Services.exe trying to connect to internet using svchost

Hello Everyone,

I couldn’t find any discussion that addressed this issue so I thought I would start my own:

In the past few days, CPF alerts me that services.exe is using svchost to try and access the internet. It says that it’s trying to act like a server and I have no clue what this means. Another bit of information is that in the past week I have seen a Microsoft update shield appearing and trying to download updates. At least twice, it said it was ready to install and I thought it did but then I just saw the little yellow shield again in the task bar.

Attached is a screenshot to show an example of what I am talking about. Am I blocking the MS updater? If not, is this normal behavior for services.exe to use the svchost? And what does it mean when CPF uses the phrase “is acting like a server”?

Any help would be much appreciated.

Happy Thanksgiving to one and all,

Max


Something similar is happening to me. It surprised me that svchost.exe should try to reach out to the Web, and it is worrisome that the destination IP addresses are completely unfamiliar ones. All outbound attempts are on port 80, and occur even when I’m sitting at the desktop with no browsers or other applications launched.

I am grateful, however, that COMODO Firewall has been diligent about stopping these outbound attempts. I wish I had a handle on what they are and how to stop them. Hopefully, one of the network savvy here will have an answer? :slight_smile:

I will give you a short answer and let the “savvy” guys give you a deeper one… :wink:
They are legit MS, so you can allow them. Since you have denied them, that’s maybe why the update doesn’t work? Try to allow and see if the update works.
If you still have doubts, just allow without remember.

Thanks, AOwL! Based on your postings here, I’d say you qualified as one of the network savvy. :slight_smile:

I just found a web site named DShield that has an IP Info lookup feature. If the info it’s supplying is accurate, the destination IPs are not all Microsoft. Here are some:

208.172.44.62:http(80) ← on Savvis Networks
206.24.233.62:http(80) ← on Savvis Networks
208.172.96.222:http(80) ← on Savvis Networks
216.239.57.99:http(80) ← on Google
207.46.18.88:http(80) ← HostName: startbeta.uk.msn.com (Hotmail Corporation)
207.46.212.62:http(80) ← Microsoft Corp
217.212.227.34:http(80) ← TELIANET (Sweden)
217.212.227.17:http(80) ← TELIANET (Sweden)

62.41.80.67:http(80) ← KPN (Netherlands)
62.41.80.34:http(80) ← KPN (Netherlands)
63.211.153.94:http(80) ← Level3.net
63.211.153.87:http(80) ← Level3.net
63.211.153.79:http(80) ← Level3.net
64.86.94.17:http(80) ← Teleglobe Inc (Canada)
64.86.94.16:http(80) ← Teleglobe Inc (Canada)
65.55.192.126:http(80) ← Microsoft Corp (hotmail?)

I hope there are legit reasons and/or explanations for these, since they all seem to use port 80. I really hope I don’t have a trojan trying to “call home.” I scanned my computer with Trend Micro Antivirus, AVG Free, Spy Sweeper (with Sophos antivirus), Spybot Search and Destroy and came up clean. I did have some strange experiences with online checkers (House Call and Kaspersky), though. Back to square one, I guess… Any ideas/thoughts?

Ideas, anyone? As long as COMODO is blocking these outbound, I suppose I’m safe. Yet the attempts to “phone home” fill my log, and I begrudge the lost CPU cycles, however insignificant! :slight_smile: TIA!

Most often it’s programs that check for updates.
You can turn off auto update in all your programs and OS and see if you get fewer entries in your log.

(Note: No, I am not one of what AOwl calls “savvy”) :slight_smile: That said, I may be able to provide a little assistance to help clarify…

I presume you’re getting a popup from CPF warning you about the connection attempt (if not, enable alerts under Security/Miscellaneous, and set your Network Monitor rule for outbound to create an alert if the rule is fired). When the attempt occurs, you may find some information in the popup, regarding an involved application (besides svchost or services). Both svchost.exe and services.exe are integral MS apps, and frequently used for automatic updates (as AOwl has already stated).

Your popup may tell you what application is using it, or the Activity Log may help shed some light on that. (You may already have looked, and it may not…). If it does, that may point the way toward the culprit. If it doesn’t, there are a lot of free applications/browser plugins that will help resolve the IP, not just to who owns it, but who is using it, the URL, etc. That might help you track down an associated application, or tell you if the sites are blacklisted, etc. (Note: Firefox has quite a few available that work nicely)

LM