SVChosts inbound log

Recently I’ve noticed that there are basically points in the logs where I see clusters of SVChost in the application section, as opposed to every entry being Windows Operating System (see attached).

Basically I’m wondering if anyone else has clusters like these or if any insight could be provided. Did .18.309 change the way it reported some intrusion attempts, or perhaps did I do something to the settings which led to this trigger (added a global inbound block to global rules and checked protocol analysis)?

[attachment deleted by admin]

It appears that the hits on svc are only on port 1026, and the log is pretty much like 70% svc where it was once 100% windows operating.

There are also varied instances where the hits start out as windows operating and after a period of time switch completely over to svc. I’ve marked two sections of the attachment that show an IP that was recognized as windows, then as svc.

edit: I may attempt to revert back to .17 to test out if the change in .18 is the cause in my case.

[attachment deleted by admin]

Okay I tried to downgrade to .17 by downloading the installer from filehippo, and then tried reverting to .16, both of which still show svchost in the logs. I’m starting to think MS updates did something to SVChost again. Port 1026 has pretty much been taken over by svchost.

Anyways, the situation is now upgraded to an annoying problem. SVChost incoming hits are now being alerted by comodo unless I make a rule for SVC or use a global block-all-incoming rule (hits probably occurred before as well, but I probably set the global rule fast enough to beat the hits, thus I didn’t realize), which wasn’t the case before (because I previously dumped the global block rule when torrenting).

140 views and no other comments. It’s still an annoyance, though; for some reason WOS took back control for like a day, then it reverted back to SVC. Ugh, maybe I’ll try using a Dell restore, then just leaving the computer with the firewall on and seeing what happens with no updates and no other security software.

SVChost is part of Windows and should be allowed. I have a fresh install of Comodo and get no errors.

Well I would be happy as comodo blocks it.
’Cause SVChosts.exe is known as a trojan horse → it opens a gap in your security and so downloads other malware. Comodo blocks it.

Try running some antivirus/antispyware/antitrojan scans or just post a log.

P.S. If you post a log, please post it in Notepad or something!!!

Be sure your pc is clean of spyware and viruses also.

Vettetech, if you are not getting traffic like that, it’s because you have a router or a hardware firewall that blocks inbound connections.

Inbound connections to Windows processes should be blocked unless the connections are known to be safe. Most of the entries in the screenshot look like botnets or worms (inbound connections from different parts of the world directed to Windows services) trying to find vulnerable computers to infect.

Allowing all inbound connections to svchost.exe or any other Windows process is like having a nuke-proof door but leaving it unlocked.

Yes I have a 2Wire Gateway DSL modem with a built in hardware firewall. I have it fully stealthed and echo pings blocked.

If I unstealth my modem then I get the same results as the poster and my pc is clean.

Try running some antivirus/antispyware/antitrojan scans or just post a log.

I’ve already thought of this, and have run Avast, Spybot, and SAS in a safe boot, as well as examined a hijack log. Also, I ran a dell system restore to its manufacturing setting when I first noticed this issue, and after reinstalling all the security software first then updating, the traffic continued to hit SVC on 1026.

If I unstealth my modem then I get the same results as the poster and my pc is clean.

Do you see normal bot traffic with SVChost or WOS, especially on port 1026?

edit: meh, I’ll attach a hjt log anyways

[attachment deleted by admin]