Help me, please.

bjuarbe

So yea, all the sudden when i browse web pages some pictures dont show up, or the page times out, or is REALLI slow, I use DSL/Wireless Router all in one.... HELP!!! I reset the router to make sure it was nothing in there, made sure my pc has no spyware, made sure updates are in, ran winsock etc.etc. I even called Verizon DSL tech support and they basically said its on there end, that i should contact my virus protection software. I use AVG free editon and never had a problem prior. For some reason this problem is realli killing me I have no idea what to do or remedy.
HELP MEEEEEEEEEE

janmike

If you're running Windows, have you looked at tabs in Task Manager. See how much CPU usage you have. If a lot, then there's something in your PC. Also look at processes tab to see if you have something running in the background that you can do an "End Process" on. And, of course, see if you have any unwanted Apps running and "End Task" it.

Well, that's where I would start, but maybe you already did all that.

If you have had any pop-ups in the past that you got stopped, you might run a search in regedit for names related to those pop-ups and delete them. I've had to do that.

Good luck!

RussS

First up - don't trust ANY AV or Spyware product 100% - there is always something new out there that most will miss. I suggest that you run a range of scans before you do anything else.

http://housecall.trendmicro.com/

http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

That should take care of most nasties. After you are finished report back and let us know if it is better.

keatron

Also I would suggest using the microsoft antispyware program in conjunction with the others RussS posted. Several times it's found stuff that adaware and spybot both missed.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

JDMurray

I've heard that the M$ spyware tool identifies a lot of trivial files as "possible" spyware, and also throws a lot of false positives too. I believe that it is only beta software, and they still have a bug to work out.

I use AdAware (free), SpyCop (pay), and SpyBot Search & Destroy (free). Those three along with several different virus scanners keep my network hosts free from malware.

RussS

The MS tool might be called a beta by MS, but it is basically the Giant tool that I have used for a while now. I consider it to be one of the better ones, but I wish it could be used on 9x systems too.

JDMurray

Well, I guess it's a "beta" to Microsoft, but it is actually a finished product that M$ purchased from another company. I've been looking for the story on the tool, but all I've seen so far is speculation.

Have you tried infecting a test machine with spyware and testing how well the M$ tool detects and repairs the machine? I've seen very large collections of Trojans and virii, but not of spyware. Somebody must have a distribution somewhere.

keatron

Well actually I haven't noticed false positve problems. It typically automatically blocks only the stuff that's known to be malicious. If it's a known good product (for example installation of norton, adobe, etc etc) it just notifies you that the change was allowed and tells you where the change took place. If it's unidentifiable, it'll ask if you want to allow the installation. It's no more pain than certificate questions you have to answer when viewing certain websites, or the new blocking features in XP SP2. I've found that for the typical end user, it's a lot more user friendly and understandable than spybot, or adaware.

Also, once you allow a program or file to be installed, it gives you the option to allow it to "remember" that action so it will always treat it the same way.

JDMurray

Adaware has a very nice user interface, but it has a lot of options, so it can look confusing. However, they really did a good with the layout and flow of their GUI. The SpyBot S&D GUI is just just plain amateurish. The engine may be great, but the interface is ugly and confusing. SpyCop's GUI is in between the two, and has fewer options to change making it easier to use. I like M$' spyware scanner GUI; you can tell that M$ didn't design it .

The only questionable thing I've run across so far is that I did have to tell M$' scanner that VNC wasn't a Trojan, but it didn't identify pcAnywhere in the same way. I've not seen any features in the scanner that are not in any other other spy/ad/malware scanners, so the real usefulness will be the accuracy of the signature/definition file. I have no idea what company maintains the definitions for them.

fondue

Just a thought.
Verify that your hosts file isn't messed up. Some of the adware/spyware and anti spyware programs add questionable and sometimes valid sites to your hosts file and set the IP to 127.0.0.1. You may even find a few valid sites being redirected to bogus ones

Example
127.0.0.1 localhost
127.0.0.1 www.myfavoritesite.com

The localhost entry should be there the other is redirecting you to localhost instead of taking you to your favorite site.

JDMurray

Spware scanners already check the hosts file for redirections.

keatron

You're right JD, and Adaware is my favorite of all the ones out there currently. But you hit it right on the head, all of the options tend to scare the crap out of a lot of end users...

RussS

JD - the problem I have with Adaware is that they have been pressured to drop their ability to identify certain 'spyware'. The company in question has Adaware in court and I think at the moment it is a 'discretion is a better course of valor' type approach. Unfortunately my clients can not have that trash on their systems so I need to advise them of other tools to do the job.
The VNC thing is a carryover from Giant I think. However rightly or wrongly in the corporate world VNC is seen as a dangerous tool that is not secure. Personally I use it if necessary, but prefer other options.

