Process List:
[snip]
PID 952: 'C:\WINNT\System32\wins\DLLHOST.EXE'
[snip]
PID 1800: 'C:\WINNT\System32\wins\svchost.exe'

Services running on local machine:
PID 952: RpcPatch = "WINS Client" / "C:\WINNT\System32\wins\DLLHOST.EXE"
PID 1800: RpcTftpd = "Network Connections Sharing" / "C:\WINNT\System32\wins\svchost.exe"

TCP table:
Process        Local Address         Remote Address
------------   -------------------   --------------
PID 952        0.0.0.0:2069          LISTENING (** Service **) C:\WINNT\System32\wins\DLLHOST.EXE
PID 952        0.0.0.0:2070          LISTENING (** Service **) C:\WINNT\System32\wins\DLLHOST.EXE
PID 952        0.0.0.0:2073          LISTENING (** Service **) C:\WINNT\System32\wins\DLLHOST.EXE
PID ????????   206.112.xx.xxx:2069   211.161.119.69:80 SYN_SENT
PID ????????   206.112.xx.xxx:2070   211.161.119.64:80 SYN_SENT
PID ????????   206.112.xx.xxx:2073   211.161.119.100:80 SYN_SENT

Note: Sequentially incrementing Target IP addresses
If your system is infected with the Nachi/Welchia worm, it's almost certainly because you have failed to apply all Microsoft security patches to this system AND you connected this system *directly* to the Internet (without firewall protection).
See Removal ****AND**** security patching directions here:
Nachi/Welchia Removal
If this system is a user desktop, you'd be wise to install a personal firewall to protect against future infections of this type.
The free version of Zone Alarm is adequate for most situations.
If this system is a critical server, you should consider acquiring a hardware firewall and putting this host *behind* the firewall.
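A check for the two service entries shown in the services listing above, as an added example (not part of the original page or of the tool that produced the report). It assumes the report's `PID n: Name = "Display" / "path"` line format; the function name and the benign Spooler line are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the listing above: service key names and image locations.
SUSPECT_SERVICES = {"rpcpatch", "rpctftpd"}
SUSPECT_IMAGES = {"dllhost.exe", "svchost.exe"}  # genuine copies sit directly in System32
SUSPECT_DIR = "wins"                             # the listing shows copies in System32\wins

# Matches e.g.: PID 952: RpcPatch = "WINS Client" / "C:\...\DLLHOST.EXE"
SERVICE_LINE = re.compile(
    r'PID\s+(?P<pid>\d+):\s+(?P<name>\S+)\s*=\s*"(?P<display>[^"]*)"\s*/\s*"(?P<path>[^"]+)"'
)

def find_welchia_services(report: str):
    """Return (pid, service, path, reasons) for each service entry matching an indicator."""
    hits = []
    for m in SERVICE_LINE.finditer(report):  # finditer also copes with a flattened report
        path = PureWindowsPath(m["path"])
        reasons = []
        if m["name"].lower() in SUSPECT_SERVICES:
            reasons.append("service name")
        # A display name such as "WINS Client" looks harmless, so check the image path too.
        if path.name.lower() in SUSPECT_IMAGES and path.parent.name.lower() == SUSPECT_DIR:
            reasons.append("dllhost/svchost image in a 'wins' directory")
        if reasons:
            hits.append((int(m["pid"]), m["name"], str(path), reasons))
    return hits

# Constructed sample: the two service lines from the listing plus one benign line.
SAMPLE = r'''
PID 952: RpcPatch = "WINS Client" / "C:\WINNT\System32\wins\DLLHOST.EXE"
PID 1800: RpcTftpd = "Network Connections Sharing" / "C:\WINNT\System32\wins\svchost.exe"
PID 412: Spooler = "Print Spooler" / "C:\WINNT\System32\spoolsv.exe"
'''

if __name__ == "__main__":
    for pid, name, path, reasons in find_welchia_services(SAMPLE):
        print(f"PID {pid} {name} {path}: {', '.join(reasons)}")
```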