My Internet has been pretty slow lately, and I thought it was Comcast but now I've determined it's my Windows 7 desktop computer maxing out all my upload bandwidth. I installed a bandwidth monitor and found that my machine was uploading something at about 200 KB/s continuously, and when I shut the computer off my Internet speeds return to normal. Is there any good way to identify which programs are hogging my bandwidth? I thought it was Mozy but I killed that process and the uploads are still going. TCPView is only showing me some of the processes that I'm guessing are because of the Windows 7 access control? I tried running it as an administrator, but still looked the same and was inconclusive. Are there any other programs out there that work like nethogs on Linux that show which applications are using bandwidth?
5/23/2010 9:55:55 AM
Oops.. read that wrong. Thought you were looking for Linux programs. nvm. [Edited on May 23, 2010 at 10:15 AM. Reason : .]
5/23/2010 10:14:30 AM
Sounds almost like you've got a bot. I'm not sure on programs, but Wireshark might help. Also it should use some CPU so get the machine at idle and look for something using CPU still.
5/23/2010 6:01:16 PM
Look up the PID on the Task Manager Services tab. Also, use `netstat -o` from the command line. It'll tell you where the other end of the connection is. [Edited on May 23, 2010 at 7:06 PM. Reason : ]
5/23/2010 7:04:58 PM
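The PID lookup suggested in the post above can be scripted. This is an added example, not part of the original thread: it joins `netstat -n -o` output with `tasklist /svc /fo csv` output to list the remote endpoints each process is connected to. The sample output, addresses and process names are constructed, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -n -o` output (documentation address ranges).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49172     203.0.113.25:443       ESTABLISHED     1812
  TCP    192.168.1.10:49180     203.0.113.25:443       ESTABLISHED     1812
  TCP    192.168.1.10:49201     198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.10:49210     198.51.100.40:443      ESTABLISHED     2240
  TCP    [fe80::1%11]:49300     [2001:db8::5]:443      ESTABLISHED     716
"""

# Constructed sample of `tasklist /svc /fo csv` output (hypothetical image names).
TASKLIST_SAMPLE = '''"Image Name","PID","Services"
"svchost.exe","716","RpcEptMapper,RpcSs"
"backupclient.exe","1812","N/A"
"browser.exe","2240","N/A"
'''

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns; headers and UDP rows do not match.
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> (image name, services) from CSV-formatted tasklist output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): (r["Image Name"], r["Services"]) for r in rows}

def connections_by_process(netstat_text, tasklist_text):
    """Group remote endpoints of ESTABLISHED connections by owning process."""
    procs = parse_tasklist(tasklist_text)
    grouped = defaultdict(set)
    for _, _, remote, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            image, services = procs.get(pid, ("<unknown>", "N/A"))
            grouped[(pid, image, services)].add(remote)
    return {key: sorted(remotes) for key, remotes in grouped.items()}

if __name__ == "__main__":
    report = connections_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for (pid, image, svc), remotes in report.items():
        print(f"{pid:>6} {image:<18} {svc:<20} {', '.join(remotes)}")
```

This shows who owns each connection, not how much data it carries, so it narrows the candidates rather than measuring bandwidth.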
Totally agree on that bot comment... I'd be looking at running some virus and malware cleanup tools first.
5/23/2010 10:47:44 PM
What's recommended nowadays for malware cleanup? Is Spybot still a good one to use? I have the ESET smart security (antivirus + firewall) with an up-to-date subscription.
5/23/2010 10:49:44 PM
http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+bandwidth+monitor :shrug:
5/23/2010 11:03:10 PM
If you have two computers (which it sounds like you do) the best way is to remove the infected drive and scan it from a clean computer. This ensures the program can't hide itself during a self scan. SpyBot is still a good choice, as is any good antivirus program. Avast makes a decent scanner for Ubuntu/Debian/Fedora but I haven't tested it on other flavors. It will have a problem the first time you update - Google will fix it. The downloaded virus definitions break some size limit in Ubuntu but it is easily fed through a script to change the value, run, change it back. As for network monitoring, I used to use Ethereal all the time. Not a lot of experience in that department.
5/23/2010 11:05:41 PM
The person who recommended putting an infected drive into a clean computer must be joking. All you are doing is allowing the virus/bot to take on another clean computer and then you have to fix it too. That is all.
5/23/2010 11:11:19 PM
Check if your router is DD-WRT or Tomato compatible. Malwarebytes, Super-Antispyware and ComboFix (when things get hairy) are all that I really use anymore. http://ninite.com/ for the first two and http://www.bleepingcomputer.com/combofix for the third. Though I'm willing to bet you probably have 64-bit and wouldn't really be able to take advantage of ComboFix.
5/23/2010 11:12:27 PM
I actually am running dd-wrt on my router (Linksys WRT54g V2). The desktop is running Windows 7 Ultimate 64-bit. I'll check out the ^ software you mentioned. Thanks.
5/23/2010 11:23:03 PM
5/24/2010 12:16:47 AM
http://www.dd-wrt.com/wiki/index.php/Using_RFlow_Collector_and_MySQL_To_Gather_Traffic_Information This may help.
5/24/2010 12:43:58 AM
Windows 7 has a resource monitor that shows all programs and their bandwidth consumption. It was Mozy after all.
5/26/2010 9:55:16 PM
5/26/2010 11:16:18 PM
I have no idea. I think it's a bug... First when I tell Mozy to stop the backup, it says it stopped but still runs in the background. There also are three additional background processes related to Mozy, and apparently when you kill them they immediately start back up again. Probably because Mozy runs as a system service? Anyways I'm going to file a bug report since the new 2.0 client is essentially brand new.
5/27/2010 12:19:52 AM