Faint traffic
basel
01-29-2007, 08:37 PM
Of late I have been getting faint internet traffic, but I have pulled my hair out trying to find it. I am pretty screwed down as far as firewalls go, and I am sitting behind a business router with its own firewall. The past week or so I keep getting a start page from my provider regarding lots of open internet sessions, suggesting that I may have a Blaster-style variant and that I should run an antivirus test. Point is, I run a virus check once every morning and nothing has shown up (AVG Free). I mustered
Anyone have any ideas?
Cheers
basel
basel
01-29-2007, 08:46 PM
Sorry, I forgot to ask: are there any programs out there that can identify where the traffic is going, or what programs or nasties are sending it, etc.?
basel
Jaytee
01-30-2007, 03:03 AM
> Sorry, I forgot to ask: are there any programs out there that can identify where the traffic is going, or what programs or nasties are sending it, etc.?
> basel
Well, my suggestion... try using Norton Anti-Virus 2006. Norton is probably a more powerful program than the one you are using, but it's better to have 2 or more anti-virus programs on your computer.
basel
01-30-2007, 06:30 AM
Norton is a real system resource hogger, and I wouldn't even go near it with my granddad's, let alone mine, but thanks anyway.
basel
bigH2O
01-30-2007, 07:57 AM
> Well, my suggestion... try using Norton Anti-Virus 2006. Norton is probably a more powerful program than the one you are using, but it's better to have 2 or more anti-virus programs on your computer.
I have to strongly disagree with this analysis. I won't go into my personal dislike for Symantec *anything*, but I will say that running multiple AV scanners on one machine is asking for trouble. Any virus scanner that is worth a flip is going to use heuristic technology to discover potential, as yet undiscovered viruses. In other words, it will flag unusual activity on the system as possible viral activity. Heuristic activity by its very nature is suspicious behaviour, so one AV package's heuristic activity will be flagged as viral activity by another AV package. What this means in simple terms is that one AV software package will be flagged as a virus by another AV package, and vice versa. They will bang heads and bring your system to a crawl. Using multiple spyware packages is fine... in fact I recommend it. Anti-spyware packages are purely definition based, so you don't have the problems that you run into with multiple AV packages.
Basel, as far as your problem goes, I'm not necessarily doubting viral activity here, but I'm leaning more towards spyware, or even worse, rootkit activity. The approach needs to be systematic and methodical, so work from the angle of a virus and eliminate that, then move on.
AVG free is a decent package, but it isn't always as up to date as a subscription based package would be. What I would recommend is to download trial versions of the paid versions of the top AV packages. Load them *one at a time* and run scans on the system. After running each one, uninstall it, re-boot, and run a registry cleaner before loading the next one. The ones I would use are AVG, NOD, Kaspersky and Panda. If these return no evidence of virus, then run full scans with multiple spyware packages. Spysweeper, Spybot Search & Destroy and Ewido (now owned by AVG) full packages should uncover any potential spyware activity on the system.
If none of this gives you any satisfactory answers, you may have picked up a root kit. These are particularly nasty infections, as they take over the OS itself and as such can hide themselves easily by returning whatever results they want to return to your AV and spyware scanning packages.
If you suspect root kit activity, go to grc.com and run the ShieldsUp test. This will help you determine what ports you have open to the internet and subsequently tell you where your vulnerabilities are. Close any unnecessary ports that ShieldsUP reports as open or vulnerable. Finally, set up your firewall to log *all* internet activity so that you can harvest IP addresses that your machine is visiting. Analyze a couple of days worth of logs and isolate the addresses that your machine is hitting without your knowledge or authorization, and immediately block these addresses through your firewall.
If it is a root kit, you may have a very difficult time removing it from your system without a complete HDD format and re-install of the OS... but it's imperative that you block the suspicious internet activity until you get the time to perform backups and do the re-install. DO NOT restore any system files from your backups when re-installing your system. Do clean installs of everything. Restoring from backups can re-introduce the root kit to your system putting you right back where you were.
Good luck with this, and please let us know what you find out during the discovery phase.
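bigH2O's step of logging all internet activity and harvesting the destination addresses from a couple of days of logs, worked through as an added example (not code from this thread). It assumes the W3C-style format Windows Firewall writes to pfirewall.log; the log lines and addresses below are constructed for illustration.

```python
# Added example (not from the thread). Assumes the W3C-style pfirewall.log
# format written by Windows Firewall; the sample lines are constructed.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.0.5 keeps contacting one unfamiliar host on port 6667
# every few minutes, on both days, alongside ordinary web and DNS traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-29 08:00:01 OPEN TCP 10.0.0.5 192.0.2.10 1025 80 - - - - - - - - SEND
2007-01-29 08:00:02 OPEN TCP 10.0.0.5 198.51.100.7 1026 6667 - - - - - - - - SEND
2007-01-29 08:05:02 OPEN TCP 10.0.0.5 198.51.100.7 1027 6667 - - - - - - - - SEND
2007-01-29 09:10:45 OPEN UDP 10.0.0.5 10.0.0.1 1028 53 - - - - - - - - SEND
2007-01-30 07:30:11 OPEN TCP 10.0.0.5 198.51.100.7 1030 6667 - - - - - - - - SEND
2007-01-30 07:35:11 OPEN TCP 10.0.0.5 198.51.100.7 1031 6667 - - - - - - - - SEND
2007-01-30 11:00:00 DROP TCP 203.0.113.9 10.0.0.5 4444 135 - - - - - - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines
                yield dict(zip(fields, values))

def outbound_destinations(text):
    """Count outbound OPEN connections per (dst-ip, dst-port), skipping LAN hosts."""
    counts, days = Counter(), defaultdict(set)
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND" or rec["action"] != "OPEN":
            continue
        if any(ip_address(rec["dst-ip"]) in net for net in LAN_NETS):
            continue
        key = (rec["dst-ip"], rec["dst-port"])
        counts[key] += 1
        days[key].add(rec["date"])
    return counts, days

def suspicious(text, min_hits=3, normal_ports=("80", "443", "53")):
    """Destinations hit repeatedly, on more than one day, on a port you would not browse to."""
    counts, days = outbound_destinations(text)
    return sorted(k for k, n in counts.items()
                  if n >= min_hits and len(days[k]) > 1 and k[1] not in normal_ports)
```

The returned (address, port) pairs are the ones to look up and, as bigH2O says, block at the firewall until the machine is rebuilt.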
bufordt
01-30-2007, 08:19 AM
I would also add a program called ActivePorts to monitor what ports are open and what they are doing. It will tell you what connections are active and what they are doing. With the exception of the recommended AV programs, H2O was spot on with his advice. And I am not saying that the AV programs that he chose are wrong, just different than what I would choose. AV programs are a very touchy issue, and based as much on personal preference as on statistics, which can be made to say whatever the author wants. But I strongly agree with him about anything with the name Norton in it.
vantim
01-30-2007, 08:50 AM
Spyware, Firewalls, Antivirus. These are the good ones. BigH20 is definitely correct about Norton AV. Trust us. Jaytee may want to pick up on this as well. I'm not going to harp on Antivirus and Spyware Scanners though.
The port scanner is a good idea. If, for some reason, you don't want to play with a port scanner, you should at least use what Windows has on board. Launch a command prompt and type "netstat -a -b" without the quotes. This will give you a list of all the open ports on your system and will tell you if they are listening or established, as well as tell you what executable is using each one.
Another resource I use to secure my LAN is a program called Network Magic. Do an internet search for it. They have a free version and a pro version. The free version will give you all kinds of data about your LAN and identify all nodes. You will then be able to tell if someone has breached your firewall.
But once again. Scan Scan Scan, with your AV scanner and spyware scanner. If you haven't downloaded avg for a while, try uninstalling it and downloading a newer version of it. (I know it sounds redundant, but I've seen it catch things differently) If not try AntiVir. It's similar to AVG.
Do full scans in safe mode. And then scan again. Also, once again, take BigH2O's and bufordt's advice. Get different full price packages and try them. And personally, not only stay away from Norton, but McAfee as well. OK?
Oh yeah, one more thing. Check your firewall logs and see what's been trying to get past you.
Good luck Basel
vantim
01-30-2007, 09:07 AM
One more thing about netstat. If you use netstat -a -n it will not only give you the open ports, but it'll also tell you the PID (Process ID). Then you can fire up Task Manager, go to the Processes tab and look for the ID. If Task Manager doesn't show the PID, then go to View > Choose Columns > PID. Check it, and then find the offending app and kill it.
Thought this may help.
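The netstat-to-PID lookup vantim describes, as an added example (not code from this thread): parse the output of `netstat -ano` (the switch set that prints the PID column) and `tasklist`, and join them on PID so each established connection is listed with its owning process. Both output samples are constructed, and the process name updater.exe is a placeholder, not a known malware name.

```python
# Added example (not from the thread). Parses "netstat -ano" and "tasklist"
# output the way the thread does by hand; both samples below are constructed.
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1026          198.51.100.7:6667      ESTABLISHED     1836
  TCP    10.0.0.5:1042          192.0.2.10:80          ESTABLISHED     2210
  UDP    0.0.0.0:161            *:*                                    1104
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    924 Console                    0       4,812 K
snmp.exe                      1104 Console                    0       3,900 K
updater.exe                   1836 Console                    0       2,404 K
iexplore.exe                  2210 Console                    0      31,152 K
"""

def parse_netstat(text):
    """One dict per connection line of 'netstat -ano'; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if p and p[0] in ("TCP", "UDP"):
            rows.append({"proto": p[0], "local": p[1], "remote": p[2],
                         "state": p[3] if len(p) == 5 else "", "pid": int(p[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output; header and rule lines do not match."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def established_by_process(netstat_text, tasklist_text):
    """(process, pid, remote) for every ESTABLISHED connection: the Task Manager PID lookup."""
    names = parse_tasklist(tasklist_text)
    return [(names.get(r["pid"], "?"), r["pid"], r["remote"])
            for r in parse_netstat(netstat_text) if r["state"] == "ESTABLISHED"]
```

A process name you do not recognise holding a connection to an unfamiliar address on an odd port is the one to investigate before killing it.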
basel
01-30-2007, 10:19 AM
All the main computer dudes in one day!!!! What more can I ask? Think, think, lol.
Thanks gents, I will try all suggested and will report back with findings.
basel
basel
01-30-2007, 11:28 AM
One small breakthrough since stopping these processes:
snmp.exe
tcpsvcs.exe
Things seem to be somewhat quieter, but I will continue to investigate.
ShieldsUP reported this:
GRC Port Authority Report created on UTC: 2007-01-30 at 16:56:17
Results from scan of ports: 0-1055
0 Ports Open
71 Ports Closed
985 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
11, 12, 13, 14, 15, 16, 17, 18,
19, 20, 21, 22, 23, 24, 25, 26,
27, 28, 29, 30, 31, 32, 33, 34,
35, 36, 37, 38, 39, 40, 41, 42,
43, 44, 45, 46, 47, 48, 49, 50,
51, 52, 53, 54, 55, 56, 57, 58,
59, 60, 61, 62, 63, 64, 65, 66,
67, 68, 69, 70, 71
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED
So not all rosy.
More later.
vantim
01-30-2007, 12:11 PM
That's not bad at all.
bigH2O
01-30-2007, 12:19 PM
Set ping to be allowed on your lan, disallowed on your internet connection. That should clear up that problem. Only enable ping over the internet if you are suspecting problems with your host or DNS, and only then just long enough to ping it for connectivity.
Closed ports are not going to pass traffic, so that *shouldn't* be a problem, but your system is announcing their existence, opening up the reality that your computer exists to hackers. Ideally, you should have all ports completely hidden except for the ports you need open. Sounds like it's time to dig into your firewall(s) and play around with your settings.
bigH2O
01-30-2007, 12:24 PM
Also, snmp and tcpsvcs are required services for reliable networking. Don't disable them in an attempt to diagnose problems or you will get false results. Tcpsvcs can be disabled only if you are not using DHCP and not using any shares on the network. Snmp is a required layer for almost anything you do on a network.
basel
01-30-2007, 01:02 PM
Thanks for the prompt reply, all things noted, still working.
vantim
01-30-2007, 01:04 PM
The process called snmp.exe is used by Windows applications when communicating with network devices using SNMP (Simple Network Management Protocol). SNMP is used to perform remote administration of network hardware such as Routers and Hubs. Snmp.exe is required for your system to remain stable, you should not terminate this process.
If you're not doing any remote admin, you can lose it.
tcpsvcs.exe is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of your computer and should not be terminated.
If you have a static IP you can lose it.
This was the geek portion of the show.
bigH2O
01-30-2007, 01:06 PM
You may not be a geek in real life, but you play one well on the board. Thanks vantim ;)
vantim
01-30-2007, 01:07 PM
I'm a geek that looks like a hippie!
Jaytee
02-01-2007, 03:59 AM
Well, thanks for the suggestions... but I now really want to uninstall Norton because I'm also using AVG, but I do not know if it's a good idea or not? But really, Norton is a really laggy program, but I also heard it's a really good program to have... such confusions ahaha... Though I'm tempted to delete Norton and DL the ones you suggested.
Cheers
Jaytee
basel
02-01-2007, 06:50 AM
My advice: you should never run 2 anti-virus programs together, period.
If you are going to get rid of one, uninstall Norton; you will see a vast difference on your computer.
Jaytee
02-01-2007, 11:47 PM
OK... I'll start deleting Norton right away. Thanks guys.
Cheers
Jaytee