
Possible Virus Infection - Cannot connect to Internet, Max TCP connections reached.

I am working on a system which appears to have been hijacked via a virus. I can see in the logs that yesterday an error was reported that the maximum TCP limit was reached, and today we cannot connect to the internet via IE 7 or Firefox. I can PING yahoo and google, but cannot browse to a site.

I also understand that Microsoft has recently announced that there is a 'hole' in the security in which a system can be taken over and used to send out Malware.

Has anyone run into this, and has anyone come up with a workaround or fix?

Commented:
Scan your system with an updated AV and check the security settings for IE.
Commented:
Check the file C:\windows\system32\drivers\etc\hosts and make sure there is only one entry:
127.0.0.1 localhost
Also, in the Services control panel, stop the DNS Client service. See if that allows you to connect to the Internet, and then download the latest malwarebytes.org scanner and run it.
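The hosts-file and DNS Client checks above, as an added PowerShell example that is not code from the original thread. It assumes Windows PowerShell 3.0 or later on an elevated prompt, and that a clean hosts file contains nothing but the loopback `localhost` mappings; every other entry is reported so you can see whether a vendor or update site has been pinned to 127.0.0.1 or to a foreign address. The function names are this example's own.

```powershell
# Added example, not code from the original thread. Assumes Windows
# PowerShell 3.0 or later, run from an elevated prompt.

function Get-HostsEntries {
    # Parse the hosts file into Address/Name objects, ignoring comments
    # and blank lines. One line may map several names to one address.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop trailing comments
        if ($line -eq '') { return }               # skip empty/comment-only lines
        $fields = $line -split '\s+'
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name }
        }
    }
}

function Get-SuspectHostsEntries {
    # Anything other than the loopback 'localhost' mappings is reported.
    # Hijackers typically add AV/update sites here so they resolve to
    # 127.0.0.1 or to an attacker-controlled address.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    Get-HostsEntries -Path $Path | Where-Object {
        -not ($_.Name -eq 'localhost' -and ($_.Address -eq '127.0.0.1' -or $_.Address -eq '::1'))
    }
}

$suspect = Get-SuspectHostsEntries
if ($suspect) {
    Write-Warning 'Unexpected hosts entries (possible hijack):'
    $suspect | Format-Table -AutoSize
} else {
    Write-Output 'hosts file contains only localhost mappings.'
}

# The DNS Client service is named Dnscache. Show its state, then flush
# the resolver cache so any poisoned answers are dropped.
Get-Service -Name Dnscache | Select-Object Name, Status
ipconfig /flushdns
# Stop-Service -Name Dnscache   # the XP/Vista-era step from the post above
```

The hosts file is read with `Get-Content` rather than opened in an editor so that the check can be scripted across a fleet. Stopping the DNS Client service, as the post suggests, works on XP-era Windows; on current releases the service is protected and cannot be stopped, which is why the flush is the step that is left active and the stop is left commented out.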
Rojosho (RTCC-III Level-2 Support), Author
Commented:
Hey Alover and Mattvmotas,

Thank you - I am trying to run Malwarebytes, but the def file is a few days old, so I will have to find a later one and manually place it in the folder; not sure if that will work.

Another symptom I forgot to mention is that I have lost mouse functionality. This happened once before, but when I went into Safe Mode as Admin, I reconfigured the mouse and was able to get it back; now it is pretty solidly not working - any ideas? Virus related?
optoma (Top Expert 2009)
Commented:
Run Combofix on the machine and follow its instructions:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Install the Recovery Console when running Combofix. You may have to install the Recovery Console manually:
http://www.bleepingcomputer.com/tutorials/tutorial117.html

Post the logfile here afterwards.
Hopeleonie (IT Manager)
Commented:
Try Combofix as optoma advised. Combofix has helped me in many cases when I didn't have an internet connection.

Commented:
After Combofix, do a scan with your malware/spyware programs in Safe Mode. Sometimes that's the only way to get rid of them, because the files will restart themselves the next time you boot up: you remove them, then they come back.
To get into Safe Mode, press F8 repeatedly when you start up your computer, then choose "Safe Mode with Networking" at the next screen. They could be nothing, but better safe than sorry. Hope that helps. Best of luck to you.

If you can ping google, that means you have an internet connection. Try opening a command prompt and typing "netstat -nbo"; this will show you the established connections and the application associated with each connection. Also, check the proxy settings in your internet browser. Try running IE in safe mode (with add-ons disabled).

To check for virus/malware, if you know the date the computer got infected, start the computer in Safe Mode. Then check for *.exe and *.dll files in the most common places where a virus would be stored. You can do so by opening a command prompt and typing "dir /o-d /a /p *.exe" or "dir /o-d /a /p *.dll". This will show you *.exe and *.dll files in order by date with the latest ones at the top; hit the space bar to scroll down the list. Run these commands in \windows, \windows\system32, %userprofile% (and subfolders, by adding the /s switch to the command) and in the \program files folder and subfolders. Delete any *.dll or *.exe file that looks suspicious. If you're not sure about a file, you can google the name of the file.
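The triage described in the comment above (connection owners, proxy settings, recently dropped binaries), as an added PowerShell example that is not code from the original thread. It assumes Windows PowerShell 3.0 or later on an elevated prompt and uses `netstat -ano` rather than `-nbo` because the numeric PID column parses cleanly and can be joined to `Get-Process`; the function names are this example's own. On Windows XP SP2 the "max TCP connections" message in the question is Tcpip Event ID 4226 in the System log, raised when one process exceeds the half-open connection limit, so the thing to look for is a single image owning many non-listening sockets.

```powershell
# Added example, not code from the original thread. Assumes Windows
# PowerShell 3.0 or later, run from an elevated prompt.

function Get-ConnectionOwners {
    # Parse 'netstat -ano' (numeric, all connections, owning PID) and join
    # each TCP connection with the process name from Get-Process.
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Length -ge 5) {     # UDP rows have no State column
            $procId = [int]$f[4]
            [pscustomobject]@{
                Local   = $f[1]
                Remote  = $f[2]
                State   = $f[3]
                PID     = $procId
                Process = $names[$procId]
            }
        }
    }
}

function Get-BrowserProxy {
    # 'Ping works but browsing fails' is often a planted proxy in the
    # WinINET settings that IE (and Firefox, when set to use system
    # settings) honours. ProxyEnable=1 with an unknown ProxyServer or
    # AutoConfigURL is the tell.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-RecentBinaries {
    # List *.exe / *.dll modified since $Since under the usual drop
    # locations (the same folders the comment above names), newest first,
    # with Authenticode status so unsigned newcomers stand out.
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string[]]$Paths = @($env:SystemRoot, $env:USERPROFILE, $env:ProgramFiles)
    )
    Get-ChildItem -Path $Paths -Include *.exe, *.dll -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            [pscustomobject]@{
                LastWrite = $_.LastWriteTime
                Size      = $_.Length
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Path      = $_.FullName
            }
        }
}

# Which process owns the most non-listening TCP sockets? One image with
# dozens of SYN_SENT entries is the classic spam-bot / scanner symptom.
Get-ConnectionOwners | Where-Object { $_.State -ne 'LISTENING' } |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Get-BrowserProxy

# Replace the window with the date the comment above tells you to use.
Get-RecentBinaries -Since (Get-Date).AddDays(-3) | Format-Table -AutoSize
```

Run the connection listing first, while the machine is still online, since the owning process is the quickest route to the dropped binary; the file sweep then narrows to the same date window. The Authenticode column is a triage aid, not proof: a valid Microsoft signature on a file in a user profile is still worth a look, and an unsigned file in `Program Files` is common for legitimate third-party software.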
Rojosho (RTCC-III Level-2 Support), Author
Commented:
Hello Everyone,

Sorry for the delay in closing this case.

First, you all provided some very good suggestions; although, reading the precautions for the Combofix suggestion, it seemed to be moving more into a path of calling in the Marines and getting outside help to interpret the Combofix reports, and it was not clear if this was fee-based or not. Anyway, I stepped away from that option.

I was able to find what virus hit our system, and it was the 'From Russia with Love' virus. From my research I decided to reinstall my client's OS and applications to ensure that this 'bug' was gone for good. Yes, a bit drastic, but it allowed us to get to a known state and move forward from there without having to look back over our shoulders - a 'peace of mind' thing.

But, having said that, the final solution does not negate the excellent suggestions that were made, and therefore I am splitting up the points between:

mattvmotas
optoma
Precifijo

Thank you for your assistance.

Cheers,

Rojosho
Rojosho (RTCC-III Level-2 Support), Author
Commented:
These were all good suggestions, but none of them really resolved the problem. In hindsight, the suggestion from Precifijo would have helped me identify the virus module, which would have led me to the decision to reinstall the OS; therefore I awarded Precifijo the most points.

Cheers,