Need Help With Bandwidth Problem



For the past week now there has always been something constantly downloading/uploading on my computer. After a few virus scans using AVG and Spybot I removed some things but still couldn't fix the problem. I also took a look at a few HijackThis logs before and after the virus scans, but I couldn't find anything that really stood out (I'm no pro, but I can sometimes figure out what's going on, what should be there and what shouldn't). Just today I downloaded a "bandwidth watcher" called NetLimiter 2. It shows you what programs are using the internet to download and upload and at what speeds. I found the program that is constantly downloading and uploading to be services.exe. I don't believe it to be a virus or anything like that, because I ran all those virus scans and the services.exe that is doing all the downloading/uploading is located in c:\windows\system32\services.exe. Can someone help me with this? Why is it dl/ul so much, what is it dl/ul, and how can I stop it?

Thank you -Phil


First, be ABSOLUTELY CERTAIN that the only instance of "services.exe" is in your C:\WINDOWS\system32 directory. If you have one anywhere else as well, it's a bad guy and you'll need to post into our Malware Removal forum about it. A secondary services.exe or service.exe anywhere other than system32 can be any number of infections, including the MyDoom infection, so be ultra sure that you only have one of these and it's in the proper directory.

Services.exe (the real one) is the Windows Service controller and is responsible for starting and stopping Windows services as required by the system or user configuration. It does require Internet access at times but it shouldn't be constantly downloading. It's possible that what you're seeing are Broadcast packets from this and not actual TCP packets. What protocol are you seeing with this activity (TCP, UDP, ICMP, etc.), and how much of it is there? Have you done a WHOIS on the IP addy it's connecting to, to see where it's connecting?

There is only 1 instance running. I did do a WHOIS on the IP, even though I'm not sure what a WHOIS really does, but it gave me the location of the place and a website and a bunch of other info I don't really understand. It's anywhere from Korea to Russia to Colorado. But here's the problem: at any one time there are anywhere from 3-35 IPs that services.exe is connecting to. I'm not sure what you mean by TCP packets or how to tell what protocol I'm seeing. I can tell you, however, that within 2 hrs services.exe has received 8,000 kb and sent 20,000, and they increase anywhere from .5-3 kb each second. I know for a fact that if I leave my connection on, it will continue to dl and ul. I did that last night and I checked my connection in the morning using the computer icon in the bottom right corner of my screen, and it was at 900,00 packets sent and about 950,00 received. It is never that high, even when I'm dling programs or music. I'm running XP as my OS.


Could be your torrent program running, seeing you mention you download music.

But "Korea and Russia and downloading music". All this sounds like your computer has been pwned. I am by no means an expert, but your computer could be part of a zombie network, and there's a good chance your antivirus and spyware software can do nothing. First download RootkitRevealer; this may find out if a rootkit has been installed.

If you have been compromised, the only thing that is a sure thing is a reformat and reinstall. Then check all your data for viruses, spyware and rootkits before installing.


I also tend to recommend format and reinstall. It is such a clean, good way of doing things. If you feel like investigating more, install an outgoing firewall. It should detect processes trying to send stuff out. You may then be able to pinpoint the offending bit of malware.

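The questions raised in the replies above (which protocol, how many remote addresses, and which process is doing the sending) can be answered from the output of `netstat -ano`, which lists each socket with its owning PID. The following is an added example and not part of any post in this thread; the sample output is constructed and uses documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED     712
  TCP    192.168.1.10:1046      198.51.100.23:25       ESTABLISHED     712
  TCP    192.168.1.10:1047      198.51.100.99:25       SYN_SENT        712
  TCP    192.168.1.10:1050      192.168.1.1:80         ESTABLISHED     1432
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Address ranges treated as local: unspecified, loopback, link-local, RFC 1918.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(netstat_text):
    """Return {pid: {"TCP": n, "UDP": n, "remote": set of non-local peer IPs}}."""
    stats = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows start with the protocol and end with a numeric PID.
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, foreign, pid = fields[0], fields[2], fields[-1]
        if not pid.isdigit():
            continue
        entry = stats.setdefault(pid, {"TCP": 0, "UDP": 0, "remote": set()})
        entry[proto] += 1
        host = foreign.rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # UDP sockets show "*:*" because they have no peer
        if not any(ip in net for net in LOCAL_NETS):
            entry["remote"].add(str(ip))
    return stats

def external_talkers(netstat_text, min_peers):
    """PIDs with at least min_peers distinct non-local peers, busiest first."""
    stats = summarize(netstat_text)
    hits = [p for p, s in stats.items() if len(s["remote"]) >= min_peers]
    return sorted(hits, key=lambda p: -len(stats[p]["remote"]))
```

The PIDs it reports can be matched to a process name and file path using the PID column in Task Manager, which ties back to the check that the only services.exe is the one in system32.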

Internet Broadband

This one's simple:

This is for broadband connections. I didn't try it on dial-up, but it might work for dial-up.

1. Make sure you're logged on as actually "Administrator". Do not log on with any account that just has administrator privileges.

2. start - run - type gpedit.msc

3. expand the "local computer policy" branch

4. expand the "administrative templates" branch

5. expand the "network" branch

6. Highlight the "QoS Packet Scheduler" in left window

7. in right window double click the "limit reservable bandwidth" setting

8. on setting tab check the "enabled" item

9. where it says "Bandwidth limit %" change it to read 0

Reboot if you want to, but it's not necessary on some systems. You're all done. The effect is immediate on some systems; some need a reboot. I have one machine that needs to reboot first, the others didn't. Don't know why this is.

This is more of a "counter what XP does" thing. In other words, XP seems to want to reserve 20% of the bandwidth for itself. Even with QoS disabled, even when this item is disabled. So why not use it to your advantage? To demonstrate the problem with this on stand-alone machines, start up a big download from a server with an FTP client. Try to find a server that doesn't max out your bandwidth. In this case you want a slow to medium speed server to demonstrate this. Let it run for a couple of minutes to get stable. Then start up another download from the same server with another instance of your FTP client. You will notice that the available bandwidth is now being fought over, and one of the clients' downloads will be very slow or both will slow down when they should both be using the available bandwidth. Using this "tweak", both clients will have a fair share of the bandwidth and will not fight over the bandwidth.

Found this at

http://freepctech.com/pc/xp/xpindex.shtml

so not sure if it works.

Preston

Edited by rhema7
