MMORPG Gamer Community

Light · 06-13-2010

As of late I'm noticing a very strong spike in upload and download speeds.

Something as simple as loading a webpage will increase download speed to 800kbps, but load just as slow if not slower than 11kbps as it used to be before.
Upload also spikes to 40, instead of 1.

The problem is very serious when running a download, or P2P software.
Upload will skyrocket to 313 (over my isp limit) and will hang/crash my network, making disconnections and causing firefox to fail responding when loading a new page.

Even when nothing is running it varies from 0~61kbps on upload which is unacceptable, when nothing should be going on.

This is a very serious problem.

I've tried a few scans, but I notice nothing abnormal.
I leave it to the HJT Pros to figure it out

Spoiler!

Miyuki · 06-13-2010

Check these files
C:\Windows\winkeylogon.exe
C:\Users\Light\AppData\Local\Apps\F.lux\flux.exe

Send it to
VirusTotal - Free Online Virus and Malware Scan
Jotti's malware scan

And have to fix this entry in your hjt
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

There's other entries about "missing file", but for safety reason, leave it first.

And where's your antivirus? I don't see any entry of it.

Simpler way to clean it
- Get Malwarebytes
- Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com
- Install, update and scan.

A guide and tutorial on using ComboFix
- Run, follow instructions, restart if needed.

Also, close down Vuze if you're not using it.

At least get an antivirus as well.
http://www.avast.com/index

Light · 06-13-2010

flux is a software for tinting the monitor red when the sun sets (you showed me)
winkeylogin is required for my file security software so it detects the proper sequence of keys to start up.

Removed the BHO file.

Malwarebytes came up clean.

Light · 06-13-2010

Putting more research into my network connectivity, I find that two addresses constantly running on software, most notably on firefox.

6d.2d.84ae.static.theplanet
www.007guard.com

The second one is in the host file

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com

whatever that means.
--

I'm using this to track what's going on

but it's kind of pointless, since the address using the most data is the address of the site I'm browsing.

Still, having 372KB/s Up and 3.4MB/s Down sends me a really big red flag, since I am now starting to bypass my ISP plan..

But that makes me wonder if the ISP broke a switch and the limits just lifted? Because I notice anything and everything which uses the network spikes the down/up and interestingly loads up around the same speed as before.

kag · 06-13-2010

do a Start -> Run -> cmd -> netsh winsock reset

Start -> Enter "adapter" and select view network connections
Right click your network Interface -> Properties
What's in the whole list of "This connection uses the following items:"

Start -> Enter "Resource Monitor"
Check if there's any weird software in the network activity
Try recreating the problem while monitoring the Network activity speed (you can use TCP Connections as well, just add columns)

EDIT: Look like i was late >.<
Are you using wireless and happened to switch on afterburner or some speed burst settings?

SilentSaber · 06-13-2010

It might be on your ISP side. They could have their network equipment set to allow you to burst to a higher speed. Maybe try with another computer if you can?

And depending on the router you have, a patch fix would be to setup firewall rules to stop connections to those particular places. Though as suspicious as those look, they still shouldn't be able to bypass a bandwidth cap set on a distribution switch.

Light · 06-13-2010

Quote:

Originally Posted by kag

Are you using wireless and happened to switch on afterburner or some speed burst settings?

Wired Connection

Quote:

Originally Posted by SilentSaber

It might be on your ISP side. They could have their network equipment set to allow you to burst to a higher speed. Maybe try with another computer if you can?

And depending on the router you have, a patch fix would be to setup firewall rules to stop connections to those particular places. Though as suspicious as those look, they still shouldn't be able to bypass a bandwidth cap set on a distribution switch.

Even though the readings are off the charts, it still seems to act like before.

If the ISP truly did smack the switch, I should be torrenting at insane speeds.
There shouldn't be any reason why the system says Vuze is using 404kb/s, when the software itself claims to be using only 40kb/s.

So I'm now doubting the computer readings are accurate anymore.

kag · 06-13-2010

Try switching off your monitoring softwares or any software firewall if you have.

Light · 06-13-2010

Quote:

Originally Posted by kag

Try switching off your monitoring softwares or any software firewall if you have.

