1. Search for the file ctfmon.dll. If this file is found, the computer is infected. (ctfmon.dll is the proxy server component; it can be used to let attackers relay spam through the computer.)
2. You can also watch your network for traffic to specific ports on a computer that should not be receiving traffic on those ports. The virus attempts to download and execute files, and it uses TCP ports 80, 1080, 8080, 10080 and 3128.
3. Look for the file explorer.exe in the %system% folder (by default winnt\system32). (explorer.exe in the %windir% or windows folder is a legitimate file.)
4. Look for the value "(default)" = "%system%\ctfmon.dll" in the registry key HKEY_CLASSES_ROOT\CLSID\(E6Fb5220-DE35-11CF-987-00AA005127ED)\InProcServer32, and look for the value "Explorer" = "%system%\explorer.exe" in the registry keys:
HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
According to Microsoft.com, if you cannot reach the antivirus site and need to disinfect the computer (Windows XP, Windows 2000 or Windows Server 2003), enter the following commands at a command prompt to replace the HOSTS file the virus modified and clear the DNS cache:
del /F %systemroot%\system32\drivers\etc\hosts
echo # Temporary HOSTS file > %systemroot%\system32\drivers\etc\hosts
attrib +R %systemroot%\system32\drivers\etc\hosts
ipconfig /flushdns
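An added example, not part of the original article: a read-only PowerShell script that runs the checks above on a suspect host (dropped files, registry values, listening ports and the HOSTS file) and only reports what it finds. The registry paths and the CLSID are copied as printed above, so verify them against your antivirus vendor's write-up before relying on them.

```powershell
# Added example: report-only triage for the indicators listed in the article.
# Assumes an elevated prompt on the suspect Windows host; nothing is modified.
$sys      = "$env:SystemRoot\System32"
$findings = @()

# 1. Proxy component dropped into the system folder
if (Test-Path "$sys\ctfmon.dll") { $findings += "ctfmon.dll present in $sys" }

# 3. explorer.exe in System32 (the legitimate copy lives in %windir%)
if (Test-Path "$sys\explorer.exe") { $findings += "explorer.exe present in $sys" }

# 4a. Run-key persistence: value "Explorer" pointing into System32
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name Explorer -ErrorAction SilentlyContinue).Explorer
    if ($val -and $val -match 'system32\\explorer\.exe') { $findings += "$key\Explorer = $val" }
}

# 4b. CLSID hijack: InProcServer32 default value pointing at ctfmon.dll.
# GUID copied as printed in the article; confirm it against a vendor write-up.
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{E6Fb5220-DE35-11CF-987-00AA005127ED}\InProcServer32'
$dflt  = (Get-ItemProperty -Path $clsid -ErrorAction SilentlyContinue).'(default)'
if ($dflt -and $dflt -match 'ctfmon\.dll') { $findings += "$clsid (default) = $dflt" }

# 2. Listeners on the ports the article names. Port 80/8080 may be a legitimate
# web server, so treat a hit here as a lead to confirm, not proof by itself.
$ports = 80, 1080, 8080, 10080, 3128
$pat   = ':(' + ($ports -join '|') + ')\s+\S+\s+LISTENING\s+(\d+)'
netstat -ano | ForEach-Object {
    if ($_ -match $pat) {
        $proc = (Get-Process -Id $matches[2] -ErrorAction SilentlyContinue).ProcessName
        $findings += "listener on port $($matches[1]) owned by PID $($matches[2]) ($proc)"
    }
}

# HOSTS file: the virus redirects antivirus sites; anything beyond the
# default localhost entry deserves a look.
$hosts = "$sys\drivers\etc\hosts"
Get-Content $hosts -ErrorAction SilentlyContinue | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$'
} | ForEach-Object { $findings += "non-default HOSTS entry: $_" }

if ($findings.Count -eq 0) { "No indicators found." } else { $findings | ForEach-Object { "FOUND: $_" } }
```

The file and registry hits are the strong indicators; the port and HOSTS checks narrow down what else the infection changed.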
This was first published in March 2004