Windows 7 Forums



Windows 7: svchost.exe - outbound connection to different ips

20 Aug 2013   #1
PCrazy123

Win7 Ultimate 32bit
 
 
svchost.exe - outbound connection to different ips

Hi everyone. A few days ago I had to change the motherboard of my PC and I reinstalled Windows after that. Since then, whenever I connect to the internet, svchost.exe always forms an outbound connection, only for an instant, to a different IP every time - the IP address always starts with 79.140, like 79.140.94.209, 79.140.94.216, 79.104.81.64, etc. Before I reinstalled Windows, the IP address whenever I noted it was 192.186something.

Also, since I have reinstalled Windows, the incoming data in the AV's firewall for svchost.exe is currently at 64MB+ (this was after I updated Windows), whereas in the previous installation it was only at 3-4 MB for the past 5 months. The network activity upon connection only lasts for about 20-30 seconds on average and the outbound connection appears only for 1-2 seconds. I also connected the net in my laptop and the result is the same.

The system itself is working fine, is fully updated (Win7 SP1) and there are no other problems. I regularly scan the system with Kaspersky PURE, Malwarebytes, SpybotS&D, TDSSKiller and Malwarebytes Anti-Rootkit.

So is this behaviour by svchost.exe a sign of infection or is this normal?


20 Aug 2013   #2
MilesAhead

Windows 7 32 bit
 
 

Did you look up any of the 79.x.x.x IPs to get the name? It might tell you the OS is calling home to MS. If you have a different motherboard maybe it's been noted and the activation checker is trying to figure out if it's legit? I'm just guessing. But you might learn more if you look up the IPs it's calling to.
20 Aug 2013   #3
UsernameIssues

W7 Pro SP1 64bit
 
 

Welcome to the Seven Forums.

I cannot say whether what you see is normal or not, but I can mention a tool (Process Explorer) that will let you see which services are using the various svchost instances. If you want to post the info mentioned here (Windows Genuine and Activation Issue Posting Instructions) then maybe we can tell if there is an ongoing activation issue.

You can download/use Process Explorer (nothing to install)
Download the zipped (compressed) file
Open the zipped (compressed) file (folder)
Copy the files somewhere
Run the exe as admin
Agree to the EULA

I like to select Option > Difference Highlight Duration... and set that to the max of 9 seconds.

Mouse over each svchost.exe to see the info in a tool tip like this:

[Screenshot: svchost-via-process-explorer.png]

You can change the columns to display the network traffic as shown above - if desired.

Double clicking on the svchost entry of interest and then selecting the TCP/IP tab should show the connections:

[Screenshot: svchost-via-process-explorer2.png]


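The PID-to-service mapping that Process Explorer shows in its tooltip can also be scripted by joining the output of `tasklist /svc /fo csv` with `netstat -ano -p tcp`. This is an added example, not part of the original posts; the embedded command output is constructed sample data (TEST-NET addresses) and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
TASKLIST_CSV = '''"Image Name","PID","Services"
"svchost.exe","704","RpcEptMapper,RpcSs"
"svchost.exe","1012","Dhcp,eventlog,lmhosts"
"svchost.exe","1180","NlaSvc,Dnscache,CryptSvc"
"firefox.exe","2440","N/A"
'''

# Constructed sample of `netstat -ano -p tcp` output (TEST-NET addresses).
NETSTAT_TXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.1.10:49160     192.0.2.80:80          ESTABLISHED     1180
  TCP    192.168.1.10:49161     198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.10:49170     203.0.113.5:443        ESTABLISHED     2440
'''

def services_by_pid(tasklist_csv, image="svchost.exe"):
    """Map PID -> list of service names hosted by each instance of `image`."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): r["Services"].split(",")
            for r in rows if r["Image Name"].lower() == image}

def svchost_remote_connections(tasklist_csv, netstat_txt):
    """Return (pid, services, remote, state) for svchost TCP connections
    that have a real remote peer (listeners and PID 0 leftovers are skipped)."""
    hosted = services_by_pid(tasklist_csv)
    found = []
    for line in netstat_txt.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # banner, column header or blank line
        _, _local, remote, state, pid = parts
        pid = int(pid)
        if pid in hosted and state != "LISTENING":
            found.append((pid, hosted[pid], remote, state))
    return found

if __name__ == "__main__":
    for pid, services, remote, state in svchost_remote_connections(TASKLIST_CSV, NETSTAT_TXT):
        print(f"svchost PID {pid} [{', '.join(services)}] -> {remote} ({state})")
```

A connection that lasts only a second or two may already be in TIME_WAIT when netstat runs, and Windows reports those entries under PID 0, so the owning svchost instance can no longer be identified from that row.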

20 Aug 2013   #4
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by MilesAhead
Did you look up any of the 79.x.x.x IPs to get the name? It might tell you the OS is calling home to MS. If you have a different motherboard maybe it's been noted and the activation checker is trying to figure out if it's legit? I'm just guessing. But you might learn more if you look up the IPs it's calling to.
I looked up one of the IP addresses in the OP before posting. More than one source reported it as being an Akamai Server. Here is one such source: WHOIS Search, Domain Name, Website, and IP Tools - Who.is

When a connection to a network is first made, the Windows OS attempts to determine if it has a connection to the internet. (Windows 7 Network Awareness: How Windows knows it has an internet connection Super User Blog) Microsoft uses Akamai servers around the world as part of this brief check.

From one of my VMs when I disable/enable the network adapter:
[Screenshot: wireshark.png]
The IP highlighted above resolves to an Akamai server.
WHOIS Search, Domain Name, Website, and IP Tools - Who.is

edit: this might be a more informative screen:
[Screenshot: wireshark2.png]


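The connectivity check described in the post above can be told apart from other traffic in a capture by tracing each destination IP back to the name that was queried, instead of relying on WHOIS alone. This is an added example, not part of the original posts: the probe values (`www.msftncsi.com`, `/ncsi.txt`, `dns.msftncsi.com` resolving to `131.107.255.255`) are the Windows 7 defaults and do not appear on this page, and the alias names, TEST-NET addresses, record layout and function names are constructed for illustration.

```python
# Constructed capture summary, e.g. fields exported from a packet capture taken
# while the adapter comes up. Alias names and TEST-NET addresses are sample data.
DNS_ANSWERS = [
    ("www.msftncsi.com", "CNAME", "ncsi.cdn.example.net"),
    ("ncsi.cdn.example.net", "CNAME", "a0000.cdn.example.net"),
    ("a0000.cdn.example.net", "A", "192.0.2.80"),
    ("a0000.cdn.example.net", "A", "192.0.2.81"),
    ("dns.msftncsi.com", "A", "131.107.255.255"),
]
HTTP_REQUESTS = [  # (destination IP, Host header, method, path)
    ("192.0.2.80", "www.msftncsi.com", "GET", "/ncsi.txt"),
    ("198.51.100.7", "198.51.100.7", "GET", "/"),
]
NCSI_PROBE = ("www.msftncsi.com", "GET", "/ncsi.txt")  # Windows 7 defaults

def queried_names(dns_answers):
    """Map each answered IP back to the name that was originally asked for,
    following CNAME chains (CDN-hosted names resolve through several aliases)."""
    alias_of = {target: name for name, rtype, target in dns_answers if rtype == "CNAME"}
    result = {}
    for name, rtype, target in dns_answers:
        if rtype != "A":
            continue
        seen = set()
        while name in alias_of and name not in seen:  # walk aliases back to the root
            seen.add(name)
            name = alias_of[name]
        result[target] = name
    return result

def classify(dns_answers, http_requests):
    """Label each HTTP destination: NCSI probe, other named host, or no DNS lookup."""
    names = queried_names(dns_answers)
    labels = {}
    for ip, host, method, path in http_requests:
        if names.get(ip) == NCSI_PROBE[0] and (host, method, path) == NCSI_PROBE:
            labels[ip] = "NCSI probe"
        elif ip in names:
            labels[ip] = "resolved from " + names[ip]
        else:
            labels[ip] = "no matching DNS answer: investigate"
    return labels
```

Because the probe host is served through a CDN, the address behind it can change between connections and WHOIS reports the CDN or the hosting network instead of Microsoft; the DNS answer and the HTTP Host header are what tie the connection to the probe.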
21 Aug 2013   #5
PCrazy123

Win7 Ultimate 32bit
 
 

Thanks for helping.


@MilesAhead I looked up 79.104.81.64 at WHOIS Search, Domain Name, Website, and IP Tools - Who.is as UsernameIssues has already looked up the rest, and this IP is from Russia and it seems to be unrelated to Akamai.

@UsernameIssues I will check the svchost.exe via Process Explorer and report back. Please check the 79.104.81.64 IP as I can't understand whether it's from Akamai or not.
21 Aug 2013   #6
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by PCrazy123
Thanks for helping.


@MilesAhead I looked up 79.104.81.64 at WHOIS Search, Domain Name, Website, and IP Tools - Who.is as UsernameIssues has already looked up the rest, and this IP is from Russia and it seems to be unrelated to Akamai.

@UsernameIssues I will check the svchost.exe via Process Explorer and report back. Please check the 79.104.81.64 IP as I can't understand whether it's from Akamai or not.
The IP range from 79.0.0.0 to 79.255.255.255 seems to be assigned to this company VimpelCom Ltd. - Wikipedia, the free encyclopedia.
VimpelCom has servers inside Russia using IP addresses in the range of 79.104.0.0 - 79.104.255.25.
21 Aug 2013   #7
PCrazy123

Win7 Ultimate 32bit
 
 

@UsernameIssues Thanks again for helping. I checked with Process Explorer by enabling\disabling the net three times in a row and the 58.24.124.211 IP came up two times, and when I checked it on WHOIS Search, Domain Name, Website, and IP Tools - Who.is it seems to be from Malaysia.

Please check the attached screenshots of the network activity in Process Explorer.

Why is my PC connecting to all these IPs in different countries upon every connection? Also I scanned my PC again and all results were clear.


Attached Thumbnails: 1stc.gif, 2ndc.gif, 3rdc.gif, 3rdca.gif, 3rdcb.gif
21 Aug 2013   #8
UsernameIssues

W7 Pro SP1 64bit
 
 

You can try a clean boot and see if you can find the app that is asking svchost to make those connections:

Troubleshoot Application Conflicts by Performing a Clean Startup
21 Aug 2013   #9
MilesAhead

Windows 7 32 bit
 
 

By the way, do you have a router? You may be able to block the ports they are trying to call out on as a stop gap until you resolve the issue.
23 Aug 2013   #10
PCrazy123

Win7 Ultimate 32bit
 
 

Thanks for helping. Sorry for the late reply; I had to reinstall Windows due to more motherboard issues. After I reinstalled it I checked every time I had to download updates for Windows and AV, and sometimes the connection does not seem to occur to any IPs, and after the initial connection there is no activity or connection by these IPs unless I disable\enable it again.

Do the screenshots I posted indicate any problems?

@UsernameIssues Will the clean startup disable the Antivirus? And before connecting to the internet in clean startup should I enable AV or disable it?

@MilesAhead the port every time a connection is made by these IPs is port 80. Will it cause any problems by disabling this port, as when I was updating Windows and AV this was the port being used?