2012-06-08

Frontier Frustrations

Frontier has a bandwidth problem in western North Carolina, where they provide DSL service. During peak hours, I no longer receive the 3Mbps bandwidth that I signed up for, and instead typically get less than 1Mbps. The problem is that Frontier (formerly Verizon) oversold the available bandwidth in the area and comes up short when many of its customers are online at once. I contacted Frontier about the situation and received a nice reply from the General Manager for NC, who assured me that they were working hard to improve their network.

Some time after this exchange, I performed a bandwidth test on my work internet connection (also 3Mbps Frontier DSL) due to what I thought was a bandwidth-related issue, and got back some surprising results. The bandwidth test said that I was getting an almost perfect 2.9Mbps connection. OK, so everything was normal, right? Not so. Loading Google News as a test took around 15 seconds. Something obviously wasn't right, but I didn't really have time to track it down.

Later the same day, I tried the same thing on my home computer, and got the same weird results -- slow internet, but normal bandwidth tests. I then decided to take a closer look at how I was testing my bandwidth. I had been using speedtest.net and speakeasy.net to measure my bandwidth, but since these reported that my internet connection was normal, it was time to try something different.

I decided to manually test my available bandwidth by downloading large files from several sources to ensure total saturation of my connection. I began by downloading various large items from Microsoft, Google, Ubuntu, and Steam, and pretty soon I noticed that my connection peaked at around 1Mbps (averaging closer to 0.75Mbps) total download speed. Here's a visualization of my bandwidth at that time (using m0n0wall to measure my network's total bandwidth use):

However, when I simultaneously ran a bandwidth test with speedtest.net, my usage shot right up to 3Mbps!

Here are my results from that speedtest.net bandwidth test:

I checked my bandwidth at speakeasy.net and got the exact same result. Crazy!
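The same comparison can be made from the PC itself instead of a router graph. The script below is an added example and not part of the original post: it samples the Windows adapter's receive counter once a second (Get-NetAdapterStatistics, Windows 8 / Server 2012 or newer) so that what a speed-test site reports can be checked against the traffic that actually arrives; the function name and the adapter name 'Ethernet' are placeholders of my choosing.

```powershell
# Added example, not from the original post: sample the adapter's cumulative receive counter once
# per second and report the download rate actually arriving at the machine, so a speed-test site's
# figure can be checked against real traffic. Needs Windows 8 / Server 2012 or newer for
# Get-NetAdapterStatistics; the adapter name 'Ethernet' is a placeholder.
function Measure-DownloadRate {
    param(
        [string]$Adapter = 'Ethernet',   # assumption: replace with your adapter's name
        [int]$Seconds = 60
    )
    $rates = @()
    $prev  = (Get-NetAdapterStatistics -Name $Adapter).ReceivedBytes
    $stamp = Get-Date
    for ($i = 0; $i -lt $Seconds; $i++) {
        Start-Sleep -Seconds 1
        $now  = (Get-NetAdapterStatistics -Name $Adapter).ReceivedBytes
        $t    = Get-Date
        # bytes received during this interval, converted to megabits per second
        $mbps = (($now - $prev) * 8) / ($t - $stamp).TotalSeconds / 1e6
        $rates += $mbps
        Write-Host ('{0:HH:mm:ss}  {1,6:N2} Mbps' -f $t, $mbps)
        $prev  = $now
        $stamp = $t
    }
    $stats = $rates | Measure-Object -Average -Maximum
    [pscustomobject]@{ MeanMbps = [math]::Round($stats.Average, 2); PeakMbps = [math]::Round($stats.Maximum, 2) }
}

# Start several large downloads from unrelated sites in another window, then run this; the mean is
# the bandwidth you really have. Run it again during a speedtest.net test and compare the two.
Measure-DownloadRate -Adapter 'Ethernet' -Seconds 60
```

If the mean during the speed test is far above the mean during the bulk downloads, the test site is being treated differently from ordinary traffic, which is exactly the discrepancy described above.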

This means that Frontier is actively attempting to hide their problem from the customer by prioritizing traffic to bandwidth test sites. I had a hard time believing that a large ISP such as Frontier would attempt such a cheap trick, but the results are pretty clear. It's not as if they could 'accidentally' handle traffic to the handful of connection testing sites differently.

For shame, Frontier, for shame. Your service has always been terrible, and now you resort to outright deception. I suppose the bottom line is that the vast majority of your customers won't know not to trust the bandwidth testing services, and your online ratings won't be blemished because you refuse to spend the money to upgrade your network.

_________________________________________________________________________________
The measurements in the graphs above were taken on 4/4/2012, and due to life being busy, haven't been posted before now. Just to illustrate how wrong the bandwidth tests can be, here is a bandwidth graph from later the same day at 9:40pm. I'm really getting about 100kbps while Speedtest.net is showing 2.8Mbps.

2012-06-05

Using Process Explorer and Autoruns to Quickly Kill Viruses

In my last post, I covered great antivirus tools that I keep on my write-protected flash drive. Here I'll outline how to quickly kill viruses using two of those tools, Process Explorer (PE) and Autoruns.

1) Run Process Explorer (PE) from the flash drive, and use it to kill off active virus processes.
I recommend turning off "Confirm Kill" in the options of PE. This will speed up your ability to kill off processes before they can be respawned. Then, proceed to kill off (by selecting and pressing the 'delete' key) all virus processes. To identify these processes, look for ones that are running from packed images (PE will highlight them purple), or ones with suspicious names. Also, check the attached DLLs (press Ctrl+D if you aren't currently viewing them) for all other processes to look for similarly purple or suspicious DLL names. If you unfortunately find a core Windows process (smss.exe, wininit.exe, services.exe, lsm.exe, lsass.exe, or winlogon.exe) that has infected DLLs attached, you can actually stop these processes without shutting down the computer. In order to terminate these processes, follow Mark Russinovich's guide for XP. The guide goes like this for Vista/7:

  1. Kill Smss.exe
  2. Suspend Wininit.exe
  3. Right-click on Services.exe and kill its process tree
  4. Kill in this order Lsm.exe, Lsass.exe and Winlogon.exe
  5. Then you can kill all other processes except Csrss.exe processes
Note that you can't terminate Csrss.exe, so if it's infected, then you are out of luck. If you terminate all suspicious processes and they don't pop back up after about a minute, then you can move on to the next step.

2) The next step can be dangerous, so make a registry backup using regedit or other tool. It should be noted that this next step can toast a Windows installation if you are not careful, and you may be forced to reinstall Windows.

3) Now that we have terminated the virus processes, launch Autoruns. If you had to take out Windows core processes in the last step, you may launch Autoruns directly from PE. Click Options->Filter Options in the menu, and ensure that 'Verify code signatures' and 'Hide Microsoft entries' are checked. Refresh Autoruns (F5). Scan the list of startup items for suspicious entries, paying attention to whether or not an entry is signed by the publisher. Uncheck all suspicious entries, but be careful with Microsoft/Windows ones. If you disable the wrong item, it may prevent the computer from loading a necessary driver or service on boot. If you aren't sure, then leave it alone.

4) Trigger a system halt by terminating csrss.exe using PE. This step will prevent viruses with hooks on system shutdown from recreating their startup entries.

5) (optional) Perform an offline virus scan. There are plenty of offline scanners that can be run from a flash drive or CD. AVG and Avira both have this capability. More on this when I post about my offline flash drive tools.

That's it! You should be able to boot the computer normally and be virus-free. Please note that this guide does not cover rootkit detection. This is a rather in-depth topic, so I'll cover that in a later post.
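The signature filtering that step 3 relies on can also be reproduced from a script, which is handy for recording what a machine looked like before and after cleanup. The script below is an added example, not the author's code and not part of Autoruns: it approximates the 'Verify code signatures' plus 'Hide Microsoft entries' view over the Run/RunOnce keys and service image paths only (Autoruns checks many more locations), assumes an elevated PowerShell session on the live machine, and the function names Resolve-ImagePath and Get-UnverifiedAutostart are my own.

```powershell
# Added example, not from the original post: a rough PowerShell stand-in for Autoruns with
# 'Verify code signatures' and 'Hide Microsoft entries' ticked. It reads the Run/RunOnce keys and
# service image paths, checks each binary's Authenticode signature, and reports only entries that
# are unsigned, badly signed, missing on disk, or signed by someone other than Microsoft.
function Resolve-ImagePath([string]$CommandLine) {
    # Extract the executable from a command line such as  "C:\p\app.exe" /x  or  C:\p\app.exe /x
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $path = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|cmd|bat))(\s|$)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    # Service paths may carry kernel-style prefixes or be relative to the Windows directory
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}
function Get-UnverifiedAutostart {
    $entries = @()
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value }
        foreach ($p in $props) {
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $entries += [pscustomobject]@{ Location = 'Services'; Name = $svc.PSChildName; Command = [string]$img } }
    }
    foreach ($e in $entries) {
        $path = Resolve-ImagePath $e.Command
        $status = 'FileNotFound'; $signer = ''
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status   # catalog-only signed Windows files may show NotSigned on older PowerShell
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # 'Hide Microsoft entries': drop anything validly signed by Microsoft, keep everything else
        if ($status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') { continue }
        [pscustomobject]@{ Location = $e.Location; Name = $e.Name; Path = $path; Status = $status; Signer = $signer }
    }
}
Get-UnverifiedAutostart | Format-Table -AutoSize -Wrap
```

As with Autoruns itself, an entry showing up here is a lead to inspect, not proof of infection; plenty of legitimate third-party software is unsigned.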

2012-06-03

Portable USB Flash Drive Live Anti-Virus Toolkit

Here's an up-to-date list of my anti-virus toolkit. Many tools have improved since my last writeup, so the usage has changed a bit.

1) Process Explorer - The most useful application on the planet for virus removal. When running procexp, make sure to view attached DLLs in the bottom pane (Ctrl + D). Then sort the listed DLLs by company name, then description. Having done this, the attached DLLs that don't have a listed provider (viruses usually won't) will appear at the top of the list for each process. Another thing to look for is packed images. Any file running a packed image will appear with purple highlighting (by default) in Process Explorer. Viruses will often use this technique to hide from heuristics-based virus scanners, but be aware that harmless installers will also be packed. Process Explorer also has the ability to rapidly kill processes by first disabling the 'Confirm Kill' option from the 'Options' dropdown, then using the arrow keys and the delete key to navigate the process tree and kill processes.

2) Autoruns - The best autostart management program available. First, cancel the initial scan using the escape key. Then go to Options->Filter Options in the menu. Check 'Verify code signatures' and 'Hide Microsoft entries' and click Ok. Autoruns will now verify the code signatures of startup entries and only display third-party and unverified entries. This greatly shortens the list you have to look through, and tells you whether or not an entry is legitimately signed. Not all valid entries will be correctly signed, but again, this will limit what you need to check.

3) Spybot S&D - A good spyware scanner. Make sure that it is up to date before you run it, and on Vista that it is run with administrator privileges (if you don't, it will get all the way to the end of the scan and *then* tell you that you needed to run it as an administrator). I haven't had much experience with it, but there is now a portable version of Spybot available from http://portableapps.com.

4) CCleaner - Removes temporary files and other (probably) unwanted data. I run this utility first to minimize the number of files that virus scanners have to look through. Download the portable version from Piriform's website: http://www.piriform.com/ccleaner/download/portable.

5) SFC - Not really an app, but a tool included with Windows (from XP onward) that you may not know about. Running 'sfc /scannow' from the command line will cause Windows to verify and replace core Windows files. The Vista version of this tool can be run 'offline' from a Vista DVD by running 'sfc /scannow /offbootdir=c:\ /offwindir=c:\windows' where 'c:\' and 'c:\windows' are your operating system's drive and directory. SFC is useful when you suspect that Windows files have been corrupted. In most cases, SFC will not run from safe mode.

6) SDFix - A script that removes viruses and repairs many Windows registry hacks. I would run this if I get a "... has been disabled by your administrator" message or if control panels or tabs are missing or disabled. This utility must be run from safe mode. Windows XP only.

7) ComboFix - A powerful all-purpose virus deleting script. This is very good at eliminating viruses that are tough to remove via conventional means. There was a widely distributed infected copy of it a few months back, so make sure you get it from a legitimate source. I run ComboFix mostly as a last resort to remove viruses as it is very powerful and there is a certain risk involved when running it. It is effective though. Windows XP only.

8) IceSword - An anti-rootkit tool. Icesword was designed to detect/remove rootkits, but I haven't had much success using it on them. Instead, I mainly use Icesword's file and registry editor features. Icesword has the ability to see and delete folders and files even if they are completely hidden from Windows. Icesword's 'Force Delete' can delete files/folders even if they are currently in use! The drawback is that IceSword only seems to run on about 3/4 of computers due to what I assume is a Windows incompatibility. There is a separate version of IceSword for Vista.

9) NoNav 2.49 - Gets rid of older NAV/SAV installs if normal uninstallers fail (this happens about 1/4 the time in my experience).

10) Rootkit Unhooker - Another anti-rootkit tool. I've had some success using this tool against rootkits. It has the ability to scan for and unhook code hooks.

11) Process Monitor - I haven't used this tool much, but it is useful if you need to see *everything* that is happening on a computer. It will monitor registry, process/thread, and file-system activity with many advanced options.

12) KillBox - A file deletion utility. I haven't used this utility recently, as IceSword is much better (if it works at all that is), but it has a good array of options for removing hard-to-remove files.

13) MalwareBytes - Another spyware scanner. I'm not entirely convinced of its usefulness, but it does have a very thorough anti-malware scan (I've seen it take 5 hours on a slow computer). Other IT people I've worked with seem to think it's great though. :) YMMV.

14) Recuva - Also available from Piriform in portable format, this tool will attempt to recover deleted files.

15) Clamwin Portable - A portable lightweight antivirus scanner.

16) Other PortableApps. I'm currently trying out a bunch more utilities from PortableApps.com, including:

CrystalDiskInfo Portable - disk health monitoring tool
CrystalDiskMark Portable - disk benchmark utility
HDHacker Portable (Freeware) - MBR and boot sector manager
Regshot Portable - registry and file comparison
WinMerge Portable - file comparison and merging
7-Zip Portable - Multilingual file archiver and compressor
Explorer++Portable - multi-tab file manager
Ant Renamer Portable - Advanced file renaming utility
IObit Uninstaller Portable (Freeware) - uninstaller and cleaner
Command Prompt Portable - Simple link to a customizable command prompt
WinMTR Portable - network diagnostic tool

All these utilities can be run directly from your flash drive. To protect your flash drive from viruses, I recommend getting a flash drive with a read-only switch. There's a good list of flash drives with this capability here.

These tools are all intended to be run in a live (possibly virus-compromised) Windows environment. I have another toolkit meant to be run in offline mode (without booting to Windows normally) that I will write about in a future post.

Let me know what you're using in your toolkits!