rudrax Posted February 26, 2014

Lately, I've been observing that some process is using my bandwidth continuously even if I'm not running any app related to network usage. I also have all system processes like Windows Update and the live tiles turned off. But the moment I connect my dial-up connection and do nothing, the data counter starts ticking continuously and never stops, leading my costly bandwidth to drain out.

Then I was advised to use TCPView, and using that I've found the culprit, and it's a svchost process. Below is the screenshot.

Turning that off, it disconnects the network connection. I wanna know if there is anything to get rid of the situation.

mike.mt Posted February 26, 2014

> Turning that off, it disconnects the network connection. I wanna know if there is anything to get rid of the situation.

From a brief look you have the process connecting to an IP address in Malaysia mate..... Have you run Malware Bytes to see if there are any hidden nasties around in your box?

Here are the results for that IP from Network-Tools.com:

IP address: 58.27.124.208
No host name is associated with this IP address or no reverse lookup is configured.
58.27.124.208 is from Malaysia (MY) in region Southern and Eastern Asia

sirri Posted February 26, 2014

Many possibilities:

1. Try disabling your AV / Firewall temporarily.
2. Stop the BITS service.

Then see how it goes. Or first run a scan with your lovely AV / Anti Malware.

Good luck, cheers :wub:

masterupc Posted February 26, 2014

I think you should use a real firewall, other than Windows Firewall (Comodo/Agnitum), in order to control the processes accessing the internet.

If you kill the process (svchost.exe) you probably will disable a bunch of services running.

GL!

majithia23 Posted February 26, 2014

svchost could be a legitimate system file or disguised malware.

Check the particular svchost with this svchost lookup tool: http://www.tweaking.com/content/page/tweaking_com_svchost_exe_lookup_tool.html

And also check the hash of the svchost file in the VirusTotal database to verify if it is malware, or simply use the VT uploader and scan it.

And use a firewall!

clubhouse Posted February 26, 2014

You could try this... A program to see what all those svchost.exe are running.

Ever wondered what all those svchost.exe processes are running?? Well here is an app to tell you. It gives you some basic information like the Name and description.

- No installation required.
- Only requirement is that you have .net installed (ver 2.0 or newer).
- Work in Windows XP (sp2) and Vista and Windows 7.
- Coded in C#

http://svchostviewer.codeplex.com/

Edited February 26, 2014 by clubhouse

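The two checks suggested above (which services a given svchost.exe hosts, and the hash of the file to look up on VirusTotal) can also be done with built-in PowerShell. This is an added example, not part of any post in the thread; it assumes Windows 8 or later with PowerShell 4.0 or newer and an elevated session.

```powershell
# Added example, not from the thread. Run in an elevated session.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Established TCP connections, grouped by the process that owns them
$byProcess = Get-NetTCPConnection -State Established |
    Group-Object -Property OwningProcess

$report = foreach ($group in $byProcess) {
    $procId = [int]$group.Name
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    if (-not $proc -or $proc.Name -ne 'svchost.exe') { continue }

    # Services hosted inside this svchost instance (for example BITS)
    $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
        Select-Object -ExpandProperty Name)

    # ExecutablePath is empty when the session lacks rights to query the process
    $path = $proc.ExecutablePath
    $hash = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'unavailable' }

    # Remote endpoints this instance is talking to, as TCPView would show them
    $peers = $group.Group |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
        Sort-Object -Unique

    [pscustomobject]@{
        PID        = $procId
        Services   = $services -join ', '
        Path       = $path
        InSystem32 = ($path -eq $expected)   # a service host running elsewhere deserves a closer look
        SHA256     = $hash                   # value to search for on VirusTotal
        Peers      = $peers -join ', '
    }
}

$report | Format-List
```
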
kn_andre Posted February 26, 2014

I have been noticing exactly the same thing going on in my system for a while but I never took it seriously .. But now that you have actually mentioned it, I think I will take time out to find out who or what is really using up my bandwidth ... I will be following this thread closely to see the best way to solve this issue .. Cheers guys ....

rudrax Posted February 26, 2014 Author

Stopping and then disabling the BITS service, as suggested by sirri, seems to be working and the data counter isn't ticking when the connection is idle.

Special thanks to sirri :)

I will take the security measures suggested by other members though. Thank you all for replying. :D

VT says it's completely safe, 0/50. So I don't think there is something to worry about.

Edited February 26, 2014 by rudrax

SnakeMasteR Posted February 26, 2014

rudrax, the most "riddled-by-spyware" member nsane has ever seen. Congratulations, buddy. Need update? :tehe: :lmao:

rudrax Posted February 26, 2014 Author

> rudrax, the most "riddled-by-spyware" member nsane has ever seen. Congratulations, buddy. Need update? :tehe: :lmao:

:spank:

sirri Posted February 26, 2014

good to know..friend.

avmad Posted February 26, 2014

If you see lots of different IP addresses using svchost then you are infected and many people are using your computer as a VPN/proxy.

Not a good thing, as who knows what they'll be doing on the net.

geeteam Posted February 27, 2014

Not only you... Is this the first time you are noticing this svchost process thing? Man, forget it, it has been there since the days of Windows XP. And the most annoying thing is when you close the process it then starts again, unless you shut down your PC. Well, it's good you've raised this. Some experts will help. I will also have to do more research on it.

rudrax Posted February 28, 2014 Author

So it's concluded that if you are not attacked by such malware and spyware, the cause of the phenomenon is the BITS (Background Intelligent Transfer) service. Disabling it will fix the bug for you temporarily for the logged-in session, but it restarts again automatically whenever necessary. So this is a heck of a bandwidth-hungry monster.

Can someone kick the cr@p out of BITS's butts? :angry:

SnakeMasteR Posted February 28, 2014

If you have less or limited bandwidth, the best option would be to:

- Limit the maximum network bandwidth for BITS background transfers
- Limit the maximum network bandwidth used for Peercaching

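Before limiting or disabling BITS it helps to see which jobs are actually moving data and for whom. This is an added example, not part of any post in the thread; it assumes the BitsTransfer module that ships with Windows and an elevated session, and the registry value names read at the end are assumed to be the ones the BITS policy template writes, so verify them in your policy editor.

```powershell
# Added example, not from the thread. Run elevated so -AllUsers can see every job.
Import-Module BitsTransfer

$unknown = [uint64]::MaxValue   # BITS reports this when the total size is not known yet

$jobs = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $total = if ($file.BytesTotal -eq $unknown) { 'unknown' }
                 else { [math]::Round($file.BytesTotal / 1MB, 2) }

        [pscustomobject]@{
            Job      = $job.DisplayName
            Owner    = $job.OwnerAccount      # account that created the job
            State    = $job.JobState          # Transferring, Suspended, Error, ...
            Type     = $job.TransferType      # Download or Upload
            Priority = $job.Priority
            Remote   = $file.RemoteName       # URL the data comes from or goes to
            DoneMB   = [math]::Round($file.BytesTransferred / 1MB, 2)
            TotalMB  = $total
        }
    }
}
$jobs | Sort-Object Owner, Job | Format-Table -AutoSize

# Is "Limit the maximum network bandwidth for BITS background transfers" configured?
# Assumed value names: EnableBITSMaxBandwidth, MaxTransferRateOnSchedule (Kbps).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($policy -and $policy.EnableBITSMaxBandwidth -eq 1) {
    'BITS limit active: {0} Kbps during the scheduled window' -f $policy.MaxTransferRateOnSchedule
} else {
    'No BITS bandwidth limit is configured by policy'
}
```
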