• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602

Something keeps downloading and it's really starting to bother me.

I'm on a dial-up connection, so any sort of download like this really brings my connection to a halt.  I'm a very paranoid person and I keep my computer very clean: I have AVG anti-virus, Ad-Aware SE, and ZoneAlarm Pro.  And I'm running Windows XP Pro SP2 with all the latest updates.

According to my firewall, "Generic Host Process for Win32 Services" keeps downloading things at about 50% of my bandwidth.  I hit the stop button when I notice this and set the permissions to ask me if it wants to access again.  It then stops for about 10 mins or so, and then pops up the message asking me if I want to accept connections for this.  I hit DENY, and everything seems to work just fine.

HOWEVER, this generic host process is usually required for when I access my e-mail or some websites.  So I'm in a constant battle of accepting it, and denying it when it wants to download for no reason.

I have automatic updates TURNED OFF.  So I have no idea what is trying to download on my computer.  If I just let it download it goes forever... WHAT on earth could it be?  Also every day I get blocked attempts, probably just port scans, but dangit, with all the Windows updates I would think I'd be safe.

Anyways, what is this generic host process used for, and what do you think it could be downloading?

Thanks!
Asked by: Whipsmack

2 Solutions
 
rossfingal commented:
Hi!

Get "Process Explorer" (free) and see what is running:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

"Generic Host Process for Win32 Services" - it's svchost.exe - it's normal to see more than one instance
of svchost.exe running on Win 2000/XP (I usually see 4 to 5 running).
Go through them and look at what's "calling" them -
Maybe some "strange" DLL/exe?!?

RF
0
 
FalconHawk commented:
>>> "Generic Host Process for Win32 Services" keeps downloading things at about 50% of my bandwidth.

Actually, it might not be "downloading" at all. Since I have exactly the same firewall as you use, it's pretty easy for me to see what can be happening.  Actually, the Generic Host Process for Win32 Services is only listening to a port, and that's ONLY in the trusted zone, port TCP 1025 and 5000. In fact, on my PC, the services aren't even generating ANY internet traffic, according to ZoneAlarm.

Furthermore, did you really test if your connection is slower? Or do you just think it's slower? Modems are perfect things to get various connection speeds, most times because of large file downloads. Try testing your connection here:
http://www.speedtest.nl/
Block and test, and then unblock and test, and see if it really makes a difference. This site is one of the few that actually can test even if you're proxied, so that's why I use it :).

Also try opening the Task Manager when you're idle. Take the Network tab, and see if any data is passing through. If you're not busy, it should be more than a few bits or so.

Oh btw... if those programs you noted are the only security tools, you are missing an anti-spyware program.  Try these 2 if you don't have them:
http://safer-networking.de/en/download/index.html (Spybot search and destroy, very good freeware one)
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
(Microsoft Antispyware, Beta, but functioning very well)
0
 
r-k commented:
Try the following from a command window (Start->Programs->Accessories->Command Window):

> cd \
> tasklist /svc > list.txt

This will save a file named list.txt on your c: root folder. Please cut and paste the contents of that file here. It may help decide if anything suspicious is running on your system. Thanks.
0
 
Whipsmack (author) commented:
Okay, I downloaded that Process Explorer (pretty nifty :).  And I unblocked generic host process and sure enough 2 minutes later it starts downloading.

And yes, I'm sure it's downloading because my network link is constantly receiving data.  And when I try to play a game my ping time goes from 200 to 600, meaning something is hogging my bandwidth.

HERE is what's downloading the data according to the explorer:

svchost.exe (PID=916), and there's a plus box where a file below that is running:
-    wscntfy.exe (PID=1384) Windows Security Center Notification App
Although the CPU process is only on svchost not the wscntfy


Also, I took r-k's advice and made the list. It looks like svchost 916 has a lot more apps running through it than what Process Explorer was showing.  Here's the list:


Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     500 N/A                                          
csrss.exe                    552 N/A                                          
winlogon.exe                 576 N/A                                          
services.exe                 620 Eventlog, PlugPlay                          
lsass.exe                    632 PolicyAgent, ProtectedStorage, SamSs        
ati2evxx.exe                 792 Ati HotKey Poller                            
svchost.exe                  808 DcomLaunch, TermService                      
svchost.exe                  864 RpcSs                                        
svchost.exe                  916 AudioSrv, BITS, Browser, CryptSvc, Dhcp,    
                                 dmserver, ERSvc, EventSystem,                
                                 FastUserSwitchingCompatibility, helpsvc,    
                                 lanmanserver, lanmanworkstation, Netman,    
                                 Nla, RasMan, Schedule, seclogon, SENS,      
                                 SharedAccess, ShellHWDetection, srservice,  
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,  
                                 wscsvc, wuauserv, WZCSVC                    
svchost.exe                  980 Dnscache                                    
svchost.exe                 1016 LmHosts, RemoteRegistry, WebClient          
spoolsv.exe                 1192 Spooler                                      
avgamsvr.exe                1336 Avg7Alrt                                    
avgupsvc.exe                1428 Avg7UpdSvc                                  
ati2evxx.exe                1464 N/A                                          
ncupdatesvc.exe             1560 NCUpdateSvc                                  
explorer.exe                1596 N/A                                          
wdfmgr.exe                  1736 UMWdf                                        
vsmon.exe                   1808 vsmon                                        
alg.exe                      364 ALG                                          
atiptaxx.exe                 776 N/A                                          
CTHELPER.EXE                 936 N/A                                          
qttask.exe                  1048 N/A                                          
winampa.exe                 1032 N/A                                          
realplay.exe                1112 N/A                                          
avgcc.exe                   1268 N/A                                          
PDVDServ.exe                1296 N/A                                          
SM1bg.exe                   1348 N/A                                          
wscntfy.exe                 1384 N/A                                          
zlclient.exe                1360 N/A                                          
procexp.exe                 3060 N/A                                          
msimn.exe                   2868 N/A                                          
firefox.exe                  712 N/A                                          
cmd.exe                     3752 N/A                                          
tasklist.exe                2908 N/A                                          
wmiprvse.exe                3336 N/A                                      


Thanks a lot everyone!    
0
 
Whipsmack (author) commented:
Well, I wish that Process Explorer could tell me exactly which one of those apps under 916 is doing the downloading.  I suspected it might be the BITS technology that is used to download patches for a certain video game that I play.  I disabled it, restarted, and that didn't fix it; it still continues to download data. hmmm
0
 
Rich Rumble (Security Samurai) commented:
Turn off System Restore, and try running Ad-Aware after System Restore is off:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
-rich
0
 
r-k commented:
>>>I suspected it might be the BITS technology that is used to download patches for a certain video game that I play.  I disabled it,...

I think that gives the clue. There seems to be nothing wrong. BITS is the "Background Intelligent Transfer Service" from Microsoft. When it is in your tasklist it means that you are receiving a Windows update from Microsoft. You can download information about it at:

 http://www.microsoft.com/windowsserver2003/techinfo/overview/bits.mspx

For some reason, your automatic update is running even though you think it is disabled. Please check that setting again. I think the download activity you see is just BITS downloading stuff from Microsoft. Normally this should also put an icon in the system tray, and if you point the mouse over it, it should say "downloading" or something like that.
0
 
r-k commented:
To further check what might be doing the downloading, you can type (in a command window):

> netstat -o

And optionally save it to a text file:

> netstat -o > net.txt

and then cut and paste the contents of the net.txt file here.
0
 
r-k commented:
There is nothing in the Tasklist you posted that suggests anything wrong or suspicious.
0
 
Whipsmack (author) commented:
Well I can't thank you all enough for the wonderful help.  I will be accepting an answer as soon as I get the download to come back so I can log it to that net.txt file.  

I'm positive Windows Update is off, the BITS for the game is off, and System Restore is now off.  Nothing is happening yet; I'll give it a bit and see if it comes back.
0
 
r-k commented:
Thanks. I assume that your system is OK now that you turned off all the automatic downloads. Just for completeness, I want to mention that with Win/XP SP2 or later, the better command to check network connections is:

 netstat -ab

this not only identifies the connections, but also names the process that is using each.

Good luck.
0
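The two diagnostic outputs the thread asks for, `tasklist /svc` and `netstat -o`, only become useful together: netstat gives the PID behind each connection, and tasklist tells which services share that PID. As an added example (not code from the thread, from Experts Exchange, or from Microsoft), the Python script below parses both formats and reports, per PID, the remote endpoints and the hosted services, flagging a shared svchost.exe where the PID alone cannot attribute the traffic. Both sample outputs are constructed for the example (the tasklist rows reuse the layout posted earlier in the thread; the netstat addresses are RFC 5737 documentation addresses), and the `SUSPECT_SERVICES` shortlist of BITS and wuauserv reflects the thread's own suspects, not an authoritative list of download-capable services.

```python
"""Correlate `netstat -o` output (PID per connection) with `tasklist /svc` output
(services hosted per PID) so that traffic from a shared svchost.exe can be
narrowed down to the services it hosts.

Example code, not part of the thread. Both samples below are constructed: the
tasklist rows copy the column layout posted in the thread, the netstat lines
use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Constructed `tasklist /svc` sample in the fixed-width layout Windows XP prints.
# Continuation rows (blank Image Name and PID columns) belong to the PID above.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  864 RpcSs
svchost.exe                  916 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 wscsvc, wuauserv, WZCSVC
svchost.exe                  980 Dnscache
firefox.exe                  712 N/A
"""

# Constructed `netstat -o` sample. UDP rows carry no State column.
NETSTAT_O = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED     916
  TCP    192.0.2.10:1043        203.0.113.5:443        ESTABLISHED     712
  TCP    192.0.2.10:1044        198.51.100.7:80        ESTABLISHED     916
  UDP    192.0.2.10:1900        *:*                                    980
"""

# Services the thread singles out as download-capable (BITS, Automatic Updates).
# A constructed shortlist for this example, not an authoritative catalogue.
SUSPECT_SERVICES = {"BITS", "wuauserv"}

# A data row: image name (may contain spaces), whitespace, PID, whitespace, services.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>\S.*)$")
# A continuation row: leading whitespace, then more service names for the last PID.
CONT_RE = re.compile(r"^\s+(?P<svc>\S.*)$")


def parse_tasklist_svc(text):
    """Return ({pid: image name}, {pid: [service names]}) from `tasklist /svc` output.
    The header, ruler and blank lines match neither pattern and are skipped."""
    images, services, current = {}, {}, None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            current = int(row["pid"])
            images[current] = row["image"]
            services[current] = []
            svc = row["svc"]
        else:
            cont = CONT_RE.match(line)
            if not cont or current is None:
                continue
            svc = cont["svc"]
        if svc.strip() != "N/A":  # N/A marks a plain process hosting no service
            services[current].extend(s.strip() for s in svc.split(",") if s.strip())
    return images, services


def parse_netstat_o(text):
    """Return a list of {proto, local, foreign, state, pid} dicts from `netstat -o`.
    The PID is always the last field, so UDP rows (no State) parse the same way."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append({
            "proto": parts[0],
            "local": parts[1],
            "foreign": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return conns


def correlate(netstat_text, tasklist_text):
    """Group connections by PID and attach the image and hosted services.
    `shared_host` marks a PID hosting several services (typically svchost.exe),
    where the PID alone cannot say which service owns the traffic; `suspects`
    lists which of those services are on the SUSPECT_SERVICES shortlist."""
    images, services = parse_tasklist_svc(tasklist_text)
    by_pid = defaultdict(list)
    for conn in parse_netstat_o(netstat_text):
        by_pid[conn["pid"]].append(conn)
    report = []
    for pid in sorted(by_pid):
        hosted = services.get(pid, [])
        report.append({
            "pid": pid,
            "image": images.get(pid, "unknown (not in tasklist)"),
            "services": hosted,
            "remote": sorted({c["foreign"] for c in by_pid[pid]}),
            "shared_host": len(hosted) > 1,
            "suspects": sorted(set(hosted) & SUSPECT_SERVICES),
        })
    return report


if __name__ == "__main__":
    for row in correlate(NETSTAT_O, TASKLIST_SVC):
        print(f"PID {row['pid']:>5} {row['image']:<14} -> {', '.join(row['remote'])}")
        if row["shared_host"]:
            print(f"      hosts {len(row['services'])} services; suspects: {row['suspects'] or 'none'}")
```

On a real XP machine you would capture `tasklist /svc > list.txt` and `netstat -o > net.txt` while the download is in progress and pass the two files' contents to `correlate()`. Where it flags a shared svchost.exe, the remaining step is the one the thread ends up taking: stop the candidate services one at a time (the author tried BITS) and watch whether the connections to that remote address disappear.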
