Solved

Possible virus

Posted on 2003-11-17
25
Medium Priority
2,689 Views
Last Modified: 2010-04-13
Hello,
I have a possible problem. About a month ago my browser was hijacked. I used HijackThis to get rid of it. I had Search and Destroy running at the time, but did not have the anti hijacking turned on :-(.
Since then I have been getting an error message “runtime error 203” after leaving the computer alone for a few hours. Also the computer seems to have slowed down by at least 25%.
I have run Norton anti virus, nothing found. (I had it installed at the time of the hijack)
I have Zone Alarm, nothing strange seems to be trying to access the internet. (I installed it after the hijack)
If you could look at the logfile from HijackThis and see if there is anything unusual I would really appreciate it.

Logfile of HijackThis v1.97.6
Scan saved at 01:28:58, on 17.11.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WFXSVC.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.dell.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

Question by:wcubed
25 Comments
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9763015
Try running SFC /SCANNOW to check the integrity of the windows protected file systems.  If any of them are tampered with it could cause slow down and errors.

If that doesn't help then reapply SP4 and critical updates.

Go to www.symantec.com and do the online virus scan too just to double check you are clean.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9763560
runtime error 203 is generally caused by some trojan

Have you checked using the trojan remover listed by Lucf.. Try that and see if it recognises the trojan and delete it ..

Also you may want to try this trojan hunter  http://www.misec.net/

Let me go over this hijack log again.. Nothing is very obvious for me at the moment


Sunray
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9784433
When you're done...
Install a firewall
http://www.kerio.com/kpf_download.html

it's free for home users and has an active learning mode.
You will be notified of all events going through your system and have the opportunity to allow or disallow them.

wtrmk74
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9821751
Anything?
0
 

Author Comment

by:wcubed
ID: 9827117
I am sorry it has taken me so long to get back to you all. I have been out of town.
I am running Trojan Hunter now and will run Trojan Remover next. If that does not solve the problem I will reinstall SP4 as recommended by stoner79.
I will let you know what the results are as soon as I get them.
Thank you all for sticking with me.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9827154
Ok, let us know how it goes.
0
 

Author Comment

by:wcubed
ID: 9828722
Trojan Hunter  and Trojan Remover came up clean, as did Search and Destroy.. I re-applied SP4. Now I will wait to see if the error re-appears...
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9829390
Hope it works out.
0
 

Author Comment

by:wcubed
ID: 9831076
The error just re-appeared… :-(
Something that may or may not be the cause was a piece of shareware I ran a while ago. It is called Xenu's Link Sleuth. I have removed it from the system. It is the only piece of software I can think of that I do not trust.
0
 
LVL 32

Expert Comment

by:LucF
ID: 9831484
Have you tried running "SFC /scannow" ?
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9832686
On your next post supply the information that is displayed after each of the entries please:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


I want to manually check for viruses

thanks
wtrmk74
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9832718
Oh Ya,
Start
Run
regedit

navigate to the keys described above
go to
the top navigation bar
under REGISTRY
select export file
make sure selected branch is selected
change the save as type to ALL FILES
save as RUN.TXT to your desktop
you will be able to copy and paste this info to this site on your next post
0
 

Author Comment

by:wcubed
ID: 9834161
wtrmk74, below I have included the information you asked for. Well, most of it. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
is not there. I get as far as Policies but there is no subfolder Explorer...

LucF I will now run SFC /scannow and let you know what happens.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
PRPCMonitor=PRPCUI.exe
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed=1
NoChange=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe=ctfmon.exe
0
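A way to do the cross-check wtrmk74 is asking for by hand, written as an added example for this thread (it is not code from the thread, from HijackThis, or from any of the tools named above): parse the O4 lines of a HijackThis log and the plain-text Run-key export the author posted, list the autostart entries that appear in one source but not the other (here the entries added after the log was taken, when Trojan Hunter, Trojan Remover and QuickTime were installed), and flag entries whose image is a bare file name (resolved by PATH search at logon) or lives outside the directories a Windows 2000 box normally runs software from. The sample inputs are constructed from the lines in the thread, plus one made-up `Updater` entry that is not on the poster's machine and exists only to show the location check firing; the list of trusted roots is an assumption about this machine's layout.

```python
import re

# Constructed sample: the O4 lines from the HijackThis log posted in the question.
HIJACKTHIS_O4_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
"""

# Constructed sample: the Run-key export posted later in the thread, in the same
# name=data form, plus one made-up "Updater" entry (NOT from the poster's machine)
# so that the location check below has something to report.
RUN_EXPORT_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
PRPCMonitor=PRPCUI.exe
WLAN_Cfg.exe=C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
Zone Labs Client=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
DadApp=C:\Program Files\DELL\AccessDirect\dadapp.exe
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard="C:\Program Files\TrojanHunter 3.7\THGuard.exe"
TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
Updater=C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed=1
NoChange=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe=ctfmon.exe
"""

O4_RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (.+?) = (.*)$')
# For an unquoted command line, the image ends at the first executable extension.
UNQUOTED_IMAGE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)', re.IGNORECASE)
HIVES = {'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CURRENT_USER': 'HKCU'}
# Assumption: where legitimately installed software lives on this Windows 2000 machine.
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\progra~1\\', 'c:\\winnt\\')


def parse_hijackthis_o4(text):
    """Map (hive, entry name) -> command line for every O4 line in a HijackThis log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = command
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            entries[('Startup', m.group(1))] = m.group(2)
    return entries


def parse_run_export(text):
    """Map (hive, value name) -> data for values directly under a ...\\CurrentVersion\\Run key."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            # Only the Run key itself counts; subkeys such as Run\OptionalComponents\MAPI are skipped.
            current = HIVES.get(key.split('\\', 1)[0]) if key.lower().endswith('\\currentversion\\run') else None
            continue
        if current is None or '=' not in line:
            continue
        name, _, data = line.partition('=')
        entries[(current, name.strip())] = data.strip()
    return entries


def image_path(command):
    """Return the executable part of a Run value, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = UNQUOTED_IMAGE_RE.match(command)
    return m.group(1) if m else command.split(' ', 1)[0]


def compare(hjt, reg):
    """Entries present in only one source; Global Startup items have no registry counterpart."""
    only_in_reg = set(reg) - set(hjt)
    only_in_hjt = {k for k in hjt if k[0] in ('HKLM', 'HKCU')} - set(reg)
    return only_in_reg, only_in_hjt


def triage(entries):
    """Flag bare file names (PATH-dependent) and images outside the trusted roots."""
    findings = []
    for (hive, name), command in sorted(entries.items()):
        image = image_path(command)
        if '\\' not in image:
            findings.append((name, 'bare file name %s: which file runs depends on the PATH at logon' % image))
        elif not image.lower().startswith(TRUSTED_ROOTS):
            findings.append((name, 'image outside expected roots: %s' % image))
    return findings


if __name__ == '__main__':
    hjt, reg = parse_hijackthis_o4(HIJACKTHIS_O4_SAMPLE), parse_run_export(RUN_EXPORT_SAMPLE)
    only_in_reg, only_in_hjt = compare(hjt, reg)
    print('in registry but not in the HijackThis log:', sorted(n for _, n in only_in_reg))
    print('in the HijackThis log but not in the registry:', sorted(n for _, n in only_in_hjt))
    for name, why in triage(reg):
        print('check:', name, '-', why)
```

The two bare-name hits, PRPCMonitor and ctfmon.exe, are both legitimate on this machine (PRPCUI.exe and ctfmon.exe are running from C:\WINNT\system32 in the process list), which is exactly why a tool like this should produce a review list rather than a verdict: a bare name is worth confirming against the directory the process actually loaded from, not deleting on sight.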
 

Author Comment

by:wcubed
ID: 9834213
SFC /scannow ran without finding any problems.
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9835195
OK
That looks good...

now can you post the output of this command:

Start
Run
command.com
at the blinking cursor type
mem /c
copy these contents by right clicking in the upper left corner
edit
select all
copy
and paste them here.

thanks
wtrmk74
0
 

Author Comment

by:wcubed
ID: 9836966
wtrmk74 here are the results from mem /c   :-)

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-1999.

C:\DOCUME~1\ADMINI~1>mem /c

Conventional Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  MSDOS              12048      ( 11.8K)       2F10
  KBD                 3280      (  3.2K)        CD0
  HIMEM               1248      (  1.2K)        4E0
  COMMAND             3792      (  3.7K)        ED0
  DOSX               34720      ( 33.9K)       87A0
  COMMAND             4512      (  4.4K)       11A0
  FREE                 112      (  0.1K)         70
  FREE              595408      (581.5K)      915D0

Total  FREE :       595520      (581.6K)

Upper Memory :

  Name                Size in Decimal       Size in Hex
-------------      ---------------------   -------------
  SYSTEM            212976      (208.0K)      33FF0
  DOSX                 128      (  0.1K)         80
  MOUSE              12528      ( 12.2K)       30F0
  MSCDEXNT             464      (  0.5K)        1D0
  REDIR               2672      (  2.6K)        A70
  NW16                2512      (  2.5K)        9D0
  VWIPXSPX             496      (  0.5K)        1F0
  FREE                 976      (  1.0K)        3D0
  FREE               29232      ( 28.5K)       7230

Total  FREE :        30208      ( 29.5K)

Total bytes available to programs (Conventional+Upper) :      625728   (611.1K)
Largest executable program size :                             594416   (580.5K)
Largest available upper memory block :                         29232   ( 28.5K)

   1048576 bytes total contiguous extended memory
         0 bytes available contiguous extended memory
    941056 bytes available XMS memory
           MS-DOS resident in High Memory Area

C:\DOCUME~1\ADMINI~1>
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9838811
This looks good too...
what I was looking for is the difference between


Total Conventional Memory            - 595520

And Largest Available Executable      - 594416


Total conventional memory must always exceed the largest executable file.
So far everything looks good.

:)
I will keep thinking
wtrmk74
0
 

Author Comment

by:wcubed
ID: 9841925
Thank you. I do appreciate your help.
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9864052
It seems as if your system is clean.
You have run all the diagnostics!

This is all I can think of , I have been racking my brain ~8-)

try this
open Internet Explorer
Tools
Internet Options
Advanced
go down the list and
add a checkmark next to "Disable Script Debugging"
and uncheck the box next to "Display a notification about every script error"

thanks
wtrmk74

0
 

Author Comment

by:wcubed
ID: 9878978
Hello wtrmk74,
The settings were already set as you described.
It must be something else. I will start taking notes on what I am running when the errors show up. See if I can see a pattern.
I have noticed that Dreamweaver and Photoshop often open when the errors popup(these days they come in pairs). I may have installed a bad extension.
I am in the process of moving so the computer will have to suffer in silence for a while.
0
 
LVL 7

Accepted Solution

by:wtrmk74 (earned 2000 total points)
ID: 9961757
Progress Report !
0
 

Author Comment

by:wcubed
ID: 9962457
Hello wtrmk74
I have not had much time to do much testing, but I have noticed that if either Photoshop or Dreamweaver is open I get the error.
I do know that sometimes I have been getting the error twice. That appears if both programs are running at the same time.
I have installed several extensions for Dreamweaver and some plugins for Photoshop.
I will have to go through and figure out if one of those is the cause of my sorrows…
Since it does not appear to be a virus I am going to award you the points for all your hard work making sure it was not.
I still can’t figure out why the machine is running so slow, but it could just be overloaded.
Anyway thank you again for all your help.
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9969638
thank you for the response and the points...
on a different note these applications you are using are very processor intensive and utilize a lot of system ram !

Q?
is it faster when you initially start these programs ?
does it get slower as you are working and working ?

there is a slight chance that the hijack had nothing to do with your CPU usage dip
you could have at the same time had a module go bad in your ram !

by chance have you thought about upgrading your ram to see if this will help ?

just a thought !
thanks
wtrmk74
0
 

Author Comment

by:wcubed
ID: 9980726
Unfortunately it is slow all the time.
Your memory idea is a good one. I will have to look into getting some more RAM. I have noticed extra HD activity. Could be a sign of RAM going bad...
Have a merry Christmas, and a super new year.

0
