This is the continuation of a previous topic "PC Is Using The Internet Beind My Back".
Rootkit has been successfully removed, however I still observe that my modem (ZyXel Prestiqe Series 600) shows activity even several hours after my PC is switched off ("ACT" led blinking at intervals of a few seconds, continually the whole day and night). How is it possible?
Any explanation (and subsequently help) is warmly welcome.
Full Version: Pc Is Using The Internet Beind My Back?
I'm assuming that it is a DSL modem?? which should work very similar to my cable modem and Ethernet router. as long as either is connected to the internet the connection lights will blink.
I was told that this is due to the always on connection and the router/modem sending and receiving little packets of data.
I was told that this is due to the always on connection and the router/modem sending and receiving little packets of data.
Either the rootkit wasn't fully removed, or it was removed, but installed some other program or such to continue, just in case it, itself (rootkit) was discovered.
No# 1. I would uninstall my modem drivers and then do a registry clean. Then reboot.
No# 2. I would do another rootkit scan after no# 1 was completed.
No# 3. I would disconnect my phone wire from my computer when I'm not using the Internet.
No# 4. I would use a firewall, and block the transmission.
No# 5. I would use PeerGuardian 2. I'm almost certain where the modem tries to connect to is probably on a banned ip list. My list right now has over 2.9 billion ip's that it blocks. That means.. anything from those ip's can't reach my computer, and anything on my computer can't reach those ip addresses. It gets no better than that.
No# 6. I would run a few different rootkit programs. Not just one. As many FREE ones I can find.
In case you haven't known it, but there had been a discovery some years back when people have noticed that Micr0$0ft had been connecting to peoples' computer, using a back-door method while they weren't using it. That method is still available and usable, but with the right protection, you can stop it in it's tracks. Your 1st order of priority is to disconnect your phone wire from the computer when you're not using the Internet.
Your other method of troubleshooting this is to use a tool that monitors all processes. Use more than one of them at the same time. I do when I need to see something.......... and believe it or not, one may show a certain amount of processes running at that time, but another one may show a different amount of processes running at that time. That may be your break if you see such.
But you need a tool that can monitor your ip connections going out. Trust me on this... I've used PeerGuardian for about 2 years now, and it's a GOD send program. I don't surf without it. And once you figure out the ip address your modem is connecting to, you can put that ip on a blocked list within that program, and no matter what, that connection will never reach it's destination.
And lastly...... any time your modem works while your computer is turned off..... something is transmitting information back and forth through your phone line.
It's a temporary fix, but pull the plug. There's no telling what, if any, damage is being done to your computer. The more it does what it does, the more it will embed code into your computer, and you'll simply have to reformat it then....... Don't let it get that far.
[Added info]
After reading post no# 2, something dawned on me. PeerGuardian has a blocked list of local ip addresses that are common to every computer user. My isp tries to send packets to my computer, and my computer tries to send packets back.... but my PeerGuardian blocks them..... yet, at the same time, I can surf.
Look at this IANA PRIVATE List:
IANA - Private Use [RFC1918]:10.0.0.0-10.255.255.255
IANA - Internet Host Loopback [RFC3330]:127.0.0.0-127.0.0.0
IANA - Internet Host Loopback [RFC3330]:127.0.0.2-127.255.255.255
IANA - Link Local Block [RFC3330]:169.254.0.0-169.254.255.255
IANA - Private Use [RFC1918]:172.16.0.0-172.31.255.255
IANA - TEST-NET [RFC3330]:192.0.2.0-192.0.2.255
IANA - Benchmark Tests of Network Interconnect Devices [RFC2544]:198.18.0.0-198.19.255.255
You can block them too. These are all common ip addresses to every computer user, especially those that connect to the Internet. Any malicious program can try to connect to the Internet using any of those ip addresses above. Make no mistake about it.
Read this thread:
Peerguardian 2 Users - Please Read
If You're Not A PeerGuardian 2 User - Please Read
http://www.bleepingcomputer.com/forums/ind...hl=PeerGuardian
The above is something every computer user should be made aware of. There are ways for programs to use your Internet connection to do whatever. And I don't believe in packets and pings when I'm not connected to the Internet. It's a form of monitoring your connection and inventorying what's on your computer too. You can send packets, and ping all you want while I'm on the Internet.... but when I'm not?.... and you're still doing it, that throws up my red flag instantly.
