W2K system phones home after latest MS security update


I'm running Win2K on a standalone system at home (not networked). It's connected to the Internet via a Linksys BEFSX41 router/hardware firewall and cable modem. I am running an old version of Zone Alarm (2.6x), but it's mainly to monitor something trying to 'get out'; the router is blocking everything that used to trigger ZA.

After the latest MS security updates (Aug 12, 2008) Zone Alarm suddenly starts popping up with two requests to access the Internet after I boot up. The names of the two services are not much help (Generic Host Services for Win 32 Services and Services and Controller App).

I am very cautious about security. I have been on the Internet for 10-1/2 years and in all that time I have never had an infection from any kind of a virus, worm or malware. I run W2K with lots of unnecessary services disabled. I have been using Zone Alarm ever since v 2.0 (1999 or 2000). I run Firefox Browser with no script, locked up tight and only trusted sites get to use Java, cookies, etc. I run a hosts file to block lots of ads, dangerous sites, etc. I have Ad-Aware, Spybot and AVG (although I have never had any of them flag anything).

I am very careful not to have automatic update enabled on ANYTHING (not just Windows but every other piece of software as well). I have both Outlook "Distress" and MS Windows media player (along with other junk) uninstalled from my system via Win2K lite. (I use an old 3x version of Eudora for e-mail and Real Player Alternative/Quick Time Alternative.)

The only time I have ever had this happen before was when I had reinstalled W2K three or four years ago. I had to use the setup CD provided by my ISP (Comcast) to get connected to the Internet. I would sometimes get the same two requests when booting (which I always denied). I figured it was some crap-phone home thing that Comcast had on its software. After a few months, it seemed to ask less and less and finally seemed to stop.

I had to reinstall Windows last year and pleasantly discovered that I did not have to use the Comcast setup disc after setting up the router. After this point, I never got the two requests to phone home. That seemed to confirm to me that it was something of Comcast's. I just downloaded the MS security updates last week. After I rebooted, there were these two services trying to get out again.

I normally keep these two services as 'prompt' under Zone Alarm. The only time they ever come up is when I connect to the Windows update site. While the update is running, the request comes up for both of these services and I allow it, as Windows update fails if I deny them. They NEVER come up at any other time and that is why I keep them on 'prompt' as normally nothing should be asking to connect to the Internet via these.

Of course, I will keep denying them. They only come up once when booting and I hope they will eventually stop asking, just as happened before. Of course, Ad-Aware/Spybot/AVG come up with nothing as always.

Has anybody else experienced this?

Edited by the xt guy


Hard to say - that's just saying something inside of a svchost.exe tried to contact someone/something on the internet. Usually windows update, but there are about 20 other services on your box by default that run in a svchost.exe (and other vendors can use it too, so it's not a guarantee it's Microsoft either). What IP address or host name did it try to contact, btw?


S and C was accessing 255.255.255.255:DHCP and GHC for W32 services was accessing 68.87.85.98:DNS. I know the first IP number is for Internal Routing with Windows and is really not a security threat. The second IP number goes to Comcast and I believe was the same IP number that my system used to try to access.

It seems odd that these two requests should suddenly start happening again immediately after I updated Win2K.

I'm confident that neither one of these is a security threat. But they are an annoyance.

Edited by the xt guy

  • 3 weeks later...

Problem solved. Since I was confident that I did not have any spyware or viri on my computer, I allowed the two requests to go through, then checked the logs of my Linksys router. There was an outgoing request from my computer to the website "stats.microsoft.com". I had never seen that in the logs before. So I added the site to my hosts file and no more phoning home!

While searching on the net for info on stats.microsoft.com, I found someone's list of over 100 MS sites to add to a hosts file and block this sort of unwelcome communicating to MS. Since I am running W2K and do check for critical updates once a month (on "update Tuesday") I did have to take three sites out of this list to permit Windows update to still work, which it still does.

In XP SP2, adding the sites to the hosts file won't work as MS has hidden rules in the dnsapi.dll file to override any manual settings in the hosts file for all MS sites.

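The check the last post describes (comparing what the router logged against what the hosts file blocks), as an added example that is not part of the thread: it parses a hosts file for sinkholed names, then reports names still contacted despite the block, contacted names with no block entry, and required names the block list would break. The log format, the `.invalid` hostnames and the `REQUIRED` list are constructed assumptions; only `stats.microsoft.com` comes from the thread.

```python
# Added example: cross-check a hosts-file block list against outbound log entries.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}

def sinkholed_names(hosts_text):
    """Hostnames that the hosts file maps to a sinkhole address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in SINKHOLE_IPS:
            # one line may carry several names; compare case-insensitively
            names.update(n.lower().rstrip(".") for n in fields[1:])
    names.discard("localhost")  # the stock loopback entry is not a block
    return names

def outbound_names(log_text):
    """Unique destination names from the constructed format: date time OUT src dst port."""
    seen = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] == "OUT":
            name = f[4].lower().rstrip(".")
            if name not in seen:
                seen.append(name)
    return seen

def audit(hosts_text, log_text, required):
    blocked = sinkholed_names(hosts_text)
    contacted = outbound_names(log_text)
    return {
        "still_contacted": [n for n in contacted if n in blocked],
        "not_blocked": [n for n in contacted if n not in blocked],
        "required_but_blocked": sorted(blocked & {r.lower() for r in required}),
    }

# Constructed sample data (hypothetical names and log layout)
HOSTS = """\
127.0.0.1   localhost
0.0.0.0     stats.microsoft.com        # entry described in the thread
0.0.0.0     ads.example.invalid tracker.example.invalid
0.0.0.0     Update.Example.invalid     # placeholder for an update host
10.0.0.5    nas.example.invalid        # real mapping, not a block
"""
LOG = """\
2008-09-02 08:14:11 OUT 192.168.1.100 tracker.example.invalid 80
2008-09-02 08:14:12 OUT 192.168.1.100 cdn.example.invalid 80
2008-09-02 08:14:12 IN 203.0.113.9 192.168.1.100 113
2008-09-02 08:15:40 OUT 192.168.1.100 cdn.example.invalid 443
"""
REQUIRED = ["update.example.invalid"]

if __name__ == "__main__":
    for key, names in audit(HOSTS, LOG, REQUIRED).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

A name under `still_contacted` means the hosts entry is not stopping the traffic, so the block has to be enforced somewhere else, such as at the router.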
