
I'm using Windows XP Professional SP2.

Whenever I start Windows, svchost.exe starts connecting to all the possible IPs on the LAN, e.g. from 192.168.1.2 to 192.168.1.200. The local port ranges from 1000 to 1099, and the remote port is 445.

After it's done with the local IPs, it starts connecting to other random IPs.

I tried blocking connections to port 445 using the local security policies, but it didn't work. Is there any possible way I could prevent svchost from connecting to these IPs without installing any firewall? My PC slows down due to the load.


I scanned my PC with MalwareBytes and found out it was infected with a worm. It's deleted now, but svchost is still connecting to the IPs.

I also found out that in my Windows Firewall settings, under Internet Control Message Protocol (ICMP), there's a tick on "allow incoming echo request" (usually disabled) which is locked, so I can't disable it.

Its description is as follows:

Messages sent to this computer will be repeated back to the sender. This is used for troubleshooting, e.g. to ping a machine. Requests of this type are automatically allowed if TCP port 445 is enabled.

Any solutions? I can't bear going with the reinstalling Windows phase again.

  • You clearly haven't gotten rid of whatever is on there doing this. So another option is to reinstall Windows. This removes the current one.
    – barlop
    Commented Mar 23, 2012 at 22:24

2 Answers


It seems your PC is infected by a virus, remove it or reformat and reinstall Windows.

SP2 is old. You should use the latest Windows XP Service Pack (SP3).


From the symptoms you describe, it sounds like you have a Conficker infection loose on your network. If you are also unable to run Windows Update on the machine I would say that is almost guaranteed to be the worm you have.

Conficker is a VERY aggressive worm, and removing it from one machine on your LAN is next to useless, because bringing that machine back onto the LAN will mean almost immediate re-infection. Get a tool to remove the infection, disconnect all your machines from the LAN, and disinfect them one by one, and only reconnect them to the network once all machines are clean.

Note that this worm also spreads by USB drives, so ensure nobody is re-infecting your network from an infected USB drive.

Here is a Conficker Worm Removal Tool from Sophos with instructions and security recommendations.
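The symptom in the question (one svchost.exe process walking the whole subnet on TCP/445 from a rising block of local ports, then moving on to off-LAN addresses) is visible in plain `netstat -ano` output before any scanner is run. The following script is an added example, not code from the question, the answers or Sophos: it parses `netstat -ano` text and flags any PID that has outbound TCP/445 attempts to many distinct hosts. The netstat text it analyses is constructed to mirror the reported behaviour (PID 1124, the 192.168.1.x LAN prefix, the 20-host threshold and the 10.20.30.40 off-LAN address are all assumptions for the demonstration).

```python
"""Flag a TCP/445 sweep in `netstat -ano` output (added example, constructed data)."""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state pid")

_ADDR_RE = re.compile(r"^(.*):(\d+|\*)$")


def _split_addr(addr):
    """Split 'host:port' as printed by XP's netstat; '*:*' (UDP) yields ('*', None)."""
    m = _ADDR_RE.match(addr)
    if not m:
        return addr, None
    host, port = m.groups()
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse `netstat -ano` rows. TCP rows have 5 columns; UDP rows have 4 (no State)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header rows
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = None
        else:
            continue  # malformed row: ignore rather than guess
        lh, lp = _split_addr(local)
        rh, rp = _split_addr(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state, int(pid)))
    return conns


def find_smb_sweeps(conns, min_hosts=20, lan_prefix="192.168.1."):
    """Return {pid: summary} for PIDs with outbound TCP/445 attempts to >= min_hosts distinct hosts.

    A normal client holds a handful of SMB sessions (file shares, printers). Dozens of
    SYN_SENT connections to consecutive addresses from one process is a scanner.
    """
    by_pid = defaultdict(list)
    for c in conns:
        if c.proto == "TCP" and c.remote_port == 445 and c.state != "LISTENING":
            by_pid[c.pid].append(c)
    findings = {}
    for pid, rows in by_pid.items():
        hosts = sorted({r.remote_host for r in rows})
        if len(hosts) < min_hosts:
            continue
        lports = [r.local_port for r in rows]
        findings[pid] = {
            "host_count": len(hosts),
            "local_port_range": (min(lports), max(lports)),
            "states": sorted({r.state for r in rows}),
            "off_lan": [h for h in hosts if not h.startswith(lan_prefix)],
        }
    return findings


def build_sample():
    """Constructed `netstat -ano` text (not from a real host): PID 1124 sweeps
    192.168.1.2-192.168.1.40 from local port 1000 upward, then one off-LAN address."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936",
        "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
        "  TCP    192.168.1.5:1200       74.125.24.100:80       ESTABLISHED     2048",
        "  TCP    192.168.1.5:1201       192.168.1.50:445       ESTABLISHED     1900",
        "  UDP    0.0.0.0:445            *:*                                    4",
    ]
    for i in range(2, 41):
        rows.append("  TCP    192.168.1.5:%d   192.168.1.%d:445   SYN_SENT   1124" % (1000 + i - 2, i))
    rows.append("  TCP    192.168.1.5:1039   10.20.30.40:445   SYN_SENT   1124")
    return "\n".join(rows)


if __name__ == "__main__":
    for pid, info in find_smb_sweeps(parse_netstat(build_sample())).items():
        lo, hi = info["local_port_range"]
        print("PID %d: %d distinct hosts on TCP/445, local ports %d-%d, states %s, off-LAN %s"
              % (pid, info["host_count"], lo, hi, ",".join(info["states"]), info["off_lan"]))
```

On the affected machine, capture `netstat -ano > netstat.txt` and feed that file to `parse_netstat` instead of `build_sample()`; `tasklist /svc /fi "PID eq <pid>"` then shows which services are hosted by the flagged svchost.exe instance. The single ESTABLISHED session to 192.168.1.50:445 from PID 1900 is what ordinary file-share use looks like and is not flagged at the default threshold.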
