Hello to lockergnome,
Since booting up this morning, I have had ~250 attempted outbound connections from svchost.
svchost.exe port 427 to 92.242.144.50 port 427 UDP
svchost.exe port 1648 to 92.242.144.50 port 139 TCP
My understanding of svchost is that it does nothing on its own but is tasked by some service or app. My basic question is what would be attempting to make such a connection and why have I never seen it before today. Svchost sometimes does local multicast to look for my HP printer (224.0.1.60), and to UPnP (239.255.255.250), and also sometimes to DNS. Those are pretty innocuous, though I don't always understand what their purpose is.
This is new, and since one is port 139, that is a bit more concerning. These have come regularly all day, so I'm not sure what is prompting them.
Here is my Tasklist output for svchost,
Code:

    Image Name:   svchost.exe
    PID:          1292
    Services:     DcomLaunch
                  TermService

    Image Name:   svchost.exe
    PID:          1360
    Services:     RpcSs

    Image Name:   svchost.exe
    PID:          1540
    Services:     AudioSrv
                  Browser
                  CryptSvc
                  Dhcp
                  EventSystem
                  LanmanServer
                  lanmanworkstation
                  Netman
                  Nla
                  Schedule
                  SENS
                  SharedAccess
                  ShellHWDetection
                  Themes
                  W32Time
                  winmgmt

    Image Name:   svchost.exe
    PID:          1936
    Services:     hpqcxs08
                  hpqddsvc

    Image Name:   svchost.exe
    PID:          1948
    Services:     HPSLPSVC

    Image Name:   svchost.exe
    PID:          2020
    Services:     Net Driver HPZ12

    Image Name:   svchost.exe
    PID:          1496
    Services:     Pml Driver HPZ12

    Image Name:   svchost.exe
    PID:          1612
    Services:     stisvc

    Image Name:   svchost.exe
    PID:          1440
    Services:     SSDPSRV

I am interested in some general information about what is going on under the hood here. Can anyone provide any insight as to why svchost is trying to connect to the WAN and what app or service may be prompting it? My Comodo logs don't say which instance of svchost is trying to connect, unless I'm not reading them right.
I wish that Windows would require programs that want to connect to the internet to make a direct connection. It is much harder to keep track of everything with all of this sideways traffic.
This is XP sp3 in case that matters.
Thanks for any advice you can give.
LMHmedchem
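
Added example, not part of the original post: when the firewall log names only svchost.exe, the owning instance can be found by joining the PID column of `netstat -ano` with the `tasklist /svc /fo list` output shown above. The tasklist sample is trimmed from the post; the netstat rows and their PID values are constructed for illustration and do not identify the actual source on the poster's machine.

```python
# Tasklist output from the post (tasklist /svc /fo list), trimmed to three instances.
TASKLIST = """\
Image Name:   svchost.exe
PID:          1540
Services:     Browser
              LanmanServer
              lanmanworkstation

Image Name:   svchost.exe
PID:          1948
Services:     HPSLPSVC

Image Name:   svchost.exe
PID:          1440
Services:     SSDPSRV
"""

# Constructed netstat -ano rows; the PID column is invented for illustration.
# UDP rows show only the local binding ("*:*" as remote), so match on the
# source port that the firewall log reports.
NETSTAT = """\
  TCP    192.168.1.10:1648      92.242.144.50:139      SYN_SENT        1540
  UDP    0.0.0.0:427            *:*                                    1948
"""

def parse_tasklist(text):
    """Return {pid: [service, ...]} from 'tasklist /svc /fo list' output."""
    services, pid = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key == "Image Name":
            pid = None                           # a new process record starts
        elif sep and key == "PID":
            pid = int(value)
            services[pid] = []
        elif sep and key == "Services" and pid is not None:
            services[pid].append(value.strip())
        elif line.strip() and pid is not None:
            services[pid].append(line.strip())   # continuation line
    return services

def parse_netstat(text):
    """Yield (proto, local_port, remote, pid) from 'netstat -ano' rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            yield f[0], int(f[1].rsplit(":", 1)[1]), f[2], int(f[-1])

def attribute(netstat_text, tasklist_text):
    """Map (proto, local_port) to the services hosted in the owning process."""
    svc = parse_tasklist(tasklist_text)
    return {(p, port): svc.get(pid, []) for p, port, _, pid in parse_netstat(netstat_text)}
```

A process that hosts many services, such as PID 1540 in the post, only narrows the source to that group; the join cannot tell which service in the group opened the socket.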