1. Not exactly an answer, but conceptually relevant:
Your ISP is selling you a speed from your house to their border router situated at the edge of The Internet. Your ISP has no control over what happens to your packets once they're out 'mongst the tubes.
The metrics you're describing are actually tracking latency between servers well outside your provider's network. Information like that is not at all relevant to the speed your provider is selling you, and can easily be obtained at places like internettrafficreport.com.
I assume the software you're describing was always meant for people managing networks, and not for end users who would confuse latency with last mile speed performance as you have.
2. Not a software solution, but still a way to get the information you want:
To test the health of your connection, run a tracert to some random server on the internet. Find the last hop on your provider's network: that's their border router, and the last point over which they have any control. Run a ping -t to that IP for up to a week: there's your real last mile performance metric.
If you're on a shared resource like cable, expect packet loss during peak hours (when everyone's online) and bursts of awesome performance when all your neighbors are at work or asleep. If you're on a private connection like DSL, expect a fairly uniform response over time.
3. A way to approach your provider with information they'll listen to:
If you think you're not getting the speed you're paying for, find your provider's own speed test (it will be on a server on their network and not out on the internet like the speed tests you mention). Perform this test ten or fifteen times over the course of a week. Calculate the average of all these tests.
Your final number should be roughly ten percent under the speed your provider sold you. (The missing 10% is protocol overhead.) If the end result is much lower, contact your provider and have them fix the problem.
If you click on the "Static Analysis" link for the file on the Comodo Valkyrie page, you will see that one of the reasons for flagging the file was because "TLS callback functions array detected". There may be a legitimate reason for the inclusion of that code within the executable you uploaded to the site, but TLS callback code can be used by malware developers to thwart the analysis of their code by antivirus researchers by making the process of debugging the code more difficult. E.g., from
Detect debugger with TLS callback:
TLS callback is a function that is called before the process entry point executes. If you run the executable with a debugger, the TLS callback will be executed before the debugger breaks. This means you can perform anti-debugging checks before the debugger can do anything. Therefore, TLS callback is a very powerful anti-debugging technique.
TLS Callbacks in the Wild discusses an example of malware using this technique.
Lenovo has a bad reputation in regards to the software it has distributed with its systems. E.g., from the February 15, 2015 Ars Technica article Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections:
Lenovo is selling computers that come preinstalled with adware that
hijacks encrypted Web sessions and may make users vulnerable to HTTPS
man-in-the-middle attacks that are trivial for attackers to carry out,
security researchers said.
The critical threat is present on Lenovo PCs that have adware from a
company called Superfish installed. As unsavory as many people find
software that injects ads into Web pages, there's something much more
nefarious about the Superfish package. It installs a self-signed root
HTTPS certificate that can intercept encrypted traffic for every
website a user visits. When a user visits an HTTPS site, the site
certificate is signed and controlled by Superfish and falsely
represents itself as the official website certificate.
A man-in-the-middle attack defeats the protection you would otherwise have by visiting a site using HTTPS rather than HTTP, allowing the software to snoop on all web traffic, even traffic between the user and financial institutions such as banks.
When researchers found the Superfish software on Lenovo machines, Lenovo initially claimed "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." But the company had to retract that statement when security researchers revealed how the Superfish software made Lenovo systems open to compromise by malefactors.
In response to that debacle, Lenovo's Chief Technical Officer (CTO), Peter Hortensius, then stated "What I can say about this today is that we are exploring a wide range of options that include: creating a cleaner PC image (the operating system and software that is on your device right out of the box)..." Perhaps that option was discarded. E.g., see the September 2015 article Lenovo Caught Red-handed (3rd Time): Pre-Installed Spyware found in Lenovo Laptops by Swati Khandelwal, a security analyst at The Hacker News, that discusses the "Lenovo Customer Feedback Program 64" software you found on your system.
Update:
In regards to legitimate uses for Thread Local Storage (TLS) callbacks, there is a discussion of TLS in the Wikipedia Thread Local Storage article. I don't know how often programmers use it for legitimate uses. I've only found one person mentioning his legitimate use for the capability; all the other references to it I've found have been to its usage by malware. But that may simply be because the usage by malware developers is more likely to be written about than programmers writing about their legitimate usage. I don't think its usage alone is conclusive evidence Lenovo is trying to hide functions in the software that its users would likely find alarming if they knew everything the software did. But, given Lenovo's known practices, not just with Superfish, but subsequently with its use of the Windows Platform Binary Table (WPBT) for the "Lenovo System Engine" to ensure the OneKey Optimizer (OKO) software would be installed on a system even if a user attempted to create a "clean" installation of Windows, as described in Lenovo used Windows anti-theft feature to install persistent crapware, I think there is reason to be somewhat wary and am far less likely to give Lenovo the benefit of the doubt than I might other companies.
Unfortunately, there are a lot of companies which try to make more money off their customers by selling customer information or "access" to their customers to other "partners". And sometimes that is done through adware, which doesn't necessarily mean the company is providing personally identifiable information to those "partners". At times a company may want to collect information on its customers' behavior just so it can provide more information to marketers on the type of customer the company is likely to attract rather than information identifying an individual.
If I upload a file to VirusTotal and find just one or two of the many antivirus programs it uses to scan uploaded files flagging the file as containing malware, I often regard those as false positive reports, if the code has obviously been around for quite some time, e.g., if VirusTotal reports it previously scanned the file a year ago, and I otherwise have no reason to distrust the software developer and, to the contrary, some reason to trust the developer, e.g., because of a longstanding good reputation. But Lenovo has already tarnished its reputation and 12 out of 53 antivirus programs flagging the file you uploaded is about 23%, which I regard as a worryingly high percentage.
Though, since most antivirus vendors usually provide little, if any, specific information on what leads to a file being flagged as a particular type of malware and exactly what a particular malware description means in terms of its operation, it's often hard to ascertain exactly what you need to worry about when you see a particular description. In this case it could even be that most of them are seeing a TLS callback and flagging the file on that basis alone. I.e., it is possible that all 12 are making a false positive claim on the same mistaken basis. And sometimes different products share the same signatures for identifying malware and that signature may also occur in a legitimate program.
As for the "W32/OnlineGames.HI.gen!Eldorado" result reported by a couple of the programs on VirusTotal being a name similar to PWS:Win32/OnLineGames.gen!B, without specific information on what led to the conclusion that the file is associated with W32/OnlineGames.HI.gen!Eldorado and what behavior is associated with W32/OnlineGames.HI.gen!Eldorado, i.e., what registry keys and files should one expect to find and how software with that particular description behaves, I wouldn't conclude that the software steals gaming credentials. Without any other evidence, I think that is unlikely. Unfortunately, a lot of the malware descriptions you will see are just similarly named generic descriptions that are of little value in determining how worried you should be when seeing that description attached to a file. "W32" is often attached to the beginning of a lot of names by some antivirus vendors. The fact that they share that and "OnlineGames" and "gen" for "generic" in the names wouldn't lead me to conclude that files given those names operate in the same manner.
I'd remove the software, since I'd judge it to use system resources with no benefit to me, and, if you play online games, you could reset your passwords as a precaution, though I doubt the Lenovo software has stolen online gaming credentials or is doing keystroke logging. Lenovo doesn't have a stellar reputation for the software they include on their systems, but I've seen no reports that they've distributed any software that would operate in such a manner. And the periodic loss of network connectivity could even be outside of your PC. E.g., if other systems at the same location also periodically experience a loss of connectivity, I'd think there is more likely an issue at a router.
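The "TLS callback functions array detected" flag discussed in the answer above can be checked by reading the PE headers directly. The following is an added example, not part of the original answer and not the scanner's own logic; `tls_callbacks` and `build_sample` are hypothetical names, and the sample image is constructed for illustration.

```python
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS: slot in the optional header's data directories

def tls_callbacks(pe: bytes) -> list:
    """Return the virtual addresses listed in a PE image's TLS callback array."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)   # COFF header fields
    opt = nt + 24
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B        # PE32+ has 8-byte pointers
    ptr, fmt = (8, "<Q") if pe64 else (4, "<I")
    image_base, = struct.unpack_from(fmt, pe, opt + (24 if pe64 else 28))
    dirs = opt + (112 if pe64 else 96)
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)             # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * TLS_DIR)[0] if ndirs > TLS_DIR else 0
    if tls_rva == 0:
        return []                                               # no TLS directory
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def file_offset(rva):
        for vsize, vaddr, rsize, raw in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    # AddressOfCallBacks is the fourth pointer-sized field and holds a VA, not an RVA
    array_va, = struct.unpack_from(fmt, pe, file_offset(tls_rva) + 3 * ptr)
    if array_va == 0:
        return []
    found, pos = [], file_offset(array_va - image_base)
    while (va := struct.unpack_from(fmt, pe, pos)[0]) != 0:     # array is null-terminated
        found.append(va)
        pos += ptr
    return found

def build_sample(callbacks=(0x401100, 0x401180)) -> bytes:
    """Constructed minimal PE32 image (not a real program) with one section and a TLS directory."""
    img = bytearray(0x400)
    img[:2], img[0x3C:0x44] = b"MZ", struct.pack("<I", 0x40) + b"PE\0\0"  # e_lfanew, signature
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 0xE0)      # i386, 1 section, opt hdr size
    struct.pack_into("<H26xI", img, 0x58, 0x10B, 0x400000)      # PE32 magic, ImageBase
    struct.pack_into("<I72xII", img, 0x58 + 92, 16, 0x1000, 24) # dir count, TLS dir RVA/size
    struct.pack_into("<4I", img, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<I", img, 0x20C, 0x401020)                # AddressOfCallBacks (VA)
    struct.pack_into(f"<{len(callbacks) + 1}I", img, 0x220, *callbacks, 0)
    return bytes(img)
```

To check a real file, pass `open(path, "rb").read()` to `tls_callbacks`; a non-empty result shows only that code is registered to run before the entry point, not what that code does.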
Best Answer
I think you're looking for NetLimiter: