Something is stealing my bandwidth

[AndreLi]

Every time I downlaod form a one of my accout from a filehosting site like rapidshare netload.net or hotfile my download speed gets slower and slower then to regain by bandwith back I have to toogle on and off the windows firewall and I temporaroly get my band with back then after a variable amount of time the bandwidth slowly goes to somthing elase and after I close all my programs both that make an internet connection and the ones that don't the bandwith still get consomed by somthing and I don't know what.

I do a netstat after all programs are closed and it too confusing to point out what port I need to block.

 

[JackMDS]

These sites do not give you fast download of illegal software unless you pay them the premium price.

 

[Pantlegz]

even sites like fileshack will limit your l unless you pay. upload speed and amount are gold to isp's. the downloads will start at regular speed but after a few seconds it will drop to >100k

 

[AndreLi]

I said I have an account on those site of my account meaning (I payed for them) I'm not talking about my download speed I'm saying when I download form those site my speed slowly gets taken from me and at one point I'm downloading 300K then about 5-10 min later it gets down to 15 -30 K. all because my bandwith is being used for something elase that I as the user did not start.

 

[kevnich2]

Load up a free program on your computer that tracks your bandwidth and while not downloading anything, see what it says. I doubt there's anything on your computer that's "stealing" your bandwidth.

 

[AndreLi]

I've done that now I have two meters that show my bandwidth being used - one that tracks my download speed from my download manager and another that tracks my over all speed from my pc. When my download manager says its done downloading my file the meter shows nothing and My Over all bitmeter is sill showing bandwidth being used. Thats my problem

O'yea I forgot to add this - I've had the broadband Co down to my house about 5-6 times to track my bandwidth and they saw notheing wrong with it and thats when I downloaded that software that track my overall bandwith to and from my pc and discovered that problem.

 

[JackMDS]

This would show you what does what.

http://technet.microsoft.com/e...nternals/bb897437.aspx

 

[Modelworks]

If what JackMDS suggested doesn't solve the problem, then download Hijack this and see what is running , disable everything but the basics until you find the culprit.
http://download.cnet.com/Trend...353.html?tag=mncol;lst

I run hijack this at least once a week just to keep an eye on things.
Also consider getting a firewall that blocks all outgoing connections except for what you allow, unlike the windows one, which will allow most programs.

 

[Fardringle]

Does the same thing happen when you download from a legitimate (non-warez) site like Microsoft.com?

 

[AndreLi]

I've done a hijack and posted it up at the spaywary site and got no answer I trying to learn how to read those but its hard to find something to help me read it.

Begin---Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:13 AM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\ClipMate7\ClipMate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows7\Analog Clock\AnalogClock.exe
C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\Marvell\61xx\tray\zRaidTray.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\WinRar\WinRAR.exe
C:\Program Files\Windows7\UltraExplorer\UltraExplorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Moleskinsoft File Sync 1.8\FileSync.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java? Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [FlashGet] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [Hard Disk Sentinel] "C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ClipMate7] C:\Program Files\ClipMate7\ClipMate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnalogClock] C:\Program Files\Windows7\Analog Clock\AnalogClock.exe
O4 - HKCU\..\Run: [TransBar] C:\Program Files\Windows7\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: MarvellTrayStartup.lnk = C:\Program Files\Marvell\61xx\tray\RaidTray.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe (User 'Default user')
O4 - .DEFAULT Startup: MarvellTrayStartup.lnk = C:\Program Files\Marvell\61xx\tray\RaidTray.bat (User 'Default user')
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Startup: MarvellTrayStartup.lnk = C:\Program Files\Marvell\61xx\tray\RaidTray.bat
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.co...urces/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe---end

This was done weeks ago

When I doing standard browsing I don't consum enough bandwidth for the bandwidth to be taken from me, but I have had it taken right at the level I'm browsing at and it hard to see that cause my bandwidth is constanly being active while browsing.

 

[Modelworks]

You got a lot of stuff running on there that could be interfering with the connection.
Go to run or search and type msconfig


In the program that pops up select diagnostic startup . Reboot and see if anything improves.




Do you know what program installed this ?

Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

That is only needed if you are trying to capture traffic off a network connection. It usually works with programs like wireshark, but can also be installed by spyware/virus to capture your network traffic for things like passwords and then forward it to another pc.


The other question I have is are you running a web server on purpose ?
You have Apache installed and running. That could easily be used to allow anyone to connect to your pc and install and remove things at will if it isn't properly configured.

I would NOT use that pc for banking or other sensitive information sites until you find out what is using the bandwidth.

 

[AndreLi]

Originally posted by: Modelworks
Do you know what program installed this ?

Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

That is only needed if you are trying to capture traffic off a network connection. It usually works with programs like ethershark, but can also be installed by spyware/virus to capture your network traffic for things like passwords and then forward it to another pc.


The other question I have is are you running a web server on purpose ?
You have Apache installed and running. That could easily be used to allow anyone to connect to your pc and install and remove things at will if it isn't properly configured.

I would NOT use that pc for banking or other sensitive information sites until you find out what is using the bandwidth.

I had that insltall but I uninstalled it 'I was looking for a good bandwidth meter program'
Show me where Apache is and I'll uninstall it 'I just do regular browsing of the internet is not any type of web server or purpose for serving the internet.

 

[AndreLi]

Oh I c it that C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe Is marvell software that allows me to run sata drive without rebooting my machine. http://www.marvell.com/products/storage/sata/index.jsp

 

[Modelworks]

Originally posted by: AndreLi
Oh I c it that C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe Is marvell software that allows me to run sata drive without rebooting my machine. http://www.marvell.com/products/storage/sata/index.jsp

Do you do any configuring of the interface through the web browser ?
If not then I would disable that as it isn't necessary for SATA. Its just a web server sitting there waiting for a connection.

 

[AndreLi]

Originally posted by: Modelworks

Originally posted by: AndreLi
Oh I c it that C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe Is marvell software that allows me to run sata drive without rebooting my machine. http://www.marvell.com/products/storage/sata/index.jsp

Its just a web server sitting there waiting for a connection.

How do I do that

 

[JackMDS]

It looks like every time you d or try something you do not bother to close the program.

There is No way to find out any thing with all of this programs running (especially the few Spyware etc.).

Use a Start and process programs (like this) reduce the amount of program running to minimum needed for running the computer and maintaining Internet connection and then look at the status of the Bandwidth.

http://www.ezlan.net/infestation.html#startup

If all of it is too much get professional help.

 

[AndreLi]

That just a prety way of doning the msconfig run command right