Question about svchost


thx1138xxix

I was wondering if someone could help me figure something out.

When running TCPView, I'll see svchost establishing connections to
places that I don't recognize. And I was wondering if there is a way I
could find out ~why~ it's connecting to these places.

For instance today.. I logged on and my firewall alerted me that
svchost wanted to connect to download.windowsupdate.com. Okay, fine..
I accepted. It connected and there were no updates. But while watching
TCPView.. svchost connected (without alerting me) to a different IP
(195.10.34.87:80). I couldn't find any info on that IP so I checked
my Process Explorer and saw that svchost was connected to
"rsvd-akamaiint-87.34.10.195.in-addr.arpa:http".

I sat there and watched as over 10 megs of data was being received by
my computer and about 800k was being sent out. I didn't see an
automatic update icon appear as it normally does when downloading
updates.. so I wasn't sure what kind of data was being exchanged.

So I logged off and reconnected. Now svchost has connected again
(without any alert from my firewall) to 72.247.127.51:80.. which is
AKAMAITECHNOLOGIES.COM and has begun sending and receiving data once
again with no auto-update icon showing.

Is there ~any~ possible way to find out what kind of data is being
sent or received by my computer when this happens?

Please help?
 
Jim

svchost only does what it is told to do. So, the answer is "some other
process". Perhaps there is malware on your system.

Jim
 
Tonnie

You might check this:
http://en.wikipedia.org/wiki/Akamai

You can find a lot of information about Akamai on Google as well.
 
Jim

Doesn't this sound like malware? svchost.exe is just a program. It only
connects when some process directs it to connect. So, you have a problem.

The reason it went to Microsoft Update is that you have enabled this
service. The others look very suspicious to me.

Jim
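
One way to see which Windows services are hosted in the svchost instance that owns each connection, as an added example that is not part of the original thread. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt; the function name `Get-SvchostConnection` is hypothetical.

```powershell
# Added example: list svchost.exe TCP connections together with the services
# running inside the owning svchost instance.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
function Get-SvchostConnection {
    [CmdletBinding()]
    param(
        # Connection states to report; 'Established' matches what TCPView shows as active.
        [string[]]$State = @('Established')
    )

    # Build an index: hosting process ID -> names of the services it runs.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId <> 0' |
        ForEach-Object {
            $hostPid = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
            $servicesByPid[$hostPid] += $_.Name
        }

    # Process IDs of every running svchost.exe instance.
    $svchostPids = @((Get-Process -Name svchost -ErrorAction SilentlyContinue).Id)

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains [int]$_.OwningProcess } |
        ForEach-Object {
            # Best-effort reverse DNS lookup; left empty when no PTR record exists.
            $remoteName = try {
                [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName
            } catch { '' }

            [pscustomobject]@{
                ProcessId  = $_.OwningProcess
                Services   = ($servicesByPid[[int]$_.OwningProcess] -join ', ')
                Remote     = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                RemoteName = $remoteName
            }
        }
}

Get-SvchostConnection | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

An instance that hosts several services still needs narrowing down, for example by checking which of the listed services is expected to use HTTP (Windows Update and BITS are common ones).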
 
