philman310 Posted August 15, 2007

For the past week now there has always been something constantly downloading/uploading on my computer. After a few virus scans using AVG and Spybot I removed some things but still couldn't fix the problem. I also took a look at a few HijackThis logs before and after the virus scans but I couldn't find anything that really stood out (I'm no pro but I can sometimes figure out what's going on, what should be there and what shouldn't). Just today I downloaded a "bandwidth watcher" called Netlimiter 2. It shows you what programs are using the internet to download and upload and at what speeds. I found the program constantly downloading and uploading to be services.exe. I don't believe it to be a virus or anything like that because I ran all those virus scans and the services.exe that is doing all the downloading/uploading is located in c:\windows\system32\services.exe. Can someone help me with this? Why is it dl/ul so much, what is it dl/ul, and how can I stop it?

Thank you
-Phil
TheTerrorist_75 Posted August 15, 2007

If this is XP do you have Windows Update set to automatically download the newest updates? They were just released last week for this month. There are several of them this time.
Chappy Posted August 15, 2007

First, be ABSOLUTELY CERTAIN that the only instance of "services.exe" is in your C:\WINDOWS\system32 directory. If you have one anywhere else as well, it's a bad guy and you'll need to post into our Malware Removal forum about it. A secondary services.exe or service.exe anywhere other than system32 can be any number of infections, including the MyDoom infection, so be ultra sure that you only have one of this and it's in the proper directory.

Services.exe (the real one) is the Windows Service controller and is responsible for starting and stopping Windows services as required by the system or user configuration. It does require Internet access at times but it shouldn't be constantly downloading. It's possible that what you're seeing are Broadcast packets from this and not actual TCP packets. What protocol are you seeing with this activity (TCP, UDP, ICMP, etc.), and how much of it is there? Have you done a WHOIS on the IP addy it's connecting to, to see where it's connecting?
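Added example, not part of the original thread: the two checks Chappy asks for (is every services.exe/service.exe in the expected path, and which protocols and remote addresses belong to its PID), written as Python over saved command output. The function names are hypothetical and the sample data is constructed, in the shape of `wmic process get ExecutablePath,Name,ProcessId /format:csv` and `netstat -ano` output.

```python
import csv
import io
from collections import Counter

EXPECTED = r"c:\windows\system32\services.exe"   # path named in the thread
LOOKALIKES = {"services.exe", "service.exe"}      # names called out in the post above

# Constructed sample data (documentation-range IPs, made-up PIDs).
PROCESS_CSV = """Node,ExecutablePath,Name,ProcessId
PC1,C:\\WINDOWS\\system32\\services.exe,services.exe,712
PC1,C:\\WINDOWS\\services.exe,services.exe,1880
PC1,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,904
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     712
  TCP    192.168.1.10:1046      198.51.100.23:80       SYN_SENT        712
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    0.0.0.0:1900           *:*                                    712
"""

def suspicious_processes(csv_text):
    """Return (pid, path) for each services.exe/service.exe outside the expected path."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = row.get("ExecutablePath") or ""
        if (row.get("Name") or "").lower() in LOOKALIKES and path.lower() != EXPECTED:
            hits.append((int(row["ProcessId"]), path))
    return hits

def connections_for(netstat_text, pid):
    """Count protocols and collect remote endpoints owned by one PID."""
    protocols, remotes = Counter(), set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column, so the PID is always the last field.
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP") or fields[-1] != str(pid):
            continue
        protocols[fields[0]] += 1
        if fields[2] not in ("*:*", "0.0.0.0:0"):   # skip listeners / unbound UDP
            remotes.add(fields[2])
    return dict(protocols), sorted(remotes)

if __name__ == "__main__":
    print("Outside expected path:", suspicious_processes(PROCESS_CSV))
    print("PID 712 traffic:", connections_for(NETSTAT, 712))
```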
philman310 Posted August 16, 2007

> First, be ABSOLUTELY CERTAIN that the only instance of "services.exe" is in your C:\WINDOWS\system32 directory. If you have one anywhere else as well, it's a bad guy and you'll need to post into our Malware Removal forum about it. A secondary services.exe or service.exe anywhere other than system32 can be any number of infections, including the MyDoom infection, so be ultra sure that you only have one of this and it's in the proper directory.
>
> Services.exe (the real one) is the Windows Service controller and is responsible for starting and stopping Windows services as required by the system or user configuration. It does require Internet access at times but it shouldn't be constantly downloading. It's possible that what you're seeing are Broadcast packets from this and not actual TCP packets. What protocol are you seeing with this activity (TCP, UDP, ICMP, etc.), and how much of it is there? Have you done a WHOIS on the IP addy it's connecting to, to see where it's connecting?

There is only 1 instance running. I did do a WHOIS on the IP even though I'm not sure what a WHOIS really does, but it gave me the location of the place and a website and a bunch of other info I don't really understand. It's anywhere from Korea to Russia to Colorado. But here's the problem: at any one time there's anywhere from 3-35 IPs that services.exe is connecting to. I'm not sure what you mean by TCP packets or how to tell what protocol I'm seeing. I can tell you however that within 2 hrs services.exe has received 8,000 kb and sent 20,000, and it increases anywhere from .5-3 kb each second. I know for a fact that if I leave my connection on that it will continue to dl and ul. I did that last night and I checked my connection in the morning using the computer icon in the bottom right corner of my screen and it was at 900,00 packets sent and about 950,00 received. It is never that high even when I'm dling programs or music. I'm running XP as my OS.
isteve Posted August 16, 2007

Could be your torrent program running, seeing as you mention you download music. But "Korea and Russia and downloading music": all this sounds like your computer has been powned. I am by no means an expert, but your computer could be part of a zombie network and there's a good chance your antivirus and spyware software can do nothing. First download RootkitRevealer; this may find if a rootkit has been installed. If you have been compromised the only thing that is a sure thing is a reformat and reinstall. Then check all your data for viruses, spyware and rootkits before installing.
shanenin Posted August 16, 2007

I also tend to recommend format and reinstall. It is such a clean good way of doing things. If you feel like investigating more, install an outgoing firewall. It should detect processes trying to send stuff out. You may then be able to pinpoint the offending bit of malware.
Matt Posted August 16, 2007

For assistance with malware, please read How To Post a Correct HijackThis Log in the Malware Removal Forum.
rhema7 Posted August 18, 2007

Internet Broadband

This one's simple. This is for broadband connections. I didn’t try it on dial-up but it might work for dial-up.

1. Make sure you're logged on as actually "Administrator". Do not log on with any account that just has administrator privileges.
2. Start - Run - type gpedit.msc
3. Expand the "local computer policy" branch
4. Expand the "administrative templates" branch
5. Expand the "network" branch
6. Highlight the "QoS Packet Scheduler" in the left window
7. In the right window double click the "limit reservable bandwidth" setting
8. On the setting tab check the "enabled" item
9. Where it says "Bandwidth limit %" change it to read 0

Reboot if you want to but it's not necessary; on some systems you're all done. Effect is immediate on some systems, some need a reboot. I have one machine that needs to reboot first, the others didn't. Don't know why this is.

This is more of a "counter what XP does" thing. In other words, XP seems to want to reserve 20% of the bandwidth for itself. Even with QoS disabled, even when this item is disabled. So why not use it to your advantage? To demonstrate the problem with this on stand-alone machines, start up a big download from a server with an FTP client. Try to find a server that doesn't max out your bandwidth. In this case you want a slow to medium speed server to demonstrate this. Let it run for a couple of minutes to get stable. Then start up another download from the same server with another instance of your FTP client. You will notice that the available bandwidth is now being fought over and one of the clients' downloads will be very slow, or both will slow down when they should both be using the available bandwidth. Using this "tweak" both clients will have a fair share of the bandwidth and will not fight over the bandwidth.

Found this at http://freepctech.com/pc/xp/xpindex.shtml so not sure if it works.

Preston

Edited August 18, 2007 by rhema7
TheTerrorist_75 Posted August 18, 2007

gpedit.msc only works with XP Pro.