Among friends, neighbors and relatives, I run into people who are not running anti-virus programs or haven't kept them up to date. In some cases they are running older systems (Win95) that can't run the latest protection software. Also, some viruses, worms, trojans and spyware can infect your system before the antidote is available, and some viruses that know about Norton will infect Norton itself and remain invisible. This article will detail a few methods built into the operating system to reveal unusual activity.
The key program is "netstat", and you run it from the command line (the DOS prompt). It shows you which sites you are connected to and which ports are in use, written as ipaddress:port. Here is a small sampling from running "netstat -an" (all connections and listening ports, with numeric addresses and ports) after I surfed to majorwager.com.
Proto  Local Address          Foreign Address        State
TCP    126.96.36.199:1259     188.8.131.52:80        ESTABLISHED
TCP    184.108.40.206:1260    220.127.116.11:80      ESTABLISHED
TCP    18.104.22.168:1267     22.214.171.124:80      ESTABLISHED
TCP    126.96.36.199:1268     188.8.131.52:80        ESTABLISHED
TCP    184.108.40.206:1269    220.127.116.11:80      ESTABLISHED
TCP    18.104.22.168:1272     22.214.171.124:80      TIME_WAIT
Proto is short for protocol. 126.96.36.199 represents my connection, and the foreign addresses are from MW and some advertisers. Port 80 is the standard web port (along with 443 for https). Other interesting ports are 25 (sending mail, SMTP), 110 (POP mail), 137-139 (Microsoft NetBIOS/file sharing) and 5190 (AIM). A line whose State says LISTENING is not a connection at all; it is a port on your machine waiting for somebody else to connect in, so look at those lines too. Netstat has several options, and I recommend netstat -h or netstat /? to view the list and experiment. On WinXP, netstat -ano adds the process ID that owns each connection, which you can match up against Task Manager. If you see "127.0.0.1", don't worry. That is the loopback address, used when a program on your machine talks to another program on the same machine.
You should run netstat as soon as you connect to the Internet, and BEFORE you start browsing. A few months ago a friend's computer was acting very slowly as soon as she dialed into AOL. Even after reinstalling a newer AOL from a CD, the problem persisted. I decided to dial into a different ISP using Dial-Up Networking (another free built-in). Netstat revealed communication to IP addresses beginning with 82.x.x.x (Russian IPs). Fortunately for my friend, the virus used an unusual port, and I was able to identify the particular virus on the symantec.com site. For some viruses, you can download (for free) a one-shot program for that single virus (or learn the names of the files to remove). This trick worked because the virus used the available Internet Protocol functions just like all your legitimate Internet programs.
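As an added example (not part of the original column), here is a small Python script that does the same triage automatically: it parses a saved "netstat -an" listing, ignores 127.0.0.1 traffic, and flags outbound connections to ports other than the common ones listed above, as well as LISTENING ports you would not expect on a stock Windows machine. The listing embedded in it is constructed for the example (the addresses and the 2222/6667 entries are made up), and both allow-lists of "normal" ports are assumptions you should adjust for your own setup.

```python
"""Triage a 'netstat -an' listing for connections that do not look like
ordinary browsing. Added example; the sample below is constructed and the
port allow-lists are assumptions, not rules from the original column."""
import re
import sys
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Assumption: ports the column calls normal for a machine that is browsing
# or reading mail (http, https, smtp, pop3, AIM). Anything else is flagged.
KNOWN_REMOTE_PORTS = {80, 443, 25, 110, 5190}

# Assumption: what a stock Windows box listens on (RPC mapper, NetBIOS, SMB).
EXPECTED_LISTENERS = {135, 137, 138, 139, 445}

# Constructed sample in the same layout netstat -an prints; 192.168.1.5 is
# "my" machine, 2222 and 6667 are the planted oddities.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1259       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:1260       203.0.113.11:443       ESTABLISHED
  TCP    192.168.1.5:1272       203.0.113.10:80        TIME_WAIT
  TCP    192.168.1.5:1301       198.51.100.23:6667     ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# UDP lines have no State column, so the fourth field is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_addr(addr):
    """'192.168.1.5:1259' -> ('192.168.1.5', 1259); '*:*' -> ('*', None).
    IPv4 only (the era of the column): the port follows the last colon."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the body of 'netstat -an' into Conn records, skipping the banner
    and column header lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lip, lport = split_addr(local)
        rip, rport = split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state or ""))
    return conns


def is_loopback(ip):
    return ip.startswith("127.")


def triage(conns):
    """Return (reason, conn) pairs for entries worth a second look."""
    findings = []
    for c in conns:
        if is_loopback(c.local_ip) or is_loopback(c.remote_ip):
            continue  # the machine talking to itself
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_ip == "*")
        if listening:
            if c.local_port not in EXPECTED_LISTENERS:
                findings.append(("unexpected listener on local port %s" % c.local_port, c))
        elif c.remote_port not in KNOWN_REMOTE_PORTS:
            findings.append(("connection to %s on unusual port %s; try: tracert %s"
                             % (c.remote_ip, c.remote_port, c.remote_ip), c))
    return findings


if __name__ == "__main__":
    # Usage: netstat -an > ns.txt, then: python triage.py ns.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for reason, c in triage(parse_netstat(text)):
        print("%-4s %s:%s -> %s:%s %s  [%s]" % (c.proto, c.local_ip, c.local_port,
                                                c.remote_ip, c.remote_port, c.state, reason))
```

Run it with no argument to see the two planted entries flagged; run it against a saved listing from your own machine (the redirect into a file works on Win9x too) to get the list of addresses worth feeding to tracert.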
http://www.sans.org/y2k/ports.htm is one of many sites that list ports commonly probed to break into your machine, or used once you've been hacked. WinXP users should turn on the free built-in firewall (Internet Connection Firewall) to block some of the probing.
BTW, how did I know the 82.x.x.x address was in Russia? Another built-in called "tracert" (trace route) will follow the Internet path from you to the destination. You can type "tracert ipaddress" or "tracert majorwager.com". Many of the routers along the path have names that contain city or country abbreviations. Those names are whatever the ISP chose to call its equipment, so treat them as a hint rather than proof.
Sometimes annoying adware slows down the machine as much as a virus. Since some of this adware installs without your knowledge, I thought I'd include it in this discussion. Though there are many programs out there you can download, there is a very useful command that was added in Win98 called "msconfig". Its Startup tab shows you the programs that run when Windows starts. Most of the ones listed are printer drivers and other good programs, but the adware is listed as well. You can widen the column with the path to see whether the directory belongs to a program you recognize. Uncheck the programs you don't like and reboot. Unchecking only stops a program from starting; it does not delete it, but still be careful you don't disable something important.
Finally, there is a good (and FREE) anti-virus program out there: AVG Free (at grisoft.com).
Next Week: A look at Teaser Odds and Hold Percentages.