No# 1. I would uninstall my modem drivers and then do a registry clean. Then reboot.
No# 2. I would do another rootkit scan after no# 1 was completed.
No# 3. I would disconnect my phone wire from my computer when I'm not using the Internet.
No# 4. I would use a firewall, and block the transmission.
No# 5. I would use PeerGuardian 2. I'm almost certain where the modem tries to connect to is probably on a banned ip list. My list right now has over 2.9 billion ip's that it blocks. That means.. anything from those ip's can't reach my computer, and anything on my computer can't reach those ip addresses. It gets no better than that.
No# 6. I would run a few different rootkit programs. Not just one. As many FREE ones I can find.
In case you haven't known it, but there had been a discovery some years back when people have noticed that Micr0$0ft had been connecting to peoples' computer, using a back-door method while they weren't using it. That method is still available and usable, but with the right protection, you can stop it in it's tracks. Your 1st order of priority is to disconnect your phone wire from the computer when you're not using the Internet.
Your other method of troubleshooting this is to use a tool that monitors all processes. Use more than one of them at the same time. I do when I need to see something.......... and believe it or not, one may show a certain amount of processes running at that time, but another one may show a different amount of processes running at that time. That may be your break if you see such.
But you need a tool that can monitor your ip connections going out. Trust me on this... I've used PeerGuardian for about 2 years now, and it's a GOD send program. I don't surf without it. And once you figure out the ip address your modem is connecting to, you can put that ip on a blocked list within that program, and no matter what, that connection will never reach it's destination.
And lastly...... any time your modem works while your computer is turned off..... something is transmitting information back and forth through your phone line.
It's a temporary fix, but pull the plug. There's no telling what, if any, damage is being done to your computer. The more it does what it does, the more it will embed code into your computer, and you'll simply have to reformat it then....... Don't let it get that far.
[Added info]
After reading post no# 2, something dawned on me. PeerGuardian has a blocked list of local ip addresses that are common to every computer user. My isp tries to send packets to my computer, and my computer tries to send packets back.... but my PeerGuardian blocks them..... yet, at the same time, I can surf.
Look at this IANA PRIVATE List:
IANA - Private Use [RFC1918]:10.0.0.0-10.255.255.255
IANA - Internet Host Loopback [RFC3330]:127.0.0.0-127.0.0.0
IANA - Internet Host Loopback [RFC3330]:127.0.0.2-127.255.255.255
IANA - Link Local Block [RFC3330]:169.254.0.0-169.254.255.255
IANA - Private Use [RFC1918]:172.16.0.0-172.31.255.255
IANA - TEST-NET [RFC3330]:192.0.2.0-192.0.2.255
IANA - Benchmark Tests of Network Interconnect Devices [RFC2544]:198.18.0.0-198.19.255.255
You can block them too. These are all common ip addresses to every computer user, especially those that connect to the Internet. Any malicious program can try to connect to the Internet using any of those ip addresses above. Make no mistake about it.
Read this thread:
Peerguardian 2 Users - Please Read
If You're Not A PeerGuardian 2 User - Please Read
http://www.bleepingcomputer.com/forums/ind...hl=PeerGuardian
The above is something every computer user should be made aware of. There are ways for programs to use your Internet connection to do whatever. And I don't believe in packets and pings when I'm not connected to the Internet. It's a form of monitoring your connection and inventorying what's on your computer too. You can send packets, and ping all you want while I'm on the Internet.... but when I'm not?.... and you're still doing it, that throws up my red flag instantly.
Walkman,
Many thanks for your very precious post.
Could you kindly help me with your No#1 and #6? I am not particularly good at eliminating viruses.
No# 1. I would uninstall my modem drivers and then do a registry clean
Registry clean, does it mean that I should use a specific program?
No# 2. I would do another rootkit scan after no# 1 was completed.
Ok.
No# 3. I would disconnect my phone wire from my computer when I'm not using the Internet.
Ok, easy.
No# 4. I would use a firewall, and block the transmission.
I use ZoneAlarm.
