Why my connection became so slow??



kenghoong
08-22-2003, 12:22 PM
Hello,
I wanna know why suddenly my connection became so slow?? The sent data is more than the received data...It is a pain waiting even for this page to load up...anyone have any idea?

Budfred
08-22-2003, 12:52 PM
Sure, it could be that your ISP is under attack by the latest crop of worms and other nasties. It could be that it is just a busy day on the web in your area. It could be that there is something wrong with your modem. It could be that your local phone/cable company is having a problem. It could be that you are surfing really slow sites today. It could be that there is something wrong with your computer. It could be that you have one of the worms or a virus or spyware that is interfering with your connection. And so on....

To narrow it down you need to give us more info. How long has this been true? What type of modem and connection do you use? Have you recently installed any new hardware/software. And so on. The more you tell us, the more likely we can help...

killercow
08-22-2003, 05:01 PM
Also every so often you are supposed to clear your cookies and temporary internet files. That's what the tech support for my ISP says. I doubt it changes it THAT much but I have noticed speed ups occasionally in doing this. To do it go to:

Tools > Internet Options > Delete Files, Delete Cookies, clear history

kenghoong
08-22-2003, 09:41 PM
Erm, yeah..This has only been going on for 2 days...I have a 56 Kbps modem...Although it used to be slow, it had not been THIS slow...

I have Norton Antivirus and Norton Internet Security, so I would have killed off the possibility of a virus attack. However, just for today, Norton Internet Security has given me 3 security alert details, saying that it has stopped an intrusion(??) from an invalid IP address..I also recently installed a freeware SpyBot - Search and Destroy, which I use to destroy this spyware, n it has been working well...

No recently installed hard/software...But I'm still confused about why my data being sent is 6 times more than received...Still, I try to download things, which is useless at the speed of 0.9Kbps

Budfred
08-22-2003, 09:52 PM
I would do what killercow suggests and do a clean up of old cookies, caches and such. Spybot can actually do most of that for you or you can do it manually.

If you are uploading at full speed, it is probably not your system, however. That new worm is apparently doing a major assault on many parts of the web and it may be affecting your area badly. If you haven't updated Norton lately, you may be in more trouble than you think as well. Even if you have, an online virus scan might not be a bad idea. Almost everybody is getting unwanted intrusions today, it is part of the major assault and will probably be going on for a while, read some of the threads in the Applications and Security Forum for more details...

You could also run Hijack This and post the log here to make sure that you don't have some other garbage in your system, but one of the experts with that will have to read it, I can only recognize some of the most obvious stuff....

kayofcircles
08-23-2003, 11:43 AM
Do cleanups and checks, but also be aware that Budfred may be correct. My "slowdown" was sporadic, but lasted so long...over a month..that I was thinking of changing ISPs. But, I do think they were having some kind of problems with nasties and some upgrading stuff they said they were doing because in the last week or so..speed back to "normal" slow and not getting bumped. Getting pinged terribly..149 in just the hour and 15 minutes I have been online this morning..and that might slow loading down too. If you get lucky, might only last a week or less. :)

kenghoong
08-23-2003, 12:01 PM
ok, I had tried to access the net from my sis's laptop (same ISP) but everything seems to go well on her computer, no ultra uploads or whatever, just runs smooth...cleared the cache and history, updated Norton...all done...what now??

Hijack This? What is it, and how to use it??

Budfred
08-23-2003, 12:06 PM
Go to mjc's security thread (http://www.pcguide.com/vb/showthread.php?s=&threadid=15179) and download both HiJack This and the tutorial. It scans your system for what you have running in the background and produces a log that you can copy and paste here. The experts read it and tell you what might be the cause of your problem and then HiJack This will remove it for you.....

kenghoong
08-23-2003, 12:36 PM
Logfile of HijackThis v1.96.1
Scan saved at 23:35:54, on 23/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\wins\DLLHOST.EXE
D:\PROGRA~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\GetRight\getright.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ICQ\ICQ.exe
D:\WINDOWS\System32\wins\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\keng hoong\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.whazit.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [PE2CKFNT SE] D:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZGUCM] D:\WINDOWS\ZGUCM.exe
O4 - HKLM\..\Run: [OYGQ] D:\WINDOWS\OYGQ.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winpopup] D:\WINDOWS\winupie.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DAB0E2-8AAD-402A-9798-F151E8DBDCD1}: NameServer = 202.188.0.132 202.188.0.133

Budfred
08-23-2003, 01:47 PM
Keeping in mind that I am not at all expert in this, these 2 look particularly suspicious to me:

O4 - HKLM\..\Run: [ZGUCM] D:\WINDOWS\ZGUCM.exe
O4 - HKLM\..\Run: [OYGQ] D:\WINDOWS\OYGQ.exe

Do you have any idea what these might be?? I couldn't find them in the Startup List listings or Task List Programs. They look like the kind of files that can be generated by one virus out there that creates random sets of letters for names of files.

Hopefully an expert will be along soon to check it out.

david eaton
08-23-2003, 04:46 PM
In addition to the ones Budfred mentioned, also fix these entries in Hijack This.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.whazit.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [winpopup] D:\WINDOWS\winupie.exe

Before fixing them, ensure that all other windows are closed.

After fixing, reboot, and delete

D:\windows\winupie.exe
D:\WINDOWS\ZGUCM.exe
D:\WINDOWS\OYGQ.exe
The files may be "hidden" so if necessary enable the option to see hidden files.


David

kenghoong
08-24-2003, 01:21 AM
erm, ok done the thing I should...but after fixing n reboot the three files in D:\windows are gone...

But, i'm still suffering from this low speed...I'm sorry coz i'm bothering u all...but, is there any other way??

Budfred
08-24-2003, 02:06 AM
Probably would be a good idea to post a fresh HiJack This log so that it can be checked for anything else that might linger after what you removed. It seems likely that you have something running that is interfering and you may even be broadcasting garbage for one of the worms or hijackers.

mjc
08-24-2003, 02:14 AM
Post a follow up log and we'll see if there is anything else that needs to go.

kenghoong
08-24-2003, 03:15 AM
Logfile of HijackThis v1.96.1
Scan saved at 14:14:58, on 24/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\wins\DLLHOST.EXE
D:\PROGRA~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\GetRight\getright.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\wins\svchost.exe
D:\Program Files\Creative\SBLive\PlayCenter2\CTPlay2.exe
D:\Program Files\ICQ\Icq.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
D:\Documents and Settings\keng hoong\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [PE2CKFNT SE] D:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files\GetRight\getright.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DAB0E2-8AAD-402A-9798-F151E8DBDCD1}: NameServer = 202.188.0.133 202.188.1.5

mjc
08-24-2003, 03:54 AM
Other than a bunch of startups that could probably be started when you need them, I don't see any nasties there.

You could look over www.blackviper.com for taming XP and http://www.pacs-portal.co.uk/startup_content.htm for taming the startups.

kenghoong
08-24-2003, 09:21 AM
erm, does that mean that there's nothing I can do bout the slow-down?

killercow
08-24-2003, 11:33 AM
Sorry if you've said this before but what internet connection do you have (DSL, Dial-UP, Cable, T1, etc.) and through what company/isp (bellsouth, verizon, etc.)?
Then go to toast.net and run their internet connection speed test.

PS. I just ran one on my computer several times and through several different sites' speed tests and mine is running at 1/3 the speed it should :eek: :confused: . BELLSOUTH WILL PAY, by me switching to cable :D !

Budfred
08-24-2003, 11:53 AM
It means that it is a good idea to tweak your system to run as lean as possible, but if the problem is with your ISP, it will stay slow until they fix it. The other possibility is that there is something wrong with your line. I would call/email the ISP and describe what is going on and ask what is happening on their end. If that doesn't seem to be the problem, check with your phone company.

kenghoong
08-24-2003, 12:41 PM
Yep, I have told ya that the connection runs just fine with my sister's laptop (same connection)...I'm using dial-up and haven't suffered from this before...

If there's really no other way, I'm thinking of formatting my hard drive...Thanks for all ya help, Budfred, mjc n of coz Killercow :(

Budfred
08-24-2003, 01:05 PM
When you ran from your sister's laptop, did you use the same phone jack?? If not, that would be something to check.

Also, since you are running WinXP, you might want to run the Repair feature from the CD rather than doing a full uninstall and reinstall. The Repair feature does seem to work a lot of the time. You could also try System Restore back to before it slowed down, but you would lose settings and installs made since then...

david eaton
08-24-2003, 04:11 PM
There are two items in your Hijack This log that look odd.

In the running processes list:-
D:\WINDOWS\System32\wins\DLLHOST.EXE

D:\WINDOWS\System32\wins\svchost.exe

Svchost.exe is a valid winXP filename, but the file is in windows/system32.
Could you find those files, right click on them, and select properties>version. That might explain what they are associated with.

I suggest that you stop both these running in task manager, and see how your connection behaves. If it is improved then the files can be renamed in case you find that something else does not work.


David
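The check david eaton describes above (a Windows system file name running from a folder other than its usual one), as an added example that is not part of the original thread. The `EXPECTED_DIRS` allowlist and the function names are made up for illustration, the Windows folder is assumed to be named `WINDOWS` as in the posted log, and the sample is a short excerpt of that log.

```python
import ntpath

# Illustrative allowlist (an assumption of this example, not a complete list):
# system binary name -> the only directory it should run from, drive removed.
EXPECTED_DIRS = {
    "smss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "dllhost.exe": r"\windows\system32",
    "spoolsv.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}

# Excerpt of the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.1

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\wins\DLLHOST.EXE
D:\PROGRA~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\wins\svchost.exe

O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line and paths:
                break  # a blank line ends the process list
            if line:
                paths.append(line)
    return paths


def misplaced_system_binaries(log_text):
    """Flag processes that use a system binary's name from the wrong folder."""
    findings = []
    for path in running_processes(log_text):
        _, rest = ntpath.splitdrive(path)        # drop "D:" so any drive works
        directory, name = ntpath.split(rest)
        expected = EXPECTED_DIRS.get(name.lower())
        # Windows paths are case-insensitive, so compare lowercased.
        if expected is not None and directory.lower() != expected:
            findings.append(path)
    return findings


if __name__ == "__main__":
    for hit in misplaced_system_binaries(SAMPLE_LOG):
        print("unexpected location:", hit)
```

A name match in the right folder is not proof the file is genuine, so the version-properties check suggested in the post still applies to anything that looks off.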

killercow
08-24-2003, 05:49 PM
Ah yes, Budfred reminded me. My house is really strange. There is one original part of the house and one 4-5 year old addition. ANY internet connection in the new portion is EXTREMELY slow. However up in my room (the old portion) it is 2-3 times faster. Kinda strange but apparently with all the phone jacks the signal is distributed so much that it slows me down. On my DSL line they attached a filter that brings ALL the signal to one jack and it speeds up. See if it's any faster on another jack. I don't know if there is any signal filter for dial-up though.:rolleyes:

david eaton
08-24-2003, 07:52 PM
D:\WINDOWS\System32\wins\DLLHOST.EXE

D:\WINDOWS\System32\wins\svchost.exe

A quick look through Google search results turned up these two links.

http://www.computing.net/windows2000/wwwboard/forum/50905.html

http://www.computing.net/security/wwwboard/forum/6128.html

makes it look as if both those processes are trojans!

For a trojan scanner, have a look at

MJC's post (http://www.pcguide.com/vb/showthread.php?s=&threadid=15179)

David

mjc
08-25-2003, 12:47 AM
Good spot Dave......I missed them entirely.

Follow Dave's advice because he is probably right on those......

kenghoong
08-26-2003, 03:44 AM
BINGO!! got it...the massive uploading really stopped after ending the processes, SVCHOST and DLLHOST..the thing is SwatIT (demo) didn't detect it as a trojan, so I didn't delete it first..Is it okay to delete it with HijackThis?

david eaton
08-26-2003, 02:56 PM
This is actually the Welchia worm. Instructions for removal can be found
HERE (http://www.pchell.com/virus/welchia.shtml)

Ensure both files are deleted afterwards.

David

kenghoong
08-27-2003, 10:02 AM
Yeah...sorry, forgot to post a reply that I got it alright now!! I didn't fully read the link u gave the first time!

thanks a lot lads!