Hi to you group.

May I ask if anyone has ever seen before that one Svchost.exe (932), which
is controlling AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, FastUserSwitchingCompatibility, helpsvc, Netman, Nla, Schedule,
seclogon, SENS, SharedAccess, has the local address 0.1.0.4? The others
have either 127.0.0.1 or my IP address or 0.0.0.0, and that is normal, I
think, because I have never seen another local address being used.

I can tell that I installed a webcam just before seeing this, but I am not
sure that it is the culprit, and it is not connected any more as I took it
away. A2 Squared also found a Trojan.Win32.Autoit.b last night after a scan,
but when reading about that one it doesn't seem to be so destructive and I
could not see that it used any ports, but to be honest, there is not much
info to get on that one via searching the web.

I have also scanned the PC in safe mode with AVG, MS Antispyware, Spybot
S&D, Ad-Aware SE, Hijack This, CWShredder and some other stand-alone
scanners, even the Sysclean from Trend Micro, and they didn't find anything.
I think I am clean. The thing is that strange local address, and that
Svchost.exe always ends up having five listening ports, up from three at the
beginning. They are the same...992 (DNS Cache) and 932...but they multiply
after a while.

More info...I have no File and Printer Sharing, no Client for MS Network,
disabled UPnP, no Browser thingy, no RDsessMgr and no Remote Registry, no
remote access at all as all are disabled, but I can see in Symantec's
DeepSight Extractor logs that I have connection events, so something might
not stop it, but it should be ZA free, as I have that as a firewall, and I
am also running XP Pro SP2. All things I have are the latest versions and
updated every day.

I have used TCPView, CurrPorts and SuperScan, and also another port scanner
to look for known Trojan ports, but that one was freezing up while scanning.
I used ProcessExplorer and AutoRun too but understand nada, at least in
order to find something malicious.

Okay, thanks for your time and TIA for any thoughts about what it can be.
Cheers to all. :-))

Gunilla.

PS. Sorry for the long post.

Re: Why one Svchost.exe is using a local address of 0.1.0.4? by Gunilla

Gunilla
Sun Jan 30 20:56:48 CST 2005

Just realized that I should say that I am using a Realtek RTL 8139 Fast
Ethernet PCI NIC 100.0 Mbits/sec and am supposed to be on a Broadband LAN
with a Motorola modem and no Switch or Router.