Call home ?

Thread starter: DanS

DanS

Now I have a question. After restarting my computer, for some reason I
opened up a port monitoring program I have.

There I saw an open socket, on port 80, with a remote IP that resolves to a
Microsoft address. It was in a TIME_WAIT state, with a PID of 0, which in
the process list is System Idle Process.

I DO NOT use Windows Update, and it is disabled.

This socket is being created by something at startup using RulDllAsApp.exe.

Any ideas ?

Thanks,

DanS
 

rundll32.exe is what it actually is.

DanS
 

What's the address/IP ?
 
Ports That Are Used by Windows Product Activation
http://support.microsoft.com/default.aspx?scid=kb;en-us;291983

Description of Microsoft Product Activation
http://support.microsoft.com/default.aspx?scid=kb;en-us;302806

Frequently asked questions about Microsoft Product Activation
http://support.microsoft.com/default.aspx?scid=kb;en-us;302878

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt220.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g., HD space to use; suggested 400 ~ 600 MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave
 
| What's the address/IP ?

The IP address that it's reporting is 207.46.249.56 port 80.

It happens on startup only, and again the PID is 0, which leads me to believe
that it's something in Windows itself, not any kind of spyware.

It first sends a DNS query, and then by the time I can see it, it's in
the TIME_WAIT state, just waiting to close.

I'll have to do some packet sniffing and find out what this is.

DanS
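One way to catch the owner of such a socket before it reaches TIME_WAIT, as an added example that is not code from the thread: Windows `netstat -ano` reports PID 0 for TIME_WAIT entries because the process that made the connection has already closed it, so the owning PID has to be captured from an earlier snapshot while the connection is still ESTABLISHED. The two snapshots and the owning PID 1388 are constructed; only the remote endpoint 207.46.249.56:80 and the TIME_WAIT / PID 0 entry come from the thread.

```python
from collections import namedtuple

# Constructed `netstat -ano` snapshots mirroring the thread's symptom. The
# owning PID (1388) is invented for the example; only the remote endpoint
# (207.46.249.56:80) and the TIME_WAIT / PID 0 entry come from the thread.
SNAP_T0 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1041       207.46.249.56:80       ESTABLISHED     1388
  UDP    0.0.0.0:500            *:*                                    740
"""
SNAP_T1 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1041       207.46.249.56:80       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    740
"""

# state is "" for UDP rows, which carry no connection state column
Conn = namedtuple("Conn", "proto local remote state pid")

def parse_netstat(text):
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            (proto, local, remote, pid), state = parts, ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns

def new_outbound(prev, curr):
    """TCP connections whose remote endpoint was absent from the previous
    snapshot; listeners (remote 0.0.0.0:0) are excluded."""
    seen = {c.remote for c in prev}
    return [c for c in curr if c.proto == "TCP" and c.state != "LISTENING"
            and c.remote not in seen]

def attribute_ownerless(prev, curr):
    """TIME_WAIT sockets show PID 0 because their process has already closed
    them; recover the owner from the snapshot taken while the same local/
    remote pair was still ESTABLISHED (None if it was never caught)."""
    owners = {(c.local, c.remote): c.pid for c in prev if c.pid != 0}
    return {(c.local, c.remote): owners.get((c.local, c.remote))
            for c in curr if c.state == "TIME_WAIT" and c.pid == 0}
```

Polling `netstat -ano` every second or so from logon onward and feeding consecutive snapshots to these functions records the PID while the connection is still open; the PID can then be matched against the process list to see which program (for instance a rundll32.exe instance) made it.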
 
Pasting: 207.46.249.56 into the Address box in IE opens >>>
http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us

Hotmail or MSN ring a bell? What's your IE Home Page?

Search results for: 207.46.249.56
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

More info
Search for : 207.46.249.56
http://ws.arin.net/cgi-bin/whois.pl


What's the suspicious Rundll32.exe process
http://www.mvps.org/sramesh2k/rundll32.htm
 

Hmmmm. That's interesting. Windows update is disabled. I have no hotmail
account. My browser's homepage is about:Blank. No MSN, no Messenger (the
service nor the IM program.)

The options I have set in IE are no scripts, no AX, no cookies, no Java
applets, no nothing.

And it only happens at startup.

Well I guess that's another thing to block for ZoneAlarm.

Thanks for the legwork to all.

Regards,

DanS
 
DanS,

Start | Run | Type: msconfig | OK |
Startup tab |
Have a look to see if something's there that might be trying to go online.
 