PC Review

DanS
28th Oct 2004
Now I have a question. After restarting my computer, for some reason I
opened up a port monitoring program I have.

There I saw an open socket, on port 80, with a remote IP that resolves to a
Microsoft address. It was in a TIME_WAIT state, and a PID of 0, which in
the processes, is System Idle Processes.

I DO NOT use Windows Update, and it is disabled.

This socket is being created by something at startup using RulDllAsApp.exe.

Any ideas ?

Thanks,

DanS


 
DanS
28th Oct 2004
DanS <(E-Mail Removed)> wrote in
news:Xns9590B30B8B5E6idispcom@216.196.97.142:

> Now I have a question. After restarting my computer, for some reason I
> opened up a port monitoring program I have.
>
> There I saw an open socket, on port 80, with a remote IP that resolves
> to a Microsoft address. It was in a TIME_WAIT state, and a PID of 0,
> which in the processes, is System Idle Processes.
>
> I DO NOT use Windows Update, and it is disabled.
>
> This socket is being created by something at startup using
> RulDllAsApp.exe.
>
> Any ideas ?
>
> Thanks,
>
> DanS
>
>
>


rundll32.exe is what it actually is.

DanS
 
Colin Nash [MVP]
28th Oct 2004

"DanS" <(E-Mail Removed)> wrote in message
news:Xns9590B30B8B5E6idispcom@216.196.97.142...
> Now I have a question. After restarting my computer, for some reason I
> opened up a port monitoring program I have.
>
> There I saw an open socket, on port 80, with a remote IP that resolves to
> a
> Microsoft address. It was in a TIME_WAIT state, and a PID of 0, which in
> the processes, is System Idle Processes.
>
> I DO NOT use Windows Update, and it is disabled.
>
> This socket is being created by something at startup using
> RulDllAsApp.exe.
>
> Any ideas ?
>
> Thanks,
>
> DanS
>
>


What's the address/IP ?


 
Carey Frisch [MVP]
28th Oct 2004
Ports That Are Used by Windows Product Activation
http://support.microsoft.com/default...b;en-us;291983

Description of Microsoft Product Activation
http://support.microsoft.com/default...b;en-us;302806

Frequently asked questions about Microsoft Product Activation
http://support.microsoft.com/default...b;en-us;302878

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/secu...t/default.aspx

---------------------------------------------------------------------------

"DanS" wrote:

| Now I have a question. After restarting my computer, for some reason I
| opened up a port monitoring program I have.
|
| There I saw an open socket, on port 80, with a remote IP that resolves to a
| Microsoft address. It was in a TIME_WAIT state, and a PID of 0, which in
| the processes, is System Idle Processes.
|
| I DO NOT use Windows Update, and it is disabled.
|
| This socket is being created by something at startup using RulDllAsApp.exe.
|
| Any ideas ?
|
| Thanks,
|
| DanS

 
David H. Lipman
29th Oct 2004
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example: lpt220.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use; suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave






"DanS" <(E-Mail Removed)> wrote in message
news:Xns9590B30B8B5E6idispcom@216.196.97.142...
| Now I have a question. After restarting my computer, for some reason I
| opened up a port monitoring program I have.
|
| There I saw an open socket, on port 80, with a remote IP that resolves to a
| Microsoft address. It was in a TIME_WAIT state, and a PID of 0, which in
| the processes, is System Idle Processes.
|
| I DO NOT use Windows Update, and it is disabled.
|
| This socket is being created by something at startup using RulDllAsApp.exe.
|
| Any ideas ?
|
| Thanks,
|
| DanS
|
|


 
DanS
29th Oct 2004
"Colin Nash [MVP]" <cnash x@x mvps.org> wrote in
news:(E-Mail Removed):

>
> "DanS" <(E-Mail Removed)> wrote in message
> news:Xns9590B30B8B5E6idispcom@216.196.97.142...
>> Now I have a question. After restarting my computer, for some reason
>> I opened up a port monitoring program I have.
>>
>> There I saw an open socket, on port 80, with a remote IP that
>> resolves to a
>> Microsoft address. It was in a TIME_WAIT state, and a PID of 0, which
>> in the processes, is System Idle Processes.
>>
>> I DO NOT use Windows Update, and it is disabled.
>>
>> This socket is being created by something at startup using
>> RulDllAsApp.exe.
>>
>> Any ideas ?
>>
>> Thanks,
>>
>> DanS
>>
>>

>
> What's the address/IP ?
>
>


The IP address that it's reporting is 207.46.249.56 port 80.

It happens on startup only, again the PID is 0, which leads me to believe
that it's something in Windows itself, not any kind of spyware.

It first sends a DNS query, and then by the time I can see it, it's in
the TIME_WAIT state, just waiting to close.

I'll have to do some packet sniffing and find out what this is.

DanS
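The PID 0 observation above is worth checking mechanically. The following is an added example, not code from the thread: it parses `netstat -ano` style output (the sample lines are constructed, reusing the remote address quoted in the thread) and separates TIME_WAIT entries, which Windows reports with PID 0 because the owning process has already closed the socket, from connections that can still be attributed to a live process.

```python
# Added example (not from the thread): parse `netstat -ano` style output and
# separate attributable connections from TIME_WAIT sockets that report PID 0.
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the `netstat -ano` column layout; not a real capture.
# The foreign address on the TIME_WAIT line is the one quoted in the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:1042      207.46.249.56:80       TIME_WAIT       0
  TCP    192.168.1.10:1045      192.168.1.1:53         ESTABLISHED     1288
  UDP    0.0.0.0:445            *:*                                    4
"""

@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which carries no connection state
    pid: int

# Proto, local, foreign, optional state (absent for UDP), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> list[Conn]:
    """Return one Conn per data line; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns

def remote_port(conn: Conn) -> int | None:
    """Numeric foreign port, or None for wildcards such as '*:*'."""
    port = conn.remote.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def unattributable(conns: list[Conn]) -> list[Conn]:
    """TIME_WAIT sockets show PID 0: the owner has already closed them, so this
    snapshot alone cannot say which program opened the connection. Capture
    earlier (while ESTABLISHED) or sniff the traffic, as the thread suggests."""
    return [c for c in conns if c.state == "TIME_WAIT" and c.pid == 0]

def outbound_web(conns: list[Conn]) -> list[Conn]:
    """Connections whose foreign side is a web port: candidates for review."""
    return [c for c in conns if remote_port(c) in (80, 443)]
```

Run the parser in a loop at boot (before the socket reaches TIME_WAIT) to catch the owning PID while the connection is still ESTABLISHED.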






 
Wesley Vogel
29th Oct 2004
Pasting: 207.46.249.56 into the Address box in IE opens >>>
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

Hotmail or MSN ring a bell? What's your IE Home Page?

Search results for: 207.46.249.56
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

More info
Search for : 207.46.249.56
http://ws.arin.net/cgi-bin/whois.pl


What's the suspicious Rundll32.exe process
http://www.mvps.org/sramesh2k/rundll32.htm

--
Hope this helps. Let us know.
Wes

In news:Xns9590C7F5C3ADBidispcom@216.196.97.142,
DanS <(E-Mail Removed)> hunted and pecked:
> "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in
> news:(E-Mail Removed):
>
>>
>> "DanS" <(E-Mail Removed)> wrote in message
>> news:Xns9590B30B8B5E6idispcom@216.196.97.142...
>>> Now I have a question. After restarting my computer, for some reason
>>> I opened up a port monitoring program I have.
>>>
>>> There I saw an open socket, on port 80, with a remote IP that
>>> resolves to a
>>> Microsoft address. It was in a TIME_WAIT state, and a PID of 0,
>>> which in the processes, is System Idle Processes.
>>>
>>> I DO NOT use Windows Update, and it is disabled.
>>>
>>> This socket is being created by something at startup using
>>> RulDllAsApp.exe.
>>>
>>> Any ideas ?
>>>
>>> Thanks,
>>>
>>> DanS
>>>
>>>

>>
>> What's the address/IP ?
>>
>>

>
> The IP address that it's reporting is 207.46.249.56 port 80.
>
> It happens on startup only, again the PID is 0, which leads me to
> believe that it something in Windows itself, not any kind of spyware.
>
> It first sends a DNS query, and then by the time I can see it, it's in
> the TIME_WAIT state, just waiting to close.
>
> I'll have to do some packet sniffing and find out what this is.
>
> DanS

 
DanS
29th Oct 2004
"Wesley Vogel" <(E-Mail Removed)> wrote in news:OzlQQHVvEHA.2876
@TK2MSFTNGP12.phx.gbl:

> Pasting: 207.46.249.56 into the Address box in IE opens >>>
> http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
>
> Hotmail or MSN ring a bell? What's your IE Home Page?
>
> Search results for: 207.46.249.56
> OrgName: Microsoft Corp
> OrgID: MSFT
> Address: One Microsoft Way
> City: Redmond
> StateProv: WA
> PostalCode: 98052
> Country: US
>
> More info
> Search for : 207.46.249.56
> http://ws.arin.net/cgi-bin/whois.pl
>
>
> What's the suspicious Rundll32.exe process
> http://www.mvps.org/sramesh2k/rundll32.htm
>


Hmmmm. That's interesting. Windows Update is disabled. I have no Hotmail
account. My browser's homepage is about:Blank. No MSN, no Messenger (neither
the service nor the IM program).

The options I have set in IE are no scripts, no AX, no cookies, no Java
applets, no nothing.

And it only happens at startup.

Well I guess that's another thing to block for ZoneAlarm.

Thanks for the legwork to all.

Regards,

DanS




 
Wesley Vogel
29th Oct 2004
DanS,

Start | Run | Type: msconfig | OK |
Startup tab |
Have a look to see if something's there that might be trying to go online.

--
Hope this helps. Let us know.
Wes

In news:Xns9590E30BC5112idispcom@216.196.97.142,
DanS <(E-Mail Removed)> hunted and pecked:
> "Wesley Vogel" <(E-Mail Removed)> wrote in
> news:OzlQQHVvEHA.2876 @TK2MSFTNGP12.phx.gbl:
>
>> Pasting: 207.46.249.56 into the Address box in IE opens >>>
>> http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
>>
>> Hotmail or MSN ring a bell? What's your IE Home Page?
>>
>> Search results for: 207.46.249.56
>> OrgName: Microsoft Corp
>> OrgID: MSFT
>> Address: One Microsoft Way
>> City: Redmond
>> StateProv: WA
>> PostalCode: 98052
>> Country: US
>>
>> More info
>> Search for : 207.46.249.56
>> http://ws.arin.net/cgi-bin/whois.pl
>>
>>
>> What's the suspicious Rundll32.exe process
>> http://www.mvps.org/sramesh2k/rundll32.htm
>>

>
> Hmmmm. That's interesting. Windows update is disabled. I have no
> hotmail account. My browser's homepage is about:Blank. No MSN, no
> Messenger (the service nor the IM program.)
>
> The option's I have set in IE are no script's, no AX, no cookies, no
> java applets, no nothing.
>
> And it only happens at startup.
>
> Well I guess that's another thing to block for ZoneAlarm.
>
> Thanks for the legwork to all.
>
> Regards,
>
> DanS

 