Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: steve50
http://www.windowsbbs.com/showthread.php?s=7ce73da18993ed68cdcc9f15d9048297&threadid=13442

"Read this on another site--thought it might be of interest to some folks.

XP Phone Home
I've mentioned my recent play with ZoneAlarm Pro, and while I don't use it heavily, I have left it to start automatically on one workstation where I do a lot of software testing. It's a fairly clean installation of Windows XP Pro, Office XP and a few other commonly used tools. Part of my routine with XP is to put a halt to the various automated procedures that it attempts to shove down my throat. This would include Automatic Updates most notably, but I also make sure to disable Windows Messenger, IE automatic updates and Error Reporting. Nothing should be contacting Microsoft without my knowledge as things are configured.

Imagine my horror when ZoneAlarm informs me that rundll32.exe wishes to contact 207.46.134.94:HTTP. I realize that spyware and viruses have posed as the legitimate rundll32.exe, but there are two things to consider. First of all, 207.46.134.94 is Microsoft's Windows Update site. Second, the version and date are identical to those of the rundll32.exe file on a different Windows XP Pro installation.

Nothing is launching from any of the startup registry entries or Startup Program Group using rundll32.exe explicitly, and there certainly isn't anything specific to Microsoft that is launching in those areas.

A service perhaps? Well, the process associated with rundll32.exe is executing under the context of my username, versus SYSTEM, which most services utilize unless configured to use different credentials. Speaking of services, both the Cryptographic Services and (gasp) Automatic Updates have been started by the operating system behind my back!

I have denied the access for now, but I have not forgotten. Next, I dig out a hub so I can sniff the packets as they wander by for clues regarding the suspicious activity. Not that I'm going to let it contact Microsoft, mind you. I also plan to fire up a full-blown hardware router to further isolate the machine from Microsoft, add a static route for the offending IP address, pointing it at a Windows 2000 server running IIS so there will at least be a session establishment attempt instead of the request being immediately stomped by the router and/or ZoneAlarm.

My suspicions at this point are not that Microsoft is being deceptive, collecting my hat size or preference in pain relievers for subversive use, but this lends weight to my very sincere belief that Microsoft is overstepping the bounds of reasonable respect to paying customers. Whatever XP is trying to do is likely trivial, but how it's being done is far from it. I'm plenty steamed, believe me."

19 posted on 01/18/2003 9:22:50 AM PST by Sir Gawain (_|_)


To: Sir Gawain
You may just be seeing Windows Autoupdate. By default it's turned on in Windows XP, so it downloads Windows Updates in the background and just asks you if you want to install them after they've been downloaded. You can go in and turn off the auto function if you choose. I don't mistrust Microsoft, but I prefer to turn it off so it doesn't start downloading right when I'm trying to do something else.

Thanks for your list. You also might want to have a look at SpySites, a Shareware or Freeware program at Camtech:

http://camtech2000.net/Pages/SpySites_Program.html

Scroll down to the bottom for the freeware version. It provides a list of troublesome and extra-troublesome sites and can be used to enter these sites in your blocked sites list under IE Explorer Options. This is especially useful if you have kids who use your computer who may be drawn to some site that installs spyware on your computer.
22 posted on 01/18/2003 9:36:49 AM PST by Cicero

To: Sir Gawain
I got a new XP box in the mail, planning to add a second HD for dual boot running a Linux or BSD(?) distribution. I have no idea if it will add any protection but don't see how it could hurt.

The article I read on this mentioned a NSA.dll file; of course the NSA part drew a lot of attention from the less trusting. Think the story was up at voxnyc, which seems to be conspiracy oriented. Thanks for the info, don't know much about these things.
25 posted on 01/18/2003 9:39:51 AM PST by steve50
