Secure DNS; firewall popup: svchost receive connection from DNS UDP port 1101

Hi Folks. Using Comodo Secure DNS. WinXP Home, SP3. No other firewall or AV. Got, what I consider, a suspicious Comodo firewall popup. Before I finished writing it down, the popup disappeared (grrr!!). It said:

Servicehost.exe is trying to receive a connection from the internet. Remote 156.154.70.22-UDP. Port 1101.

Since the firewall just disappeared >>> and why does it do that pls!! >>, I have little info to tell except to ask why would I get an inbound connection attempt over a Comodo “secure” system, or What???

Thanks much, Diligent. :slight_smile:

Well, at least the alert got blocked; that’s the default for alerts that are not responded to.

Servicehost.exe is trying to receive a connection from the internet. Remote 156.154.70.22-UDP. Port 1101.
Well, I would try to make absolutely sure that that file does not exist on your system; this is not a legit Windows service. Those are named c:\windows\system32\svchost.exe

They also should not be active and loaded from other paths than the above; there are lots of malware that try to use a name that looks like a legit Windows name so you won’t see it if you look at the process list.

Since the firewall just disappeared >>> and why does it do that pls!! >>, I have little info to tell except to ask why would I get an inbound connection attempt over a Comodo "secure" system, or What???

Thanks much, Diligent. :slight_smile:


The default setting for an alert is 120 seconds; you can change this by opening the GUI and going to Firewall, Advanced settings, Firewall behavior settings, Show alert for x seconds.

The inbound attempt is indeed very strange, but as you set your DNS servers to those of Comodo, they are the ones to reply. If you had it set to your ISP’s, it was very likely that that server was the “source” in these… Malware can also “use” your DNS servers to resolve and/or do other stuff; that’s why it’s important to check if you don’t have that executable active on your system.

You can use process explorer from sysinternals to get a better view of your active processes.
You can find it here: Process Explorer - Sysinternals | Microsoft Learn
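As an added illustration of Ronny’s check (not code from the thread or from Comodo): a small Python triage of a process list that flags svchost.exe running from a path other than c:\windows\system32, and look-alike image names such as servicehost.exe. The process records and the look-alike heuristics are constructed for this example.

```python
# Added example: flag service-host impostors in a process listing.
# The real Windows service host only runs from this path (as noted above).
LEGIT_PATH = r"c:\windows\system32\svchost.exe"
LEGIT_STEM = "svchost"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats like scvhost or svch0st."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, path: str) -> str:
    """Return a verdict for one (image name, full path) pair."""
    stem = name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    norm = path.lower().replace("/", "\\")
    if stem == LEGIT_STEM:
        return "ok" if norm == LEGIT_PATH else "suspicious: svchost.exe outside system32"
    # Heuristics constructed for this example: near-miss spelling, or an
    # "s...host" name such as servicehost that mimics the real one.
    if edit_distance(stem, LEGIT_STEM) <= 2 or (stem.startswith("s") and stem.endswith("host")):
        return "suspicious: look-alike name"
    return "unrelated"

# Constructed process snapshot (name + path, as Process Explorer would show them).
PROCESSES = [
    ("svchost.exe",     r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe",     r"C:\WINDOWS\Temp\svchost.exe"),
    ("Servicehost.exe", r"C:\WINDOWS\Servicehost.exe"),
    ("scvhost.exe",     r"C:\Documents and Settings\user\scvhost.exe"),
    ("explorer.exe",    r"C:\WINDOWS\explorer.exe"),
]

def flagged(processes=PROCESSES):
    """List only the entries a defender should look at."""
    out = []
    for name, path in processes:
        verdict = classify(name, path)
        if verdict.startswith("suspicious"):
            out.append((name, path, verdict))
    return out

if __name__ == "__main__":
    for entry in flagged():
        print(*entry, sep="  ")
```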

Thanks for the thorough reply Ronny!

Very glad to hear this attempted connection got blocked (by default). Thanks for alleviating some of my heartburn (ha ha). The firewall setting time info is also appreciated.

As to my “Servicehost.exe” quote. My blunder>>sorry. I was writing fast ’cause I wanted the info, but on a double check, I actually had originally written “svchost.exe”, which appeared in the firewall window. So it is the same name as the legit prog. It still could be malware though, right?

I am a lil lost on your bolded statement portions below (probably ’cause I dunno enough)

The inbound attempt is indeed very strange, but as you set your DNS servers to those of Comodo, they are the ones to reply. If you had it set to your ISP’s, it was very likely that that server was the “source” in these… Malware can also “use” your DNS servers to resolve and/or do other stuff; that’s why it’s important to check if you don’t have that executable active on your system.

Your help is genuinely appreciated. Thank You, Diligent

Edit. I might add just for additional info, that just prior to this firewall popup, I had opened a google news article from some web-newspaper abroad.

Yes, possibly, if it’s in c:\windows or c:\windows\temp for instance; those are typical places where these would “hide”.

I am a lil lost on your bolded statement portions below (probably ’cause I dunno enough)

The inbound attempt is indeed very strange, but as you set your DNS servers to those of Comodo, they are the ones to reply. If you had it set to your ISP’s, it was very likely that that server was the “source” in these… Malware can also “use” your DNS servers to resolve and/or do other stuff; that’s why it’s important to check if you don’t have that executable active on your system.


Well, what I meant to say is that it’s probably not “caused” by the Comodo DNS servers; it would probably have happened with “every” DNS server used…

Your help is genuinely appreciated. Thank You, Diligent

Edit. I might add just for additional info, that just prior to this firewall popup, I had opened a google news article from some web-newspaper abroad.


Well, you are on W2K3, and I have it running on another system also; it’s very possible that this is because of the not fully supported features. I have seen CIS miss out on finding the right application for the request. Also, maybe this was a “false” alert, so to say…

Ronny:

Thanks for the analytical on W2K3. Did not realize it!

As of 5:25 pm Pacific daylight time, got two more inbounds, via Comodo firewall:

First: “svchost.exe trying to receive connection for internet” with 192.1**.*** ODD. Nothing else right then, but within about 15 secs, got this with the same above message: 192.68.. - TCP >> something like “para” then “ssdp(2869)”

Same general thing, different specific thing. So something is going on here. I blocked both this time myself >> and have a bunch of firewall listings regarding these block(s).

Will this info help you out in analyzing what’s going on?

Can you please post a screenshot of that?

SSDP is related to UPnP traffic. Are you using UPnP, or some P2P application that could cause your router to open incoming ports destined for your PC?

In that case the 192.168.x number should be equal to your network gateway’s IP address; you can find that by typing

ipconfig /all

in a command box and finding Gateway: x.x.x.x

Be glad to give a screenshot. Have not done this yet but been meaning to, so now is as good a time as any. Have a list of screenshot freeware in bookmarks. Any suggestions on what a decent freeware screenshot program is, in your opinion?

I am solely receiving open signals with a USB stick and CD drivers prog. Use no router. So don’t know.

per ipconfig, the IP is 192.168.., Gateway: 192.168..*. I personally input these numbers which I had written down before, and used the Comodo DNS numbers I input also. The next to last "" in the IP and Gateway is the same. There is solely two new, different and extra numbers in the IP last ".*", versus the Gateway ".".

Thanks, Diligent

Well, here is the first try:

http://img44.imageshack.us/img44/8176/20090804135856.png

By diligentinquirer at 2009-08-04

Guess we’ll see. Diligent

Thanks Gordon!! https://forums.comodo.com/new_member_information/screenshotposting_for_beginners-t6770.0.html

Hello,

Is the Destination IP the address of your PC?
Is the Source IP the address of your gateway/router?

Then this should be UPnP traffic; if you don’t need it, try to set it off on your router.
Do you have any application running that needs port-forwarding from the internet for incoming traffic?
P2P applications need this, for example…
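An added triage example (not from the thread or from Comodo) that encodes the questions Ronny asks above: is the destination your PC, is the source your gateway, and is the local port an SSDP/UPnP port? The host address, gateway, LAN range and alert records are constructed for the example; only the resolver address 156.154.70.22 comes from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed host configuration; the thread's own addresses are partly masked.
MY_IP = ip_address("192.168.1.10")
GATEWAY = ip_address("192.168.1.1")
LAN = ip_network("192.168.1.0/24")
DNS_SERVERS = {ip_address("156.154.70.22")}  # resolver address quoted in the thread
UPNP_PORTS = {1900, 2869}                    # SSDP discovery / Windows UPnP device host

def triage(alert: dict) -> str:
    """Classify one inbound alert: expected, LAN noise, or worth investigating."""
    src = ip_address(alert["remote_ip"])
    dst = ip_address(alert["local_ip"])
    if dst != MY_IP:
        return "ignore: not addressed to this host"
    if alert["proto"] == "UDP" and src in DNS_SERVERS:
        return "expected: reply from configured DNS resolver"
    if src == GATEWAY and alert["local_port"] in UPNP_PORTS:
        return "lan: SSDP/UPnP from gateway (disable UPnP if unused)"
    if src in LAN:
        return "investigate: unsolicited inbound from another LAN host"
    return "investigate: unsolicited inbound from the internet"

# Constructed alert records modelled on what the firewall popups reported.
ALERTS = [
    {"process": "svchost.exe", "local_ip": "192.168.1.10", "local_port": 1101,
     "remote_ip": "156.154.70.22", "proto": "UDP"},
    {"process": "svchost.exe", "local_ip": "192.168.1.10", "local_port": 2869,
     "remote_ip": "192.168.1.1", "proto": "TCP"},
    {"process": "svchost.exe", "local_ip": "192.168.1.10", "local_port": 1900,
     "remote_ip": "192.168.1.1", "proto": "UDP"},
    {"process": "System", "local_ip": "192.168.1.10", "local_port": 445,
     "remote_ip": "192.168.1.55", "proto": "TCP"},
    {"process": "svchost.exe", "local_ip": "192.168.1.10", "local_port": 135,
     "remote_ip": "203.0.113.7", "proto": "TCP"},
]

def triage_all(alerts=ALERTS):
    """Return (process, remote_ip, verdict) for every alert."""
    return [(a["process"], a["remote_ip"], triage(a)) for a in alerts]

if __name__ == "__main__":
    for row in triage_all():
        print(*row, sep="  ")
```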

Ron:

Remember pls, while I am savvy on many computer matters, not quite so on this subject matter. :slight_smile:

The destination IP is the IP that I inputted manually >> guess that it is my computer IP.

The source IP is the gateway number I likewise inputted manually.

I have no, nor use any, router. Open radio signal, compliments of a local computer business person, which my USB stick device receives, by which I connect to the internet.

Don’t know what port-forwarding means, Ron. Sorry.

Edit: also do not know what UPnP traffic means. Will Google UPnP & port-forwarding.
Thanks for the continued help Ron. Appreciated!!

My Best, Diligent.

OK, got the very general idea:

What I inputted manually, per ipconfig:

(1). Mac: always the same … correct

(2). dhcp not enabled>> dunno.

(3). IP 192.168..* =CIS destination IP…correct

(4). Sub n/a

(5). Gateway: 192.168.**.* = CIS Source IP…correct

(6). DNS: comodo(primary, secondary…correct.

Hope this clears things up a bit more, Diligent

Looks like, maybe, a Comodo DNS prob. This is where it started, and seems to end. Too bad Comodo has not enough commentators to deal with this sort of prob. Guess I’ve got to go it on my own. Thanks Ronny, for the initial try. Now bowing out, sorry to say.

Hope I haven’t missed you, Diligent?

I’m a little confused here. You said you don’t have a router, so I assume you have some sort of direct connection to the Internet?

This being the case, I can’t understand why you’re entering your IP addresses manually. This really should be allocated via DHCP and if not a router, then your ISP.

@ Quill. Thanks for the response.

Let’s start from initial scratch.

(A)

A close-by local computer business guy leaves his internet connection on, with his non-encrypted (non-WEP) “radio” internet connection signals sent out for my and other close-by persons’ use.

I buy a USB dongle. When the program is set up (off a disk), the dongle receives the internet radio signals.

Voila, I am connected to the internet. Sooo>>

(1). Business guy has the router sending out the signals.
(2). I have the usb dongle, which with the program on my puter, receives the signals.

(B).

With the above being the case, and working well for near a year, I uninstalled IE8 with an IE7 rollback to make an HP printer program compatible. Lost the old connection somehow.

Via the program, there is an option to make the IP & gateway numbers and dns numbers automatic, OR manually insert an IP & gateway number and DNS numbers. Same exists in Winxp.

So, because automatic was not working, I inserted the numbers that existed before (I kept track just in case) but did not think to check what the DNS numbers were. So I used Comodo DNS numbers, and it was then when all H… broke out.

So there is a new starting point for better understanding.

Hence, because the automatic IP that appeared failed to connect to the internet (no gateway), I put in the IP and gateway I had before >> with the Comodo DNS numbers. Switched CF to safe mode (I think), and the problem subsided, but as you correctly state, the automatic connection should work (as it did before).

Bottom line, something went haywire after the IE8 uninstall??? Don’t ask me why. Basically I am functioning on sort of a workaround, but then again, there is nothing wrong with inputting an IP & gateway number, and DNS numbers, ’cause both XP and this USB-based networking program provide that option.

Hope this makes all more clear.

My Best, Diligent (thanks for the shout!!)