This one has got me stumped.
A while back I was reviewing my Comodo firewall log and noticed outbound TCP traffic from svchost.exe to RIPE servers in Amsterdam at WIN XP SP3 boot time. I knew of no reason why these servers should be contacted at boot time, so I added a rule to block all TCP inbound/outbound traffic from svchost.exe for 213.199.000.000 - 213.199.255.255.
A few days have passed and I received no block log activity for the above. Then today at boot I received a bunch of block events as follows:
TCP Port      IP Address
1037          213.199.149.122
1039          213.199.149.146
1041, 1051    213.199.149.82
1043          213.199.149.143
1045          213.199.149.167
1047          213.199.149.111
1053          213.199.149.124
I have scanned my PC with Symantec Endpoint AV, AntimalwareBytes, SuperAntiSpyware, A2 Squared, etc. and I am clean. I also was running Prevx 3.0 for a while and was clean under that also. Prevx has since been uninstalled.
Any ideas on why svchost.exe is “dialing out” to these IPs at boot time?