In and Out

On startup of my computer I noticed that Returnil and svchost keep using my broadband connection.

  • does the screen look ok to you? anything suspicious that should be blocked? I got rusty over the last few months…
    greatly appreciated O0

I did a little check with Whois - IP Address - Domain Name Lookup .

Returnil connects to an IP address that belongs to an ISP from Kieiv. Svhost.exe connects to Microsoft and Neustar/Ultra DNS. Comodo DNS uses Neustar/Ultra DNS.

Nice, mate, real nice and sorry for the wrong section.

So… any suggestions? are the connections legitimate? should I keep them or block them? I mean Returnil needs to stay as it is but the rest?

this thingie…svchost - I have updates turned OFF permanently so why is it communicating with MS?

awaiting yr suggestions!

The connections to the DNS servers by svchost you want to keep otherwise you can’t surf the web properly.

It may be communicating to Microsoft for updates. Not sure what exactly gets communicated by Windows with Microsoft.

Is there a way to determine which connections should stay and which not?
svchost connects every time I start my laptop and keeps connecting in and out… would you say it’s suspicious?

Svchost also connects out whenever I start my computer and continues to connect with Microsoft throughout the day and I see computer Certificate Validations whenever I run a certain registry cleaner which I believe to be a result of these outbound svchost contacts.


just restarted my rig… got even more:

is it abnormal? is it wicked? am I paranoid android?

Are you running Vista or Seven? If so these are all normal.

The entries are standard DNS queries.
The entries are LLMNR, kind of local DNS queries (Link-Local Multicast Name Resolution - Wikipedia
The entry is DHCP
The 3702 is WSD (WS-Discovery - Wikipedia)
The is UPnP

All of these may be disabled via simple svchost rules.

If I remember correctly the default svchost rule it allows everything out by…

That’s pretty informative, thanks mate!

‘‘All of these may be disabled via simple svchost rules.’’

instruct me PLEASE

Leave the DNS and DHCP otherwise you will have problems.

Add the following under svchost:

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address =
Source Port = ANY
Destination Port = 5355

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address =
Source Port = ANY
Destination Port = 3702

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address = 239,255,255,250
Source Port = ANY
Destination Port = 1900

A few things to note:

The source address ( in your screen shot is from the APIPA (Automatic Private IP Address) range. IP addresses issued from the range through are allocated dynamically in the absence of a DHCP server, so you might want to look into that. You’ll probably find and entry for this address space in your Network Zones.

You also have the address, which I assume was issued by your router, this will be your standard local address.

As for UPnP, if you don’t use this, you can disable the service

Hope that helps.

yes, I’m on it yet a slight obstacle on my way…is this the settings panel I’m supposed to use?

is this the settings panel I'm supposed to use?

For modifying svchost by applying the rules outlined above, it’s the right place. To disable UPnP you need to open services.msc and disable the service there.

As I mentioned in my earlier post, these connections are all standard issue on Vista and Seven and you can simply leave them alone. For most people, where controlling both inbound and outbound connections, is unimportant, simply leave the default rules.

Personally, I like to have control, so I always delete all the default rules as well and anything trusted, and do my own thing. I don’t, however, recommend this approach, without understanding the consequences of these actions.

Got it!
Well put mate
thanks again for this valuable lesson!

oh my god. System is listening 5357 :'(. Services is listening too. It is… It seems like a lot of back- and even frontdoors :slight_smile:

Scary_bear - your suggestions, please?

This is not an issue, ports 5357 and 3702 are used by WSDAPI (Web Services on Devices API) and WSD (Web Services Dynamic Discovery) respectively, on Vista and later MS Operating

As I mentioned in my earlier post, these ports can be closed via firewall rules, but for most users it’s unnecessary and in some cases may cause problems.

these ports can be closed via firewall rules
This is important suggestion

What about services listening random port?

Any given service listens on one or more specific ports, they are not random. The client, when attempting a connection to a given service may use a randomised port for the connection.

For example, when a web browser attempts to connect to a web server, via HTTP, the client uses a random port typically between 1024 and 5000 (the ephemeral ports) and sends a request to port 80 on the web server, unless instructed otherwise instructed.

to sum-up, I’m good, aren’t I?