No# 5. I would use PeerGuardian 2. I'm almost certain where the modem tries to connect to is probably on a banned ip list. My list right now has over 2.9 billion ip's that it blocks. That means.. anything from those ip's can't reach my computer, and anything on my computer can't reach those ip addresses. It gets no better than that.
Ok. I will install it.
No# 6. I would run a few different rootkit programs. Not just one. As many FREE ones I can find.
Could you recommend Internet addresses of good rootkit scanners?
My sincere thanks in advance.
Many thanks for your very precious post.
Could you kindly help me with your No#1 and #6? I am not particularly good at eliminating viruses.
No# 1. I would uninstall my modem drivers and then do a registry clean
Registry clean, does it mean that I should use a specific program?
No# 2. I would do another rootkit scan after no# 1 was completed.
Ok.
No# 3. I would disconnect my phone wire from my computer when I'm not using the Internet.
Ok, easy.
No# 4. I would use a firewall, and block the transmission.
I use ZoneAlarm.
No# 5. I would use PeerGuardian 2. I'm almost certain where the modem tries to connect to is probably on a banned ip list. My list right now has over 2.9 billion ip's that it blocks. That means.. anything from those ip's can't reach my computer, and anything on my computer can't reach those ip addresses. It gets no better than that.
Ok. I will install it.
No# 6. I would run a few different rootkit programs. Not just one. As many FREE ones I can find.
Could you recommend Internet addresses of good rootkit scanners?
My sincere thanks in advance.
For no# 1. Use these programs:
CAUTION: BACK UP YOUR REGISTRY BEFORE USING PROGRAMS LIKE THOSE 2 BELOW.
I put that there just so you'll know, because I've heard that cleaning the registry with registry programs can be damaging to your computer. Of all the years I've dealt with computers, I've never, not once in my life had any problems at all using any registry cleaners. But others may have different opinions. Oh well!... I guess I'm the luckiest person in the world, or I simply know alot about computers.
Eusing Registry Cleaner
http://www.eusing.com/free_registry_cleane...try_cleaner.htm
Eusing registry cleaner is a fast and FREE, and most importantly, very good at cleaning out bad registry entries. Even if you use other registry cleaners, you should definitely add this one to your list.
Replendent Registrar Advanved Registry Manager
http://www.resplendence.com/registrar
Replendent Registrar is yet, another very good registry cleaner and manager. The latest version checks for hidden registry entries and can be used as a CLSID lookup utility. This has many advanced features, which makes it needed even more. Although this is not actually a FULL FREE product, I'm listing it because the lite version is FREE, but some features are disabled. But for the average joe, this will be a very useful tool.
The 1st one above is the most basic one you should start with. Before cleaning your registry, just to be safe, use the function that says Backup Full Registry. you'll find it when you click on the File menu. After you do the backup, Select the Scan registry issue, and it will scan for all bad registry entries. After it does that, click on the Repair registry issue. After doing the above, you will need to reboot.
Just watch how many invalid/bad registry entries it will find. The 1st time I used it, it found over 1,400 bad entries, even though I had used other registry cleaners. The 1st one will find bad entries that other registry cleaners just don't find. And, as always, if anything goes wrong, you can click on the Restore previous registry, and your registry will be back to where it was before you used it.
For no# 6. I have Rootkit Revealer, and I have another one... (can't remember the name.. I think it's called F-Secure) but it's on another one of my computers. But the Rootkit Revealer can be found here:
RootkitRevealer v1.71
http://www.microsoft.com/technet/sysintern...itRevealer.mspx
And also, to answer you as to no#6, I would always do my best to test anything without having to be on the Internet to do such. I don't use any scanners, or other computer analyzing that has to be specifically done online. I always look for something that I can download and use. Suppose I am having Internet connection problems, to add to my other problems? What good would a web site scanning do for me?.. nothing? Besides... web site scanning programs are programs that are installed on their servers, which means it's a program that I can download and install myself. Worse comes to worst, I'll use one. But for the searching and research that I'm good for doing, I see no reason to have to go to a web site just to have it scanning my computer. And no... I don't know what they may be embedding on my computer either, so I don't trust online scanners at all. Again, I may use one,, (if that ever happens), but I don't trust them.
