Topic: Many svchost connections
jason78
« on: November 16, 2009, 03:24:55 PM »

I’m getting lots of svchost.exe connections (UDP out).  Is this normal? There are about 10-20 of them listed in my active connections. They are on ports in the 50,000 - 60,000 range, and I think the IP address is my ISP provider but I can't confirm.
Logged
jason78
« Reply #1 on: November 16, 2009, 03:42:41 PM »

Ugh. I just read that the only port svchost needs to connect to is 53. Someone please tell me I'm not completely screwed. How do I fix this?
Logged
puddingpants
« Reply #2 on: November 18, 2009, 12:00:37 AM »

First off, if you don't know already, svchost is a part of Windows that Windows and other programs can use to do various stuff.  So svchost, when making connections, can be acting on behalf of Windows, an innocent program, or potentially a malware program.  It's sometimes hard to tell which.

No, svchost can use a variety of ports, for example ports 80 and 443 when doing stuff like Windows Update (or Windows Defender updates), etc.  The vast majority of the time, svchost just uses port 53 (for DNS lookups when you try to access a website by name instead of by IP number... it's how your computer converts a website's name into its IP number).  But other ports occasionally are used (80, 443, maybe others).

50,000 and 60,000-range ports I haven't personally seen, but it's POSSIBLE that some program (or Windows itself) is just doing perfectly legitimate things.  However, these port ranges are also popular with malware.  Perhaps some malware was able to take control of svchost, which is a common tactic for malware because many firewalls let svchost, being a part of Windows, do whatever it wants... so hijacking svchost can be an easy ticket out to the Internet for a piece of malware.

Do full scans with Comodo AV, and with Malwarebytes (malwarebytes.org if I recall right).  Malwarebytes seems to be a very impressive piece of anti-malware software, and is supposed to have detection and removal capabilities far in excess of what most AV packages can detect and clean.  And there's a free version.  The only limitation in the free version is that it's on-demand only, and has no realtime mode.  But it can be GOOD that it has no realtime mode, because this means it won't conflict with other anti-malware software that DOES have a realtime mode (like Comodo AV)!  In my experience, it "plays nice" with Comodo AV (and Windows Defender, and probably everything else, too).  Plus, it's really simple to use and obvious.  Install it, update its definitions, then do a full scan.  Easy to understand interface.

See what a Comodo AV scan and a Malwarebytes scan turn up, as a first step, I'd say.

« Last Edit: November 18, 2009, 12:07:56 AM by puddingpants » Logged
jason78
« Reply #3 on: November 18, 2009, 12:19:22 AM »

Thanks for your reply. I run weekly scans with Malwarebytes, Superantispyware, and Avast, and always leave the Avast realtime protection on.  Haven’t had any problems so far, but now you have me thinking I may have some very tricky malware. Is there anything else in particular you can think of that would cause this?
Logged
puddingpants
« Reply #4 on: November 18, 2009, 12:51:00 AM »

With all those scanners, you sound pretty well covered.  So, it's probably something innocent, but it's hard to be sure.

I've heard there's a tool out there that shows you WHAT processes are using svchost to do their bidding.  You may want to try that tool.  That way you can gain insight into who's "pulling the strings" on svchost when this happens.

Logged
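
Added example (not part of the original thread): the kind of check Reply #4 describes can be done with built-in PowerShell, by correlating each svchost.exe process ID with the services it hosts and the UDP ports it holds open. It assumes Windows 8 / Server 2012 or later, where `Get-NetUDPEndpoint` is available, and an elevated prompt; the 50,000-60,000 flag simply mirrors the range mentioned in the thread.

```powershell
# Added example: which services sit behind each svchost.exe instance,
# and which UDP ports does that instance hold open?
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.

# Index running services by the PID of the process that hosts them.
# -AsString makes the hashtable keys plain strings ("1234").
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# PIDs of every svchost.exe instance currently running.
$svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id

# UDP is connectionless, so only the local address and port are listed here;
# the remote side has to come from the firewall's own connection view or log.
Get-NetUDPEndpoint |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    Sort-Object OwningProcess, LocalPort |
    ForEach-Object {
        $hosted = $servicesByPid["$($_.OwningProcess)"]
        [pscustomobject]@{
            PID          = $_.OwningProcess
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            # Flag the port range the original poster reported.
            InHighRange  = ($_.LocalPort -ge 50000 -and $_.LocalPort -le 60000)
            # Service names hosted in this svchost instance (e.g. Dnscache).
            Services     = ($hosted.Name -join ', ')
        }
    } |
    Format-Table -AutoSize
```

A flagged row whose `Services` column names a known Windows service points to that service as the owner of the port; a row with an empty `Services` column is the one to look at more closely.
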
bulgroz
« Reply #5 on: November 18, 2009, 02:22:16 AM »

The svchost process is a real pain because it is used by so many apps. If it is making connections, you could google the IP addresses it connects to. That could give an indication of what or who is using these ports.

Hope this helps

Cheers
Logged
Creasy
« Reply #6 on: November 18, 2009, 02:26:39 AM »

I’m getting lots of svchost.exe connections (UDP out).  Is this normal? There are about 10-20 of them listed in my active connections. They are on ports in the 50,000 - 60,000 range, and I think the IP address is my ISP provider but I can't confirm.

Torrents use the 50,000 - 60,000 range.
Or do you use a router?
Please upload the screenshots.
« Last Edit: November 18, 2009, 02:37:34 AM by Creasy » Logged

Wrong messages are dangerous, but wrong interpretation of correct messages is even more dangerous.-Andre Kostolany-
I'm a MAN!!
I'm not a girl!