Q: 2003 Norton Personal Firewall ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: 2003 Norton Personal Firewall
Category: Computers > Security
Asked by: wolfriend-ga
List Price: $2.00
Posted: 17 Jan 2004 18:15 PST
Expires: 16 Feb 2004 18:15 PST
Question ID: 297523
Why does my 2003 Norton Personal Firewall Log Viewer constantly repeat
the same report over and over - several times a minute?  "An instance
of "C:\WINDOWS\System32\rundll32.exe" is preparing to access the
Internet for the first time"

Request for Question Clarification by livioflores-ga on 17 Jan 2004 20:33 PST
Please try the following:

Download and run the following software:
Spybot:
http://www.safer-networking.org/index.php?page=spybotsd
http://spybot.zone-x.com/spybotsd12.exe

Maybe spyware is trying to connect to the Internet.

Request for Question Clarification by tisme-ga on 17 Jan 2004 23:39 PST
It could be spyware, but I suspect that it could also be a trojan
(probably irc triggered). I suggest that you do a complete virus scan
at this URL: http://housecall.trendmicro.com/housecall/start_corp.asp

Let us know how it goes,

tisme-ga

Clarification of Question by wolfriend-ga on 18 Jan 2004 13:19 PST
Hello.  Thank you both, livioflores and tisme, for your suggestions. 
I ran Housecall, but it did not find anything.  I ran Spybot, and
while it fixed some spyware, it didn't have an effect on my issue. 
I'm sure this rundll32.exe is a legitimate program, I just don't
understand why it's constantly appearing in my Log Viewer every few
seconds.  I suppose it's more annoying than anything.  When it hogs up
all my Log Viewer space, other items drop from the list more quickly.

Thanks again for your responses.

Request for Question Clarification by tisme-ga on 18 Jan 2004 14:09 PST
Hello wolfriend,

While rundll32.exe is a legitimate program, a lot of trojans use it as
a gateway to access your system. Considering there was spyware on your
computer, it is not far-fetched to imagine that there could still be a
trojan (or spyware) that uses the file. I am not sure what OS you have
but you may want to try to get rundll32.exe from a different system or
from your cd-rom cab files. Here are the instructions if you happen to
be using Windows ME:

http://www.techsupportforum.com/showthread.php?s=&threadid=8556

tisme-ga

Request for Question Clarification by tisme-ga on 18 Jan 2004 14:11 PST
Try this: http://www.zonelabs.com/store/content/promotions/pestscan/pestscan.jsp?lid=bnr1

tisme-ga

Clarification of Question by wolfriend-ga on 18 Jan 2004 19:57 PST
Hi Tisme.  Thanks again for your comments.  To answer your first
question I am using Windows XP Home Edition.  I tried the pestscan. 
It did find several items it called spyware that the other program
didn't find.  I got rid of the ones that were cookies, but I don't
have the expertise I need to mess with the Hkeys and the dll files.  I
will try a couple other free programs I know of to see if they can
find and fix these files.  If not, I may go ahead and pay for the
license version of Pest Control.  So far my exe file is still happily
hogging all my Log Viewer space.

Thanks again for your suggestions.  The saga continues...
Wolfriend

Clarification of Question by wolfriend-ga on 18 Jan 2004 20:18 PST
CLARIFICATION - Actually pestscan called the hkey and dll files
"hijackers" not spyware.  It also found some adware.

wolfriend

Request for Question Clarification by tisme-ga on 18 Jan 2004 22:25 PST
By far the best adware program can be found here:
http://www.lavasoftusa.com/support/download/ (free version will work
fine for you)

Be sure to have it update the latest reference file after installing
it and before scanning. This program should automatically delete all
the adware detected by the other program.

To replace your rundll32.exe file with the one on your Windows XP
cd-rom do the following:

Put the Windows XP CD ROM disk in the CD ROM drive. 
Click Start, and then click Run.
Type expand X:\i386\rundll32.ex_ c:\windows\rundll32.exe in the Open
box, where X is the letter of your CD ROM Drive.
Restart the computer.

Let me know if this helps!

tisme-ga

Request for Question Clarification by livioflores-ga on 19 Jan 2004 06:54 PST
Maybe your computer is running a service that is trying to connect
to the Internet. Try installing the following software:
XP-Antispy: XP-AntiSpy is a little utility that lets you disable
some built-in update and authentication 'features' in Windows XP.
-Frequently asked questions:
http://www.xp-antispy.org/index.php?option=content&task=view&id=9&Itemid=38
-Download:
http://www.xp-antispy.org/index.php?option=com_remository&Itemid=26&func=fileinfo&parent=category&filecatid=2

Additional info:
XPAntispy:
http://www.megagames.com/news/show.cgi?&idtype=tweaks&database=418&page=1&

Clarification of Question by wolfriend-ga on 19 Jan 2004 13:36 PST
Hello again tisme.  Well, I ran the lavasoft program a couple times,
but it kept missing certain "hijacker" files that the free trial of
Pest Control did find.  So I bit the bullet and paid for a licensed
version.  It got rid of several hijacker, spyware, and adware files. 
It has now been more than 12 hours since my rundll32.exe file tried to
access the internet.  So I think you helped me resolve the problem.  I
didn't replace the file yet with the XP disk since the problem seems
to be gone.  I'm hoping it's no longer infected.  Do you think I still
need to replace the rundll32.exe file?
Thanks so much,
wolfriend
Answer  
Subject: Re: 2003 Norton Personal Firewall
Answered By: tisme-ga on 19 Jan 2004 14:45 PST
Rated: 5 out of 5 stars
 
Hello wolfriend,

I am officially answering this question because it appears that we
have resolved the problem.

Regarding replacing the rundll32.exe file, what I want you to do is to
still follow the instructions, but replace this line:

expand X:\i386\rundll32.ex_ c:\windows\rundll32.exe 

with this: expand X:\i386\rundll32.ex_ c:\windows\TESTrundll32.exe 

What this will allow you to do is go into C:\Windows\ and right click
both of the files, and click on properties. I want you to check the
file size and to see if there are any major differences. If there are
any major differences, then you will want to rename your OLD
rundll32.exe file to OLDrundll32.exe and rename the new one from
TESTrundll32.exe to rundll32.exe. This will effectively replace it but
there will also be a backup just in case something happens and you
will be able to easily fix it up. Renaming can be done by right
clicking the file and clicking on Rename.

Chances are the problem is gone, but if there are any major
differences between the two files (except for modified date), I would
at least try replacing it. Even though it has not been targeted by
your antivirus software or the licensed version of Pest Control, there
is still a slight chance that your system has a hole in it, and it is
always better to be safe than sorry.

All the best,

tisme-ga

Request for Answer Clarification by wolfriend-ga on 19 Jan 2004 16:46 PST
Hello Tisme.  I did exactly as you said, but before I rename anything
I wanted to let you know what exactly I found to make sure I rename
the correct one.  I had trouble finding my new file so I did a search.
 (1) I have a rundll32 file in the c:\windows\system32 folder.  This
is the one that kept repeating itself.  It's dated 8/28/2002 and file
size is 31kb.  File type is "application".  (2) I have a rundll32 in
folder c:i386 and it is dated 8/29/2002.  File size is 11kb. File type
is EX_File.  (3) Last but not least is the new file testrundll32 in
c:\windows folder, file type is application, and file size is 31kb. 
It is dated 8/17/2001.  Anyway, should I be renaming the one in the
system32 folder since that is the one that kept getting logged over
and over?  Or do I rename the one in the i386 folder?

Incidentally, my search also found several PF files in a folder named
C:\windows\Prefetch which also contained the name rundll32.exe plus
various extensions.  All dated yesterday and today.  I don't know what
that means.

I should also mention that today my Norton Log Viewer started showing
this command "TCP non-syn/non-ack packet on invalid connection. Packet
has been dropped" several times a minute now whenever I am surfing
websites.  It doesn't seem to happen unless I am actively surfing
Internet Explorer (unlike the other report).  I have cable broadband,
by the way.  The Source IP is usually the website I'm visiting.  This
started before I ran the XP disk.

Clarification of Answer by tisme-ga on 19 Jan 2004 17:18 PST
Hello wolfriend,

I believe that the new error messages are unrelated to any security
breach on your computer. According to Norton, it seems that there is
something wrong with your internet connection and there are some
packets coming through that are either missing information or are
corrupt (this could be due to hardware/transmission errors). This is
probably an ISP issue and happens at one time or another to most of
us, another term for it is packet loss and it is only when a high
percentage of packets get "lost" that it becomes a serious problem.
See here for more information:
http://service1.symantec.com/SUPPORT/nip.nsf/4a29389c214c78ea88256c75005f451a/8736b9e561d467fa88256ccc0066c104?OpenDocument&prod=&ver=&src=sg&pcode=&svy=&csm=no

According to the date of the files, I am confident that you have
nothing to worry about changing and renaming the files. It seems that
the file sizes match with the one on your CD-ROM, and not since
8/28/2002 has the file been modified (this is probably when Windows XP
was installed on your computer). If Windows was NOT installed on that
date, make sure that the file is exactly 31.0 KB (31,744 bytes) in
size. (Look at actual size, not size on disk). If not, go ahead and
change it with a fresh one from the CD-ROM by renaming it and copying
it into C:\Windows\System32\

All the best,

tisme-ga

Feel free to delete the entire contents of your /Prefetch directory.
Some people recommend doing this at least once a month to keep your
computer nicely maintained. Prefetch is just a way that Microsoft made
to start up your computer faster. The files will be created again when
you reboot. You can read more about this here:
http://www.prabhums.org/weblogs/?postid=70
wolfriend-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $5.00
Thanks again Tisme for your advice.  I believe my computer is running
fine now and consider the issue resolved.  I also agree with you about
the new error message.  I believe they have more to do with certain
types of ads I'm blocking than the actual webpage I'm visiting.

Thanks for your help.

Wolfriend
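
The file comparison discussed in the answer and its clarification above, extended from file size to a content hash, as an added example that is not part of the original thread: two files can have the same size and still differ, so the sketch compares SHA-256 digests as well. The file names and contents are constructed stand-ins, not real Windows binaries; on a real system the two paths would be the installed rundll32.exe and the copy expanded from the CD.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so the whole binary is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_to_reference(installed_path, reference_path):
    """Compare an installed binary with a reference copy expanded from install media."""
    return {
        "size_match": os.path.getsize(installed_path) == os.path.getsize(reference_path),
        "hash_match": sha256_of(installed_path) == sha256_of(reference_path),
    }

def verdict(result):
    """Size is only a quick pre-check; the hash decides whether the content is equal."""
    if result["hash_match"]:
        return "identical"
    if result["size_match"]:
        return "same size, different content"
    return "different size and content"

def demo():
    """Run the comparison on constructed sample files (assumed names and contents)."""
    workdir = tempfile.mkdtemp()
    samples = {
        "reference.exe": b"MZ" + b"\x00" * 31742,                    # 31,744 bytes, the size quoted in the thread
        "installed_ok.exe": b"MZ" + b"\x00" * 31742,                 # byte-for-byte copy of the reference
        "installed_patched.exe": b"MZ" + b"\x00" * 31741 + b"\x90",  # same size, one byte changed
        "installed_other.exe": b"MZ" + b"\x00" * 11000,              # different size
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    ref = paths.pop("reference.exe")
    return {name: verdict(compare_to_reference(p, ref)) for name, p in paths.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A hash mismatch is not proof of tampering: an installed service pack or update can replace the file with a newer build, so the reference copy should come from media that matches the installed patch level.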

Comments  
There are no comments at this time.
