
SVC Host Trying to Connect to Internet (Comodo)


7 replies to this topic

#1 JJ2K


Posted 01 June 2009 - 01:56 PM

Hi, randomly, when not doing anything, I got a popup from Comodo saying that SVC Host was trying to access the internet or something like that.

I've had this before and always blocked it without a problem, but I'd like to know what is actually going on here.

Here are the details from the firewall log (columns are: Time, Application, Action Taken, Source IP, Source Port, Destination IP, Destination Port, Protocol):

PM C:\WINDOWS\system32\svchost.exe Blocked 82.229.28.139 3161 192.168.2.2 135 TCP

6/1/2009 1:32:02 PM C:\WINDOWS\system32\svchost.exe Blocked 82.65.30.221 2964 192.168.2.2 135 TCP

6/1/2009 1:32:05 PM C:\WINDOWS\system32\svchost.exe Blocked 82.65.30.221 2964 192.168.2.2 135 TCP

6/1/2009 1:33:39 PM C:\WINDOWS\system32\svchost.exe Blocked 82.7.239.41 2730 192.168.2.2 135 TCP

6/1/2009 1:34:45 PM C:\WINDOWS\system32\svchost.exe Blocked 88.170.175.112 31615 192.168.2.2 135 TCP

6/1/2009 1:36:55 PM C:\WINDOWS\system32\svchost.exe Blocked 82.28.226.199 22496 192.168.2.2 135 TCP

6/1/2009 1:36:58 PM C:\WINDOWS\system32\svchost.exe Blocked 82.28.226.199 22496 192.168.2.2 135 TCP

6/1/2009 1:37:57 PM C:\WINDOWS\system32\svchost.exe Blocked 118.123.5.109 6000 192.168.2.2 135 TCP

6/1/2009 1:42:32 PM C:\WINDOWS\system32\svchost.exe Blocked 82.30.73.63 1790 192.168.2.2 135 TCP

6/1/2009 1:53:48 PM C:\WINDOWS\system32\svchost.exe Blocked 82.13.247.116 2874 192.168.2.2 135 TCP

6/1/2009 2:08:40 PM C:\WINDOWS\system32\svchost.exe Blocked 201.219.132.2 3767 192.168.2.2 135 TCP

6/1/2009 2:17:25 PM C:\WINDOWS\system32\svchost.exe Blocked 82.29.193.254 38465 192.168.2.2 135 TCP

6/1/2009 2:36:40 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 67 192.168.1.168 68 UDP


So what is going on here? It seems to be some random source IP addresses.
Quick Update: I typed some of the source IPs into an IP lookup and most of them were linked to random parts of the UK, a couple from France, one was from China and one was from Chile? What's SVCHost trying to do?

Thanks for any help.

Edited by JJ2K, 01 June 2009 - 02:01 PM.



#2 boopme


Posted 01 June 2009 - 03:23 PM

Hello, let's first determine if there is malware. I am moving this to the Am I Infected forum for scans.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 bluesjunior


Posted 02 June 2009 - 03:50 AM

I don't believe it is malware. In Comodo you need to set the rule for svchost to outgoing only. Go to Firewall > Advanced > Network Security Policy and, in the list under Application Rules, right-click on the svchost entry, click on Edit, then put a tick in the "Use a predefined Policy" box and choose Outgoing Only from the drop-down list. Click on Apply, Apply and OK to exit and you should be good to go. I would advise anyone using Comodo to go to the Comodo Forums for information. http://forums.comodo.com/

#4 JJ2K


Posted 02 June 2009 - 08:43 AM

Thanks a lot. I went to the Comodo forums to ask for help and they said the same thing; thanks for the helpful description of how to set it to outgoing only. Hopefully it'll stop the problem.

But do you have any idea what was going on? I don't really understand all this source IP, destination IP, ports thing. It seems the source IPs are from random places and random ports, and the destination IP is 192.168.2.2 on port 135?

#5 quietman7


Posted 02 June 2009 - 10:38 AM

An IP address (Internet Protocol address) is a unique address used to identify a computer and communicate with other computers. Computers can use static or dynamic (DHCP) IP addresses. A static IP address is a number assigned to a computer by an Internet service provider (ISP) and intended to be its permanent (fixed) address on the Internet, thus, it will not change.

A port is an address associated with a particular process on a computer. Ports have a unique number in the header of a data packet that is used to map this data to that process. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic/Private Ports. Default port values for commonly used TCP/IP services have values lower than 255 and Well Known Ports have numbers that range from 0 to 1023. Registered Ports range from 1024 to 49151 and Dynamic/Private Ports range from 49152 to 65535. An "open port" is a TCP/IP port number that is configured to accept packets while a "closed port" is one that is set to deny all packets with that port number.

"Port scanning" is a technique used by hackers to locate open ports in your computer which they can break into. Malicious programs like viruses and Trojan horses can be introduced into your computer via these open ports. If your PC is sending out large amounts of data, this usually indicates that your system may have a virus or a Trojan horse. There are third-party utilities that will allow you to manage and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port. You can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various Internet Traffic Monitoring Tools for troubleshooting and malware investigation.

If your firewall provides an alert that indicates it has blocked access to a port, that does not necessarily mean your system has been compromised. Firewall alert messages are a response to unrequested traffic from remote computers. The alert means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it. These alerts are often classified by the network port they arrive on and allow you to see the activity of what is happening on your firewall. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net and will randomly scan a block of IP addresses. These infected computers are searching for "vulnerable ports" and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there.

#6 bluesjunior


Posted 02 June 2009 - 01:38 PM

Glad to be of help JJ2K. Quietman7 has explained much better than I ever could about IP addresses and port attacks in the post above. However, although I am not particularly PC-techie, I have used Comodo for a number of years and have grown to trust it as a reliable security source. If you are new to it I would recommend you visit the forums in the link above and, in the CIS section, look for the heading "Guides" by Kyle and implement them. They are an excellent way to make the Firewall and Defence+ more secure than the installation default setting for the beginner. With CIS configured like this and the outgoing only rule for svchost.exe you will be very secure. If you are on a DHCP connection where your ISP gives you a new address every 14 days you will also need a rule to allow ports 67 & 68 for this purpose.
I use Comodo CIS v3.9 along with SpywareBlaster as real-time protection and have SUPERAntiSpyware and Malwarebytes as on-demand scanners. I use Firefox as my default browser with the NoScript and Adblock Plus add-ons. Using the above I haven't even had a tracking cookie for over four months. You will get lots of attacks in your Firewall log; this is normal and just shows that Comodo is doing its job. Good luck.

Edited by bluesjunior, 02 June 2009 - 01:41 PM.


#7 JJ2K


Posted 14 June 2009 - 07:42 AM

Thanks quietman7 and bluesjunior.

I have pretty much the same setup as you bluesjunior. SuperantiSpyware, MBAM, SpywareBlaster and Comodo.

None show any infections.

Since I've set svchost to outgoing only I haven't had this problem again.

According to: https://www.grc.com/port_135.htm

The port these IPs were trying to connect to:

Name:
dcom-scm
Purpose:
DCOM Service Control Manager
Description:
Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.


If it was port-scanning why did 10 different computers try to connect to my port 135 within the space of an hour?

I might change svchost back to its original setting to see if it happens again, and if I have any programs open when it happens.
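As an added example (not code from any poster in this thread), the Python below triages the Comodo log posted in #1 the way the replies describe: it separates unsolicited Internet hosts probing port 135 on the local 192.168.2.2 address from the expected DHCP exchange on ports 67/68 with the local gateway, counts the distinct probing hosts (the "10 different computers" question in #7), and labels their source ports with the port ranges quietman7 gave. The log text is the one posted in the thread; its first line is missing the timestamp in the original post and is kept that way to show that the parser copes with it.

```python
from collections import Counter
from ipaddress import ip_address

# The log as posted above (its first line is missing the timestamp; kept as-is).
LOG = r"""
PM C:\WINDOWS\system32\svchost.exe Blocked 82.229.28.139 3161 192.168.2.2 135 TCP
6/1/2009 1:32:02 PM C:\WINDOWS\system32\svchost.exe Blocked 82.65.30.221 2964 192.168.2.2 135 TCP
6/1/2009 1:32:05 PM C:\WINDOWS\system32\svchost.exe Blocked 82.65.30.221 2964 192.168.2.2 135 TCP
6/1/2009 1:33:39 PM C:\WINDOWS\system32\svchost.exe Blocked 82.7.239.41 2730 192.168.2.2 135 TCP
6/1/2009 1:34:45 PM C:\WINDOWS\system32\svchost.exe Blocked 88.170.175.112 31615 192.168.2.2 135 TCP
6/1/2009 1:36:55 PM C:\WINDOWS\system32\svchost.exe Blocked 82.28.226.199 22496 192.168.2.2 135 TCP
6/1/2009 1:36:58 PM C:\WINDOWS\system32\svchost.exe Blocked 82.28.226.199 22496 192.168.2.2 135 TCP
6/1/2009 1:37:57 PM C:\WINDOWS\system32\svchost.exe Blocked 118.123.5.109 6000 192.168.2.2 135 TCP
6/1/2009 1:42:32 PM C:\WINDOWS\system32\svchost.exe Blocked 82.30.73.63 1790 192.168.2.2 135 TCP
6/1/2009 1:53:48 PM C:\WINDOWS\system32\svchost.exe Blocked 82.13.247.116 2874 192.168.2.2 135 TCP
6/1/2009 2:08:40 PM C:\WINDOWS\system32\svchost.exe Blocked 201.219.132.2 3767 192.168.2.2 135 TCP
6/1/2009 2:17:25 PM C:\WINDOWS\system32\svchost.exe Blocked 82.29.193.254 38465 192.168.2.2 135 TCP
6/1/2009 2:36:40 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.1 67 192.168.1.168 68 UDP
"""

def port_class(port):
    """Range names as given in quietman7's post."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def parse(line):
    """Columns: Time, App, Action, Src IP, Src Port, Dst IP, Dst Port, Proto.
    Splitting from the right keeps a line with a damaged timestamp parseable."""
    when, app, action, src, sport, dst, dport, proto = line.rsplit(None, 7)
    return {"time": when, "app": app, "action": action, "proto": proto,
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}

def classify(ev):
    """Separate the two kinds of blocked traffic the thread discusses."""
    if ev["proto"] == "UDP" and {ev["sport"], ev["dport"]} == {67, 68} and ev["src"].is_private:
        return "dhcp-from-local-gateway"   # expected lease traffic, see bluesjunior's post
    if ev["dport"] == 135 and ev["dst"].is_private and not ev["src"].is_private:
        return "inbound-probe-port-135"    # unsolicited Internet hosts hitting the RPC endpoint mapper
    return "other"

def triage(log):
    events = [parse(l) for l in log.strip().splitlines()]
    probes = [e for e in events if classify(e) == "inbound-probe-port-135"]
    return {"by_kind": Counter(classify(e) for e in events),
            "distinct_probe_sources": len({e["src"] for e in probes}),
            # the scanners use ordinary client-side ports; none fall in the well-known range
            "probe_source_port_classes": Counter(port_class(e["sport"]) for e in probes)}
```

Running `triage(LOG)` shows 12 blocked inbound probes from 10 distinct public hosts plus one DHCP exchange from the gateway, which is the pattern of random background scanning that quietman7 describes rather than anything svchost itself initiated.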

#8 Nostromov


Posted 14 March 2014 - 11:35 AM

I believe the answer/topic is still relevant. Windows 7 Pro SP1 and xDSL router, here at home, still requires DHCP traffic on ports 67-68 (for IP address assignment); however what's *somewhat* confusing is:

For now, I'd just keep an eye on things. The connection, as stated above, is using standard DHCP protocols and ports and it's originating at a trusted source. Unfortunately, if the connection only happens rarely, it's difficult to trace the cause.

http://forums.comodo.com/firewall-help-cis/svchostexe-acting-up-t91007.0.html;msg656180#msg656180
If it's related to file-sharing, or a Windows Service, or what exactly... When my Windblows installation settings are left to default, I get this kind of traffic occasionally, and if it's not allowed my Internet connection will stop working (IIRC, I also can't connect to the router, 192.168.*.*, which is the address DHCP is asking to connect to; and so, that's the rule in my Comodo that I've added).

P.S.
A Google.com query brought me to this post, so I hope that it can help other people too. :)
https://www.google.com/search?q=comodo+svchost+port+67


Edited by boopme, 14 March 2014 - 07:28 PM.
