Author Topic: Scvhost.exe?  (Read 10974 times)


sanctuary24

  • Guest
Scvhost.exe?
« on: August 05, 2007, 03:02:51 PM »
I keep seeing Svchost.exe in my connections log in Avast with a destination port of 239.255.255.250:1900 (UDP out) with about 525 bytes going out. Is this something related to Windows Update checks or something, or is it malicious?

Any help is appreciated.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Scvhost.exe?
« Reply #1 on: August 05, 2007, 03:16:17 PM »
Are you sure you are seeing this in an avast connections log? I don't believe there is an avast connections log; avast isn't a firewall and none of the avast providers (namely the web shield) would be monitoring this port.

SVCHOST does get involved in Windows updates; if you blocked it in your firewall you couldn't do a Windows update.

This 239.255.255.250 IP and port 1900 returns many hits in a Google search.
http://www.google.com/search?q=port+1900+239.255.255.250

This would appear to be related to UPnP, something that, unless you have a specific requirement for it, isn't required by the average user. You could disable this Service.

Quote
This UDP port is opened and used by Universal Plug N' Play (UPnP) devices ... a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. ...
http://www.grc.com/port_1900.htm

Also see another of the Google hits, http://www.nthelp.com/upnpscrewup.htm.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
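
Added example, not part of the thread: a small triage helper for the kind of firewall log entry discussed above. It checks whether a flow is UDP to the UPnP discovery address 239.255.255.250:1900 and whether the payload looks like a discovery (SSDP) message. The function names and the sample datagram are constructed for illustration.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # address quoted in the thread
SSDP_PORT = 1900

# Constructed sample of a UPnP discovery request (HTTP-style text carried over UDP).
SAMPLE_MSEARCH = (b'M-SEARCH * HTTP/1.1\r\n'
                  b'HOST: 239.255.255.250:1900\r\n'
                  b'MAN: "ssdp:discover"\r\n'
                  b'MX: 3\r\n'
                  b'ST: upnp:rootdevice\r\n\r\n')


def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP datagram into its method and upper-cased headers."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip().strip('"')
    return {"method": method, "headers": headers}


def classify_flow(dst_ip: str, dst_port: int, proto: str, payload: bytes) -> str:
    """Label one outbound flow taken from a firewall log."""
    if proto.lower() != "udp" or dst_port != SSDP_PORT:
        return "not-ssdp"
    if ipaddress.ip_address(dst_ip) != SSDP_GROUP:
        # Port 1900 to anything other than the multicast group is not
        # ordinary local discovery and deserves a closer look.
        return "port-1900-non-multicast"
    msg = parse_ssdp(payload)
    if msg["method"] == "M-SEARCH" and msg["headers"].get("MAN") == "ssdp:discover":
        return "ssdp-discovery"
    if msg["method"] == "NOTIFY" and msg["headers"].get("NTS", "").startswith("ssdp:"):
        return "ssdp-announcement"
    return "unexpected-payload"


if __name__ == "__main__":
    print(classify_flow("239.255.255.250", 1900, "UDP", SAMPLE_MSEARCH))
```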

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scvhost.exe?
« Reply #2 on: August 05, 2007, 03:23:00 PM »
Is it a typo in the thread name?
The correct spelling would be Svchost.exe and not Scvhost.exe.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Scvhost.exe?
« Reply #3 on: August 05, 2007, 04:47:30 PM »
I assume it is a typo as it is correct (svchost.exe) in the body of the post.

sanctuary24

  • Guest
Re: Scvhost.exe?
« Reply #4 on: August 05, 2007, 05:12:53 PM »
Yes, it's a typo, and I accidentally posted this under the wrong forum as I had a few open at once. Before it gets locked, could someone tell me if this port can be used for malicious attacks or viruses? I was told it is used for Messenger, which I use, but I am worried it can be exploited, as Comodo firewall is saying it's constantly sending out 525 bytes.

Sorry for the confusion and thanks for trying to help.

MeDIeVaL

  • Guest
Re: Scvhost.exe?
« Reply #5 on: August 05, 2007, 06:04:01 PM »
Taken from CHIP Mag (Issue 5 2007);

One of the most incomprehensible messages is based on the "svchost.exe" process; the Service Host. This includes several Windows services that are executed with the help of different DLL files. These services are necessary for the automatic updates, for recognizing USB devices or even for print functions. Windows starts svchost sessions as soon as the system requires one of these services. Each service however also creates its own firewall message, which makes the whole thing particularly annoying. In order to find out whether a legitimate connection is opened, have a look at the file path and the remote address to which the service wishes to connect. The file "svchost.exe" must be in the "C:\Windows\System32" folder. Important: Also take care that the spelling is correct, since some Trojans disguise themselves with similar looking file names such as "svhost.exe", "svchosts.exe" or "sychost.exe".
If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware "Process Explorer" offered by Microsoft for download. The tool displays all running processes. Select the "svchost.exe" process. In the details window you can then find all files, indexes and registry entries that are connected with it. With one click on the "Properties" you can find out more details. This also includes the IP address and the port with which the program connects. Usually, "svchost.exe" connects only with the local addresses.
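
Added example, not part of the thread or of the quoted article: the path and spelling check described above, run over a list of process image paths. The function names and the sample paths are constructed; following the article, only the System32 folder of a default `C:\Windows` install is treated as the legitimate location.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
# Assumption taken from the quoted article: Windows is installed in C:\Windows.
LEGIT_DIR = r"c:\windows\system32"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(image_path: str) -> str:
    """Return 'ok', 'wrong-dir', 'lookalike' or 'other' for one image path."""
    directory, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name == LEGIT_NAME:
        return "ok" if directory == LEGIT_DIR else "wrong-dir"
    # A name one or two edits away from svchost.exe is a likely imitation.
    if name.endswith(".exe") and edit_distance(name, LEGIT_NAME) <= 2:
        return "lookalike"
    return "other"


# Constructed sample of image paths, as a process listing might report them.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svhost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\sychost.exe",
    r"C:\WINDOWS\explorer.exe",
]


def flagged(paths):
    """Keep only the paths that fail the location or spelling check."""
    results = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in results if v in ("wrong-dir", "lookalike")]


if __name__ == "__main__":
    for path, verdict in flagged(SAMPLE):
        print(f"{verdict:10} {path}")
```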

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Scvhost.exe?
« Reply #6 on: August 05, 2007, 06:45:36 PM »
Quote
Yes, it's a typo, and I accidentally posted this under the wrong forum as I had a few open at once. Before it gets locked, could someone tell me if this port can be used for malicious attacks or viruses? I was told it is used for Messenger, which I use, but I am worried it can be exploited, as Comodo firewall is saying it's constantly sending out 525 bytes.

Sorry for the confusion and thanks for trying to help.

I basically said that svchost isn't the problem or the port, but the UPnP service, which under normal circumstances isn't required. It is in no way connected to the normal Windows Plug and Play, so the name is confusing. The UPnP is about sharing devices (like printers, etc.) across the internet and I would imagine you have no desire or requirement to do that.

Read the GRC.com link and I think you will see you are probably best advised to disable the UPnP service, then it won't be using svchost.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scvhost.exe?
« Reply #7 on: August 05, 2007, 07:28:13 PM »
Quote
Yes, it's a typo
So, if you run a full avast scan and, maybe, with other antispyware tools (like AVGas or SpywareTerminator or SuperAntispyware) and you're clean, don't worry.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Scvhost.exe?
« Reply #8 on: August 05, 2007, 07:43:42 PM »
One suggestion re Svchost and your firewall, for which I'm indebted to my son.

So far (knock wood) the only times Svchost has asked for internet access has been in relation to using MS update.  My son recommended that you do not tick the "always remember" (or however your own firewall words this) for this one, since there are way too many things that could call up Svchost.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0 (default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

sanctuary24

  • Guest
Re: Scvhost.exe?
« Reply #9 on: August 05, 2007, 09:01:14 PM »
One last thing (I hope, anyway): is this program on this website reliable, as it says it will disable the UPnP for me?

http://www.grc.com/unpnp/unpnp.htm

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scvhost.exe?
« Reply #10 on: August 05, 2007, 09:02:51 PM »
Quote
One last thing (I hope, anyway): is this program on this website reliable, as it says it will disable the UPnP for me?
http://www.grc.com/unpnp/unpnp.htm

Yes, it's reliable, you can trust it.

sanctuary24

  • Guest
Re: Svchost.exe?
« Reply #11 on: August 05, 2007, 09:08:03 PM »
Just ran it, but Svchost.exe is still running under my Comodo list.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scvhost.exe?
« Reply #12 on: August 05, 2007, 09:12:55 PM »
Quote
Just ran it, but Svchost.exe is still running under my Comodo list.

It is used for a lot of actions. You won't be able to run Windows and shut down all svchost.exe processes.
You disable one that is 'dangerous' and you don't need. The others should be there.
OK, it shouldn't be shown with activity in Comodo, so I suggest you follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you are still detecting any strange behavior, or you're even sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

sanctuary24

  • Guest
Re: Scvhost.exe?
« Reply #13 on: August 05, 2007, 09:40:01 PM »
Just after I disabled UPnP it still said Svchost.exe was running, so I restarted the computer and opened Comodo. Then 3 Svchost were displayed and I thought it made it worse; then it went down to one (which I have screen grabbed), but stayed there for a while, then vanished. What could the 3 Svchost have been?

Nothing harmful or anything will come of disabling the UPnP, will it, mate? And is it reversible if I need it at a later date?

Edit: Tested computer using Shields Up (hope they are reliable tests) and it passed every test with full stealth, even UPnP.
« Last Edit: August 05, 2007, 09:54:28 PM by sanctuary24 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Scvhost.exe?
« Reply #14 on: August 05, 2007, 11:39:55 PM »
Quote
Nothing harmful or anything will come of disabling the UPnP, will it, mate?

There is no problem with disabling it.

Quote
Is it reversible if I need it at a later date?

Sure. Just start the service and set it to automatic start.
Start > Control Panel > Administrative Tools > Services

Did you test the other antimalware tools I've posted before?