The Cellar  

Old 02-04-2009, 05:01 AM   #61
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Morethanpretty,

You get all of that with AVG as well (and they also publish an anti-rootkit utility).

Like I said, a toss-up.
mbpark is offline   Reply With Quote
Old 02-04-2009, 07:29 PM   #62
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark View Post
You get all of that with AVG as well (and they also publish an anti-rootkit utility).
Has anybody seen a root virus? I don't believe I have but then I am not entirely sure what its symptoms are.
tw is offline   Reply With Quote
Old 02-04-2009, 07:45 PM   #63
Shawnee123
Why, you're a regular Alfred E Einstein, ain't ya?
 
Join Date: Jun 2006
Posts: 21,206
I don't know, but I have been having problems with my computer and I don't know if it's the computer or the wireless or bad software...or what.

It just stops acting like it's even connected yet the icon at the bottom says 54.0 Mbps...which is good, right?

I'm going to have to call geek squad or something.
__________________
A word to the wise ain't necessary - it's the stupid ones who need the advice.
--Bill Cosby
Shawnee123 is offline   Reply With Quote
Old 02-04-2009, 07:56 PM   #64
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
TW,

A rootkit is a type of virus/malware that uses "cloaking" techniques to hide itself from the OS and end user. If you've read what I've mentioned, the Windows API makes it really easy to create one.

And, yes I have seen them. Rootkits are the reason why I scan machines with a bootable CD that has the latest virus definitions and tools I can use to determine what loads when a machine boots up. The only effective way to get rid of a rootkit is to scan the machine with a known good alternate OS, not the OS itself. When you have a rootkit, the only way to be sure is to use an alternate OS.

Anti-rootkit technology is nothing more than AV technology that scans for the API hooks that rootkits use to cloak themselves. It's effective a good portion of the time, but I've seen rootkits get past the Sysinternals tool (Rootkit Revealer).

UNIX, Linux, and Windows have this issue, as does any other OS that runs on a Von Neumann architecture where the OS and program data are loaded into the same memory banks and intermingle.

The best way to rid yourself of a rootkit is the same on UNIX, Linux, Windows, or any other OS. Boot into an alternate OS and scan that way, because you cannot be sure that the OS that has been compromised has any integrity.
mbpark is offline   Reply With Quote
Old 02-04-2009, 07:57 PM   #65
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Shawnee, try the following:

Shawnee,

Open a command prompt, and type in:

netsh winsock reset

Then reboot. Make sure you have the latest Wireless drivers as well.


Quote:
Originally Posted by Shawnee123 View Post
I don't know, but I have been having problems with my computer and I don't know if it's the computer or the wireless or bad software...or what.

It just stops acting like it's even connected yet the icon at the bottom says 54.0 Mbps...which is good, right?

I'm going to have to call geek squad or something.
mbpark is offline   Reply With Quote
Old 02-04-2009, 07:58 PM   #66
Shawnee123
Why, you're a regular Alfred E Einstein, ain't ya?
 
Join Date: Jun 2006
Posts: 21,206
Thanks. I'll try that later. It seems to be OK right now.
Shawnee123 is offline   Reply With Quote
Old 02-04-2009, 08:16 PM   #67
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark View Post
Anti-rootkit technology is nothing more than AV technology that scans for the API hooks that rootkits use to cloak themselves. It's effective a good portion of the time, but I've seen rootkits get past the Sysinternals tool (Rootkit Revealer).
Other than appropriate software, any symptoms to detect or suspect that rootkit? For example, IP activity? Unexplained processes? Excessive CPU time? Unexplained disk activity? Disabled functions? Registry entries?

Never looked at Sysinternals Rootkit Revealer because I never saw any reason to need it.
tw is offline   Reply With Quote
Old 02-04-2009, 08:30 PM   #68
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by Shawnee123 View Post
It just stops acting like it's even connected yet the icon at the bottom says 54.0 Mbps...which is good, right?
First the wireless connects to the wireless router. When that happens, you have a digital connection; in your case 54 Mbps.

Next, your machine must ask for an IP address. The router's DNS server provides (leases) an IP address to your wireless card.

I have seen some routers make the connection (ie 54 Mbps), but the DNS server refuses to lease an IP address. The solution was to power cycle the wireless router.

Don't know why. Never had sufficient time to learn why. But if you are having the same problem, the Geek squad would never see the problem and still charge you.

First suggestion: determine if the problem is in the router. IOW any computer that has not connected wirelessly to that router in over a day would demonstrate the same problem. (Any computer connected wirelessly in less than a day may not see the problem.) If both connect at some speed but will not talk, then you have saved yourself a payment to the Geek Squad.

A second suggestion: enter "IPCONFIG /ALL" in the same command window where "netsh winsock" was entered. If the IP address for your "Wireless Network Connection" does not start with 192.168.xxx.xxx or 10.xxx.xxx.xxx, then an IP address is not provided by the router.

A computer can connect. But without an IP address, it still will not communicate. Later in the day, that router's DNS server can fail. But your computer would continue to work for the next 24 hours - when the lease for the IP address expires and it will ask the router's DNS server for a new address lease. No new lease from a failed DNS server means it would again connect only to the router at 54 Mbps, but not connect to the network.
tw is offline   Reply With Quote
Old 02-05-2009, 08:16 AM   #69
Shawnee123
Why, you're a regular Alfred E Einstein, ain't ya?
 
Join Date: Jun 2006
Posts: 21,206
Quote:
Originally Posted by mbpark View Post
Shawnee,

Open a command prompt, and type in:

netsh winsock reset

Then reboot. Make sure you have the latest Wireless drivers as well.
I did the first part. Still had trouble.

I don't know how to check the wireless drivers?

Quote:
Originally Posted by tw View Post
First the wireless connects to the wireless router. When that happens, you have a digital connection; in your case 54 Mbps.

Next, your machine must ask for an IP address. The router's DNS server provides (leases) an IP address to your wireless card.

I have seen some routers make the connection (ie 54 Mbps), but the DNS server refuses to lease an IP address. The solution was to power cycle the wireless router.

Don't know why. Never had sufficient time to learn why. But if you are having the same problem, the Geek squad would never see the problem and still charge you.

First suggestion: determine if the problem is in the router. IOW any computer that has not connected wirelessly to that router in over a day would demonstrate the same problem. (Any computer connected wirelessly in less than a day may not see the problem.) If both connect at some speed but will not talk, then you have saved yourself a payment to the Geek Squad.

A second suggestion: enter "IPCONFIG /ALL" in the same command window where "netsh winsock" was entered. If the IP address for your "Wireless Network Connection" does not start with 192.168.xxx.xxx or 10.xxx.xxx.xxx, then an IP address is not provided by the router.

A computer can connect. But without an IP address, it still will not communicate. Later in the day, that router's DNS server can fail. But your computer would continue to work for the next 24 hours - when the lease for the IP address expires and it will ask the router's DNS server for a new address lease. No new lease from a failed DNS server means it would again connect only to the router at 54 Mbps, but not connect to the network.

I found the IP address with 192...

For the first part, are you saying check with another computer? I don't have another, but maybe I misunderstood.

Guys, thanks so much. I know that irl folks like you get paid to help people like me, so I appreciate the free advice. You don't have to keep helping if it seems I am taking advantage.

I am just amazed at IT people...you speak a whole other language. :p

Thanks again.
Shawnee123 is offline   Reply With Quote
Old 02-05-2009, 08:22 AM   #70
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Tom, it's DHCP

Tom,

It's a DHCP server.

There are many issues with the IP stack in Windows. When certain pieces of malware "attach" to your Windows installation, one of the first things many of them do is attach to the TCP/IP stack to subvert DNS and redirect name lookup traffic to a DNS server that will return erroneous (i.e. more malware, advertisements, bad Windows Updates) traffic to it.

Running "netsh winsock reset" restores the TCP/IP stack to a known good state without malware or the "hooks" that would point to the DLL files and executables that malware uses to redirect traffic.

If you don't run this after removing malware, your TCP/IP stack may be broken due to those hooks existing and pointing to nowhere.


Quote:
Originally Posted by tw View Post
First the wireless connects to the wireless router. When that happens, you have a digital connection; in your case 54 Mbps.

Next, your machine must ask for an IP address. The router's DNS server provides (leases) an IP address to your wireless card.

I have seen some routers make the connection (ie 54 Mbps), but the DNS server refuses to lease an IP address. The solution was to power cycle the wireless router.

Don't know why. Never had sufficient time to learn why. But if you are having the same problem, the Geek squad would never see the problem and still charge you.

First suggestion: determine if the problem is in the router. IOW any computer that has not connected wirelessly to that router in over a day would demonstrate the same problem. (Any computer connected wirelessly in less than a day may not see the problem.) If both connect at some speed but will not talk, then you have saved yourself a payment to the Geek Squad.

A second suggestion: enter "IPCONFIG /ALL" in the same command window where "netsh winsock" was entered. If the IP address for your "Wireless Network Connection" does not start with 192.168.xxx.xxx or 10.xxx.xxx.xxx, then an IP address is not provided by the router.

A computer can connect. But without an IP address, it still will not communicate. Later in the day, that router's DNS server can fail. But your computer would continue to work for the next 24 hours - when the lease for the IP address expires and it will ask the router's DNS server for a new address lease. No new lease from a failed DNS server means it would again connect only to the router at 54 Mbps, but not connect to the network.
mbpark is offline   Reply With Quote
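Added example, not code from the thread or from any tool it mentions, covering tw's IPCONFIG /ALL rule of thumb and mbpark's point about malware redirecting name lookups: it parses `ipconfig /all` output, checks whether the wireless adapter holds a router-leased private address (or the 169.254.x.x address Windows assigns itself when no DHCP answer arrives), and lists any DNS servers outside the LAN. The sample output is constructed; 203.0.113.53 is a documentation address standing in for an unexpected resolver.

```python
import ipaddress
import re

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows self-assigns this when no DHCP answer comes
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*?)\s*$")  # "   DNS Servers . . . : value"

def parse_ipconfig(text):
    """Return {adapter heading: {field: [values]}}; indented lines with no colon continue the previous field."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # un-indented line: adapter heading
            fields, last = adapters.setdefault(line.strip().rstrip(":"), {}), None
            continue
        m = FIELD.match(line)
        if m and fields is not None:
            last = m.group(1)
            fields.setdefault(last, []).append(m.group(2))
        elif last and fields is not None:
            fields[last].append(line.strip())  # e.g. a second DNS server on its own line
    return adapters

def assess_wireless(text):
    """Thread's rule of thumb: 192.168.x.x/10.x.x.x means the router leased an address; 169.254.x.x or none means DHCP failed."""
    adapters = parse_ipconfig(text)
    name = next((n for n in adapters if "wireless" in n.lower()), None)
    if name is None:
        return {"adapter": None, "address": None, "status": "no wireless adapter listed", "dns_outside_lan": []}
    f = adapters[name]
    result = {"adapter": name, "address": None, "status": "", "dns_outside_lan": []}
    raw = (f.get("IPv4 Address") or f.get("IP Address") or [""])[0]
    if not raw:
        result["status"] = "no address: nothing leased by the router"
        return result
    addr = ipaddress.ip_address(raw.split("(")[0].strip())  # drop the "(Preferred)" suffix newer Windows prints
    result["address"] = str(addr)
    if addr in APIPA:
        result["status"] = "self-assigned 169.254 address: DHCP request went unanswered"
    elif any(addr in n for n in PRIVATE):
        result["status"] = "private address leased by the router"
    else:
        result["status"] = "public address: not from a home router's DHCP"
    # A resolver outside the LAN proves nothing by itself (ISPs hand those out), but one nobody
    # configured is what the DNS-redirecting malware described above leaves behind: verify it.
    dns = [ipaddress.ip_address(v) for v in f.get("DNS Servers", []) if v]
    result["dns_outside_lan"] = [str(d) for d in dns if not any(d in n for n in PRIVATE)]
    return result

SAMPLE = """Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.104
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""  # constructed ipconfig /all output; 203.0.113.53 stands in for a resolver the user never configured
```

Run `ipconfig /all > out.txt` on the affected machine and pass the file's text to `assess_wireless`; when it reports a leased private address, the adapter and DHCP are working and, as tw says, the fault is higher up.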
Old 02-05-2009, 09:10 AM   #71
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
This is what I have seen

tw,

I've seen rootkits that have patched Windows DLL files and caused functions which other programs depend upon to be disabled.

If a rootkit is going to infect your system, it's going to patch the Win32 APIs for IP Activity, Unexplained Processes, CPU Time, and Registry Entries, and patch other functions as needed. This is what rootkits do via APIs on Windows, and via APIs or trojaned copies of ls, ps, and other file utilities on Linux or UNIX variants.

Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted.

I caught one because it didn't patch functions well enough and I was able to use Rootkit Revealer to figure out its existence due to that.

Quote:
Originally Posted by tw View Post
Other than appropriate software, any symptoms to detect or suspect that rootkit? For example, IP activity? Unexplained processes? Excessive CPU time? Unexplained disk activity? Disabled functions? Registry entries?

Never looked at Sysinternals Rootkit Revealer because I never saw any reason to need it.
mbpark is offline   Reply With Quote
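Added example, not code from the thread or from Rootkit Revealer, showing the cross-view idea behind the anti-rootkit scanning mbpark describes in posts #64 and #71: two views of the same fact are taken, one through the interface a rootkit patches and one it usually forgets, and any disagreement is reported. Here the Linux case from post #71 is used, where a trojaned ps or a hooked directory listing filters /proc, but the kernel still answers kill(pid, 0) for every live process. Assumes a Linux /proc; thread IDs are folded into the /proc view because kill() accepts them and they would otherwise appear as false positives.

```python
import os

def proc_view():
    """IDs visible through /proc: the view a trojaned ps or a hooked directory
    listing would filter. Thread IDs are included because kill() accepts them."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return ids

def kill_view(max_pid):
    """IDs the kernel admits to: kill(pid, 0) delivers no signal; it fails with ESRCH
    only when nothing has that id and with EPERM when it exists but is not ours."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def hidden_pids(max_pid, passes=2):
    """Cross-view check: ids alive per kill() but absent from /proc. /proc is read
    before and after the probe, and passes are intersected, so processes that merely
    started or exited during the scan drop out instead of being reported."""
    suspects = None
    for _ in range(passes):
        before = proc_view()
        alive = kill_view(max_pid)
        seen = before | proc_view()
        diff = alive - seen
        suspects = diff if suspects is None else suspects & diff
    return sorted(suspects)

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        print("ids alive but hidden from /proc:", hidden_pids(int(fh.read())))
```

As with the API-hook scanners in the thread, an empty result only means this particular pair of views agrees; a rootkit that hooks both, or lives below the OS, is exactly why mbpark boots a known-good CD instead of trusting the running system.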
Old 02-05-2009, 01:19 PM   #72
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by Shawnee123 View Post
I found the IP address with 192...
If the problem is with the wireless router (not with your computer's wireless card), then the other computer also would not lease an address. It was an attempt to isolate which component is causing problems so that the Geek Squad does not try to fix a perfectly good computer.

If after 24+ hours, you always have the 192.168.xxx.xxx address and the computer does not connect over that 24 hours, then your wireless card has connected to the router. Then the DHCP (not DNS) server is working. Move on to other suspects.

IOW the "IPCONFIG /all" does not report anything useful if the computer is working. It only reports useful facts when the computer will not connect.

And you have also manually started and executed the long anti-virus software scan?

"No problem found" does not say your wireless is working. It just says it is working at a lower level. Malware can exist at higher levels. Or other problems exist.

Proper drivers: depends on the machine. Better machines (ie Dell or HP) mean you go to their web site and check for updates. Sometimes, www.windowsupdate.com will download a corrected driver - not always.

Further information is found in Device Manager and in the System (event) logs. If you don't know where these are (and it cannot be told here because even the OS was not listed), then use Windows' Start>Help and Support - or whatever the help is called on your machine.

Well, maybe it has been connected all along. But your firewall (or anti-virus software) is blocking access to some site.

Time to better define what you mean by no connection.

Using that command prompt, enter
PING 192.168.1.1
It should ping your router and report echoed back replies.

PING cellar.org
It will also report useful facts.

From the browser (ie Internet Explorer), enter as the address:
192.168.1.1 or
192.168.2.1

That should talk to the server inside the router. What happens?

If Windows puts up a screen about no connection and has somewhere to diagnose a connection, well do that. Windows should report if the computer is not connected, why, and may even correct it. But again. What computer? What OS?

Just some ideas. None are intended to fix anything. Every one is only to report the minute detail that actually says what is wrong. First and more important - identify the problem. Fixing comes later.
tw is offline   Reply With Quote
Old 02-05-2009, 01:33 PM   #73
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark View Post
Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted.
I routinely see unsolicited probing lately of port 445 - a file download port and what is used by Microsoft Download Service. Don't recall seeing these many months ago. These unsolicited probes are now numerous - more numerous than the constant message from China that attempts to pop up and says, "Your computer is corrupted. Click on this to download a cleaner." I once would see (and block) that one maybe every 40 minutes.

Is there somewhere to look at a currently stored DNS table? Is that where a rootkit would corrupt DNS? (Had not thought about that type of corruption).

Popups are supposed to be blocked on my machine. However zedo.com does get their advertisement pop up when I access one web site. I have their IP address blocked in the firewall. However it has always bothered me that their popup gets through.
tw is offline   Reply With Quote
Old 02-05-2009, 03:28 PM   #74
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
TW,

Port 445 has been scanned for since 2000, since Windows 2000 and up use it for file sharing, instead of ports 137-139.

The Messenger service, which is the reason for many pop-ups, has been disabled by default since Windows XP Service Pack 2 in August, 2004.
mbpark is offline   Reply With Quote
Old 02-05-2009, 06:49 PM   #75
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark View Post
Port 445 has been scanned for since 2000, since Windows 2000 and up use it for file sharing, instead of ports 137-139.
Still see, every so often, attempts to access ports 139 and 135. Never saw so many port 445 requests previously and wonder if this has something to do with Conficker.

Still don't know how that web site permits c5.zedo.com to open a popup. But the popup enters on a new window using port 80.

Meanwhile, you have roused my curiosity. I must try that Rootkit Revealer.
tw is offline   Reply With Quote