svchost.exe - outbound connection to different ips

PCrazy123 · 20 Aug 2013

Hi everyone. A few days ago I had to change the motherboard of my pc and I reinstalled windows after that. Since then whenever I connect to the internet svchost.exe always forms an outbound connection only for an instant to a different ip everytime - the ip address always starts with 79.140 like 79.140.94.209 , 79.140.94.216 , 79.104.81.64 , etc. Before I reinstalled windows the ip address whenever i noted it was 192.186something.

Also since I have reinstalled windows the incoming data in the AV's firewall for svchost.exe is currently at 64MB+ (this was after I updated windows) whereas in the previous installation it was only at 3-4 MB for the past 5 months. The network activity upon connection only lasts for about 20-30 seconds on average and the outbound connection appears only for 1-2 seconds. I also connected the net in my laptop and the result is the same.

The system itself is working fine, is fully updated (Win7 SP1) and there are no other problems. I regularly scan the system with Kasperky PURE, Malwarebytes, SpybotS&D , TDSSKiller and Malwarebytes Anti-Rootkit.

So is this behaviour by svchost.exe a sign of infection or is this normal ?

MilesAhead · 20 Aug 2013

Did you look up any of the 79.x.x.x IPs to get the name? It might tell you the OS is calling home to MS. If you have a different motherboard maybe it's been noted and the activation checker is trying to figure out if it's legit? I'm just guessing. But you might learn more if you look up the IPs it's calling to.

UsernameIssues · 20 Aug 2013

Welcome to the Seven Forums.

I cannot say that what you see is normal or not, I can mention a tool (Process Explorer) that will let you see which services are using the various svchost instances. If you want to post the info mentioned here (Windows Genuine and Activation Issue Posting Instructions) then maybe we can tell if there is an ongoing activation issue.

You can download/use Process Explorer (nothing to install)
Download the zipped (compressed) file
Open the zipped (compressed) file (folder)
Copy the files somewhere
Run the exe as admin
Agree to the EULA

I like to select Option > Difference Highlight Duration... and set that to the max of 9 seconds.

Mouse over each svchost,exe to see the info in a tool tip like this:

svchost.exe - outbound connection to different ips-svchost-via-process-explorer.png

You can change the columns to display the network traffic as shown above - if desired.

Double clicking on the svchost entry of interest and then selecting the TCP/IP tab should show the connections:

svchost.exe - outbound connection to different ips-svchost-via-process-explorer2.png

UsernameIssues · 20 Aug 2013

MilesAhead said:

Did you look up any of the 79.x.x.x IPs to get the name? It might tell you the OS is calling home to MS. If you have a different motherboard maybe it's been noted and the activation checker is trying to figure out if it's legit? I'm just guessing. But you might learn more if you look up the IPs it's calling to.

I looked up one of the IP addresses in the OP before posting. More than one source reported it as being an Akamai Server. Here is one such source: WHOIS Search, Domain Name, Website, and IP Tools - Who.is

When a connection to a network is first made, the Windows OS attempts to determine if it has a connection to the internet. (Windows 7 Network Awareness: How Windows knows it has an internet connection « Super User Blog) Microsoft uses Akamai servers around the world as part of this brief check.

From one of my VMs when I disable/enable the network adapter:

svchost.exe - outbound connection to different ips-wireshark.png

The IP highlighted above resolves to an Akamai server.
WHOIS Search, Domain Name, Website, and IP Tools - Who.is

edit: this might be a more informative screen:

svchost.exe - outbound connection to different ips-wireshark2.png

PCrazy123 · 21 Aug 2013

Thanks for helping.

@MilesAhead I looked up 79.104.81.64 at WHOIS Search, Domain Name, Website, and IP Tools - Who.is as UsernameIssues has already looked up the rest and this ip is from Russia and it seems to be unrelated to Akamai.

@UsernameIssues I will check the svchost.exe via Process Explorer and report back. Please check the 79.104.81.64 ip as I can't understand whether its from Akamai or not.

UsernameIssues · 21 Aug 2013

PCrazy123 said:

Thanks for helping.

@MilesAhead I looked up 79.104.81.64 at WHOIS Search, Domain Name, Website, and IP Tools - Who.is as UsernameIssues has already looked up the rest and this ip is from Russia and it seems to be unrelated to Akamai.

@UsernameIssues I will check the svchost.exe via Process Explorer and report back. Please check the 79.104.81.64 ip as I can't understand whether its from Akamai or not.

The IP range from 79.0.0.0 to 79.255.255.255 seems to be assigned to this company VimpelCom Ltd. - Wikipedia, the free encyclopedia.
VimpelCom has servers inside Russia using IP addresses in the range of 79.104.0.0 - 79.104.255.25.

PCrazy123 · 21 Aug 2013

@UsernameIssues Thanks again for helping. I checked with Process Explorer by enabling\disabling the net three times in a row and 58.24.124.211 ip came up two times and when I checked it on WHOIS Search, Domain Name, Website, and IP Tools - Who.is it seems to be from Malaysia.

Please check the attached screenshots of the network activity in Process Explorer.

Why is my pc connecting to all these ips in different countries upon every connection ? Also I scanned my pc again and all results were clear.

UsernameIssues · 21 Aug 2013

You can try a clean boot and see if you can find the app that is asking svchost to make those connections:

Troubleshoot Application Conflicts by Performing a Clean Startup

MilesAhead · 21 Aug 2013

By the way, do you have a router? You may be able to block the ports they are trying to call out on as a stop gap until you resolve the issue.

PCrazy123 · 23 Aug 2013

Thanks for helping. Sorry for late reply I had to reinstall windows due to more motherboard issues. After I reinstalled it I checked everytime I had to download updates for windows and AV and sometimes the connection does not seem to occur to any ips and after the initial connection there is no activity or connection by these ips unless I disable\enable it again.

Do the screenshots I posted indicate any problems ?

@UsernameIssues Will the clean startup disable the Antivirus ? And before connecting to the internet in clean startup should I enable AV or disable it ?

@MilesAhead the port everytime connection is made by these ips is port 80. Will it cause any problems by disabling this port as when I was updating windows and AV this was the port being used.