I downloaded Port Explorer 2.0 a couple of days ago and I really love it. I'm wondering, though, why, when I connect online, svchost.exe PID 756 shows up only briefly in the socket list, sends a few packets, then disappears, all the while I'm still connected to my ISP. It doesn't appear in my processes list in Task Manager. Port Explorer doesn't show any hidden sockets, but still, I wonder if this could be a trojan. I've heard that some trojans are disguised as svchost. I did a whois and lookup but no results. I'll be happy to provide more details on request. I just hope I'm being overcautious, and not infected. ty
Hi, if you show it as FULL PATH you'll probably see that it's the real SVCHOST - it's in Windows\System32. FAKE svchost trojans are plentiful. Usually they are in C:\Windows, or their name LOOKS like svchost, but isn't. Common choices are svhost and scvhost. SVCHOST in Windows 2000/XP is the "services host" which handles many service functions. Most likely the packets you are seeing will go out to port 53, for DNS name resolution (www conversion to an IP address).
Thanks for your reply. You are right, the path is C:\WINDOWS\System32, and no misspelling of svchost.exe. I ran a full system scan with TDS-3, AVG, a-squared, Spybot, McAfee Stinger, and they all came up clean. I frequently play MSN games that came with my XP. Out of curiosity I used Socket Spy while I was playing a few minutes ago, and the same IP which always briefly appears in the socket list when I connect to the net, was the same. It shows either 255.255.255.255 or 239.255.255.250 on ports 67 and 1900. So nothing to worry about I guess. Thanks again and great forum here.
I'd guess you probably want to leave the bootp alone (67), but you might want to fry 1900 (depending on your setup). http://www.windowsnetworking.com/kb...eWindowsMessengerbroadcastsonUDPport1900.html Those addresses with all the 255's you mentioned are broadcast addresses.
I tried to kill the process with Port Explorer, but afterward I couldn't disconnect from the net and had to reboot. Errgh. Thank you for the link. I'll check that out.