revol
15-04-2004, 22:45
Hey people, (first-poster here, hello to everyone :) )
I'm an NTL 512k STB BB user, running Windows XP Pro (Sp1) fully updated with all current security 'fixes'. Today I noticed a strange log in my Kerio personal firewall. It seems that on startup, the program 'Explorer.exe' appears to either be trying to be accessed or trying to establish a connection with another address. I set up a rule to block TCP/UDP attempts on 'Explorer.exe', and got the following logs:
Blocked:Out UDP, localhost:3011->239.255.255.250:1900, Owner: C:\Windows\Explorer.exe
Blocked:Out UDP, localhost:3011->127.0.0.1:3011, Owner: C:\Windows\Explorer.exe
The localhost ports are usually in the range 3009-3014 (from what's been logged so far), and these logs only appear just at startup. After 7 or 8 attempts are blocked (on different ports in the range), it stops trying and nothing else gets logged. Kerio shows no open incoming or outgoing connections through anything suspicious.
I've never seen this before, (I got scared) and re-installed Windows completely, only to find the problem still occurring. I have done a full virus check through Trend Micro's Housecall, and run Spybot S&D (up to date) with nothing logged on either.
One thing struck me that on one reboot, a different connection was blocked through Explorer.exe:
Blocked: Out TCP, localhost:3034->207.46.248.249:80, Owner: C:\Windows\Explorer.exe
Blocked: Out TCP, localhost:3033->207.46.248.249:80, Owner: C:\Windows\Explorer.exe
I ran a SmartWHOIS on the IP and it is a Microsoft Corporation address (maybe these are just harmless connections logged only because I put a complete block on Explorer.exe, and I haven't noticed them in the past?). Anyway, due to my Firewall config no connections are successful through Explorer.exe, but I'm still concerned why these have only just appeared.
Any help/advice? Sorry if the post is layman, I'm not too up on Network systems.
-rev
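An added example, not part of the original post: a small parser for the firewall log format quoted above that labels each blocked destination by address type (loopback, multicast, local network, routable), which is the first triage step for entries like these. It relies on the fact that 239.255.255.250 on UDP port 1900 is the SSDP (UPnP discovery) multicast group; the function names and category labels are illustrative.

```python
import ipaddress
import re

# Log lines copied from the post above; note the optional space after "Blocked:".
SAMPLE_LOG = r"""
Blocked:Out UDP, localhost:3011->239.255.255.250:1900, Owner: C:\Windows\Explorer.exe
Blocked:Out UDP, localhost:3011->127.0.0.1:3011, Owner: C:\Windows\Explorer.exe
Blocked: Out TCP, localhost:3034->207.46.248.249:80, Owner: C:\Windows\Explorer.exe
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+):\s*(?P<direction>In|Out)\s+(?P<proto>TCP|UDP),\s*"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+),\s*"
    r"Owner:\s*(?P<owner>.+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label the destination by address type; this says nothing about intent."""
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return "invalid-address"   # e.g. an octet above 255 in a damaged log line
    if dst.is_loopback:
        return "loopback"          # traffic that never leaves the machine
    if dst.is_multicast:
        # 239.255.255.250:1900/UDP is the SSDP (UPnP discovery) group.
        if rec["proto"] == "UDP" and str(dst) == "239.255.255.250" and rec["dport"] == 1900:
            return "ssdp-multicast"
        return "multicast"
    if dst.is_private or dst.is_link_local:
        return "local-network"
    return "internet"              # routable: look up the owner, as the poster did

def triage(log_text):
    """Return (category, proto, dst, dport, owner) for every parsable line."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(classify(r), r["proto"], r["dst"], r["dport"], r["owner"]) for r in recs]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```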