I must also say that Pest Patrol is becoming a favourite as a second opinion tool. I love their corporate edition and the ability to scan users machines over the network and then read the logs and decide what course of action to take. However I have had occasions when I cursed it as I was not able to get the $share to be recognised. I guess a bit more experience and I might have it sorted

keatron

Yeah concerning VNC, I know that a lot of hackers use VNC to carry out several exploits using tools such as Metasploit etc. Maybe that's got something to do with it. I think we spent an entire 2 days and 2 capture the flag exercises on VNC exploits in the last ethical hacking seminar attended.

JDMurray

VNC is just a remote access tool. There are many remote access tools available. There is nothing special about any of the implementations of VNC. In fact, it gets criticism because it lacks features commonly found in commercial remote access apps, like pcAnywhere.

You should be fearing NetBus and GotoMyPc far more than VNC. They are far more dangerous because of their stealth and ease of use.

As for the Adaware concern, I always tell people that you need to use multiple virus and spyware scanners because there is no single product that will catch everything.

Also, all you guys should check out the information in the security forum at broadbandreports.com: http://www.dslreports.com/forum/security,1?r=360

keatron

True, I guess they all have their downsides. I do know with VNC installations we experimented with the fact that more than one remote session can be going on at one time, whereas with applications such as Gotomypc don't allow this by default. For example me and my partner in the class were able to hi-jack our another students VNC session and seeing everything he saw on the exploited workstation without him ever knowing (until we told him). With go to my pc if a session is in progress, any new sessions are denied. Not exactly sure about PC Anywhere, because I stopped using it around Version 7.0. I do have some clients, about 4 small businesses (about 20 employees each) who insist on using gotomypc because it's "so cool". I've warned them and shown them several possible compromise scenarios, but you know the story, coolness and ease of use typically out rank security, especially with small and uninformed businesses.

By the way, the dslreports link looks pretty good. I'll check out in detail later tonight.

JDMurray

RealVNC (www.realvnc.com) has a setting that en/disables multiple sessions. Multiple active sessions will degrade the performance of both the clients and the host.

GoToMyPc is just plain sneaky because it uses port 80 rather than its own defined ports, like VNC (5800 and 5900). Their advertisements openly solicited people to install it as a back door at their place of business so they can (insecurely) access their work PC from home. Anyone doing that without authorization could be fired ("but in the commercial they said I could do it!!" ).

If you are scared by VNC, then you need to download and play with a copy of NetBus. It is probably the most fun piece of non-game software I've ever used. Hours of nefarious, surreptitious, torture-your-fellow-cubical-dwellers enjoyment! ("Why does my CD tray keep opening by itself??" )

keatron

I downloaded NB, and when putting the server part (needed on the machine being controlled) it set off every bell and whistle even remotely related to security on that computer. (Of course this is my home/personal test network ). So it seems that antivirus and spyware programs are as sensitive to it as they are VNC, or maybe even more so. However, it will be a good tool to add to my "You really need to secure your network" package that I've put together for some of my new clients. Thanks JD!!!

I just came back from a 2 week Sarbarnes Oxley and HIPAA training class. The clients of mine who are accounting firms, insurance firms, and medical firms are in for a rude awakening.

JDMurray

NetBus has been around for a long time, and all the scanners are aware of it. I always make sure to do a netstat -a on any Windows machine that I am using to see if NetBus is active and has opened ports 12345 and 12346.

SOX and HIPAA in the same class? They are two very different sets of regulations/guidelines for two very different industries. IT people mostly worry about HIPAA, while software developers need to worry more about SOX. HIPAA has no real enforcement or penalties. ISO9000 has more teeth!!

RussS

So true JD - I checked out NetBus and BackOrrifice about 5 years ago ansd was shocked at how easy it was to infect someone and check their usage. Dang you are one sneaky fella

hehehehe - keatron. If you think your clients are in for a shock, some of mine are going to crap their pants when they get hit with some regulations.
I was at a site last week disinfecting their network - the 'server' was an XP machine with C drive shared completely with no restrictions. The network is a workgroup and their internet access is ADSL with no - I repeat NO firewall at all. To make matters worse the XP firewall was turned off on all machines The server had a rather nice rootkit installed when I first viewed it and most of the other machines had trojans one them

keatron

Yes JD they are very different domains of "worry". This was put on by CNA (one of the top 5 insurance companies in the world). For the most part it was all pretty general stuff. There were basically several different tracks, one for IT, one for business owners/executives etc etc etc. Most of the lectures were geared towards awareness and things like where to find the resources you might need.

RussS, the sad thing is that what you are describing is typically the case with small businesses. They usually don't have a qualified IT person, so they take their most "computer literate" employee and designate them as being in charge of the computers. I've seen mirror setups like you described enough to make me scream. I know we've all been to a site where no one is "on the internet" and the little dsl modem activity lights are going nuts with activity across the web. I had a client to tell me that his son told him that " the need for firewalls was over-rated, similar to the Y2K thing" Some people are hopeless until they get popped.