Possible virus (Solved)

Posted on 2003-11-17. Last Modified: 2010-04-13
Hello,
I have a possible problem. About a month ago my browser was hijacked. I used HijackThis to get rid of it. I had Search and Destroy running at the time, but did not have the anti-hijacking turned on :-(.
Since then I have been getting an error message “runtime error 203” after leaving the computer alone for a few hours. Also the computer seems to have slowed down by at least 25%.
I have run Norton AntiVirus, nothing found. (I had it installed at the time of the hijack.)
I have ZoneAlarm, nothing strange seems to be trying to access the internet. (I installed it after the hijack.)
If you could look at the logfile from HijackThis and see if there is anything unusual I would really appreciate it.

Logfile of HijackThis v1.97.6
Scan saved at 01:28:58, on 17.11.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WFXSVC.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.dell.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Question by: wcubed

25 Comments
Expert Comment by: Luc Franken (LVL 32)

Expert Comment by: Rob Stone (LVL 15)
Try running SFC /SCANNOW to check the integrity of the Windows protected files. If any of them have been tampered with, it could cause slowdowns and errors.

If that doesn't help, then reapply SP4 and the critical updates.

Go to www.symantec.com and do the online virus scan too, just to double check you are clean.

Expert Comment by: sunray_2003 (LVL 49)
Runtime error 203 is generally caused by some trojan.

Have you checked using the trojan remover listed by LucF? Try that and see if it recognises the trojan and deletes it.

Also you may want to try this trojan hunter: http://www.misec.net/

Let me go over this hijack log again. Nothing is very obvious to me at the moment.


Sunray

Expert Comment by: wtrmk74 (LVL 7)
When you're done...
Install a firewall
http://www.kerio.com/kpf_download.html

It's free for home users and has an active learning mode:
you will be notified of all events going through your system and have the opportunity to allow or disallow them.

wtrmk74

Expert Comment by: wtrmk74 (LVL 7)
Anything?

Author Comment by: wcubed
I am sorry it has taken me so long to get back to you all. I have been out of town.
I am running Trojan Hunter now and will run Trojan Remover next. If that does not solve the problem I will reinstall SP4 as recommended by stoner79.
I will let you know what the results are as soon as I get them.
Thank you all for sticking with me.

Expert Comment by: Luc Franken (LVL 32)
Ok, let us know how it goes.

Author Comment by: wcubed
Trojan Hunter and Trojan Remover came up clean, as did Search and Destroy. I re-applied SP4. Now I will wait to see if the error re-appears...

Expert Comment by: wtrmk74 (LVL 7)
Hope it works out.

Author Comment by: wcubed
The error just re-appeared… :-(
Something that may or may not be the cause was a piece of shareware I ran a while ago. It is called Xenu's Link Sleuth. I have removed it from the system. It is the only piece of software I can think of that I do not trust.

Expert Comment by: Luc Franken (LVL 32)
Have you tried running "SFC /scannow" ?

Expert Comment by: wtrmk74 (LVL 7)
On your next post, supply the information that is displayed after each of these entries please:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


I want to manually check for viruses

thanks
wtrmk74

Expert Comment by: wtrmk74 (LVL 7)
Oh yeah,
Start
Run
regedit

navigate to the keys described above
go to
the top navigation bar
under REGISTRY
select export file
make sure selected branch is selected
change the save as type to ALL FILES
save as RUN.TXT to your desktop
you will be able to copy and paste this info to this site on your next post

Author Comment by: wcubed
wtrmk74, below I have included the information you asked for. Well, most of it. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run is not there. I get as far as Policies but there is no subfolder Explorer...

LucF I will now run SFC /scannow and let you know what happens.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
PRPCMonitor=PRPCUI.exe
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed=1
NoChange=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe=ctfmon.exe
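One way to do the cross-check wtrmk74 is working towards, as an added example and not code from anyone in the thread: it parses the O4 lines of the HijackThis log posted at the top and the Run-key export in the post above (both copied from this thread; the OptionalComponents subkeys are left out) and reports autorun entries that are new, gone, or now point at a different command, so the reviewer only has to account for what changed since the scan.

```python
import re
# Copied from this thread: the O4 lines of the first HijackThis log, and the Run-key export above (OptionalComponents subkeys omitted).
HJT_O4 = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe"""
REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
PRPCMonitor=PRPCUI.exe
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe=ctfmon.exe"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
def norm(cmd):
    # Drop quoting and case so the two formats compare equal for the same command.
    return cmd.replace('"', "").strip().lower()
def parse_hjt(log):
    """(hive, value name) -> command, for each O4 Run entry of a HijackThis log."""
    matches = (O4_RE.match(ln.strip()) for ln in log.splitlines())
    return {(m.group(1), m.group(2)): norm(m.group(3)) for m in matches if m}
def parse_reg(export):
    """(hive, value name) -> command, from a regedit text export of the Run keys."""
    entries, hive = {}, None
    for ln in (raw.strip() for raw in export.splitlines()):
        if ln.startswith("[") and ln.endswith("]"):
            hive = HIVES.get(ln[1:-1].split("\\", 1)[0])  # section header names the hive
        elif hive and "=" in ln:
            name, cmd = ln.split("=", 1)
            entries[(hive, name)] = norm(cmd)
    return entries
def diff_autoruns(hjt, reg):
    """Autorun entries that appeared, vanished, or changed command between the two snapshots."""
    added = sorted(k for k in reg if k not in hjt)
    removed = sorted(k for k in hjt if k not in reg)
    changed = sorted(k for k in hjt if k in reg and hjt[k] != reg[k])
    return added, removed, changed

if __name__ == "__main__":
    for hive, name in diff_autoruns(parse_hjt(HJT_O4), parse_reg(REG_EXPORT))[0]:
        print(f"new since the HijackThis scan: {hive}\\...\\Run\\{name}")
```

Each name it flags should be explainable by a known install (here THGuard and TrojanScanner belong to the two scanners added during the thread); one that nobody can account for is where a manual check of the file behind it belongs.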

Author Comment by: wcubed
SFC /scannow ran without finding any problems.

Expert Comment by: wtrmk74 (LVL 7)
OK
That looks good...

now can you post the output of this command:

Start
Run
command.com
at the blinking cursor type
mem /c
copy these contents by right clicking in the upper left corner
edit
select all
copy
and paste them here.

thanks
wtrmk74

Author Comment by: wcubed
wtrmk74 here are the results from mem /c   :-)

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-1999.

C:\DOCUME~1\ADMINI~1>mem /c

Conventional Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  MSDOS              12048      ( 11.8K)       2F10
  KBD                 3280      (  3.2K)        CD0
  HIMEM               1248      (  1.2K)        4E0
  COMMAND             3792      (  3.7K)        ED0
  DOSX               34720      ( 33.9K)       87A0
  COMMAND             4512      (  4.4K)       11A0
  FREE                 112      (  0.1K)         70
  FREE              595408      (581.5K)      915D0

Total  FREE :       595520      (581.6K)

Upper Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  SYSTEM            212976      (208.0K)      33FF0
  DOSX                 128      (  0.1K)         80
  MOUSE              12528      ( 12.2K)       30F0
  MSCDEXNT             464      (  0.5K)        1D0
  REDIR               2672      (  2.6K)        A70
  NW16                2512      (  2.5K)        9D0
  VWIPXSPX             496      (  0.5K)        1F0
  FREE                 976      (  1.0K)        3D0
  FREE               29232      ( 28.5K)       7230

Total  FREE :        30208      ( 29.5K)

Total bytes available to programs (Conventional+Upper) :      625728   (611.1K)
Largest executable program size :                             594416   (580.5K)
Largest available upper memory block :                         29232   ( 28.5K)

   1048576 bytes total contiguous extended memory
         0 bytes available contiguous extended memory
    941056 bytes available XMS memory
           MS-DOS resident in High Memory Area

C:\DOCUME~1\ADMINI~1>

Expert Comment by: wtrmk74 (LVL 7)
This looks good too...
what I was looking for is the difference between


Total Conventional Memory            - 595520

And Largest Available Executable      - 594416


Total conventional memory must always exceed the largest executable file.
So far everything looks good.

:)
I will keep thinking
wtrmk74

Author Comment by: wcubed
Thank you. I do appreciate your help.

Expert Comment by: wtrmk74 (LVL 7)
It seems as if your system is clean.
You have run all the diagnostics!

This is all I can think of; I have been racking my brain ~8-)

try this
open Internet Explorer
Tools
Internet Options
Advanced
go down the list and
add a checkmark next to "Disable Script Debugging"
and uncheck the box next to "Display a notification about every script error"

thanks
wtrmk74


Author Comment by: wcubed
Hello wtrmk74,
The settings were already set as you described.
It must be something else. I will start taking notes on what I am running when the errors show up, and see if I can see a pattern.
I have noticed that Dreamweaver and Photoshop are often open when the errors pop up (these days they come in pairs). I may have installed a bad extension.
I am in the process of moving so the computer will have to suffer in silence for a while.

Accepted Solution by: wtrmk74 (LVL 7), earned 500 total points
Progress Report !

Author Comment by: wcubed
Hello wtrmk74
I have not had much time to do much testing, but I have noticed that if either Photoshop or Dreamweaver is open I get the error.
I do know that sometimes I have been getting the error twice. That appears if both programs are running at the same time.
I have installed several extensions for Dreamweaver and some plugins for Photoshop.
I will have to go through and figure out if one of those is the cause of my sorrows…
Since it does not appear to be a virus I am going to award you the points for all your hard work making sure it was not.
I still can’t figure out why the machine is running so slow, but it could just be overloaded.
Anyway thank you again for all your help.

Expert Comment by: wtrmk74 (LVL 7)
thank you for the response and the points...
On a different note, these applications you are using are very processor intensive and utilize a lot of system RAM!

Q?
Is it faster when you initially start these programs?
Does it get slower as you are working and working?

There is a slight chance that the hijack had nothing to do with your CPU usage dip;
you could have at the same time had a module go bad in your RAM!

By chance, have you thought about upgrading your RAM to see if this will help?

just a thought !
thanks
wtrmk74

Author Comment by: wcubed
Unfortunately it is slow all the time.
Your memory idea is a good one. I will have to look into getting some more RAM. I have noticed extra HD activity. Could be a sign of RAM going bad...
Have a merry Christmas, and a super new year.
