Scvhost.exe?

I keep seeing Svchost.exe in my connections log in Avast with a destination port of 239.255.255.250:1900 (UDP out) with about 525 bytes going out. Is this something related to Windows Update checks or something, or is it malicious?

Any help is appreciated.

Are you sure you are seeing this in an avast connections log? I don’t believe there is an avast connections log; avast isn’t a firewall and none of the avast providers (namely the web shield) would be monitoring this port.

SVCHOST does get involved in Windows updates; if you blocked it in your firewall you couldn’t do a Windows update.

This 239.255.255.250 IP and port 1900 returns many hits in a google search.
http://www.google.com/search?q=port+1900+239.255.255.250

This would appear to be related to UPnP, something that, unless you have a specific requirement for it, isn’t required by the average user. You could disable this service.

This UDP port is opened and used by Universal Plug N' Play (UPnP) devices ... a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. ...
http://www.grc.com/port_1900.htm

Also see another of the google hits, http://www.nthelp.com/upnpscrewup.htm.

Is it a typo on the thread name?
Correct would be Svchost.exe and not Scvhost.exe.

I assume it is a typo as it is correct (svchost.exe) in the body of the post.

Yes, it's a typo, and I accidentally posted this under the wrong forum as I had a few open at once. But before it gets locked, could someone tell me if this port can be used for malicious attacks or viruses? I was told it is used for Messenger, which I use, but I am worried it can be exploited, as Comodo firewall is saying it's constantly sending out 525 bytes.

Sorry for the confusion and thanks for trying to help.

Taken from CHIP Mag (Issue 5 2007);

One of the most incomprehensible messages is based on the “svchost.exe” process; the Service Host. This includes several Windows services that are executed with the help of different DLL files. These services are necessary for the automatic updates, for recognizing USB devices or even for print functions. Windows starts svchost sessions as soon as the system requires one of these services. Each service however also creates its own firewall message, which makes the whole thing particularly annoying. In order to find out whether a legitimate connection is opened, have a look at the file path and the remote address to which the service wishes to connect. The file “svchost.exe” must be in the “C:\Windows\System32” folder. Important: Also take care that the spelling is correct, since some Trojans disguise themselves with similar looking file names such as “svhost.exe”, “svchosts.exe” or “sychost.exe”.
If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware “Process Explorer” offered by Microsoft for download. The tool displays all running processes. Select the “svchost.exe” process. In the details window you can then find all files, indexes and registry entries that are connected with it. With one click on the “Properties” you can find out more details. This also includes the IP address and the port with which the program connects. Usually, “svchost.exe” connects only with the local addresses.
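
The path and spelling check described in the article quoted above, as an added example that is not part of the original post or the magazine text. It classifies full image paths (for instance, copied from Process Explorer); the function names and the sample paths are constructed for illustration, and it assumes Windows is installed in C:\Windows.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
# Assumption: Windows lives in C:\Windows, as in the quoted article.
# 64-bit Windows also ships a 32-bit copy in C:\Windows\SysWOW64.
LEGIT_DIRS = {r"c:\windows\system32"}


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (so "scvhost.exe" is 1 away)."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(image_path):
    """Return 'ok', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    norm = ntpath.normpath(image_path).lower()  # Windows paths ignore case
    directory, name = ntpath.split(norm)
    if name == LEGIT_NAME:
        return "ok" if directory in LEGIT_DIRS else "wrong-location"
    if edit_distance(name, LEGIT_NAME) <= 2:    # one or two characters off
        return "lookalike-name"
    return "unrelated"


def triage(paths):
    """Map each suspicious path to its verdict; clean entries are dropped."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v in ("wrong-location", "lookalike-name")}


# Constructed sample input, not taken from any real machine.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svhost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\sychost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {path}")
```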

I basically said that svchost isn’t the problem or the port, but the UPnP service which under normal circumstances isn’t required. It is in no way connected to the normal windows Plug and Play, so the name is confusing. The UPnP is about sharing devices (like printers, etc.) across the internet and I would imagine you have no desire or requirement to do that.

Read the GRC.com link and I think you will see you are probably best advised to disable the UPnP service, then it won’t be using svchost.

So, if you run a full avast scan and, maybe, with other antispyware tools (like AVGas or SpywareTerminator or SuperAntispyware) and you’re clean, don’t worry.

One suggestion re Svchost and your firewall, for which I’m indebted to my son.

So far (knock wood) the only times Svchost has asked for internet access has been in relation to using MS update. My son recommended that you do not tick the “always remember” (or however your own firewall words this) for this one, since there are way too many things that could call up Svchost.

One last thing (I hope anyway): is this program on this website reliable, as it says it will disable the UPnP for me?

http://www.grc.com/unpnp/unpnp.htm

Yes, it’s reliable, you can trust it.

Just ran it, but Svchost.exe is still running under my Comodo list.

It is used for a lot of actions. You won’t be able to run Windows and shut down all svchost.exe processes.
You disable one that is ‘dangerous’ and you don’t need. The others should be there.
OK, it shouldn’t be shown with activity in Comodo, so I suggest you follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Just after I disabled UPnP it still said Svchost.exe was running, so I restarted the computer and opened Comodo. Then 3 Svchost were displayed and I thought it made it worse; then it went down to one (which I have screen grabbed), which stayed there for a while and then vanished. What could the 3 Svchost have been?

Nothing harmful or anything will come of disabling the UPnP, will it mate? And is it reversible if I need it at a later date?

Edit: tested computer using ShieldsUP (hope they are reliable tests) and it passed every test with full stealth, even UPnP.

There is no problem with disabling it.

Sure. Just start the service and set it to automatic start.
Start > Control Panel > Administrative Tools > Services

Did you test the other antimalware tools I’ve posted before?

Svchost stands for Services Host, so it is required for many services but now that UPnP is disabled it shouldn’t be connecting.

I have said UPnP is for the majority of users an unessential service and why GRC.com gives such a strong emphasis on disabling it. If you required it you would know because you need to connect to devices over the Internet, typically if you were connecting to say a work printer. There is enough work required to set this up that if you needed it you would know.

So if you haven’t already disabled it, I recommend you do so; as you said, if you ever needed it (highly unlikely) you can enable it.

This is something else again, as port 53 isn’t normally used for UPnP.

The IP address in your image is for domain name tiscali.com, possibly your ISP?
Port 53 is normally used for DNS purposes: getting an IP address for the friendly URL that you type. This requires an IP address so it can find it, and it gets that from a DNS server.

http://www.google.com/search?q=port+53+udp

http://www.auditmypc.com/port/udp-port-53.asp

If one is behind a NAT router (which many of us are in these days of wireless and shared home network connections) then telling folks that turning off the UPnP service will have no effect is totally misleading.

The UPnP service is necessary for a number of (fairly well known) applications that will not work unless they have the service to help them deal with internal vs external IP addresses and the management of ports for devices sharing the connection.

Thanks Alan, since I don’t have broadband and no NAT router I wasn’t aware of this, and I’m not aware of these fairly well known applications that require it?

So my assumption is that if people used those applications or had a need for the UPnP service, they would know it needed to be enabled. Should someone require it and it was disabled, then they would soon know about it and could enable UPnP.

P2P applications, for instance. eMule can use the UPnP service (if the user sets it to do so).

Thanks Tech, I fear many wouldn’t know what UPnP is from a hole in the ground.