Windows Update was acting very suspiciously this morning...

I've had the Windows Update icon in my system tray for a while, and
the lone update (SP3) always failed to install for some reason.

This morning, I decided to go through the browser in the hopes that I
would get some kind of error message I could follow up on.

I opened Windows Update through the start menu.

IE opened to "update.microsoft.com," and I got an information bar that
I need to authorize an ActiveX control.

Weird thing was, the referenced add-on was "'DTBDOT~1.ocx' from
'ALLTEL (unverified publisher)'".

Who is ALLTEL? Why are they wanting to run ActiveX controls on
Microsoft's own site? And why would they be unverified?

I got to wondering if this was a man-in-the-middle attack. I checked
my HOSTS file for rogue entries, but found nothing.

I pinged "update.microsoft.com" and it came back "65.55.184.93".
Reverse DNS failed to resolve, but there was a pointer to
"update.microsoft.com.nsatc.com."

What is "nsatc.com"? I tried to pull this up in a browser, but it
doesn't resolve.

Needless to say, I didn't do the update.

So...does all this seem weird to anyone else?

On Nov 13, 7:39*am, Deane <de...@blendinteractive.com> wrote:
> I've had the Windows Update icon in my system tray for a while, and
> the lone update (SP3) always failed to install for some reason.
>
> This morning, I decided to go through the browser in the hopes that I
> would get some kind of error message I could follow up on.
>
> I opened Windows Update through the start menu.
>
> IE opened to "update.microsoft.com," and I got an information bar that
> I need to authorize an ActiveX control.
>
> Weird thing was, the referenced add-on was "'DTBDOT~1.ocx' from
> 'ALLTEL (unverified publisher)'".
>
> Who is ALLTEL? *Why are they wanting to run ActiveX controls on
> Microsoft's own site? *And why would they be unverified?
>
> I got to wondering if this was a man-in-the-middle attack. *I checked
> my HOSTS file for rogue entries, but found nothing.
>
> I pinged "update.microsoft.com" and it came back "65.55.184.93".
> Reverse DNS failed to resolve, but there was a pointer to
> "update.microsoft.com.nsatc.com."
>
> What is "nsatc.com"? *I tried to pull this up in a browser, but it
> doesn't resolve.
>
> Needless to say, I didn't do the update.
>
> So...does all this seem weird to anyone else?

I tried on my computer at the office, and I did not get prompted to
load that ActiveX control. Additionally, I searched the controls
currently installed, and it did not appear anywhere.

Deane

Deane wrote:
> On Nov 13, 7:39 am, Deane <de...@blendinteractive.com> wrote:
>> I've had the Windows Update icon in my system tray for a while, and
>> the lone update (SP3) always failed to install for some reason.
>>
>> This morning, I decided to go through the browser in the hopes that I
>> would get some kind of error message I could follow up on.
>>
>> I opened Windows Update through the start menu.
>>
>> IE opened to "update.microsoft.com," and I got an information bar that
>> I need to authorize an ActiveX control.
>>
>> Weird thing was, the referenced add-on was "'DTBDOT~1.ocx' from
>> 'ALLTEL (unverified publisher)'".
>>
>> Who is ALLTEL? Why are they wanting to run ActiveX controls on
>> Microsoft's own site? And why would they be unverified?
>>
>> I got to wondering if this was a man-in-the-middle attack. I checked
>> my HOSTS file for rogue entries, but found nothing.
>>
>> I pinged "update.microsoft.com" and it came back "65.55.184.93".
>> Reverse DNS failed to resolve, but there was a pointer to
>> "update.microsoft.com.nsatc.com."
>>
>> What is "nsatc.com"? I tried to pull this up in a browser, but it
>> doesn't resolve.
>>
>> Needless to say, I didn't do the update.
>>
>> So...does all this seem weird to anyone else?
>
> I tried on my computer at the office, and I did not get prompted to
> load that ActiveX control. Additionally, I searched the controls
> currently installed, and it did not appear anywhere.

Alltel is/was a wireless provider which was/is being acquired by Verizon;
cf. http://en.wikipedia.org/wiki/Alltel

Were you connecting via a wireless USB key at home (or wherever you were at
the time)?

>> I've had the Windows Update icon in my system tray for a while, and
>> the lone update (SP3) always failed to install for some reason.

WinXP SP3 - Read all prerequisites for a successful installation
http://msmvps.com/blogs/harrywaldron...tallation.aspx

Free unlimited installation and compatibility support is available for
Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
e-mail support is available only in the United States and Canada. Go to
http://support.microsoft.com/oas/def...spx?gprid=1173 | select "Windows
XP" then select "Windows XP Service Pack 3"
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

