Help! Data lost a huge rate!

Dolby

Hi ... I have Vodacom 3G & Windows XP.

I've just spent about an hour installing various items, playing with settings etc etc and I've now seen when I connect I download around a few MB every minute. In fact, I've connected for 2 minutes to post & lost 5MB of data. Guess I may have installed or activated a spybot, updates etc by mistake.

How can I see WHAT it actually is?!

/disconnects
 
Try getting something like netmonitor that'll show you exactly what's sending data.
 
Download Netlimiter 2 Monitor (link should be in the FAQ) and check what is using all of your bandwidth :)
 
Yes, and run Spybot Search & Destroy... and monitor it CAREFULLY... I lost 2 Gigs in one day once...

And install a decent firewall like Comodo, you can see what is connecting and what is attacking the firewall.
 
And install a decent firewall like Comodo, you can see what is connecting and what is attacking the firewall.
+1 Then you can even see to what IP the data is going. Then do a WhoIs lookup via that IP.
 
Hi ... I have Vodacom 3G & Windows XP.

I've just spent about an hour installing various items, playing with settings etc etc and I've now seen when I connect I download around a few MB every minute. In fact, I've connected for 2 minutes to post & lost 5MB of data. Guess I may have installed or activated a spybot, updates etc by mistake.

How can I see WHAT it actually is?!

/disconnects

Sounds like an SMTP mass mailing worm...
Go to the command prompt, connect to the net, then enter:
netstat /b
And take note of what's talking on the web... mass mailing worms talk on SMTP (port 25) constantly and chew up bandwidth like nothing else.

I sorted one out by running a full virus scan in SAFE MODE...

You can also install comodo firewall and you will have full control over what is able to talk on the net or not... (it's free)

Lastly, but certainly not least, this proggie was the first to identify the bug on my system (before the safe mode scan):
http://www.malwarebytes.org/mbam.php
Needless to say I have huge respect for malwarebytes anti-malware!
 
Right ... seems to be svchost.exe. Googled it's a genuine file, but sometimes there are dummies etc made. How do I know how to stop it, now that I know what it is ?

How do I copy/paste netstat results for you ? :/
 
Right ... seems to be svchost.exe. Googled it's a genuine file, but sometimes there are dummies etc made. How do I know how to stop it, now that I know what it is ?

How do I copy/paste netstat results for you ? :/
Click on icon in Top left corner for menu.
 
Right ... seems to be svchost.exe. Googled it's a genuine file, but sometimes there are dummies etc made. How do I know how to stop it, now that I know what it is ?

How do I copy/paste netstat results for you ? :/

When my Windows XP downloads updates I see network traffic via svchost.exe so I'd hazard a guess that your Windows is busy downloading updates :)
 
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Grant>netstat /b

Active Connections

Proto Local Address Foreign Address State PID
TCP grant:1155 cds155.lon.llnw.net:http ESTABLISHED 968
c:\windows\system32\WS2_32.dll
c:\windows\system32\WINHTTP.dll
[svchost.exe]

TCP grant:1212 dedi88a.your-server.co.za:http ESTABLISHED
840
[IEXPLORE.EXE]

TCP grant:1213 dedi88a.your-server.co.za:http ESTABLISHED
840
[IEXPLORE.EXE]

TCP grant:1214 dedi72.cpt2.host-h.net:http ESTABLISHED 840

[IEXPLORE.EXE]

TCP grant:1216 dedi88a.your-server.co.za:http ESTABLISHED
840
[IEXPLORE.EXE]

TCP grant:1217 dedi88a.your-server.co.za:http ESTABLISHED
840
[IEXPLORE.EXE]

TCP grant:1220 gv-in-f127.google.com:http ESTABLISHED 840
[IEXPLORE.EXE]

TCP grant:1215 dedi72.cpt2.host-h.net:http CLOSE_WAIT 840

[IEXPLORE.EXE]

TCP grant:1218 dedi72.cpt2.host-h.net:http CLOSE_WAIT 840

[IEXPLORE.EXE]

TCP grant:1219 dedi72.cpt2.host-h.net:http CLOSE_WAIT 840

[IEXPLORE.EXE]


C:\Documents and Settings\Grant>
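
Added example (not part of any post in this thread): a Python sketch that parses `netstat /b` output in the wrapped layout shown above and groups connections on the SMTP port by owning process and PID, which is the check suggested earlier in the thread. The sample input is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped XP `netstat /b` layout (hosts/PIDs made up).
SAMPLE = r"""
Proto Local Address Foreign Address State PID
TCP pc:1155 updates.example.net:http ESTABLISHED 968
c:\windows\system32\WS2_32.dll
c:\windows\system32\WINHTTP.dll
[svchost.exe]

TCP pc:1212 forum.example.org:http ESTABLISHED
840
[IEXPLORE.EXE]

TCP pc:1301 mx1.example.com:smtp ESTABLISHED 1404
[svchost.exe]

TCP pc:1302 mx2.example.com:25 SYN_SENT
1404
[svchost.exe]
"""

# TCP rows only; the PID may be on the same line or wrapped onto the next one.
CONN = re.compile(r"^TCP\s+(\S+)\s+(\S+):(\S+)\s+([A-Z_]+)(?:\s+(\d+))?$")
SMTP_PORTS = {"25", "smtp"}  # netstat prints the service name unless -n is used

def parse_netstat_b(text):
    """Return one dict per TCP connection, including its owning process."""
    conns, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN.match(line)
        if m:
            cur = {"local": m[1], "host": m[2], "port": m[3], "state": m[4],
                   "pid": int(m[5]) if m[5] else None, "process": None}
            conns.append(cur)
        elif cur and cur["pid"] is None and line.isdigit():
            cur["pid"] = int(line)        # PID wrapped onto its own line
        elif cur and line.startswith("[") and line.endswith("]"):
            cur["process"] = line[1:-1]   # owning executable closes the entry
            cur = None                    # DLL component lines are skipped
    return conns

def smtp_talkers(conns):
    """Group remote hosts contacted on the SMTP port by (process, pid)."""
    hits = defaultdict(list)
    for c in conns:
        if c["port"].lower() in SMTP_PORTS:
            hits[(c["process"], c["pid"])].append(c["host"])
    return dict(hits)
```

Grouping by PID as well as name matters here because several `svchost.exe` instances normally run at once, and only the PID says which one owns the port 25 traffic.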
 
Oh - and when I type that netstat command, I get errors now :(
 
You'll need to tell us what windows were open in Internet Explorer/FF when you did that.

dedi88a=MyBB afaik

First item on the list looks dodgy. But that's just the interface dlls (Winsock2)...so it still doesn't tell us what exactly it is. Winsock can potentially be used by nasty stuff.

I'd say install a firewall asap. One that gives you lots of info & control.
 
*noob question*
Why is IE showing up so many times? [different tabs connected to different sites?]
:p
 
Ok ... ran AVG (found 3 things) and Malware (found another 1). Removed them and everything seems good again ... yay! Thanks!

killa - I thought it wouldn't have been that because Netlimiter showed the data was definitely the svchost.exe file :/

Thanks though!
 
That worm uses scvhost.exe (system file) to send mail on port 25... yep seems u have the same thing I had for 3 months before I was able to sort it... I had to proxify my system to use the net (bleah)...
 
That worm uses scvhost.exe (system file) to send mail on port 25... yep seems u have the same thing I had for 3 months before I was able to sort it... I had to proxify my system to use the net (bleah)...

Yup been there with svhost, I limit the process to only known ports.
 