11-28-2010 07:38 PM - last edited on 11-28-2010 07:48 PM by Tim_Lopez
About four weeks ago I noticed that even when I wasn't searching webpages or downloading content, the connection icon was flashing merrily away and downloading data. I experimented by disconnecting and re-connecting to the internet but not opening Internet Explorer, and sure enough something begins to download as soon as I connect and continues downloading for hours if I let it. (It's not Windows Updates or virus definitions, as they are all up to date.)
After I do these experiments I have done a Windows search and checked all the files modified within that period but it just seems to be Windows files modified. I've tried to Block everything possible via Norton Program Control but end up just blocking myself from the internet. I've tried turning on Advanced Events Monitoring but nothing unusual pops up apart from when I try to access the internet, which is what I would expect.
I've also checked security history and the only "Medium" severity block relates to a Norton Internet Security file - \Engine\220.127.116.11\ccSvcHst.exe
I am guessing there must be a way to find out what site it is connecting to and blocking it, but I don't know how. Anybody got any ideas cos it's making my slow dial up even slower having to compete with a constant background download. There are no other ill effects from this problem that I have noticed.
Thanks heaps, Paul
[edit: changed subject from "ghost download" as to not confuse with Norton Ghost]
11-28-2010 08:53 PM
It is very likely one or more programs updating, and I would suspect that Norton is in there somewhere. To figure out who's doing what, download Sysinternals' free TCPView program from Microsoft. It will show you all the endpoint connections as they occur, which programs are connecting to which sites. It's a very handy little application to keep around.
11-30-2010 04:44 PM
Great tip. I downloaded the TCPView program and was able to see the remote address that was constantly connecting. I added a rule in Norton to block it and reconnected. The remote address appeared again but had incremented the second last digit, so I blocked that one too and so far so good... makes a huge difference to my web browsing!
It was using a file called svchost.exe. From all the hits on Google it looks like a file that often gets tampered with. Still not sure who, what and why it was connecting to, but glad to see the back of it.
Thanks a lot for the tip!
11-30-2010 05:07 PM - edited 11-30-2010 05:09 PM
Svchost is a Windows process that normally has multiple instances running at the same time. It is normal to see several entries of svchost.exe in TCPView. You can right-click each and select "Process properties..." to see the file path, which should be C:\Windows\system32\. I'm sure some of these connections may not be strictly necessary, but I am always a little reluctant to block a Windows process unless I know exactly what the activity is doing (and I never do). Be discerning in what you choose to block.
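The two steps recommended in this thread (watch which process owns each connection, then check that an svchost.exe instance really lives under System32 before deciding what to block) can be done from a script as well as from TCPView. The following PowerShell is an added example written for this page, not code posted by anyone in the thread or shipped by Norton or Sysinternals. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists (the thread is from the XP/7 era, where TCPView or netstat -b is the equivalent), and an elevated prompt so that the image path of service-hosted processes can be read. It also looks up which services each svchost instance hosts via Win32_Service, which is the missing piece when deciding whether a connection is "Windows doing something legitimate" or worth a closer look.

```powershell
# Added example, not code from the thread. Lists established TCP connections
# with the owning process, its image path, and (for svchost.exe) the services
# that instance hosts, so a recurring remote address can be tied to a program
# before anything is blocked. Needs Windows 8 / Server 2012 or later for
# Get-NetTCPConnection; run elevated so system processes expose their path.

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Connection states to report; Established is where a constant download shows up.
        [string[]] $State = @('Established')
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    # One CIM query up front: which services live in which process (keyed by PID as string).
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($conn in Get-NetTCPConnection -State $State) {
        $ownerPid = $conn.OwningProcess
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }   # $null when not elevated or process already exited
        $name = if ($proc) { $proc.ProcessName } else { "pid $ownerPid" }

        $services = ''
        if ($svcByPid -and $svcByPid.ContainsKey("$ownerPid")) {
            $services = ($svcByPid["$ownerPid"] | Select-Object -ExpandProperty Name) -join ','
        }

        # The post above makes the key point: svchost.exe is expected under System32.
        # A copy anywhere else, or one hosting no service at all, is what to look at.
        $note = ''
        if ($name -ieq 'svchost') {
            if (-not $path) {
                $note = 'path unreadable; run elevated'
            } elseif (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
                $note = 'svchost outside System32'
            } elseif (-not $services) {
                $note = 'svchost hosting no service'
            }
        }

        [pscustomobject]@{
            Process  = $name
            PID      = $ownerPid
            Path     = $path
            Services = $services
            Remote   = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
            State    = $conn.State
            Note     = $note
        }
    }
}

# Usage: one table per connection, then a tally per remote address so a host that
# keeps coming back (or shifts by one digit, as in the thread) stands out.
$conns = Get-ConnectionOwner
$conns | Sort-Object Process | Format-Table -AutoSize
$conns | Group-Object Remote | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Reading the output: an svchost.exe under C:\Windows\System32 that hosts a named service such as a Windows Update or BITS service is the normal case the last post describes. An instance with no path, no services, or a path outside System32 is the one to investigate further (file properties, signature, a scan) before writing a firewall rule, since blocking by remote address alone leaves the program in place and, as the thread shows, the address can simply change.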