Windows. Upon loading Windows I always get this message:

    The following BHO has been added to your system:
    {24599ED-3603-4D0B-8BE0-5BF924F989DB}
    ProgID: n/a
    File Location: C:\WINDOWS\System32\mljgd.dll

    Apart from this I also get pop-up windows in both Firefox and I.E. Firefox usually randomly opens blank windows, whereas I.E. usually has pop-up windows that try to get me to download WinAntiVirus Pro 2006 from a site at amaena .com, which does try to occur in Firefox but the page gets blocked from loading properly. When using I.E. I now regularly receive this error:

    Microsoft Visual C++ Runtime Library
    Runtime Error!
    Program: C:\WINDOWS\Explorer.exe

    I have attached the log files from the scans. Any help would be greatly appreciated.
     

  4. Broomy

    Broomy Private E-2

    Here's the other 3 attachments.

    Thanks again
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before beginning the fix, uninstall any programs such as Ewido and CounterSpy that you installed per the READ ME, if you did not purchase them.

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    First...
    Click Start > Run > type services.msc and Click OK

    Locate netutil and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Second:
    Click Start -> Run -> Type the below:

    sc delete netutil

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Instant Buzz

    Blotter

    (If you're familiar, you can keep it)

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    netutil.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {EA8C698E-3130-400C-9D3C-726D4030BE4E} - C:\WINDOWS\System32\mljgd.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\ipujibiu.dll

    O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
    O3 - Toolbar: Blotter toolbar - {4c4f19db-01b5-4f89-a509-f3f1d849e69b} - C:\Program Files\Blotter\tbBlot.dll
    O3 - Toolbar: Article_Blotter toolbar - {589af12b-da03-4f60-9c5c-f34bfea3552f} - C:\Program Files\Article_Blotter\tbArt0.dll

    O4 - HKLM\..\Run: [HostSVC syse] HostSVC.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O15 - Trusted Zone: http://www.articleblotter.com

    O20 - Winlogon Notify: mljgd - C:\WINDOWS\System32\mljgd.dll

    O23 - Service: netutil - Unknown owner - C:\WINDOWS\netutil.exe

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode; be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Now, navigate to and DELETE the following if they still remain:

    C:\Program Files\Instant Buzz   Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Next, we need to Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.



    Once you complete this long fix, reboot once more and attach a fresh HJT log from normal mode.
     
  6. Broomy

    Broomy Private E-2

    Thanks for the instructions bjgarrick. I've followed them the best I can but had a couple of problems:

    I couldn't stop the netutil service as it already was stopped. However I still went ahead and disabled it on startup type. I also couldn't find this in HijackThis:

    O2 - BHO: (no name) - {EA8C698E-3130-400C-9D3C-726D4030BE4E} - C:\WINDOWS\System32\mljgd.dll

    I did however find this and selected it instead:

    O2 - BHO: (no name) - {4856D9C7-4F41-4A7B-A936-3C0C5E62F541} - C:\WINDOWS\System32\mljgd.dll

    I'm still receiving a message on boot up similar to the one I was receiving previously (the long set of numbers and letters is different though). I now get this:

    The following BHO has been added to your system:
    {5E215B78-83BF-4477-8350-2334616700E4}
    ProgID: n/a
    File Location: C:\WINDOWS\System32\mljgd.dll

    I'm not sure whether I'll receive the other problems I was having such as popups as I haven't tried using my browser extensively yet.

    Thanks for your help. I've attached a HijackThis log.
     

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of \mljgd.dll once and then click the kill button. After you have killed all of the \mljgd.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of \mljgd.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5E215B78-83BF-4477-8350-2334616700E4} - C:\WINDOWS\System32\mljgd.dll
    O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)

    O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)

    O20 - Winlogon Notify: mljgd - C:\WINDOWS\System32\mljgd.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\dgjlm.ini
    C:\WINDOWS\SYSTEM32\dgjlm.ini2
    C:\WINDOWS\SYSTEM32\dgjlm.bak
    C:\WINDOWS\SYSTEM32\dgjlm.bak1
    C:\WINDOWS\SYSTEM32\dgjlm.bak2
    C:\WINDOWS\SYSTEM32\dgjlm.tmp
    C:\WINDOWS\System32\mljgd.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  8. Broomy

    Broomy Private E-2

    Okay, I've done that. The only problem I had was that O2 - BHO: (no name) - {5E215B78-83BF-4477-8350-2334616700E4} - C:\WINDOWS\System32\mljgd.dll wasn't in HijackThis, but this file was instead:

    O2 - BHO: (no name) - {E9F400A8-3469-43C0-AEF5-111C82FD960C} - C:\WINDOWS\System32\mljgd.dll

    It seems to change the numbers and letters each time. I selected and fixed the file above instead though.

    When I rebooted my pc I didn't receive the message regarding the BHO being added.

    I've attached my new HJT log.

    Thanks again.
     
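The entries quoted in posts 5, 7 and 8 show the pattern that made fixing by CLSID keep missing: the same mljgd.dll comes back under a different BHO CLSID every boot and is also registered as a Winlogon Notify package (the O20 line), which is why the expert had the threads it runs inside winlogon.exe and explorer.exe killed before the file was deleted. The script below is an added example, not part of the thread and not HijackThis' or MajorGeeks' code. It folds several HijackThis-style log snapshots into one view keyed by the module path rather than the CLSID, so a rotating identifier no longer hides the persistent file. The log lines are constructed from entries quoted in this thread, not a captured log; HijackThis itself is a real tool, but the parser's section and path handling is this example's own assumption about the log format.

```python
"""Triage HijackThis-style log snapshots by the module each entry loads.

Added example for this thread; not HijackThis' or MajorGeeks' own code.
The snapshots are constructed from entries quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed snapshots: bjgarrick's lists from posts 5 and 7, and the entry
# Broomy found in post 8. Real logs are much longer; only these lines matter here.
SNAPSHOTS = [
    r"""
O2 - BHO: (no name) - {EA8C698E-3130-400C-9D3C-726D4030BE4E} - C:\WINDOWS\System32\mljgd.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\ipujibiu.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: mljgd - C:\WINDOWS\System32\mljgd.dll
O23 - Service: netutil - Unknown owner - C:\WINDOWS\netutil.exe
""",
    r"""
O2 - BHO: (no name) - {5E215B78-83BF-4477-8350-2334616700E4} - C:\WINDOWS\System32\mljgd.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll (file missing)
O20 - Winlogon Notify: mljgd - C:\WINDOWS\System32\mljgd.dll
""",
    r"""
O2 - BHO: (no name) - {E9F400A8-3469-43C0-AEF5-111C82FD960C} - C:\WINDOWS\System32\mljgd.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
""",
]

# Assumed log shape: "<section> - <details>", e.g. "O2 - BHO: ..." or "R0 - HKCU...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .dll or .exe; stops before "(file missing)".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per log line: section, CLSID (or None), module path (or None)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "module": path.group(0).lower() if path else None,  # case-folded key
            "missing": "(file missing)" in body,
        })
    return entries


def summarize_modules(snapshots):
    """Fold several snapshots into one view keyed by module path.

    For each file: the sections it appears under, the CLSIDs seen per section,
    and how many snapshots contained it at all.
    """
    view = defaultdict(lambda: {"sections": set(), "clsids": defaultdict(set), "seen_in": 0})
    for text in snapshots:
        modules_here = set()
        for e in parse_hjt(text):
            if e["module"] is None:
                continue
            rec = view[e["module"]]
            rec["sections"].add(e["section"])
            if e["clsid"]:
                rec["clsids"][e["section"]].add(e["clsid"])
            modules_here.add(e["module"])
        for mod in modules_here:
            view[mod]["seen_in"] += 1
    return dict(view)


def suspicious_modules(snapshots):
    """Flag a file that rotates its CLSID within one section, or hooks Winlogon (O20)."""
    flags = {}
    for mod, rec in summarize_modules(snapshots).items():
        reasons = []
        for section, ids in rec["clsids"].items():
            if len(ids) > 1:
                reasons.append(f"{len(ids)} different CLSIDs under {section} for the same file")
        if "O20" in rec["sections"]:
            reasons.append("registered as a Winlogon Notify package (loads inside winlogon.exe)")
        if reasons:
            flags[mod] = reasons
    return flags


if __name__ == "__main__":
    for mod, reasons in suspicious_modules(SNAPSHOTS).items():
        print(mod)
        for reason in reasons:
            print("  -", reason)
```

Grouping by path rather than CLSID is the whole point: a legitimate toolbar such as IBBar.dll legitimately has one CLSID as a BHO (O2) and another as a toolbar (O3), so the check only fires when one section shows several CLSIDs for the same file, which is what mljgd.dll does across the three posts. The O20 check is separate because a Winlogon Notify DLL is loaded by winlogon.exe itself, so it has to be unloaded (the Process Explorer thread-kill step in post 7) before a delete-on-reboot can succeed.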

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?

    Are you familiar with this entry below? If so, you can leave it, if you do not know it then have HJT fix it.

     
  10. Broomy

    Broomy Private E-2

    I haven't had any other problems yet, fingers crossed I won't.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qwikezine.com/

    This is one of my sites so that's ok.

    Thanks for helping, I really appreciate it :D.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  12. Broomy

    Broomy Private E-2

    Thank you, I'll have a read through.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