And finally, if you're gonna use an online scanner, make sure you use a program that monitors your installations of programs, because most online scanners have to download files/programs to your computer before it can scan it. At least with a monitoring program, when the scanning is done, I can simply uninstall it and at the same time, wipe it out of my registry.
All of this is from my personal experience, using common sense, trial & error, process of elimination, and the right tools.
CAUTION: BACK UP YOUR REGISTRY BEFORE USING PROGRAMS LIKE THOSE 2 BELOW.
I put that there just so you'll know, because I've heard that cleaning the registry with registry programs can be damaging to your computer. Of all the years I've dealt with computers, I've never, not once in my life had any problems at all using any registry cleaners. But others may have different opinions. Oh well!... I guess I'm the luckiest person in the world, or I simply know alot about computers.
Eusing Registry Cleaner
http://www.eusing.com/free_registry_cleane...try_cleaner.htm
Eusing registry cleaner is a fast and FREE, and most importantly, very good at cleaning out bad registry entries. Even if you use other registry cleaners, you should definitely add this one to your list.
Replendent Registrar Advanved Registry Manager
http://www.resplendence.com/registrar
Replendent Registrar is yet, another very good registry cleaner and manager. The latest version checks for hidden registry entries and can be used as a CLSID lookup utility. This has many advanced features, which makes it needed even more. Although this is not actually a FULL FREE product, I'm listing it because the lite version is FREE, but some features are disabled. But for the average joe, this will be a very useful tool.
The 1st one above is the most basic one you should start with. Before cleaning your registry, just to be safe, use the function that says Backup Full Registry. you'll find it when you click on the File menu. After you do the backup, Select the Scan registry issue, and it will scan for all bad registry entries. After it does that, click on the Repair registry issue. After doing the above, you will need to reboot.
Just watch how many invalid/bad registry entries it will find. The 1st time I used it, it found over 1,400 bad entries, even though I had used other registry cleaners. The 1st one will find bad entries that other registry cleaners just don't find. And, as always, if anything goes wrong, you can click on the Restore previous registry, and your registry will be back to where it was before you used it.
For no# 6. I have Rootkit Revealer, and I have another one... (can't remember the name.. I think it's called F-Secure) but it's on another one of my computers. But the Rootkit Revealer can be found here:
RootkitRevealer v1.71
http://www.microsoft.com/technet/sysintern...itRevealer.mspx
And also, to answer you as to no#6, I would always do my best to test anything without having to be on the Internet to do such. I don't use any scanners, or other computer analyzing that has to be specifically done online. I always look for something that I can download and use. Suppose I am having Internet connection problems, to add to my other problems? What good would a web site scanning do for me?.. nothing? Besides... web site scanning programs are programs that are installed on their servers, which means it's a program that I can download and install myself. Worse comes to worst, I'll use one. But for the searching and research that I'm good for doing, I see no reason to have to go to a web site just to have it scanning my computer. And no... I don't know what they may be embedding on my computer either, so I don't trust online scanners at all. Again, I may use one,, (if that ever happens), but I don't trust them.
And finally, if you're gonna use an online scanner, make sure you use a program that monitors your installations of programs, because most online scanners have to download files/programs to your computer before it can scan it. At least with a monitoring program, when the scanning is done, I can simply uninstall it and at the same time, wipe it out of my registry.
All of this is from my personal experience, using common sense, trial & error, process of elimination, and the right tools.
Also, just to muddy the waters a bit, there are programs on your system that will access the internet for legitimate reasons. For example, Windows Update will want to check itself. Windows Time will go out to get the correct time for you. Other programs will autoupdate or periodically update over the web.
QUOTE(usasma @ Feb 12 2007, 07:03 PM) 
Also, just to muddy the waters a bit, there are programs on your system that will access the internet for legitimate reasons. For example, Windows Update will want to check itself. Windows Time will go out to get the correct time for you. Other programs will autoupdate or periodically update over the web.
Very true.
Frankly, there is no proper way to completely protect yourself, while keeping legitimate connections. You have to strike a balance between the two. Maybe my firewall is obtrusive sometimes, but that way I know its getting the job done. . .
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.