Ask The Enterprise Desktop Expert: Questions & Answers

Virus may be blocking access to antivirus sites

EXPERT RESPONSE FROM: Roberta Bragg

QUESTION POSED ON: 02 March 2004
I used to be able to surf the Internet fine after booting my WinXP Home. But recently, I've been getting the "cannot find server" error on MSIE6sp1 on every site I try to visit. When running netstat -a, I find a syn_sent on those sites. Rebooting would enable me to visit any site once again, but not for long, as it would happen again after a few minutes of use. This never happened before. I first suspected a DoS effect of the MyDoom worm, but my antivirus and standalone fixes available from several virus sites say negative infection on my machine. However, the ports where the syn_sent happens seem to be within the range Trend Micro said they would: 3127 to 3198. What do I do? My OS and antivirus software are all updated.

You may need to inspect your system and manually remove the virus yourself. It can be blocking access to antivirus sites. Here's how:

1. Search for the file ctfmon.dll. If this file is found, the computer is infected. (ctfmon.dll is the proxy server; it can be used to allow attackers to use the computer as a spam forwarder.)

2. You can also look on your network for traffic to specific ports on a computer that shouldn't be receiving traffic on that port. The virus attempts to download and execute files. It uses TCP ports 80, 1080, 8080, 10080 and 3128.

3. Look for the file explorer.exe in the %system% folder (by default, the winnt\system32 folder). (explorer.exe in the %windir% or windows folder is a legitimate file.)

4. Look for the value "(default)" = "%system%\ctfmon.dll" in the registry key HKEY_CLASSES_ROOT\CLSID\(E6Fb5220-DE35-11CF-987-00AA005127ED)\InProcServer32. Also look for the value "Explorer" = "%system%\explore.exe" in the registry keys:
HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

According to Microsoft.com, if you can't get to the antivirus site and need to disinfect the computer (Windows XP, Windows 2000 or Windows Server 2003) you need to enter the following commands at a command prompt:

del /F %systemroot%\system32\drivers\etc\hosts

echo # Temporary HOSTS file > %systemroot%\system32\drivers\etc\hosts

attrib +R %systemroot%\system32\drivers\etc\hosts

ipconfig /flushdns
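
The commands above discard the existing hosts file, so it is worth recording what it contained before deleting it. The following Python script is an added example, not part of the original answer or of Microsoft's guidance: it lists hosts entries that pin a name to a loopback or unspecified address (which makes the site unreachable) or to any other static address. The sample contents and the .example hostnames are constructed, and the assumption that access is being blocked through hosts entries is inferred only from the fact that the commands reset that file.

```python
import ipaddress
import sys

# Constructed sample, not taken from an infected machine (.example is reserved).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         www.av-vendor.example   # inline comment
127.0.0.1       update.av-vendor.example download.av-vendor.example
192.0.2.10      intranet.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for entries worth reviewing.

    verdict is "blocked" when the name is pinned to a loopback or unspecified
    address, so connections never reach the real site, and "override" for any
    other static mapping that bypasses DNS.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) < 2:
            continue                            # blank, comment or no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP literal
        dead_end = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if dead_end and name == "localhost":
                continue                        # stock entry, expected
            findings.append((line_no, str(addr), name,
                             "blocked" if dead_end else "override"))
    return findings

if __name__ == "__main__":
    # Pass the hosts file path as the first argument; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, addr, name, verdict in audit_hosts(text):
        print(f"line {line_no}: {name} -> {addr} [{verdict}]")
```

Run it against a copy of the hosts file and keep the output with the incident notes before running the del command.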

