What is SVCHost doing, is this normal?

Hi,

Sometimes I notice a popup claiming svchost.exe is trying to access the internet, sometimes even when I'm doing nothing and just sitting on the desktop. I always block it and don't notice any change.

I was wondering if this is normal, or should I be suspicious about this.

The details of what svchost is trying to do, from the firewall log, are as follows:

Date/Time | Application | Action | Source IP | Source Port | Destination IP | Destination Port | Protocol
6/1/2009 1:21:54 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.229.28.139 | 3161 | 192.168.2.2 | 135 | TCP
6/1/2009 1:32:02 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.65.30.221 | 2964 | 192.168.2.2 | 135 | TCP
6/1/2009 1:32:05 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.65.30.221 | 2964 | 192.168.2.2 | 135 | TCP
6/1/2009 1:33:39 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.7.239.41 | 2730 | 192.168.2.2 | 135 | TCP
6/1/2009 1:34:45 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 88.170.175.112 | 31615 | 192.168.2.2 | 135 | TCP
6/1/2009 1:36:55 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.28.226.199 | 22496 | 192.168.2.2 | 135 | TCP
6/1/2009 1:36:58 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.28.226.199 | 22496 | 192.168.2.2 | 135 | TCP
6/1/2009 1:37:57 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 118.123.5.109 | 6000 | 192.168.2.2 | 135 | TCP
6/1/2009 1:42:32 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.30.73.63 | 1790 | 192.168.2.2 | 135 | TCP
6/1/2009 1:53:48 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.13.247.116 | 2874 | 192.168.2.2 | 135 | TCP
6/1/2009 2:08:40 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 201.219.132.2 | 3767 | 192.168.2.2 | 135 | TCP
6/1/2009 2:17:25 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 82.29.193.254 | 38465 | 192.168.2.2 | 135 | TCP
6/1/2009 2:36:40 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 192.168.1.1 | 67 | 192.168.1.168 | 68 | UDP
6/1/2009 3:42:18 PM | C:\WINDOWS\system32\svchost.exe | Blocked | 192.168.1.1 | 67 | 192.168.1.168 | 68 | UDP

Just for more info: I typed some of the source IPs into an IP lookup and they came back to some random places, most in the UK, a couple from France, one from China and one from Chile.

I scan with MBAM, SAS and Comodo AV and none show any infections.

This might be normal svchost activity; I'd just like to know what is going on here.

Thanks.

Svchost can be permitted (and should be) as Outgoing only.

Thanks I have changed the settings for svchost.exe as outgoing only. Shouldn’t this be done by default?

Anyhow, I'm not very educated on ports and IPs etc. What was actually going on?

All I can tell is that the source IPs are from random places, with varying ports, and the destination is always 192.168.2.2 on port 135.

Is this normal or was something suspicious happening?

I’ve seen it on mine so I believe it is normal.

Well, I looked up most of those IP addresses and here is a list:

Country, Region, City

82.229.28.139 = France, Ile-De-France, Paris
82.65.30.221 = France, Ile-De-France, Paris
82.7.239.41 = UK, Scotland, Glasgow
88.170.175.112 = France, Ile-De-France, Paris
82.28.226.199 = UK, England, Doncaster
118.123.5.109 = China, Sichuan, Chengdu
82.30.73.63 = UK, England, Huddersfield
82.13.247.116 = UK, England, Stockton-on-Tees
201.219.132.2 = Chile, Region Metropolitana, Santiago
82.29.193.254 = UK, England, Nottingham

Thanks. So what are these IPs doing trying to access 192.168.2.2 on port 135? Are they trying to hijack my computer!

Some, like the ones from China and Chile, are probably hackers; the others may be infected PCs with malware trying to spread. This is why you should set svchost to outgoing only.

Real quick question here: why are these packets getting past the router?

The destination IP address of 192.168.2.2 tells me that you're behind a NAT router. A router like that will only allow traffic in to your machine in response to traffic from your machine. TCP port 135 is the Windows networking RPC port (I think), and if it is the RPC port, it has no business talking to anything on the Internet.

If that is the RPC port, then there's something wrong somewhere.
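The two kinds of rows in the log above can be told apart mechanically. Below is an added example (not from the original thread or from Comodo) that parses rows in that layout and classifies them: UDP 67 to 68 from a private gateway address is the DHCP client, which runs inside svchost, and is expected; a TCP connection to port 135 (the RPC endpoint mapper) whose source is a public, routable address is an unsolicited inbound probe and should never appear on a NAT'd host unless the router forwards that port (DMZ, port-forward or UPnP mapping). The sample rows are constructed for the example: three are copied from the posted log, the fourth is invented to exercise the local-LAN branch.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# 135/tcp is the DCE/MS-RPC endpoint mapper (the port GRC's listing refers to);
# 67/68 udp are the DHCP server/client ports.
RPC_ENDPOINT_MAPPER = 135
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

# Sample rows, constructed for this example in the layout of the log posted above.
# The first three are copied from that log; the fourth is invented (hypothetical
# mDNS chatter from the gateway) to show the "local LAN" branch.
SAMPLE_LOG = [
    r"6/1/2009 1:21:54 PM C:\WINDOWS\system32\svchost.exe Blocked 82.229.28.139 3161 192.168.2.2 135 TCP",
    r"6/1/2009 1:37:57 PM C:\WINDOWS\system32\svchost.exe Blocked 118.123.5.109 6000 192.168.2.2 135 TCP",
    r"6/1/2009 2:36:40 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 67 192.168.1.168 68 UDP",
    r"6/1/2009 3:05:12 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.2.1 5353 192.168.2.2 5353 UDP",
]


def parse_line(line):
    """Split one row into fields. The six trailing fields are fixed in number, so
    index from the right; that keeps an application path containing spaces intact."""
    parts = line.split()
    if len(parts) < 10:
        raise ValueError(f"unexpected row: {line!r}")
    return {
        "time": datetime.strptime(" ".join(parts[:3]), "%m/%d/%Y %I:%M:%S %p"),
        "app": " ".join(parts[3:-6]),
        "action": parts[-6],
        "src_ip": ipaddress.ip_address(parts[-5]),
        "src_port": int(parts[-4]),
        "dst_ip": ipaddress.ip_address(parts[-3]),
        "dst_port": int(parts[-2]),
        "proto": parts[-1].upper(),
    }


def classify(entry):
    """Label a parsed row by what it most likely is."""
    src, dst = entry["src_ip"], entry["dst_ip"]
    if (entry["proto"] == "UDP" and entry["src_port"] == DHCP_SERVER_PORT
            and entry["dst_port"] == DHCP_CLIENT_PORT and src.is_private):
        return "dhcp-from-local-gateway"          # expected: svchost hosts the DHCP client
    if (entry["proto"] == "TCP" and entry["dst_port"] == RPC_ENDPOINT_MAPPER
            and src.is_global):
        return "inbound-rpc-probe-from-internet"  # unsolicited; RPC has no business on the Internet
    if src.is_private and dst.is_private:
        return "local-lan-traffic"
    return "other"


def summarize(lines):
    """Return (Counter of labels, sorted list of public IPs that probed port 135)."""
    entries = [parse_line(l) for l in lines if l.strip()]
    labels = [classify(e) for e in entries]
    probes = sorted({str(e["src_ip"]) for e, lab in zip(entries, labels)
                     if lab == "inbound-rpc-probe-from-internet"})
    return Counter(labels), probes


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("public sources worth looking up:", ", ".join(probes))
```

The "probe" list is what you would feed to a whois or geo lookup, as the thread did by hand; the DHCP rows are the ones a blanket block on svchost would eventually break, since the lease renewal arrives on UDP 68 from the gateway.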

According to GRC | Port Authority (Internet Port 135), port 135 is linked to the RPC Endpoint Mapper.

So there is something wrong.

Well I haven’t had the problem since I set svchost to outgoing only.

I am connected wirelessly to an Orange Livebox.

I've scanned with Comodo, MBAM and SuperAntiSpyware and they don't find anything wrong with my system.

I might change svchost back to what it was to see if the problem happens again, just to find out what is going on and see if I have any programs open when it occurs. Because if there is something going wrong somewhere, as guru said, I'd rather find out about it now.

I have BLOCKED all svchost.exe's and nothing has stopped working on my PC. Seems all is fine. What should stop working if it's blocked?