
Weird virus warnings - anyone else getting this?

  #1  
Old 01-11-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts

So, the other day, I was experimenting with online storage sites, and somewhere along there I think I picked up a nasty little bug.

When I restart my computer, I keep getting a message that says during startup, the computer couldn't find

C:\Windows\system32\mljgg.exe.

And, it gets worse. Now, I'm being greeted with this when I turn on the computer, in addition to the above:

"Important – Potential errors found in the system

During a scan of files at system startup, potential errors in the system registry were found. P-07-0100 irql: 1F SYSVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED"

I know registry problems are BIG problems, so I'm loath to do anything unless I have some expert advice at the ready. Anyone able to help?
  #2  
Old 01-11-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts
Ah, the plot thickens. Now, my computer slows to a crawl, then I get the following pop-up:

"You system could become unstable

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer
****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)"

What the hell is THAT? The language is weird, and the wording sounds... off. Don't know what to make of it.
  #3  
Old 01-12-2008
KRS84 KRS84 is offline
Newcomer, in training
 
Member since: Jan 2008, 4 posts
What does one need to post in order to get help with a trojan spyware? I'm new to all this.
  #4  
Old 01-12-2008
plasma dragon00 plasma dragon00 is offline
TechSpot Member
 
Location: NJ, USA
Member since: Oct 2007, 116 posts
tom, the second post. what kind of popup do you mean? is it the BSOD (blue screen of death) or a popup? if that is the exact wording of the popup, it doesn't sound right to me either. "...Windows has been shutdown buggy application..." if that is exactly what it says, i think it could be a virus. could you please post a screenshot of any of these errors you are receiving?

if you don't know how, when one pops up, press the "Print Screen" button on your keyboard (maybe something along the lines of "Prnt Scrn") then, click start and either find your paint program or click start>run> and type in "mspaint" and hit enter. paste the picture into the program, save it, and upload it to photobucket or something along those lines and put a link to it.
  #5  
Old 01-12-2008
kimsland kimsland is offline
TechSpot Guru
 
Member since: Dec 2007, 9,332 posts
Confirm your AntiVirus software is up to date

Download Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
And remove any mljgg.exe instances

Restart

Download Ad-Aware and run an update then a full scan
http://www.lavasoftusa.com/products/ad_aware_free.php

Download Spybot Search & Destroy and run an update then a full scan
http://www.safer-networking.org/en/mirrors/index.html

Restart

Reply back with more info after that

You may also need to read:
Viruses/Spyware/Malware, preliminary removal instructions
http://www.techspot.com/vb/topic58138.html
  #6  
Old 01-13-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts
Thanks, Kim. I followed up on all that you mentioned. The Startup control panel is a useful tool, but nothing labeled mljgg was showing up in there. After running the Ad-aware and Spybot S&D, most of it seems under control.

But now I'm still getting a warning similar to the first one I posted, except the mljgg has been replaced with a jkkjk.exe file.

I did a search in my registry, and I found both the mljgg and jkkjk file in the registry under windows/MUIcache. Should I delete these files, or are they legit? I found a ton of stuff in that folder that looks suspect.

Also, something has happened to my temporary folders file apparently, because now when I go into My Documents, I have a TON of TMP Files that came from seemingly nowhere. They're all labeled from pos1A00 through posFFF. There's literally thousands of them, and I'm not sure what to do about that now.

And to answer your question, plasma, no, I'm not getting the Blue screen. It's a regular popup that occurs randomly. I do believe it's been neutralized by the ad-aware and spyware combos I just used, but I have a feeling this isn't over, either.

Edit: Great. I'm still getting that grammatically-incorrect Windows warning, and am greeted with that same:

"During a scan of files at system startup, potential errors in the system registry were found. P-07-0100 irql: 1F SYSVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED"

warning.

Last edited by tom_oftheplains; 01-13-2008 at 08:03 PM.
  #7  
Old 01-13-2008
jrdrag1052 jrdrag1052 is offline
Newcomer, in training
 
Member since: Jan 2008, 1 posts
Help!!!

Wow this is a really tricky one....... I'm getting the same thing and I have tried sys restore, recovery console. And none of my virus programs can find a problem. I also have the thousands of .tmp files in my documents

Someone PLEASE help!!!
  #8  
Old 01-14-2008
kimsland kimsland is offline
TechSpot Guru
 
Member since: Dec 2007, 9,332 posts
You both need to follow
Viruses/Spyware/Malware, preliminary removal instructions
http://www.techspot.com/vb/topic58138.html

And then provide HijackThis logs (as stated in the above link)

You can also do an online scan with:
http://www.kaspersky.com/virusscanner

Yes you can remove all those mljgg and jkkjk files (By the way, do you have Trend installed?)

jrdrag1052 I prefer you make a new thread, as Hijack This reports are usually big, and there will be confusion if there are two of you!
  #9  
Old 01-15-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts
Okay, I think I'm 99% in the clear. I just need to be able to go to the part that's responsible for those mljgg files and remove them from the startup registry. Of course, I've forgotten how to do this. Anyone remember?
  #10  
Old 01-15-2008
plasma dragon00 plasma dragon00 is offline
TechSpot Member
 
Location: NJ, USA
Member since: Oct 2007, 116 posts
if you want to edit startup entries, start>run, type in "msconfig" and hit enter (without the quotes of course). go to the "Startup" tab, find what you want to remove. make sure though that it is the right thing!!!!! once you're sure it is, uncheck it. click "Apply" at the bottom, then "Ok" at the bottom. when it asks to restart, click restart now. and cross your fingers and hope you didn't mess anything up lol

good luck
  #11  
Old 01-15-2008
stangpride stangpride is offline
Newcomer, in training
 
Location: NoVA
Member since: Mar 2007, 15 posts
Did you mean how to get to the registry editor since you mentioned "startup registry" and not just 'startup' by itself? If so, start>run, type "regedit" (without the quotes). I do not know exactly what might need to be edited in the registry to resolve your issue, but I do know that you need to be extremely careful doing anything to the registry, as it can affect your ability to boot as well as render your system unrecoverable if you mess with the wrong things.
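A read-only way to list the startup entries that posts #10 and #11 reach through msconfig and regedit, flagging any whose program file no longer exists (the "couldn't find ...mljgg.exe" symptom from post #1). This is an added example, not part of the original thread; the function names `Get-CommandTarget` and `Get-StartupEntry` are hypothetical, and it assumes only the four standard Run/RunOnce keys need checking.

```powershell
# Added example (not from the thread): read-only audit of Run/RunOnce startup entries.
# Assumption: only the four standard Run/RunOnce keys are checked; other autostart
# locations are out of scope. Nothing is modified or deleted.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the program path out of a startup command line.
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }            # quoted path, may contain spaces
    if ($cmd -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') {   # unquoted path, may contain spaces
        return $Matches[1]
    }
    return ($cmd -split '\s+')[0]                                    # fall back to the first token
}

# Hypothetical helper: one object per startup value, with a file-exists check.
function Get-StartupEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $target  = Get-CommandTarget -CommandLine $command
            if (-not $target) {
                $exists = $false
            } elseif ($target -match '^[A-Za-z]:\\|^\\\\') {
                $exists = Test-Path -LiteralPath $target -PathType Leaf
            } else {
                # Bare names such as rundll32.exe are resolved through PATH.
                $exists = [bool](Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Target = $target
                TargetExists = $exists; Command = $command
            }
        }
    }
}

# Entries whose target is missing sort first; they are the candidates for the
# "couldn't find" startup message described in post #1.
Get-StartupEntry | Sort-Object TargetExists | Format-Table -AutoSize -Wrap
```

Only the first program on each command line is checked, so an entry that launches a missing file through a loader that does exist will still show `TargetExists` as True; read the `Command` column for those.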
  #12  
Old 01-15-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts
Well, that part did the trick. I had to remove the mljgg file from both the regedit and the msconfig startup directories.

So, now I'm back to normal - if only I could figure out what to do with those thousands of TMP files that have mysteriously shown up in the My Documents folder. Will deleting them cripple something?
  #13  
Old 01-15-2008
Rage_3K_Moiz Rage_3K_Moiz is offline
TechSpot Evangelist
 
Location: Al Ghusais, Dubai, UAE
Member since: Sep 2005, 4,593 posts
These TMP files also might show up in the C:\ root and are usually safe to delete. I had a similar trojan and I had to delete a lot of similar files as well as registry entries in order to clean the system fully. I recommend asking momok for help, since he's the expert around these parts AFAIK in Howard's absence. Only if he tells you to delete them should you delete them.
  #14  
Old 03-03-2008
imicinos imicinos is offline
Newcomer, in training
 
Member since: Mar 2008, 2 posts
This bug is starting to show up everywhere.
It's spreading like the plague and moving at the rate of the internet hi on light speed.

Definitely a Hijack virus.

... let the re-installation begin

I'm happy that it didn't happen to my designer system... only to the gamer system.
  #15  
Old 03-03-2008
kimsland kimsland is offline
TechSpot Guru
 
Member since: Dec 2007, 9,332 posts
imicinos please start your own thread, I think (ie I'm not sure if you're trying to help here or not?)
  #16  
Old 03-03-2008
imicinos imicinos is offline
Newcomer, in training
 
Member since: Mar 2008, 2 posts
yes this was in relation to the thread or I would have...

can't seem to please anyone, start a new thread and I get told to search for the topic at hand then I find exactly what I'm having issues with then I get told to start my own thread....

WTF?

Anyway, whatevs, laters.
  #17  
Old 03-04-2008
jobeard jobeard is offline
TechSpot Evangelist
 
Location: Southern Calif.
Member since: Apr 2005, 6,378 posts
we ask for unique threads per person so that the instructions for one do not conflict or damage the original poster.

btw: if you want help, then learn to be polite otherwise we may well choose to ignore you and leave you stranded

caveat emptor.

Last edited by jobeard; 03-04-2008 at 02:30 PM.
  #18  
Old 03-04-2008
tom_oftheplains tom_oftheplains is offline
Newcomer, in training
 
Member since: Mar 2007, 24 posts
Well, thanks tons for the help everyone. System normal, everything's fine here. We're fine. Here. Now. How are you?
  #19  
Old 03-04-2008
kimsland kimsland is offline
TechSpot Guru
 
Member since: Dec 2007, 9,332 posts
I loved that line in Star Wars, and then Han Solo shoots the control (He was definitely the star)

Anyway, thanks for the update.
  #20  
Old 03-04-2008
kirock kirock is offline
TechSpot Maniac
 
Location: Hamilton, Canada
Member since: Jul 2005, 1,594 posts
Harrison Ford was originally hired to READ the lines for other actors, while George Lucas looked for a suitable actor for the Han Solo character. After many auditions and no good actor found, George had a eureka moment and realized Harrison was perfect for the job (after all he had been reading the character's lines for many weeks by now).
