Explorer.exe connecting on startup

15-04-2004, 22:45   #1   revol

Hey people, (first-poster here, hello to everyone)

I'm an NTL 512k STB BB user, running Windows XP Pro (Sp1) fully updated with all current security 'fixes'. Today I noticed a strange log in my Kerio personal firewall. It seems that on startup, the program 'Explorer.exe' appears to either be trying to be accessed or trying to establish a connection with another address. I set up a rule to block TCP/UDP attempts on 'Explorer.exe', and got the following logs:

Blocked:Out UDP, localhost:3011->239.255.255.250:1900, Owner: C:\Windows\Explorer.exe
Blocked:Out UDP, localhost:3011->127.0.0.1:3011, Owner: C:\Windows\Explorer.exe

The localhost ports are usually in the range 3009-3014 (from what's been logged so far), and these logs only appear just at startup. After 7 or 8 attempts are blocked (on different ports in the range), it stops trying and nothing else gets logged. Kerio shows no open incoming or outgoing connections through anything suspicious.

I've never seen this before, (I got scared) and re-installed Windows completely, only to find the problem still occurring. I have done a full virus check through Trend Micro's Housecall, and run Spybot S&D (up to date) with nothing logged on either.

One thing struck me that on one reboot, a different connection was blocked through Explorer.exe:

Blocked: Out TCP, localhost:3034->207.46.248.249:80, Owner: C:\Windows\Explorer.exe
Blocked: Out TCP, localhost:3033->207.46.248.249:80, Owner: C:\Windows\Explorer.exe

I ran a SmartWHOIS on the IP and it is a Microsoft Corporation address (maybe these are just harmless connections logged only because I put a complete block on Explorer.exe, and I haven't noticed them in the past?). Anyway, due to my Firewall config no connections are successful through Explorer.exe, but I'm still concerned why these have only just appeared.

Any help/advice? Sorry if the post is lay-man, I'm not too up on Network systems.

-rev

15-04-2004, 22:59   #2   Xaccers

Oh god I can't remember the details but this caused so many conspiracy theories.
Think it's something to do with the search facility in explorer

15-04-2004, 23:01   #3   darkangel

Quote:
Originally Posted by revol
<snip>
239.255.255.250 is an IANA reserved address. Not 100% sure what this does, but it's harmless as far as I know.
207.46.248.249 is the Windows search assistant server, sc.microsoft.com, again harmless.

15-04-2004, 23:13   #4   Defiant

Run Spybot and Ad-Aware, both free on www.download.com, and see what they say.

15-04-2004, 23:16   #5   Paul M

Port 1900 is the PnP equipment discovery stuff I believe.

15-04-2004, 23:37   #6   abailey152

Yep, it's Universal Plug and Play (Pray???). Unless you actually need UPnP, port 1900 can be blocked.

I had to open it up, however, to use some voice functions in Windows Messenger via Internet Connection Sharing through my LAN. ICS runs as a software router, so it needs to be UPnP capable for Messenger to be able to assign ports for the voice functions. At least this is what Microsoft KB said!
Andy

16-04-2004, 00:40   #7   Matt D

Quote:
Originally Posted by abailey152
Yep, it's Universal Plug and Play (Pray???). Unless you actually need UPnP, port 1900 can be blocked.

I had to open it up, however, to use some voice functions in Windows Messenger via Internet Connection Sharing through my LAN. ICS runs as a software router, so it needs to be UPnP capable for Messenger to be able to assign ports for the voice functions. At least this is what Microsoft KB said!

Also, to completely stop & disable the UPnP service in XP (unless you actually need it for some reason):

Go to "Start", then "Run", & enter "services.msc" & hit OK (or go to the "Services" tool in the Administrative Tools section in the Control Panel).

Look through the list of services for these entries: "Universal Plug and Play Device Host" *and* "SSDP Discovery Service".

Double click on one, Stop it, & then change its startup type to "Disabled" & hit "Apply". Then Stop & Disable the other of these two services.

Or, you can simply use GRC.com's "UnPlug N Pray" app to stop & disable the UPnP services: http://www.grc.com/unpnp/unpnp.htm (also info there on UPnP).
Last edited by Matt D; 16-04-2004 at 00:42. Reason: typos

16-04-2004, 05:31   #8   revol

Thanks a lot guys. UPnP was stopped already but I set it to 'Disabled'. SSDP I stopped and disabled, and now the strange problem has gone! It's just weird that I never noticed it before. Ho hum.

Great forum, great advice. Mucho appreciated.

-rev

16-04-2004, 18:30   #9   Tricky

One thing to watch for is a trojan doing the rounds as "explorer.exe " (note the space at the end) - You may have this on your box (make sure your virus scanners are up to date also).

Do a search for explorer.ex* on your machine and see how many come back.
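
The triage the replies above do by hand (SSDP discovery on 239.255.255.250:1900 from posts #5 and #6, looking up the outside address as in posts #1 and #3, and the look-alike "explorer.exe " from post #9), as an added Python example that is not from any poster. It assumes the Kerio log layout quoted in post #1 and treats the owner path in that log as the expected one; the function names are hypothetical.

```python
import ipaddress
import re

# First three lines are quoted from post #1; the fourth is constructed to show
# the trailing-space owner name described in post #9.
SAMPLE_LOG = "\n".join([
    r"Blocked:Out UDP, localhost:3011->239.255.255.250:1900, Owner: C:\Windows\Explorer.exe",
    r"Blocked:Out UDP, localhost:3011->127.0.0.1:3011, Owner: C:\Windows\Explorer.exe",
    r"Blocked: Out TCP, localhost:3034->207.46.248.249:80, Owner: C:\Windows\Explorer.exe",
    r"Blocked:Out UDP, localhost:3012->239.255.255.250:1900, Owner: C:\Windows\Explorer.exe ",
])
LINE_RE = re.compile(
    r"Blocked:\s*(?P<dir>In|Out)\s+(?P<proto>TCP|UDP),\s*"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+),"
    r"\s*Owner: ?(?P<owner>.*)$"  # owner is captured unstripped on purpose
)
EXPECTED_OWNER = r"c:\windows\explorer.exe"  # assumption: path from the poster's log

def classify_destination(proto, dst, dport):
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "hostname"          # not a literal address, resolve it separately
    if proto == "UDP" and dst == "239.255.255.250" and dport == 1900:
        return "ssdp-discovery"    # UPnP device discovery multicast
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "other-multicast"
    if ip.is_private:
        return "lan"
    return "external"              # worth a WHOIS lookup, as the poster did

def owner_matches(owner):
    # Exact, case-insensitive comparison: a trailing space or a copy in
    # another directory must not pass as the real shell.
    return owner.lower() == EXPECTED_OWNER

def triage(log_text):
    rows = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rows.append({
                "dst": f"{m['dst']}:{m['dport']}",
                "kind": classify_destination(m["proto"], m["dst"], int(m["dport"])),
                "owner_ok": owner_matches(m["owner"]),
            })
    return rows
```

Calling `triage(SAMPLE_LOG)` returns one row per blocked connection; a row with `owner_ok` false deserves attention even when the destination is the ordinary SSDP address.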
All times are GMT +1.