The monitoring softwares are the OS, and no software firewall is active.

kag · 06-14-2010

rainmeter?

Light · 06-14-2010

Quote:

Originally Posted by kag

rainmeter?

whether on or off, that doesn't change the readings coming from the system.

Miyuki · 06-14-2010

Get wireshark, set to your ethernet card, and start it.
Wireshark · Download

Light · 06-14-2010

What exactly am I looking for with this?
The details of each packet make little sense to me unless it's English.

Miyuki · 06-14-2010

It should list something like this, for example.

Code:

Application          Port            HostIP          Destination IP            Packet

Use that to trace which application actually transmitting data, and locate it. Also, why don't you enable at least Windows Firewall?

Light · 06-14-2010

SilentSaber · 06-14-2010

Quote:

Originally Posted by Light

Wired Connection

Even though the readings are off the charts, it still seems to act like before.

If the ISP truly did smack the switch, I should be torrenting at insane speeds.
There shouldn't be any reason why the system says Vuze is using 404kb/s, when the software itself claims to be using only 40kb/s.

So I'm now doubting the computer readings are accurate anymore.

At least with some of the cisco equipment, caps can be set to burst higher if bandwidth was available (So you may occasionally get miraculously fast speeds if there is spare bandwidth available). The caps, depending on the setup, can really just be a soft cap to knock the tops off huge bandwidth users (e.g. torrents).

Wireshark may be a little harder to use for this scenario. As far as I know, it can't track individual processes, so you'll need to look up the connections each process created and create filters for them to look at what they're doing, for whatever good that does. So if you want to continue, you'd want to set your capture interface to your wired network card.
And for the filter, you'd want to have something like

Code:

ip.dest==[suspicious stuff you saw] && ... && ip.src==[suspicious stuff you saw] && ...  (Repeating for each ip destination/source you want to look at.)

(You probably need to convert the domain names to IPs using something like nslookup [suspicious stuff you saw] in command prompt.)
So if I want to look at traffic to and from ggftw (174.132.45.109) and ijji.com (206.82.212.79), I'd set a filter of:

Code:

ip.dest==174.132.45.109 && ip.dest==206.82.212.79 && ip.src==174.132.45.109 && ip.src==206.82.212.79

Click on each packet to see what's inside. If the packet is encrypted, you'll just see a bunch of random stuff. If it's not, you may see actual information, and from that, you might be able to reach a conclusion about whether or not it's a problem or not, I guess..

Windows firewall doesn't actually do much against malware, but I suppose it helps to have it on.

Quote:

Just for fun, here's a quick description of each heading.
Packet #:
The packet position in the sequence of captured packets. So 1 is the first, 2 is second, 53 is fifty third.

Time Sent/Received:
Just as it says

Source:
Where the packet originated from. If it came from you and you're using a router, it should be something starting with "192.168."

Destination:
Where the packet is going. It will give you the IP or physical (MAC) address of the destination, depending on what type of traffic it is. If it is going to 255.255.255.255, it is broadcast traffic, and will be read by all devices on your network (Typically used to map MAC addresses to IP addresses, or vice versa).

Protocol:
This is the protocol the packet is sent with. So posting a forum message here would generate a bit of TCP (Handles data transport), HTTP (Data to and from here), and DNS (So your computer can find where ggftw is) traffic.

Info:
Brief summary of what the packet is. Just poke around on google or post here to find out what a particular packet might be doing.

Port:
It's the port on your computer that the packet is heading out from or coming in to. HTTP traffic from you to the server would be bound for port 80. From the server to you would come from 80.

Here's a list of ports and potential things that may use them. http://www.iana.org/assignments/port-numbers

kag · 06-14-2010

Start -> Run -> cmd
netstat -a -b -v > C:\output.txt

copy and paste the things in C:\output.txt (Note that this doesn't show the bw usage)

SilentSaber · 06-15-2010

Try to see if you still get that (active connections while doing nothing) if you start the computer with diagnostic startup. That'd get rid of a lot of the clutter of information you might have right now. (msconfig: diagnostic startup)

And if you have active connections even while doing nothing in diagnostic startup, just use the program you had before to isolate the problem and see what you want to do from there.

MMORPG Gamer Community

Hot MMO Wikis