SVChost Windows service issue - threat or not?

Cyan (OP, Former Staff; joined Oct 27, 2002; Engine room, learning; France)

I installed OBS (streaming app for Twitch streaming).
I started using it without allowing network access to the obs-plugins\64bit\obs-browser-page.exe
Then I enabled it. (Related or not?)
Since then, I'm having my firewall notification popping up every 10 seconds asking me to grant access to "SVChost", but without being able to determine which service is attached to that process.

My computer firewall is set to "deny all outgoing access" and warn on each attempt by a new process.

It tries to access:
34.104.35.123:80 (123.35.104.34.bc.googleusercontent.com)

and I can't accept or block it in the firewall because it says "unable to detect the service, choose in the list".
EapHost
gpsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
ProfSvc
Schedule
SENS
ShellHWDetection
Themes
Winmgmt

This popup is annoying :/


I searched that IP and OBS on the net, and found this site:
https://any.run/report/9f0e9a4839e3...7e95be20/3622b845-755e-4a04-8e3a-7ec52d674b19
It's an automated analysis of an application installation, checking file access, network access, etc. to determine if there are threats.

It lists that IP after installing OBS, though it's not the same domain name (mine is googleusercontent, while on the report it's edge), but the report is old, it might have changed.
In the log, we can see different URLs trying to download binary files.
One of the URLs is http://edgedl.me.gvt1.com/edgedl/re....3.36.121_win_bxugoraqoudfswxg22hsatfdbi.crx3
All accesses to that IP are marked as "whitelisted", not a threat.


If I go to 34.104.35.123:80 in the browser, there's a Google log message.
If I go to http://edgedl.me.gvt1.com/ (from the website log) it redirects to the "Google Chrome download page".

Is OBS trying to install Google Chrome silently?
I'm not using Chrome on my computer.
OBS also updated/installed VCredist. Could it be related to vc_redist instead?

It seems it's doing a few download requests, and it's also downloading/running "avg_secure_browser_setup.exe".
Is that something needed for OBS?
Maybe OBS is forcing users to download and install AVG without consent???


OBS is closed, I rebooted, and I still have the firewall alerts.
I re-blocked the OBS browser plugin; it still triggers the alerts.
I don't know which process to allow or deny to stop them.


BUT I also found this report:
https://any.run/report/e601c1d200be...4374382f/46394b76-fe32-41aa-9749-0e4d039b3bd3
It's not a tool I have, but it has that IP in the logs,
and it's marked as dangerous.


BUT I also found this site:
https://www.abuseipdb.com/check/34.104.35.123
which seems to match the DNS name, and it's marked as a threat.
My access is "outgoing", so it's not a remote host trying to access my PC, but the PC trying to access the network. Could it be an exploit? An issue?


My questions:
Is it safe, or is it a threat?
Why would it be SVChost trying to download (and install?) it, and not OBS itself?
Is there a way to block SVChost [OBS]?
If I have to enable access, which "service" should I enable from the firewall's list of detected services?
Should I delete OBS?
Restore a backup of my computer and never touch OBS and forget about streaming games to Twitch at all?


I could add a firewall rule to simply block remote access to 34.104.35.123, BUT it will not stop the process trying to connect, and it will just spam the CPU!
I'd prefer to know how to either stop the app from requesting access, or just allow it once and for all if it's not a threat and it's effectively related to OBS, not malware, etc.
Should I allow ALL svchost access to that IP? For like 5 minutes if it needs to update or download something?

Maybe it's even unrelated to OBS, and just random unfortunate timing?
Have I been infected?
My antivirus is up to date and not finding an issue.


I removed OBS from my computer and rebooted. It's STILL happening!
I feel like having to restore an Acronis backup of my computer... and never touch OBS ever again.

I'll give it 1h or so; without any help I'll just restore my PC to an old backup.
 
Last edited by Cyan,

Latiodile (Member; joined May 27, 2022; Ontario, Canada)

Do a virus scan with Malwarebytes or something? OBS shouldn't be doing this, and it never has for any of the countless times I've installed it.
 

Cyan (OP)

It detected only one thing:

Registry value: 1
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-4082770478-2965212832-1393914720-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, No user action, 6665, 251589, 1.0.39721, , ame, , ,
https://blog.malwarebytes.com/detections/pum-optional-lowriskfiletypes/

I think it's not malware, but just a user setting I chose (to prevent seeing the "security popup" when launching a downloaded app).


Hmm, I switched ON the antivirus' firewall (ESET Internet Security) instead of Windows' default firewall, which I trust more.
It first asked me about svchost > BITS.
Looking up BITS, it's something related to downloading files...

I think I allowed it. Reverting to Windows' firewall, I don't have the popup anymore.
Seeing Malwarebytes said it was safe... I took the risk and tried.
I have a backup from Thursday, I can restore if needed.


Edit:
Thanks for the help.

I guess it's "fixed" by allowing access to BITS when I switched to the ESET firewall.
I'm not sure why it happened, nor what it requested or downloaded...

I updated Windows (4 updates found, 2 failed updating, unknown error...)
I reinstalled OBS.
Made a new Acronis backup, just in case...


Really, OBS has had me stressed for over a week!
I needed to update my nVidia graphics driver to use the NVENC codec in OBS, and I never could update it.
The official Nvidia installer fails, and the computer crashed, with colored squares on screen...
I tried DDU, and installed nvidia again, FAILED again...
It's like the computer can't update/install drivers anymore.
And now, even Windows Update is failing... pfff
 
Last edited by Cyan,

Cyan (OP)

Today I launched OBS again, and the firewall started detecting requests from svchost again, right after I tried to use the internal browser (which is used for lots of things, like overlays, or Twitch chat integration, etc.).
I think it's related to the internal browser engine used inside OBS; it probably wants to download something, or send data/stats to some servers, or maybe check for updates...

But it's trying to use a service instead of its own app.

Here is what happens:
- svchost (BITS): connects to remote host 34.104.35.123:80

If I allow it, then I have this:

- svchost (CryptSvc): connects to remote host ctldl.windowsupdate.com:80 (2001:4de0:ac10::1:1:19)

And THEN, in third place, finally the internal browser:
- obs-browser-page.exe: connects to remote host chrome.cloudflare-dns.com:443 (2606:4700:4400::ac40:9155) (at last, a secured connection)
- obs-browser-page.exe: 146.75.2.167:443, followed by a lot of requests to an Amazon CDN.

The issue is that my usual firewall notifier doesn't detect the BITS service.
I tried to make a manual rule in Windows Firewall, for svchost [BITS], allowing outgoing connections to 34.104.35.123, but it doesn't seem to work as intended. My notifier still detects an attempt to access the network not matching any rule even if I just made one, so it prompts every 10 seconds asking whether I want to allow/refuse, and I have to pick a service from a list where it doesn't let me pick "BITS".

The solution I found is to use a third-party firewall (ESET Internet Security), taking over management from the official Windows firewall, every time I launch OBS.
I can then disable it and go back to my own rules in Windows once OBS has done its "check". (No idea what.)


I waited a little, and it did install something using the "trusted installer" service, which is a tool used by Windows to install Windows updates or other apps with elevated rights. (Still no idea what it installed...)
A spyware, a malware, a rootkit?

Maybe it's legit, but when searching for that IP there are bad things related to it.

I searched for information about OBS and viruses, and found a website talking about a newly found virus related to OBS, from July 17th 2022.
It seems not "included" with OBS, but bundled with other apps, and using OBS's streaming capability to "stream" data to a remote host, or send browser and chat client data.

In doubt, I re-restored a backup to clean my computer from that unknown activity in the background.
I'm now wondering whether I'll reinstall OBS or not. It has only caused me a lot of issues since I decided to stream from the computer :( (from the impossibility of updating graphics drivers, even with DDU, to this firewall alert when using OBS...)
I might forget about streaming the Switch and keep streaming directly from the PS4/5 instead.
I might try the original "Streamlabs", not "Streamlabs OBS"; maybe there are fewer weird activities.
 
Last edited by Cyan,
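For the two steps the post above struggles with (finding out which service sits behind a given svchost connection, and writing a Windows Firewall rule scoped to that service rather than to svchost.exe as a whole), here is an added PowerShell example. It is not from the thread or from the OBS project. It assumes Windows 8 or later with PowerShell 5.1 in an elevated prompt (Get-NetTCPConnection and the NetSecurity cmdlets do not exist on Windows 7; a netsh equivalent for that case is in the trailing comment), and it uses the 34.104.35.123:80 destination from the thread as a placeholder to replace with whatever your own alert shows.

```powershell
# Added example (not from the thread). Assumes Windows 8+/PowerShell 5.1, run as administrator.
# The IP and port are the ones reported in the thread; replace them with the destination in your alert.
$Remote     = '34.104.35.123'
$RemotePort = 80
$Svchost    = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostConnectionOwner {
    # Lists every live TCP connection to $RemoteAddress together with the owning
    # process and, when that process is svchost.exe, the services hosted in it.
    param([string]$RemoteAddress)

    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ownerPid = $_.OwningProcess
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            # Win32_Service.ProcessId is the PID of the svchost instance hosting the service.
            # On Windows 10 1703+ with more than 3.5 GB RAM services are no longer grouped,
            # so one PID maps to one service; on older builds you get the whole shared group.
            $services = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
                        Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State    = $_.State
                PID      = $ownerPid
                Process  = $proc.ProcessName
                Services = ($services -join ', ')
            }
        }
}

# 1. Identify the owner while the connection attempt is happening. A row reading
#    "Process=svchost Services=BITS" is the answer the generic firewall prompt could not give.
Get-SvchostConnectionOwner -RemoteAddress $Remote | Format-Table -AutoSize

# 2. Write a rule that applies only to the BITS service inside svchost.exe.
#    -Service scopes the rule to the service's SID; a plain per-program rule on
#    svchost.exe would apply to every service hosted in that process.
New-NetFirewallRule -DisplayName 'Allow BITS outbound to 34.104.35.123:80' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program $Svchost -Service BITS `
    -Protocol TCP -RemoteAddress $Remote -RemotePort $RemotePort | Out-Null

# 3. Confirm the service filter actually landed on the rule.
Get-NetFirewallRule -DisplayName 'Allow BITS outbound to 34.104.35.123:80' |
    Get-NetFirewallServiceFilter | Select-Object Service

# Windows 7 equivalent (no NetSecurity module): the same scoping via netsh, and
# "netstat -ano" plus "tasklist /svc" to map the PID to its services by hand.
#   netsh advfirewall firewall add rule name="Allow BITS outbound" dir=out action=allow ^
#       program="%SystemRoot%\System32\svchost.exe" service=BITS protocol=TCP ^
#       remoteip=34.104.35.123 remoteport=80
```

Two caveats a practitioner would want: the owner lookup only works while the connection attempt is live, so run it while the prompt is on screen or loop it; and a service-scoped rule still does nothing about the repeated retries the thread complains about, since a blocked BITS job simply keeps retrying until it times out. If you want the retries to stop rather than be silently dropped, cancel the job (the next example in this thread shows how to list them) instead of only blocking it.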

Joom (Member; joined Jan 8, 2016; US; mogbox.net)

Lots of things use svchost for networking. Skype is another thing off the top of my head. That IP is also a shared IP that does indeed belong to Google:
https://www.abuseipdb.com/check/34.104.35.123

There's a bunch of reports on it, but that really doesn't mean much since it's a shared IP. People use Google's hosting for light storage all the time, and OBS may be using it for that or service delivery seeing as they're using Amazon and Cloudflare as well. You could use Wireshark to see exactly what's going on if you care enough to find out.
 

Cyan (OP)

Yeah, I think it's a shared IP and not a threat.
I suppose it was just a sum of different behaviors I'm not used to which frightened me (same IP used for abuse, unusual events on my computer, firewall alerts, etc.).

For anyone looking at the same problem, here is a summary of what I found so far:


When I install OBS (and it downloads/installs vc_redist), it ENABLES the BITS service. It was set to "manual" in my services.msc before the OBS installation. It also enabled the Windows Update service (I had it set to disabled, as I don't want Win7 to silently update and prompt me to update to Win10).
I think it might be related to vcredist instead (but I tried to install it standalone, and I don't have any activity until I install and launch OBS).

I think the OBS browser plugin might be based on Chrome (I thought AVG_secure_browser at first).
Whenever I launch OBS and the browser plugin is enabled, it tries to connect to: youtube.com, google-analytics.com and stats.g.doubleclick.net
Then I have svchost, using the BITS service (Background Intelligent Transfer Service), trying to access that Google shared IP 34.104.35.123:80 (probably to check for new updates? or send stats, but BITS is used to download, not send stats).


And every time I launch OBS, svchost (CryptSvc) connects to both ctldl.windowsupdate.com and x1.c.lencr.org (or x2.c.lencr.org) to install/update something. Sometimes, also ocsp.digicert.com.
Then trustedinstaller.exe is launched and installs something. Usually, it's used to install new Windows updates silently, with elevated privileges/rights.
After a few launches of OBS, and not seeing "trusted installer" anymore, I switched BITS and wuauserv back to disabled. They don't seem to be switched back to Enabled anymore. (But strangely, there are still CryptSvc and Windows Update accesses every time I launch OBS, just not downloading and installing something anymore.)


I tried Streamlabs; it doesn't have that behavior with its own browser plugin (but takes 4GB of RAM and sooo many processes... too much for my old computer).
So, I decided to stick with that strange "Windows Update" check/download every time I launch OBS.

Like you said, if I really want to know what happens, I can check the activity with Wireshark and with Sysinternals' Sysmonitor (it logs all file and registry activity), because the Windows observer is not doing the job fully. I could only see that the "BITS service" had been switched to ON, but it doesn't tell who did that, etc.

I think I'll stop being paranoid XD
Too much work to find what is really happening in the background.

Nobody noticed because I might be the only user with Windows Update disabled, and the firewall set to filter outgoing services by default... (and the firewall never caught the BITS service before?).
All the people I asked about it said they don't have any "weird activity" with OBS, probably because they just don't know they have :P Their firewall (if any) is probably set to "auto" or "allow all outgoing" like the default settings for all firewalls.


Edit:
I got the same ctldl.windowsupdate.com and x1.c.lencr.org requests right after "nvcontainer.exe" tried to access the network, for its daily update check. (It's usually blocked in my firewall rules, but as I'm using a different firewall now, it prompts again.)
I'll just disable that "Nvidia check driver update daily" in the task manager. I can't update drivers anyway; it crashes the PC. "Update failed" and I have colored squares on screen, followed by a black screen...

I didn't run OBS this time, and it made a Windows Update access... though it didn't re-enable any services (BITS and wuauserv), it's only CryptSvc calling home.
Maybe OBS and nvidia are related? But when I use OBS it's only when I enable the browser that it does this Windows Update access.

Edit one day later:
I didn't have the automatic update; as expected the task scheduler has "nvcontainer" auto-run disabled, and it didn't trigger Windows Update.
Still, OBS launch does.
This time, it even triggered Windows Defender... it never did.
 
Last edited by Cyan,
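The summary above leaves two questions open: who flipped the BITS and wuauserv start types, and what BITS actually fetched from 34.104.35.123. Both are answerable from logs Windows already keeps, so here is an added PowerShell example that reads them; it is not from the thread or from OBS. It assumes an elevated PowerShell 5.1 on Windows 8 or later with the default event logs in place (on Windows 7 the same logs exist, but Get-Service has no StartType column there and you need Import-Module BitsTransfer first). The Service Control Manager writes event 7040 for every start-type change, and the BITS client's operational log writes event 59 with the URL of every job it starts.

```powershell
# Added example (not from the thread). Run elevated; Windows 8+/PowerShell 5.1 assumed
# (on Windows 7 run "Import-Module BitsTransfer" first).
$Since = (Get-Date).AddDays(-7)   # look-back window; widen it to cover the OBS install date

function Get-ServiceStartTypeChanges {
    # Service Control Manager event 7040: "The start type of the <service> service was
    # changed from <old> to <new>." UserId is the SID recorded on the event.
    # The message uses display names, hence the default pattern below.
    param(
        [datetime]$StartTime,
        [string]$Pattern = 'Background Intelligent Transfer|Windows Update'
    )
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, UserId, Message
}

function Get-BitsJobUrls {
    # BITS-Client event 59: "BITS started the <job> transfer job that is associated
    # with the <URL> URL." Pull the URL out of the message text.
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $url = if ($_.Message -match '(https?://\S+?)\s+URL') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{ Time = $_.TimeCreated; Url = $url }
        }
}

# 1. Where the services stand right now.
Get-Service -Name BITS, wuauserv, CryptSvc, TrustedInstaller |
    Select-Object Name, Status, StartType

# 2. When (and under which account) BITS or Windows Update changed start type.
Get-ServiceStartTypeChanges -StartTime $Since | Format-List

# 3. Every URL BITS was asked to fetch in the window. This is the list that says
#    whether the 34.104.35.123 download was an application component, a Windows
#    update, or something else, without guessing from reverse DNS.
Get-BitsJobUrls -StartTime $Since | Format-Table -AutoSize

# 4. Jobs still queued or retrying (-AllUsers needs administrator rights). A job
#    that keeps retrying a blocked destination is what produces a prompt every few
#    seconds; Remove-BitsTransfer on it stops the retries for good.
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, @{ n = 'Remote'; e = { ($_.FileList.RemoteName) -join ', ' } }
```

Read step 3 together with step 2: a 7040 event for BITS timestamped within seconds of an installer run, followed by event 59 entries naming the installer's download host, is the ordinary footprint of a setup program that uses BITS as its downloader. A 7040 event with no installer running, or event 59 URLs pointing at hosts nothing on the machine should be talking to, is what would justify the backup restore the thread ends up doing.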
