Possible Trojan

This one has got me stumped.

A while back I was reviewing my Comodo firewall log and noticed outbound TCP traffic from svchost.exe to RIPE servers in Amsterdam at WIN XP SP3 boot time. I knew of no reason why these servers should be contacted at boot time, so I added a rule to block all TCP inbound/outbound traffic from svchost.exe for 213.199.000.000 - 213.199.255.255.

A few days have passed and I received no block log activity for the above. Then today at boot I received a bunch of block events as follows:

TCP Port      IP Address
1037          213.199.149.122
1039          213.199.149.146
1041, 1051    213.199.149.82
1043          213.199.149.143
1045          213.199.149.167
1047          213.199.149.111
1053          213.199.149.124

I have scanned my PC with Symantec Endpoint AV, AntimalwareBytes, SuperAntiSpyware, A2 Squared, etc. and I am clean. I also was running Prevx 3.0 for a while and was clean under that also. Prevx has since been uninstalled.

Any ideas on why svchost.exe is “dialing out” to these IPs at boot time?

This will help give you more detail on what's going on with svchost.exe.

I use the tool SIW among others such as Everest, Sandra Utilities, etc. for maintenance diagnostics. It can expand svchost and show its .dll components and the like. I have never seen anything suspicious there.

Also, the behavior of these block entries is identical to an application update where a UDP outbound DNS request is first made to port 53. Because I am behind a router, I don't have any addresses for these. The only app I have seen that uses those RIPE servers is Prevx, since they are a UK outfit. I manually "scrubbed" my drive and Registry of all Prevx traces, so I am fairly confident the referenced outbound traffic is not from that.

Everyone appears to be using bogus servers anyway these days, as evidenced in MS's use of Akamai's servers.
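The practical way to answer "which part of svchost.exe is dialing out" is to stop treating svchost.exe as one process: each svchost instance hosts a group of services, so a block event needs to be tied to a PID and then to that PID's service list. The script below is an added example written for this thread, not code from the original poster or from Comodo, SIW or Microsoft. It joins firewall block events to a "netstat -ano" snapshot on the local (source) port, then to "tasklist /svc" output on the PID, and groups the destinations in the watched 213.199.0.0/16 range by service group. All three inputs are constructed sample data in simplified formats that stand in for the real tools' output; the real column layouts differ slightly and the regular expressions would need adjusting to them. One caveat built into the design: the port-to-PID join only works if the netstat snapshot was taken while the connection attempts were still in the table, so at boot time this means capturing netstat in a loop during startup rather than after the fact.

```python
import ipaddress
import re

# All sample data below is constructed for this example (not from the thread); the
# formats are simplified stand-ins for a firewall block log, "netstat -ano" and
# "tasklist /svc". Service names and PIDs are illustrative only.
FIREWALL_LOG = """\
2009-05-04 08:12:01 BLOCKED svchost.exe TCP OUT 192.168.1.10:1037 -> 213.199.149.122:80
2009-05-04 08:12:01 BLOCKED svchost.exe TCP OUT 192.168.1.10:1039 -> 213.199.149.146:80
2009-05-04 08:12:02 BLOCKED svchost.exe TCP OUT 192.168.1.10:1041 -> 213.199.149.82:443
2009-05-04 08:12:03 BLOCKED firefox.exe TCP OUT 192.168.1.10:1049 -> 93.184.216.34:80
"""

NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1037      213.199.149.122:80     SYN_SENT        1032
  TCP    192.168.1.10:1039      213.199.149.146:80     SYN_SENT        1032
  TCP    192.168.1.10:1041      213.199.149.82:443     SYN_SENT        1100
  TCP    192.168.1.10:1049      93.184.216.34:80       ESTABLISHED     2200
"""

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1032 BITS, wuauserv
svchost.exe                   1100 CryptSvc, Dnscache, LanmanWorkstation
firefox.exe                   2200 N/A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<image>\S+) (?P<proto>TCP|UDP) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Return one dict per block event; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def parse_netstat(text):
    """Map (local ip, local port) -> owning PID from 'netstat -ano' style output."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        local, pid = parts[1], int(parts[-1])  # PID is last; UDP rows have no State column
        ip, port = local.rsplit(":", 1)
        owners[(ip, int(port))] = pid
    return owners


def parse_tasklist(text):
    """Map PID -> list of hosted services from 'tasklist /svc' style output."""
    row = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$")
    services = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue  # header and separator rows have no numeric PID column
        svcs = m.group("svcs").strip()
        services[int(m.group("pid"))] = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
    return services


def attribute(events, owners, services, watch_net="213.199.0.0/16"):
    """Join each block event to the PID and services behind it and flag the watched range."""
    net = ipaddress.ip_network(watch_net)
    results = []
    for ev in events:
        pid = owners.get((ev["src"], ev["sport"]))  # None if the snapshot missed it
        results.append({
            "dst": "%s:%d" % (ev["dst"], ev["dport"]),
            "image": ev["image"],
            "pid": pid,
            "services": services.get(pid, []),
            "in_watch": ipaddress.ip_address(ev["dst"]) in net,
        })
    return results


def group_by_services(results):
    """Collapse watched-range hits to: service group -> sorted destinations."""
    groups = {}
    for r in results:
        if r["in_watch"]:
            groups.setdefault(tuple(r["services"]), set()).add(r["dst"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    res = attribute(parse_firewall_log(FIREWALL_LOG),
                    parse_netstat(NETSTAT_ANO),
                    parse_tasklist(TASKLIST_SVC))
    for svcs, dsts in group_by_services(res).items():
        print(", ".join(svcs) or "(unattributed)", "->", ", ".join(dsts))
```

Once a block event resolves to a service group, the next checks are mundane rather than forensic: a RIPE whois on the 213.199.149.0/24 range gives the registered owner, and the service list tells you whether that owner is one the hosted services would plausibly talk to at startup. Events that resolve to no PID (the snapshot was taken too late) are reported as unattributed rather than guessed at, which is the honest answer for boot-time traffic captured after the fact.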