Q

Virus may be blocking access to antivirus sites

I used to be able to surf the Internet fine after booting my WinXP Home. But recently, I've been getting the "cannot find server" error on MSIE6sp1 on every site I try to visit. When running netstat -a, I find a SYN_SENT on those sites. Rebooting would enable me to visit any site once again, but not for long, as it would happen again after a few minutes of use. This never happened before. I first suspected a DoS effect of the MyDoom worm, but my antivirus and the standalone fixes available from several virus sites say there is no infection on my machine. However, the ports on which the SYN_SENT happens seem to be within the range Trend Micro said it would be: 3127 to 3198. What do I do? My OS and antivirus software are all updated.
You may need to inspect your system and manually remove the virus yourself. It can be blocking access to antivirus sites. Here's how:

1. Search for the file ctfmon.dll. If this file is found, the computer is infected. (ctfmon.dll is the proxy server; it can be used to allow attackers to use the computer as a spam forwarder.)

2. You can also look on your network for traffic to specific ports on a computer that shouldn't be receiving traffic on those ports. The virus attempts to download and execute files. It uses TCP ports 80, 1080, 8080, 10080 and 3128.

3. Look for the file explorer.exe in the %system% folder (by default the winnt\system32 folder). (explorer.exe in the %windir% or windows folder is a legitimate file.)

4. Look for the value "(default)" = "%system%\ctfmon.dll" in the registry key HKEY_CLASSES_ROOT\CLSID\(E6Fb5220-DE35-11CF-987-00AA005127ED)\InProcServer32. Also look for the value "Explorer" = "%system%\explore.exe" in the registry keys HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

According to Microsoft.com, if you can't get to the antivirus site and need to disinfect the computer (Windows XP, Windows 2000 or Windows Server 2003), you need to enter the following commands at a command prompt:

del /F %systemroot%\system32\drivers\etc\hosts
echo # Temporary HOSTS file > %systemroot%\system32\drivers\etc\hosts
attrib +R %systemroot%\system32\drivers\etc\hosts
ipconfig /flushdns
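Before wiping the HOSTS file as above, it helps to see what the worm actually put in it. The following auditor is an added example, not part of the original answer or of any Microsoft tool; the vendor watch list and the sample HOSTS content are constructed for illustration and should be adjusted for your own environment.

```python
"""Audit a Windows HOSTS file for entries that black-hole or redirect
security-vendor and update sites (the symptom discussed above)."""
import ipaddress

# Names a legitimate HOSTS file is expected to map to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Addresses commonly used to black-hole a hostname.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed watch list of vendor/update domains (constructed; extend as needed).
WATCHLIST = ("microsoft.com", "windowsupdate.com", "trendmicro.com",
             "symantec.com", "mcafee.com", "kaspersky.com")


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each active HOSTS entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore malformed line
        yield lineno, fields[0], [h.lower() for h in fields[1:]]


def audit_hosts(text):
    """Return findings as (lineno, hostname, address, reason) tuples."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if name in LOOPBACK_NAMES:
                continue  # the normal localhost line is fine
            if any(name == d or name.endswith("." + d) for d in WATCHLIST):
                findings.append((lineno, name, addr, "vendor/update domain pinned in HOSTS"))
            elif addr in SINKHOLES:
                findings.append((lineno, name, addr, "hostname black-holed to a sinkhole address"))
    return findings


# Constructed sample: one legitimate line plus entries a worm might inject.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.trendmicro.com
127.0.0.1       windowsupdate.microsoft.com   # injected
10.0.0.5        liveupdate.symantec.com
127.0.0.1       mail.example.net
"""

if __name__ == "__main__":
    for lineno, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

On a live system, read %systemroot%\system32\drivers\etc\hosts into `audit_hosts` instead of the sample; any finding other than the localhost line is a candidate for the reset commands above.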

This was first published in March 2004
