Solved Win 7 SYSTEM Process Uploading Large Amounts of Data

February 7, 2017 at 07:52:07
Specs: Windows 7 Pro 64-bit, Xeon E3-1240 3501 MHz
I have a PC at home with Windows 7 64-bit OS. I use NetBalancer to monitor network traffic. Netbalancer identifies a process called SYSTEM that is uploading a huge amount of data - e.g. 300 gb this week. My ISP reports my internet usage for the same period has been about 25 gb. How can I determine what the SYSTEM process is doing? Virus scans are clean.

message edited by Smolokom


See More: Win 7 SYSTEM Process Uploading Large Amounts of Data

Report •

#1
February 7, 2017 at 08:15:19
Just to clarify this statement, first...; before the pest and problem gurus kick in (they have more know how on some of these issues than I).

SYSTEM that is uploading a huge amount of data - e.g. 300 gb this week. My ISP reports my internet usage for the same period has been about 25 gb.

Are you saying that "normally" that figure is the region of 25GB, but this current week it's shot upto 300GB?


Report •

#2
February 7, 2017 at 09:29:33
✔ Best Answer
Yes, please give the info requested in #1.

There are three free programs we use on here to start a malware check as they often unearth what antivirus programs miss. Please run them in the order given and copy\paste the logs on here:

AdwCleaner:
https://toolslib.net/downloads/view...
(blue "Download Now" button on right).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Clean" button.

Junkware Removal Tool (JRT)
https://www.malwarebytes.org/junkwa...
(blue Download button).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/
(use the "Free Download" button rather than the "Buy Now" button).
Install and Run the Threat Scan - quarantine anything it finds.

The ADW log is a text file in the ADWCleaner folder directly off the system drive root (usually C).

Always pop back and let us know the outcome - thanks


Report •

#3
February 7, 2017 at 10:32:43
trvlr - No that's not what I am trying to say....

Normally my internet usage is 50-150 gb/mo (info from my ISP). In Dec it jumped to 500 gb (100 gb/d beginning at xmas) and in Jan it was 1.1 tb for the first 15 days. Last month I reinstalled Windows 7 as I could not determine why internet usage was so high. I also purchased NetBalancer so I could monitor usage. Since Feb 1, NetBalancer reports I have uploaded 300 gb with the Windows process SYSTEM. NetBalancer has a filter to exclude LAN traffic and that shows about 29 gb of uploads to internet. For the same period, my ISP reports I have used 25 gb. I am interpreting that this means I have around 25 gb of internet access, plus another 275 gb of uploading contained on my network - is that right???? I have 3 external hard drives on my network - could that be the reason for all the traffic on the network (but not on the internet)? I am very lost, being a relative newbie. What is SYSTEM doing???

message edited by Smolokom


Report •

Related Solutions

#4
February 7, 2017 at 10:55:48
Derek - thanks, here are the logs:

1. AdWCleaner
# AdwCleaner v6.043 - Logfile created 07/02/2017 at 11:37:19
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-03.2 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : user - USER-HP
# Running from : G:\Downloads\adwcleaner_6.043.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
***** [ DLL ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled Tasks ] *****
***** [ Registry ] *****
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{8BF0126F-A5B7-4720-ABB2-2414A0AF5474}
***** [ Web browsers ] *****
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [844 Bytes] - [07/02/2017 11:37:19]
C:\AdwCleaner\AdwCleaner[S0].txt - [1193 Bytes] - [07/02/2017 11:36:40]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [989 Bytes] ##########


2. JRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Professional x64
Ran by user (Administrator) on Tue 02/07/2017 at 11:43:52.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 18
Successfully deleted: C:\ProgramData\esellerate (Folder)
Successfully deleted: C:\Users\user\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UZMR954 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\913RNATE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISPV88NT (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PULBSD02 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UZMR954 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\913RNATE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISPV88NT (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PULBSD02 (Temporary Internet Files Folder)

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/07/2017 at 11:47:43.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. MalwareBytes
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/7/17
Scan Time: 11:52 AM
Logfile: malware bytes.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1064
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: user-HP\user

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 355416
Time Elapsed: 1 min, 2 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

message edited by Smolokom


Report •

#5
February 7, 2017 at 11:33:47
OK thanks. In MalwareBytes go to "Settings > Protection". Under Scan Options move the "Scan for rootkits" slider over to On and run the scan again please. If anything is found please copy/paste the log on here again.

Always pop back and let us know the outcome - thanks

message edited by Derek


Report •

#6
February 7, 2017 at 11:51:00
In addition to #5 above:

1. Please make sure the Windows Firewall is On.

2. See if Remote Desktop is enabled. If so turn it off as given here:
https://www.lifewire.com/disable-wi...

Finally let us know if the large uploads are still going on.

Always pop back and let us know the outcome - thanks


Report •

#7
February 7, 2017 at 12:04:11
Derek - done. Nothing was detected by MalwareBytes.

Report •

#8
February 7, 2017 at 12:08:35
Derek - #6

Windows Firewall if OFF. I use McAfee Total Protection and the McAfee firewall is ON.

Remote Desktop is not enabled.


Report •

#9
February 7, 2017 at 12:10:35
p.s. I'll monitor NetBalancer for a few days this weekend to see if upload rates have changed. Unfortunately gotta go out of town for the rest of the week.

Report •

#10
February 7, 2017 at 12:13:17
OK. If necessary the malware check can be taken further but we'll see how you get on.

Always pop back and let us know the outcome - thanks


Report •

Ask Question