Virus Question

By lostinhere · 19 replies
Jul 9, 2008
  1. I started seeing signs of a virus I believe I got off a facebook group (computer slowing, weird things popping up, and things that I didn't download were on my desktop, etc). At one point I received a blue screen that crashed my last computer (I got out of it this time). I ran Norton antivirus and I think I caught it, and I also ran McAfee antivirus and antispyware, and whatever it is I think I got rid of most of it, but my computer is still slow, and once in a while I still get the blue screen. Is there anything else I can do, or is the damage that has been done permanent?

    Sorry if this isn't very understandable - I'm not very computer smart...
    Thanks for your help.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Multiple Anti Virus programs:

    It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two or more anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

    Please remove all except one of them. Let me know which you want to keep and I will post a removal tool for the other.


    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. lostinhere

    lostinhere TS Rookie Topic Starter

    I didn't run them at the same time. I ran McAfee antispyware, then antivirus, and at the moment I'm running Norton. I think in the long run, however, I'm going to stick with McAfee.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Usually both of those include real-time protection and that is the biggest issue with multiple AV products.

    Get me the HijackThis log and I can see more from there.
  5. lostinhere

    lostinhere TS Rookie Topic Starter

    Here ya go. Tell me if I'm giving you the wrong thing.
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have an interesting infection on there that I would like to identify - we can remove it easily, but I would like more info.

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\Program Files\rhcj2aj0eaav\rhcj2aj0eaav.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
  7. lostinhere

    lostinhere TS Rookie Topic Starter

    I don't know if this is what you were looking for, but this is all I got.

    0 bytes size received / Se ha recibido un archivo vacio
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    hmm, I was hoping for more. Let's clean up a bit, and enable your registry editor which is disabled from this.

    Go to Start - Control Panel - Add/remove programs and uninstall anything to do with Viewpoint and rhcj2aj0eaav (if there)


    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
      O4 - HKLM\..\Run: [lphcn2aj0eaav] C:\WINDOWS\system32\lphcn2aj0eaav.exe
      O4 - HKLM\..\Run: [SMrhcj2aj0eaav] C:\Program Files\rhcj2aj0eaav\rhcj2aj0eaav.exe
      O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Program Files\rhcj2aj0eaav

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.

    If your computer does not restart automatically, please restart it manually.


    After reboot - run a fresh HijackThis scan and attach the log here for me.
  9. lostinhere

    lostinhere TS Rookie Topic Starter

    Here it is.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.


    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
      O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. lostinhere

    lostinhere TS Rookie Topic Starter

    The entries you told me to remove in hijackthis weren't there, and I'm having trouble with Malwarebytes' Anti-Malware. It started running fine, and then I got one of those messages that said it encountered an error and had to close. I tried restarting the program but I got another message that says "Malwarebytes' Anti-Malware is already running."
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Try hitting Ctrl+Alt+Del, then stop the process for Malwarebytes, then relaunch the program.

    You can also try running it from Safe Mode - to get to Safe Mode, tap F8 when your computer boots and select Safe Mode from the list.
  13. lostinhere

    lostinhere TS Rookie Topic Starter

    I restarted my computer and it still gives me a message saying that it has encountered an error (about 30 seconds into the scan).

    All the other problems I was having seem to have cleared up though. I'm not getting any more popups saying my computer is infected, my computer has sped up, and my desktop background has gone back to normal as well. Should I still be worried or is it possible this is off my computer?
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's have a deeper look - first we need to disable real-time protection.

    Disable the McAfee VirusScan ScriptStopper feature by:
    1. Right-mouse click the McAfee VirusScan icon in the system tray.
    2. Select VirusScan then click Options.
    3. Click the Advanced button and then click the ScriptStopper tab.

      Note: McAfee VirusScan 10 users, click the Exploits tab.
    4. Make sure Enable ScriptStopper (recommended) option is de-selected.
    5. Click OK and then click OK again to finish disabling the McAfee ScriptStopper feature.


    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
  15. lostinhere

    lostinhere TS Rookie Topic Starter

    Alright, here it is.
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    In Windows Explorer, click Tools|Folder Options|View tab|check the box "Show hidden files and folders", uncheck the box "Hide protected operating system files"|Apply|OK

    Right-click on C:\WINDOWS\system32\user32.dll and rename it to user32.old

    Then navigate to C:\WINDOWS\system32\dllcache\user32.dll, right-click -> Copy, and paste it into the C:\WINDOWS\system32 folder

    Reboot the computer.

    Run ComboFix again and attach the new log here.
  17. lostinhere

    lostinhere TS Rookie Topic Starter

    Can I just ask if you think there is something there? Or do you think it's clear and you're just making sure? Every symptom I was experiencing before is gone and my computer is working completely normally again, and maybe this is just my naive thinking, but is it possible it's all ok at this point?
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    There is a difference between removing symptoms and removing malware.

    If I had you copy and paste your log instead of attaching it - then you would see this (notice what's in red) =

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2008-07-09 18:50 --------- d-----w C:\Documents and Settings\Sarah\Application Data\LimeWire
    2008-07-09 16:36 --------- d-----w C:\Program Files\Norton Security Scan
    2008-07-09 16:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-09 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-09 13:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-09 13:11 --------- d-----w C:\Documents and Settings\Sarah\Application Data\DNA
    2008-07-09 12:49 577,536 ----a-w C:\WINDOWS\system32\user32.DLL
    2008-07-09 10:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-07-09 03:51 --------- d-----w C:\Program Files\AIMTunes
    2008-07-02 22:30 106,496 ----a-w C:\WINDOWS\system32\ATL71.DLL
    2008-07-02 22:23 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-06-23 21:03 --------- d-----w C:\Program Files\AIM6
    2008-06-18 20:59 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-18 20:49 --------- d-----w C:\Documents and Settings\Sarah\Application Data\U3
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-24 23:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
    577,024 2005-03-02 18:09:30 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
    577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    561,152 2005-03-02 18:20:03 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
    577,024 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    560,128 2003-03-31 12:00:00 C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
    577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    577,024 2004-08-04 07:56:46 C:\WINDOWS\ServicePackFiles\i386\user32.dll
    577,536 2008-07-09 12:49:29 C:\WINDOWS\system32\user32.DLL
    577,536 2008-07-09 12:49:29 C:\WINDOWS\system32\dllcache\user32.dll

    ------- Sigcheck -------

    2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
    2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2005-03-02 14:20 561152 74202eb1bd67e8be9509e38c8d2234b0 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
    2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    2003-03-31 08:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
    2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
    2008-07-09 08:49 577536 786df2a8f9676625ef37a5a008136f81 C:\WINDOWS\system32\user32.DLL
    2008-07-09 08:49 577536 786df2a8f9676625ef37a5a008136f81 C:\WINDOWS\system32\dllcache\user32.dll
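    The Sigcheck block in the log above lists every copy of user32.dll that ComboFix found, with size and MD5. As an added example (not code from this thread, from ComboFix or from the poster), the following Python script parses those lines and reports, for each live copy under system32 (including dllcache), whether its hash matches any of the patch or service-pack backup copies. The sizes, hashes and paths are taken from the log as embedded sample input; the grouping logic and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sigcheck lines from the ComboFix log quoted in the post above, embedded as sample input.
SIGCHECK_LOG = r"""
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2005-03-02 14:20 561152 74202eb1bd67e8be9509e38c8d2234b0 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2003-03-31 08:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2004-08-04 03:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-07-09 08:49 577536 786df2a8f9676625ef37a5a008136f81 C:\WINDOWS\system32\user32.DLL
2008-07-09 08:49 577536 786df2a8f9676625ef37a5a008136f81 C:\WINDOWS\system32\dllcache\user32.dll
"""

# One Sigcheck line: "<date> <time> <size> <md5> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")

def parse_sigcheck(text):
    """Return one dict per Sigcheck line with its timestamp, size, md5 and path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"time": m.group(1), "size": int(m.group(2)),
                            "md5": m.group(3), "path": m.group(4)})
    return entries

def is_live_copy(path):
    """The copies Windows loads or restores from: system32 and its dllcache."""
    return "\\system32\\" in path.lower()

def audit(entries):
    """Compare each live copy with the hashes of the patch/service-pack backup copies.
    A live copy whose MD5 matches no backup is 'unverified'; otherwise the backups
    sharing its hash are listed as the verified source."""
    known = defaultdict(list)  # md5 -> backup paths carrying that hash
    for e in entries:
        if not is_live_copy(e["path"]):
            known[e["md5"]].append(e["path"])
    report = {}
    for e in entries:
        if is_live_copy(e["path"]):
            matches = known.get(e["md5"], [])
            report[e["path"]] = {"status": "verified" if matches else "unverified",
                                 "matches": matches, "time": e["time"], "size": e["size"]}
    return report
```

    Run on the log above, both live copies come back unverified with the same hash and the infection-day timestamp, which is the detail the post asks the reader to notice: the dllcache copy is identical to the system32 copy, so only the backup copies carry a hash seen before 2008-07-09.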
  19. lostinhere

    lostinhere TS Rookie Topic Starter

    Sorry. The combofix thing just made me really nervous =/. I'll be the first to admit it, I know next to nothing about fixing computers.
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I would be more nervous about what corrupted your system files than about what is fixing them,

    or about the fact that you use Limewire (P2P) and you download software from undocumented sources.