How to determine what program is downloading?

Discussion in 'Software' started by GoshenGeek, Nov 14, 2014.

  1. GoshenGeek

    GoshenGeek Corporal

    Platform: Windows 7 Home Premium, ASUS laptop K52F

    I use the NetMeter gadget to monitor downloads & uploads. I notice that about 2 minutes after booting, there starts a constant download (approx. 500kbps) that lasts for several minutes. I'll unplug my Ethernet connection, the download will stop, I'll plug the Ethernet back in, and the download will start back up within 30 seconds. The download goes on for several minutes and then stops. I am pretty sure (although not 100%) the download is not from my anti-virus, Avira, since I have tried manually updating its virus definitions as soon as I login. And even after Avira stops downloading its files, the download displayed on NetMeter continues for a while. I am very diligent about keeping all software & OS up to date. I have tried stopping some processes but cannot find the culprit. How can I determine which program/process is causing this download? How do I track this down?
     
  2. plodr

    plodr Major Geek Super Extraordinaire

    What is listed in the startup tab of msconfig? or the Startup under Tools in CCleaner? or Startup Programs in WinPatrol?
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  4. GoshenGeek

    GoshenGeek Corporal

    Good question -- I did not think to check the startup items. Would you be able to look at the attached screen dumps from CCleaner and tell me what I should turn off or remove?

    Thank you!!!!
     

    Attached Files:

  5. GoshenGeek

    GoshenGeek Corporal

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :) You're welcome.

    dr.m
     
  7. plodr

    plodr Major Geek Super Extraordinaire

    Can you save the CCleaner startups as a txt file rather than a doc?
    I don't have Office installed on my main desktop computer.
     
  8. GoshenGeek

    GoshenGeek Corporal

    Sorry, I should have attached this as text rather than doc. See the attached for the startup items.

    Thank you!!!!!!!!!!!!!!!!!!!!
     

    Attached Files:

  9. Imandy Mann

    Imandy Mann MajorGeekolicious

    Another thanks Doc. I'm going to try this on my 8.1 to narrow down its attraction for the internet. Was thinking of using a third party packet capture program but I really didn't like them in prior usage. This method is something I've overlooked.
     
  10. mdonah

    mdonah Major Geek Extraordinaire

    With 8.1, aren't you logged in to Microsoft?
     
  11. Imandy Mann

    Imandy Mann MajorGeekolicious

    I made two accounts. One for me and one for my wife. Local offnet. Then to use appstore my account changed to the MS logon. My offline account didn't show anymore. I've cleaned up my MS desktop and Metro to eliminate all the tiles I'll never use. Hers is still a local account and uses a fair amount more of internet. So I'm thinking some of the apps and tiles are still active in the background even when not signed in to MS. I use gbytes cards for my wireless and don't need constant contact.
     
  12. Earthling

    Earthling Interplanetary Geek

    Another, and possibly better way for Win 7 is Task Manager > Performance tab > Resource Monitor button. You can expand any of the monitors as required. Haven't tried it in 8.1 but it probably works much the same.
     

    Attached Files:

  13. plodr

    plodr Major Geek Super Extraordinaire

    SuperAntispyware (free) doesn't need to run at startup

    ATKOSD2 doesn't need to run at startup
    http://www.bleepingcomputer.com/startups/ATKOSD2.exe-24311.html

    Stop setwallpaper from running at startup
    http://www.bleepingcomputer.com/forums/t/419327/setwallpapercmd-virus/

    You have McAfee Raptor AND MBAM Anti-Exploit. Pick one and get rid of the other.

    Stop ACMON/splendid from running at startup - you do not need to uninstall it
    http://www.shouldiremoveit.com/ASUS-Splendid-Video-Enhancement-Technology-5790-program.aspx

    Fire up CCleaner and look over the section called Options then Monitoring. You do not need CCleaner monitoring and running at startup. They started this with the newest version.
    You simply turn off all the monitoring, ignoring the dire warnings (I do not have it set to monitor on our four Win 7 computers) and you decide when you want to clean, not the program.
     
  14. GoshenGeek

    GoshenGeek Corporal

    PLODR -- Thank you so much for the help. I took your advice.

    Take care.....
     
  15. plodr

    plodr Major Geek Super Extraordinaire

    Post back if the downloading still continues and we'll look further.
     
  16. GoshenGeek

    GoshenGeek Corporal

    Re: How to determine what program is downloading? SOLVED

    SOLVED - Windows update was the culprit.

    Here is the process I used to solve this problem:

    (1) Used Windows ResourceMonitor to watch which process was the major downloader. Answer = svchost (netsvcs)

    (2) Used ProcessExplorer to look at details of all running svchost processes while the download was in progress. Found one svchost process (see attached image) that referenced wupdate process. I stopped this svchost process & download immediately stopped.

    (3) Changed wupdate service from auto to manual

    (4) Rebooted - Hard boot + reboot DSL modem

    (5) Watched what happened over course of several days. No more unidentified downloads.

    Does anyone know why Windows Update would behave in this way? Is this a bug in the update software?
     

    Attached Files:

  17. plodr

    plodr Major Geek Super Extraordinaire

    Thanks for reporting back.
     
  18. GoshenGeek

    GoshenGeek Corporal

    Well, I thought the download problem was solved. But two more instances popped up. The first was from AeLookupSvc - see a separate post about this:
    http://forums.majorgeeks.com/showthread.php?p=1893170#post1893170

    Then today there was another mysterious download. The process tree showed that svchost -k netsvcs was calling Appinfo.

    All of this leads to a general question. What the heck is going on here? Why should Windows download large amounts of data at all unless I specifically do work on the Internet? Perhaps there is something wrong with my laptop that should be fixed? What are your thoughts on this?

    Note: See the attachment which displays the 3 instances of processes that caused these mysterious downloads.
     

    Attached Files:

  19. AtlBo

    AtlBo Major Geek Extraordinaire

    GoshenGeek...

    One thing you can do is visit VirusTotal online and upload and scan the appinfo.dll in your Windows\system32 folder. That's the path apparently to the key file for the download as shown in the pic you uploaded.

    Information on this file here:

    http://www.shouldiblockit.com/appinfo.dll-2199.aspx

    Looks like it is Windows, and I found it in my W7 Pro system32 folder.
     
  20. GoshenGeek

    GoshenGeek Corporal

    I followed your advice for the appinfo.dll in my system32 folder. No problem was found.

    Any other thoughts anyone?????
     
  21. plastidust

    plastidust Command Sergeant Major

    Something else to try, look at your firewall logs for the IP address(es) the service(s) are connecting to. A couple of programs that are handy for determining what is connecting to whom:

    Knowing where the download is coming from may help you decide whether or not to allow it. It may also help you figure out if something nefarious is happening or not.
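    The firewall-log approach above can be done with the built-in Windows Firewall on Windows 7 and later, which logs nothing until logging is switched on. The PowerShell below is an added example, not something posted in this thread: it shows the two netsh commands that enable logging and a parser that reads the log's own "#Fields:" header and counts connection events per remote address and port. The sample log lines are constructed (documentation IP ranges only), and the code assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Windows Firewall logging is off by default; enable it once
# from an elevated prompt (the log lands in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log):
#   netsh advfirewall set allprofiles logging allowedconnections enable
#   netsh advfirewall set allprofiles logging droppedconnections enable
# The log is W3C-style text whose "#Fields:" header names the columns, so the parser reads that
# header instead of hard-coding column positions.

function Get-FirewallLogSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Action = 'ALLOW',   # ALLOW (what got through) or DROP (what was blocked)
        [int]$Top = 10
    )
    $fields = $null
    $rows = foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if (-not $fields -or $line -match '^#' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$row
    }

    # The log records one event per connection (or per dropped packet), and "size" is the size of
    # that single packet, so count events rather than summing bytes. For RECEIVE the remote end is
    # src-ip; for SEND (an outbound download started by this PC) it is dst-ip.
    $rows |
        Where-Object { $_.action -eq $Action } |
        ForEach-Object {
            $remote = if ($_.path -eq 'RECEIVE') { $_.'src-ip' } else { $_.'dst-ip' }
            $rport  = if ($_.path -eq 'RECEIVE') { $_.'src-port' } else { $_.'dst-port' }
            [pscustomobject]@{ Remote = $remote; Port = $rport; Proto = $_.protocol; Path = $_.path }
        } |
        Group-Object Remote, Port, Proto |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count,
            @{ n = 'Remote'; e = { $_.Group[0].Remote } },
            @{ n = 'Port';   e = { $_.Group[0].Port } },
            @{ n = 'Proto';  e = { $_.Group[0].Proto } }
}

# Constructed sample log (documentation addresses only) standing in for pfirewall.log
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-11-20 08:02:11 ALLOW TCP 192.168.1.10 203.0.113.25 49170 80 0 - 0 0 0 - - - SEND
2014-11-20 08:02:12 ALLOW TCP 192.168.1.10 203.0.113.25 49171 80 0 - 0 0 0 - - - SEND
2014-11-20 08:02:12 ALLOW TCP 192.168.1.10 203.0.113.25 49172 80 0 - 0 0 0 - - - SEND
2014-11-20 08:03:40 ALLOW TCP 192.168.1.10 198.51.100.7 49180 443 0 - 0 0 0 - - - SEND
2014-11-20 08:05:02 DROP TCP 198.51.100.99 192.168.1.10 51234 445 52 S 0 0 8192 - - - RECEIVE
'@ -split "`r?`n"

# Usage with the constructed sample, then with the real log:
#   Get-FirewallLogSummary -Lines $SampleLog
#   Get-FirewallLogSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
#   Get-FirewallLogSummary -Action DROP -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the sample, the ALLOW summary lists 203.0.113.25 port 80 with a count of 3 at the top, which is the pattern a repeated background download produces: many short outbound connections to the same host and port. The log never names the process, so pair it with a PID-level view (Resource Monitor, netstat -ano) to find out which program opened those connections.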
     
  22. AtlBo

    AtlBo Major Geek Extraordinaire

    GoshenGeek

    One other thing I thought I would mention. I am running Private Firewall on Windows 7. I first used PF on Win XP Pro, and it was great, but it is amazing on Win 7. Haven't yet put the pieces together to explain the difference, but it seems like PF is able to do a better job of identifying the source of each internet connection on Win 7. I get prompts about net connections fairly regularly now when I didn't get as many on XP.

    I guess I would say it's something you have to be sort of up for the challenge for, learning to use PF. It's very featured and gives you all the controls you want for each program (anti-keylogging/anti-unsolicited screen capture/others), but there is sort of a learning curve to deciding what the firewall should remember and what you want it to do only once and so on. Big thumbs up for PF from me.

    Plastidust mentioned CurrPorts. That's a very good program and TCPView is something I have too. I like that I can check the WhoIs database in TCPView for the IP of a connection to find out what is behind the connection. Then you can Google to see who is behind it all. You can turn off connections with either CPorts or TCPView, but, if you want full control, I recommend Private Firewall. Then you can have TCPView or CPorts too...

    One thing I do when I get prompted by PF about a connection is check the IP of the connection here:

    https://who.is/

    You can see this in TCPView, too, but this is quicker to get to usually for me...
     
  23. GoshenGeek

    GoshenGeek Corporal

    I have some additional info about the problem. Thank you very much for telling me about CurrPorts. Here is what I did:
    (1) Used ResourceMonitor to find the process PID that is causing the download
    (2) Used ProcessExplorer to see details of this process; again it is AppInfo
    (3) Used CurrPorts to look at the process PID & see the remote address of the download

    The download is coming from Akamai Tech. I have no idea what is going on here. See the 2 attachments that show the details from CurrPorts & the info from Who.Is.
    (1) Is this download needed? Why is there a download from Akamai??
    (2) If not, can I block this download?
     

    Attached Files:
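    The triage sequence used in posts 16 and 23 (Resource Monitor to find the PID, Process Explorer to see which service lives inside that svchost, CurrPorts to get the remote address) can be scripted with tools that ship with Windows 7. The following PowerShell is an added example and not something posted in this thread; it assumes PowerShell 3.0 or later and an elevated prompt, and uses only netstat, tasklist and WMI, so nothing needs installing.

```powershell
# Added example (not from the thread). Maps each established TCP connection to its owning PID, the
# image name and, for svchost.exe, the services hosted in that PID, so a download can be tied to a
# service rather than to "svchost". Assumes PowerShell 3.0+ and an elevated prompt (Windows 7 or later).

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Connection states to report; a download in progress shows up as ESTABLISHED
        [string[]]$State = @('ESTABLISHED'),
        # Reverse DNS is slow and needs the network; skip it with -NoResolve
        [switch]$NoResolve
    )

    # tasklist /svc: one row per PID with the services hosted in it ("N/A" for plain processes)
    $svcByPid = @{}
    tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
        $svcByPid[[int]$_.PID] = $_
    }

    # netstat -ano rows look like:  TCP  192.168.1.10:49170  203.0.113.25:80  ESTABLISHED  1234
    netstat -ano | Select-String '^\s*TCP\s' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $State -notcontains $f[3]) { return }

        $procId = [int]$f[4]      # $pid is a reserved automatic variable in PowerShell, hence $procId
        $remote = $f[2]
        # Strip the port; IPv6 endpoints are written as [addr]:port
        $ip = $remote.Substring(0, $remote.LastIndexOf(':')).Trim('[', ']')

        $hostName = ''
        if (-not $NoResolve) {
            # Best effort only: a PTR record naming a CDN is a hint about the hosting network,
            # not proof of who published the content being downloaded
            try { $hostName = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $hostName = '' }
        }

        $image = '?'; $services = '?'
        $owner = $svcByPid[$procId]
        if ($owner) { $image = $owner.'Image Name'; $services = $owner.Services }

        [pscustomobject]@{
            PID      = $procId
            Image    = $image
            Services = $services
            Remote   = $remote
            Host     = $hostName
            State    = $f[3]
        }
    }
}

# Given a PID (for example an svchost found above), list the services inside it with start mode
# and binary path. That lets you stop or set to Manual the one service responsible instead of
# killing the whole svchost, which takes every unrelated service in that host down with it.
function Get-ServicesInProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-WmiObject Win32_Service -Filter "ProcessId=$ProcessId" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Usage:
#   Get-ConnectionOwner | Sort-Object PID | Format-Table -AutoSize
#   Get-ConnectionOwner -NoResolve | Where-Object Image -eq 'svchost.exe'
#   Get-ServicesInProcess -ProcessId 1234
```

Run Get-ConnectionOwner while the download is active; the Services column shows at once which service group (for example netsvcs) owns the connection, and Get-ServicesInProcess on that PID gives the individual services and their binaries, which is the same information post 16 read off Process Explorer. Checking the listed PathName against the expected location under the Windows directory is the quick sanity check before deciding a service is legitimate.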

  24. AtlBo

    AtlBo Major Geek Extraordinaire

    GoshenGeek...

    Been down this road, GG. Companies like Akamai and Mark Monitor (and some others e.g. Amazon does some of the same things but not for MS that I know of) host downloads for Microsoft, including Windows updates. It's a little bit weird, considering they are a strange hybrid of marketing/image protection and data hosting. Anyway, if it's MS (such as AppInfo) you are safe security-wise (and Akamai connections that are MS are safe), but, you are correct to ask and monitor, because some processes run under svchost.exe that aren't Microsoft. Overall, it especially makes sense to ask the questions about these companies hosting MS data. Who knows what they could get the idea to retrieve for themselves.

    If the amount of info passing into your PC seems unusual to you (or just too high), I recommend Googling to find out more. Answers aren't very easy to find, though. This surprised me a little bit, especially once I started to get the picture. I also recommend Wilders Security forum here:

    http://www.wilderssecurity.com/

    They can help point you in the right direction on who's who when it comes to these major download hosts and so on...
     
  25. GoshenGeek

    GoshenGeek Corporal

    Thank you for the information. Very much appreciated. Good to know that this is safe although I still do not understand why the downloads occur. Doesn't Microsoft Update take care of all relevant updates?
     
  26. AtlBo

    AtlBo Major Geek Extraordinaire

    GoshenGeek...

    Windows Update is the program responsible for fetching the updates. The service runs under svchost. The way I understand things, the source of the updates is Akamai, because MS uses Akamai's file hosting service to store/deliver the updates.

    If this is true, which seems apparent, I'm not sure why MS doesn't host them on their own private servers. It's been a mystery to me since I tracked down the info on all of this several months ago...
     
  27. GoshenGeek

    GoshenGeek Corporal

    What is strange in my case is that I have the Windows Update service set to manual. I don't need it running all the time since I periodically check on my own. So if Windows Update is not calling Akamai, then who is?

    I use a DSL service so that I am not concerned about the download quantity affecting my service with my ISP. But if I had a satellite service, this download from Akamai would really screw up my calculations since the satellite services have 30 day download limits.
     
  28. Imandy Mann

    Imandy Mann MajorGeekolicious

    I have an 8.1 doing the same thing and the same offender is the culprit. I buy gbyte cards so it does affect my use of the computer online. Akamai uses the internet constantly. I'm looking for where it comes from and how to stop it also. I'll keep watching this thread to see how it progresses. Don't know if it is possible to troubleshoot it while offline. But when I search the drive for akamai nothing comes up. Same when searching the registry.
     
  29. AtlBo

    AtlBo Major Geek Extraordinaire

    GoshenGeek/ImandyMann:

    Here is the latest news I could find.

    http://news.microsoft.com/2014/07/2...-cybersecurity-focused-accelerator-in-israel/

    This is amazing here. There is a video over to the right that is very good to watch:

    http://www.akamai.com/html/solutions/index.html#neil-cohen

    Akamai seems to have become the golden child of cloud computing. Could be they are dispensing all the MS anti-virus updates in 8 (not sure what the MS a-v is called). I wouldn't be surprised.

    In my opinion, we all have legit grounds to contact MS and find out what's going on, especially if you're getting 80 MB in downloaded info with no notice of what is being downloaded. In this way, this is just like anyone with any other difficulty with MS software. Those with monthly download limits are getting nuked by 80 MB a day.

    For sure, MS should be careful as HELL when using someone else's services to reach people with MS software. Also, MS should be transparent and popularly highly visible about what's going on, and internet drops coming from companies other than MS (in the name of MS) should come with a detailed explanation.

    There are huge stakes in net security, and this partnership between Akamai and MS seems to me to be something that will grow to cause PC users to lose sleep. I mean how would I feel if avast started using someone else for their a-v definitions updates and then what if they didn't even say anything about it.

    I really hope this issue comes to the surface popularly and soon. It's really uncomfortable, and Akamai isn't the only one of these companies. Companies like Dropbox and Qihu Security are using Mark Monitor and Amazon. Actually, Qihu has been transparent about the whole thing, which has helped their software take off some. I guess no one really expects them to have a huge network for delivering a-v defs being such a new startup in international security software.
     
  30. Imandy Mann

    Imandy Mann MajorGeekolicious

    AtlBo - I read that article and watched the video. It seems to me that Akamai product and services is more geared toward business traffic and data handling and protection. If a home user only browses the internet with no financial transactions and no sensitive data sent or received I don't see the purpose of their products on such machines. If smartphones become the only choice in coming years are users going to have to upgrade to higher cost more data plans because of this piggy-back service. If I over used a contract plan on a consistent basis because of this background traffic I would be pi--ed!. If this is what becomes the norm I will start back collecting machines. Ones with Vista and 7 on them before I allow unwanted continuous contact from my device to a cloud or other 24 service. Heck my 7 machine is never turned off. If it were a 8.1 with this on it it would eat up even the 250 gbyte cap I used to have on Comcast. This is crazy!
     
  31. AtlBo

    AtlBo Major Geek Extraordinaire

    ImandyMann...

    Yeah...I agree with you. The MS/Akamai partnership is very shaky. Only possible thing I can think of is that maybe MS is doing a really aggressive job on Win 8.x with updating the security definitions for the built in security. This is the only thing that I could think of that would lead to such a large amount of downloaded info over the net from MS' Akamai host.

    In any case, I guess one could switch to another a-v, and maybe that would stop some of the traffic. It is still ridiculous.

    MS should really step forward and be aggressively up front about their relationship with Akamai in my opinion. If they explain what's going on, maybe then there could be some good solutions that work better than constant downloads. Honestly, if I had a net cap and Win 8.x, it would be a very short time before I was back on 7, even though Akamai does reach Win 7 PCs too.

    I remember when cloud storage first started and there were data breaches with some customers losing their data or it being tampered with or compromised. This kind of reminds me of that situation.

    I guess for now, anyway, I am OK with Win 7 Pro 64. Not sure why MS didn't just count it as their bottle of Coke and start selling nice upgrade bundles for it rather than put everybody through all this experimentation with 8 and all its built in gremlins and worries and inconveniences. The $40 for Win 8 would have been much better spent it seems to me on an upgrade bundle for 7 with right click burning and built in CD/DVD emulation, etc. With so much freeware out there to emulate as an example for improvements, MS could have really made it possible for Win 7 to be the whole package without the constant migration headaches.
     
  32. Earthling

    Earthling Interplanetary Geek

    That's true from a PC perspective but the future is more about mobile phones than PCs. I'm a recent convert to smartphones and am pretty impressed by Windows Phone 8.1. Can't really imagine Win 7 on it though. If MS had taken your advice for business users and pushed harder with Windows phone for personal users they might be in a better position today.

    That's all a bit off topic really, but I certainly haven't noticed any unusual download activity on my mobile and anyway, most of it is done on wifi so doesn't for most ppl impact much on their data allowance.
     
  33. AtlBo

    AtlBo Major Geek Extraordinaire

    Earthling...

    Yeah, that's largely true, I think. I guess my take is that the PC will always be king, so to speak, at the office and in the home office. I mean, if MS had approached things a little bit differently, we could have had a software bundle for Windows 7 that included a metro type app for the PC that mirrors the W8+ phone app (along with some other nice features and upgrades). I picture a mini mock up of a phone or tablet in the bottom corner (phone size or tablet size) or right screen that PC users could access to even answer the phone or listen to messages, etc. and all on W7...

    Actually, I think the metro start screen could have been a successful part of a bundle, too, albeit a separate one. Honestly, the best picture I get of the metro start screen (I mean for PCs) is as a golden girls/golden guys thing (60-80 generation)...something easy to learn but designed in an all in philosophy that does away with the traditional desktop and start button. The present metro screen would have required a bit of work to be the desktop and start screen I suppose...

    Just seems so much to me like MS could have had satisfied customers and sales, too, when it comes to PC Windows...

    Haven't tried W8 for phones. Sounds good, though, so maybe I will look into that. Thanks for the info on it...
     
  34. Earthling

    Earthling Interplanetary Geek

    Surely you are not suggesting Microsoft should take over the mobile networks? :-D :eek
     
  35. AtlBo

    AtlBo Major Geek Extraordinaire

    WOW. Did I suggest that? Please somebody help me not imagine this...:-o :banghead
     
  36. Imandy Mann

    Imandy Mann MajorGeekolicious

    I went to the firewall and disabled all items with sony, store, remote and vpn in the title. Now inbound and outbound rules have mostly core networking and discovery as allowed items. Internet traffic is now close to normal. I'm on the 8.1 now and it's much less hungry for traffic. It's still more traffic than my others and I'm thinking maybe because no adblock on here yet. That's my next step. But at least once it loads a site traffic quits.
    After I had done this I found this just searching around. It's something similar to what I did 'cept they're looking from a security standpoint.



    http://www.eightforums.com/system-security/36465-windows-8-1-what-best-practice-security-tweaks.html
     
  37. Imandy Mann

    Imandy Mann MajorGeekolicious

    So far - with the firewall changes I made- I did a manual windows update- ok. Defender notified me needed updates. First defender updates for this pc. About 200meg. Lost connectivity once halfway through. Restarted the updates and finished no problem. Downloaded an html editor. Browsed the geeks. Did everything as normal. Reset the computer after all the downloads and now 2 hours later the internet traffic is 15 mbytes. I can live with that. So turning off all these things at the firewall hasn't hurt one bit.
     
  38. Imandy Mann

    Imandy Mann MajorGeekolicious

    Scary thing is someone may be seeing the future here!
     
  39. Eldon

    Eldon Major Geek Extraordinaire

    If you like the Windows 8 Metro UI, it's available from IObit. It works for Windows XP, Vista and 7. And it's free.

    http://www.majorgeeks.com/files/details/winmetro.html
     
  40. Imandy Mann

    Imandy Mann MajorGeekolicious

    (60-80 generation)...

    I'm crossing the mark to that generation and my wife is already there. She made me give her '7' back after 2 days with win 8.1
     