On Nov 13, 10:46*am, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> Deanewrote:
> > On Nov 13, 7:39 am,Deane<de...@blendinteractive.com> wrote:
> >> I've had the Windows Update icon in my system tray for a while, and
> >> the lone update (SP3) always failed to install for some reason.
>
> >> This morning, I decided to go through the browser in the hopes that I
> >> would get some kind of error message I could follow up on.
>
> >> I opened Windows Update through the start menu.
>
> >> IE opened to "update.microsoft.com," and I got an information bar that
> >> I need to authorize an ActiveX control.
>
> >> Weird thing was, the referenced add-on was "'DTBDOT~1.ocx' from
> >> 'ALLTEL (unverified publisher)'".
>
> >> Who is ALLTEL? Why are they wanting to run ActiveX controls on
> >> Microsoft's own site? And why would they be unverified?
>
> >> I got to wondering if this was a man-in-the-middle attack. I checked
> >> my HOSTS file for rogue entries, but found nothing.
>
> >> I pinged "update.microsoft.com" and it came back "65.55.184.93".
> >> Reverse DNS failed to resolve, but there was a pointer to
> >> "update.microsoft.com.nsatc.com."
>
> >> What is "nsatc.com"? I tried to pull this up in a browser, but it
> >> doesn't resolve.
>
> >> Needless to say, I didn't do the update.
>
> >> So...does all this seem weird to anyone else?
>
> > I tried on my computer at the office, and I did not get prompted to
> > load that ActiveX control. *Additionally, I searched the controls
> > currently installed, and it did not appear anywhere.
>
> Alltel is/was a wireless provider which was/is being acquired by Verizon;
> cf.http://en.wikipedia.org/wiki/Alltel
>
> Were you connecting via a wireless USB key at home (or wherever you were at
> the time)?
>
> >> I've had the Windows Update icon in my system tray for a while, and
> >> the lone update (SP3) always failed to install for some reason.
>
> WinXP SP3 - Read all prerequisites for a successful installationhttp://msmvps.com/blogs/harrywaldron/archive/2008/05/08/windows-xp-sp...
>
> Free unlimited installation and compatibility support is available for
> Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
> e-mail support is available only in the United States and Canada. *Go tohttp://support.microsoft.com/oas/default.aspx?gprid=1173| select "Windows
> XP" then select "Windows XP Service Pack 3"
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Adminhttp://aumha.net
> DTS-Lhttp://dts-l.net/

Well, I know who Alltel is, I guess, but why would they be trying to
install an ActiveX control on the Microsoft Update site?

Deane

Deane wrote:
> On Nov 13, 10:46 am, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>> Deanewrote:
>>> On Nov 13, 7:39 am,Deane<de...@blendinteractive.com> wrote:
>>>> I've had the Windows Update icon in my system tray for a while, and
>>>> the lone update (SP3) always failed to install for some reason.
>>
>>>> This morning, I decided to go through the browser in the hopes that I
>>>> would get some kind of error message I could follow up on.
>>
>>>> I opened Windows Update through the start menu.
>>
>>>> IE opened to "update.microsoft.com," and I got an information bar that
>>>> I need to authorize an ActiveX control.
>>
>>>> Weird thing was, the referenced add-on was "'DTBDOT~1.ocx' from
>>>> 'ALLTEL (unverified publisher)'".
>>
>>>> Who is ALLTEL? Why are they wanting to run ActiveX controls on
>>>> Microsoft's own site? And why would they be unverified?
>>
>>>> I got to wondering if this was a man-in-the-middle attack. I checked
>>>> my HOSTS file for rogue entries, but found nothing.
>>
>>>> I pinged "update.microsoft.com" and it came back "65.55.184.93".
>>>> Reverse DNS failed to resolve, but there was a pointer to
>>>> "update.microsoft.com.nsatc.com."
>>
>>>> What is "nsatc.com"? I tried to pull this up in a browser, but it
>>>> doesn't resolve.
>>
>>>> Needless to say, I didn't do the update.
>>
>>>> So...does all this seem weird to anyone else?
>>
>>> I tried on my computer at the office, and I did not get prompted to
>>> load that ActiveX control. Additionally, I searched the controls
>>> currently installed, and it did not appear anywhere.
>>
>> Alltel is/was a wireless provider which was/is being acquired by Verizon;
>> cf.http://en.wikipedia.org/wiki/Alltel
>>
>> Were you connecting via a wireless USB key at home (or wherever you were
>> at
>> the time)?
>>
>>>> I've had the Windows Update icon in my system tray for a while, and
>>>> the lone update (SP3) always failed to install for some reason.
>>
>> WinXP SP3 - Read all prerequisites for a successful
>> installationhttp://msmvps.com/blogs/harrywaldron/archive/2008/05/08/windows-xp-sp...
>>
>> Free unlimited installation and compatibility support is available for
>> Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
>> e-mail support is available only in the United States and Canada. Go
>> tohttp://support.microsoft.com/oas/default.aspx?gprid=1173| select
>> "Windows XP" then select "Windows XP Service Pack 3" --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Adminhttp://aumha.net
>> DTS-Lhttp://dts-l.net/
>
> Well, I know who Alltel is, I guess, but why would they be trying to
> install an ActiveX control on the Microsoft Update site?

Repost:
>> Were you connecting via a wireless USB key at home (or wherever you were
>> at
>> the time)?

> > Were you connecting via a wireless USB key at home (or wherever you were at
> > the time)?

No, my connection was wired at the time.

Deane wrote:
>>> Were you connecting via a wireless USB key at home (or wherever you were
>>> at the time)?
>
> No, my connection was wired at the time.

PLEASE stop snipping my replies!

Open a free Support Incident.

[I am no longer watching this thread.]