Possible virus

I have a possible problem. About a month ago my browser was hijacked. I used HijackThis to get rid of it. I had Search and Destroy running at the time, but did not have the anti hijacking turned on :-(.
Since then I have been getting an error message “runtime error 203” after leaving the computer alone for a few hours. Also the computer seems to have slowed down by at least 25%.
I have run Norton anti virus, nothing found. (I had it installed at the time of the hijack)
I have Zone Alarm, nothing strange seems to be trying to access the internet. (I installed it after the hijack)
If you could look at the logfile from HijackThis and see if there is anything unusual I would really appreciate it.

Logfile of HijackThis v1.97.6
Scan saved at 01:28:58, on 17.11.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.dell.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Rob Stone Commented:
Try running SFC /SCANNOW to check the integrity of the windows protected file systems.  If any of them are tampered with it could cause slow down and errors.

If that doesn't help then reapply SP4 and critical updates.

Go to www.symantec.com and do the online virus scan too just to double check you are clean.
runtime error 203 is generally caused by some trojan

Have you checked using the trojan remover listed by Lucf.. Try that and see if it recognises the trojan and delete it ..

Also you may want to try this trojan hunter  http://www.misec.net/

Let me go over this hijack log again.. Nothing is very obvious for me at the moment


When you're done...
Install a firewall

It's free for home users and has an active learning mode.
You will be notified of all events going through your system and have the opportunity to allow or disallow them.

wcubed (Author) Commented:
I am sorry it has taken me so long to get back to you all. I have been out of town.
I am running trojan hunter now and will run Trojan Remover next. If that does not solve the problem I will reinstall SP4 as recommended by stoner79.
I will let you know what the results are as soon as I get them.
Thank you all for sticking with me.
Luc Franken (EMEA Server Engineer) Commented:
Ok, let us know how it goes.
wcubed (Author) Commented:
Trojan Hunter  and Trojan Remover came up clean, as did Search and Destroy.. I re-applied SP4. Now I will wait to see if the error re-appears...
Hope it works out.
wcubed (Author) Commented:
The error just re-appeared… :-(
Something that may or may not be the cause was a piece of shareware I ran a while ago. It is called Xenu's Link Sleuth. I have removed it from the system. It is the only piece of software I can think of that I do not trust.
Luc Franken (EMEA Server Engineer) Commented:
Have you tried running "SFC /scannow" ?
on your next post supply the information that is displayed after each of the entries please:


I want to manually check for viruses

Oh Ya,

navigate to the keys described above
go to
the top navigation bar
select export file
make sure selected branch is selected
change the save as type to ALL FILES
save as RUN.TXT to your desktop
you will be able to copy and paste this info to this site on your next post
wcubed (Author) Commented:
wtrmk74 Below I have included the information you asked for. Well most of it. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Is not there. I get as far as policies but there is no subfolder explorer...

LucF I will now run SFC /scannow and let you know what happens.

ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
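
An added example, not part of any post in this thread: a Python sketch that compares the HKLM Run entries from the HijackThis log with the Run values posted above, listing names that disappeared, appeared or changed, plus any command registered without a full path. It assumes the posted values come from the HKLM Run key; the function names are illustrative.

```python
import re

# Constructed from this thread: O4 lines copied from the HijackThis log.
HJT_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
'''
# Run values as posted after the export (assumed here to be the HKLM Run key).
RUN_EXPORT = r'''
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
'''

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$')

def parse_hjt(log, hive="HKLM"):
    hits = (O4_RE.match(line.strip()) for line in log.splitlines())
    return {m.group(2): m.group(3) for m in hits if m and m.group(1) == hive}

def parse_export(text):
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {name: cmd for name, sep, cmd in pairs if sep}

def has_full_path(cmd):
    # A bare file name is resolved through the search path at logon.
    return re.match(r'^"?[A-Za-z]:\\', cmd) is not None

def compare(before, after):
    merged = {**before, **after}
    return {
        "removed": sorted(before.keys() - after.keys()),
        "added": sorted(after.keys() - before.keys()),
        "changed": sorted(n for n in before.keys() & after.keys() if before[n] != after[n]),
        "no_full_path": sorted(n for n, c in merged.items() if not has_full_path(c)),
    }

if __name__ == "__main__":
    print(compare(parse_hjt(HJT_LOG), parse_export(RUN_EXPORT)))
```

A name under `removed` only means it was absent from the posted values; a `no_full_path` entry is worth resolving to the actual file on disk before trusting it.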

wcubed (Author) Commented:
SFC /scannow ran without finding any problems.
That looks good...

now can you post the output of this command:

at the blinking cursor type
mem /c
copy these contents by right clicking in the upper left corner
select all
and paste them here.

wcubed (Author) Commented:
wtrmk74 here are the results from mem /c   :-)

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-1999.

C:\DOCUME~1\ADMINI~1>mem /c

Conventional Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  MSDOS              12048      ( 11.8K)       2F10
  KBD                 3280      (  3.2K)        CD0
  HIMEM               1248      (  1.2K)        4E0
  COMMAND             3792      (  3.7K)        ED0
  DOSX               34720      ( 33.9K)       87A0
  COMMAND             4512      (  4.4K)       11A0
  FREE                 112      (  0.1K)         70
  FREE              595408      (581.5K)      915D0

Total  FREE :       595520      (581.6K)

Upper Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  SYSTEM            212976      (208.0K)      33FF0
  DOSX                 128      (  0.1K)         80
  MOUSE              12528      ( 12.2K)       30F0
  MSCDEXNT             464      (  0.5K)        1D0
  REDIR               2672      (  2.6K)        A70
  NW16                2512      (  2.5K)        9D0
  VWIPXSPX             496      (  0.5K)        1F0
  FREE                 976      (  1.0K)        3D0
  FREE               29232      ( 28.5K)       7230

Total  FREE :        30208      ( 29.5K)

Total bytes available to programs (Conventional+Upper) :      625728   (611.1K)
Largest executable program size :                             594416   (580.5K)
Largest available upper memory block :                         29232   ( 28.5K)

   1048576 bytes total contiguous extended memory
         0 bytes available contiguous extended memory
    941056 bytes available XMS memory
           MS-DOS resident in High Memory Area

This looks good too...
what I was looking for is the difference between

Total Conventional Memory            - 595520

And Largest Available Executable      - 594416

Total conventional memory must always exceed the largest executable file.
So far everything looks good.

I will keep thinking
wcubed (Author) Commented:
Thank you. I do appreciate your help.
It seems as if your system is clean.
you have run all the diagnostics !

This is all I can think of , I have been racking my brain ~8-)

try this
open Internet Explorer
Internet Options
go down the list and
add a checkmark next to "Disable Script Debugging"
and Uncheck the box next to "Display a notification about every script error"


wcubed (Author) Commented:
Hello wtrmrk74,
The settings were already set as you described.
It must be something else. I will start taking notes on what I am running when the errors show up. See if I can see a pattern.
I have noticed that Dreamweaver and Photoshop often open when the errors popup(these days they come in pairs). I may have installed a bad extension.
I am in the process of moving so the computer will have to suffer in silence for a while.
Progress Report !

wcubed (Author) Commented:
Hello wtrmk74
I have not had much time to do much testing, but I have noticed that if either Photoshop or Dreamweaver are open I get the error.
I do know that sometimes I have been getting the error twice. That appears if both programs are running at the same time.
I have installed several extensions for Dreamweaver and some plugins for Photoshop.
I will have to go through and figure out if one of those is the cause of my sorrows…
Since it does not appear to be a virus I am going to award you the points for all your hard work making sure it was not.
I still can’t figure out why the machine is running so slow, but it could just be overloaded.
Anyway thank you again for all your help.
thank you for the response and the points...
on a different note these applications you are using are very processor intensive and utilize a lot of system ram !

is it faster when you initially start these programs ?
does it get slower as you are working and working ?

there is a slight chance that the hijack had nothing to do with your CPU usage dip
you could have at the same time had a module go bad in your ram !

by chance have you thought about upgrading your ram to see if this will help ?

just a thought !
wcubed (Author) Commented:
Unfortunately it is slow all the time.
Your memory idea is a good one. I will have to look into getting some more RAM. I have noticed extra HD activity. Could be a sign of RAM going bad...
Have a merry Christmas, and a super new year.
