outbound svchost request

Hello again,

Since booting up this morning, I have had ~250 attempted outbound connections from svchost.

svchost.exe port 427 to 92.242.144.50 port 427 UDP
svchost.exe port 1648 to 92.242.144.50 port 139 TCP

My understanding of svchost is that it does nothing on its own but is tasked by some service or app. My basic question is what would be attempting to make such a connection and why have I never seen it before today. Svchost sometimes does local multicast to look for my HP printer (224.0.1.60), and to UPnP(239.255.255.250), and also sometimes to DNS. Those are pretty innocuous, thought I don't always understand what their purpose is.

This is new, and since one is port 139, that is a bit more concerning. These have come regularly all day, so I'm not sure what is prompting them.

Here is my Tasklist output for svchost,

Code:

Image Name:   svchost.exe
PID:          1292
Services:     DcomLaunch
              TermService

Image Name:   svchost.exe
PID:          1360
Services:     RpcSs

Image Name:   svchost.exe
PID:          1540
Services:     AudioSrv
              Browser
              CryptSvc
              Dhcp
              EventSystem
              LanmanServer
              lanmanworkstation
              Netman
              Nla
              Schedule
              SENS
              SharedAccess
              ShellHWDetection
              Themes
              W32Time
              winmgmt

Image Name:   svchost.exe
PID:          1936
Services:     hpqcxs08
              hpqddsvc

Image Name:   svchost.exe
PID:          1948
Services:     HPSLPSVC

Image Name:   svchost.exe
PID:          2020
Services:     Net Driver HPZ12

Image Name:   svchost.exe
PID:          1496
Services:     Pml Driver HPZ12

Image Name:   svchost.exe
PID:          1612
Services:     stisvc

Image Name:   svchost.exe
PID:          1440
Services:     SSDPSRV

I guess I would like to know if this kind of traffic is associated with anything I should be concerned with and also some general information about what is going on under the hood here. Can anyone provide any insight as to why svchost is trying to connect the the WAN and what app or service may be prompting it. The comodo logs don't say which instance of svchost is trying to connect, unless I'm not reading them right.

LMHmedchem

 

traced back the ip you listed and it came to a website called Barefruit Ltd. Wikipedia lists as follows at this link.
http://en.wikipedia.org/wiki/Barefruit

 

Thanks for doing that. I'm not sure why svcohst would be trying to connect to that domain. It seems as if you may be re-directed to that site if your browser tries to connect to a site at an invalid domain. Why would svchost be making that connection unless it was first trying to connect elsewhere and got redirected? It would be helpful to know what program was tasking svchost to make this connection.

I looked in the event log to see if there were any errors that might provide some insight, but there are not any.

LMHmedchem

 

Just to update, I just had requests for "system" to connect to the same two IP/port combinations.

system port 427 to 92.242.144.50 port 427 UDP
system port 1648 to 92.242.144.50 port 139 TCP

and also,

system to 92.242.144.50 port 445 TCP

Since port 445 is netbios, I have disabled NetBIOS over TCP/IP, as I probably should have done anyway.

This is a bit disturbing since port 445 and 139 are associated with file-sharing protocols.

LMHmedchem