what is this process?

Discussion in 'Port Explorer' started by portnewbie, Oct 27, 2004.

Thread Status:
Not open for further replies.
  1. portnewbie

    portnewbie Guest

    I downloaded Port Explorer 2.0 a couple days ago and I really love it. I'm wondering though, why, when I connect online, svchost.exe PID 756 shows up only briefly in the socket list, sends a few packets, then disappears, all the while I'm still connected to my ISP. It doesn't appear in my processes list in Task Manager. Port Explorer doesn't show any hidden sockets, but still, I wonder if this could be a trojan. I've heard that some trojans are disguised as svchost. I did a whois and lookup but no results. I'll be happy to provide more details on request. I just hope I'm being overcautious, and not infected. ty
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002; Posts: 2,080; Location: Perth, Western Australia
    Hi,

    If you show it as FULL PATH you'll probably see that it's the real SVCHOST - it's in Windows\System32. FAKE svchost trojans are plentiful. Usually they are in C:\Windows, or their name LOOKS like svchost, but isn't. Common choices are svhost, and scvhost :)

    SVCHOST in Windows 2000/XP is the "services host" which handles many service functions. Most likely the packets you are seeing will go out to port 53, for DNS name resolution (www conversion to an IP address).
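
Added example, not part of the original posts: a Python version of the check described in the reply above, which flags a process image that is named svchost.exe but sits outside Windows\System32, or whose name only resembles svchost (svhost, scvhost). The function names, the C:\Windows install root, the edit-distance threshold of 2 and the sample process list are assumptions made for this example.

```python
import ntpath

# Assumption: default install root; adjust if %SystemRoot% differs.
SYSTEM32 = r"c:\windows\system32"
REAL_NAME = "svchost.exe"


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return expected-location, wrong-directory, lookalike-name or unrelated."""
    path = ntpath.normpath(image_path).lower()   # Windows paths are case-insensitive
    directory, name = ntpath.split(path)
    if name == REAL_NAME:
        return "expected-location" if directory == SYSTEM32 else "wrong-directory"
    stem, ext = ntpath.splitext(name)
    # Assumed threshold: 2 edits catches both svhost (1) and scvhost (2).
    if ext == ".exe" and edit_distance(stem, "svchost") <= 2:
        return "lookalike-name"
    return "unrelated"


def scan(processes):
    """Map each PID to its verdict."""
    return {pid: classify(path) for pid, path in processes}


# Constructed sample list; PID 756 and its path echo the thread, the rest are made up.
SAMPLE = [
    (756, r"C:\WINDOWS\System32\svchost.exe"),
    (1204, r"C:\Windows\svchost.exe"),
    (1380, r"C:\Windows\System32\svhost.exe"),
    (1512, r"C:\Windows\System32\scvhost.exe"),
    (1620, r"C:\Program Files\Example\notepad.exe"),
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE).items():
        print(pid, verdict)
```

A verdict of expected-location only means the name and directory match; it is a first filter and does not verify the file itself.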
     
  3. Portnewbie

    Portnewbie Registered Member

    Joined: Oct 27, 2004; Posts: 2
    Thanks for your reply. You are right, the path is C:\WINDOWS\System32, and no misspelling of svchost.exe. I ran a full system scan with TDS-3, AVG, a-squared, Spybot, McAfee Stinger, and they all came up clean. I frequently play MSN games that came with my XP. Out of curiosity I used Socket Spy while I was playing a few minutes ago, and the same IP which always briefly appears in the socket list when I connect to the net, was the same. It shows either 255.255.255.255 or 239.255.255.250 on ports 67 and 1900. So nothing to worry about I guess. Thanks again and great forum here.
     
  4. IMM

    IMM Spyware Fighter

    Joined: May 6, 2004; Posts: 351
  5. Portnewbie

    Portnewbie Registered Member

    Joined: Oct 27, 2004; Posts: 2
    I tried to kill the process with Port Explorer. But afterward, I couldn't disconnect from the net, and had to reboot. Errgh. Thank you for the link. I'll check that out.
     