
explorer.exe want to access the internet

January 19, 2005 7:05:38 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

I have a XP PC (Home) that was infected with worms & trojans.
Cleaned with Norton AV and Trend Micro on-line scan.
Installed Zone Alarm (Free version) to monitor out-going traffic.
Installed SP2.
After SP2 install Zone Alarm notifies that explorer.exe wants to access the
internet.
If I allow it access it sends out a series of pings to a random lot of IP
addresses and ports.

Is this normal?

Frank Klassen
Anonymous
January 19, 2005 8:32:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

A description of Svchost.exe in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/defaul...

Anonymous
January 19, 2005 9:28:32 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

What TCP and/or UDP port(s) does EXPLORER.EXE want to communicate at ?
What is the fully qualified path to EXPLORER.EXE that is trying to access the Internet ?


--
Dave
January 19, 2005 9:28:33 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for helping.

This is about 40 seconds worth.

01/19/2005 16:59:50 TCP from 192.168.1.123:1037 to 209.249.114.19:80
01/19/2005 16:59:56 TCP from 192.168.1.123:1042 to 213.224.140.57:3574
01/19/2005 16:59:56 TCP from 192.168.1.123:1046 to 68.49.91.50:4508
01/19/2005 16:59:56 TCP from 192.168.1.123:1045 to 80.171.116.251:4718
01/19/2005 16:59:56 TCP from 192.168.1.123:1044 to 24.182.101.208:2666
01/19/2005 16:59:56 TCP from 192.168.1.123:1043 to 68.191.17.240:3802
01/19/2005 16:59:58 TCP from 192.168.1.123:1047 to 80.171.116.251(80.171.116.251):9718
01/19/2005 16:59:59 TCP from 192.168.1.123:1048 to 166.82.53.210:3026
01/19/2005 17:00:06 TCP from 192.168.1.123:1049 to 68.49.91.50(68.49.91.50):9508
01/19/2005 17:00:06 TCP from 192.168.1.123:1050 to 213.224.140.57(213.224.140.57):8574
01/19/2005 17:00:06 TCP from 192.168.1.123:1052 to 68.191.17.240(68.191.17.240):8802
01/19/2005 17:00:06 TCP from 192.168.1.123:1051 to 24.182.101.208(24.182.101.208):7666
01/19/2005 17:00:09 TCP from 192.168.1.123:1053 to 166.82.53.210(166.82.53.210):8026
01/19/2005 17:00:17 TCP from 192.168.1.123:1055 to 165.134.177.105:4880
01/19/2005 17:00:17 TCP from 192.168.1.123:1054 to 62.101.231.181:2931
01/19/2005 17:00:17 TCP from 192.168.1.123:1056 to 169.254.241.4:1351
01/19/2005 17:00:17 TCP from 192.168.1.123:1057 to 68.205.50.196:4187
01/19/2005 17:00:20 TCP from 192.168.1.123:1058 to 169.254.12.1:1138
01/19/2005 17:00:27 TCP from 192.168.1.123:1059 to 165.134.177.105(165.134.177.105):9880
01/19/2005 17:00:27 TCP from 192.168.1.123:1061 to 68.205.50.196(68.205.50.196):9187
01/19/2005 17:00:27 TCP from 192.168.1.123:1062 to 169.254.241.4(169.254.241.4):6351
01/19/2005 17:00:27 TCP from 192.168.1.123:1060 to 62.101.231.181(62.101.231.181):7931
01/19/2005 17:00:30 TCP from 192.168.1.123:1063 to 169.254.12.1(169.254.12.1):6138

Zone alarm reports the following details on the file:

Product Name: Microsoft Windows Operating System
File Name: C:\Windows\explorer.EXE (upper case exe by Zone Alarm)
Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Created Date: 04/08/2004
File Size: 1008 KB

Frank Klassen
Anonymous
January 19, 2005 10:56:18 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Frank I'm not sure you are clean.

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt361.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
4) Reboot your PC into Safe Mode [F8 key during boot]
and shutdown as many applications as possible.
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point


* * * Please report your results ! * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
January 20, 2005 3:47:06 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

http://www.pcworld.com/reviews/article/0,aid,115939,pg,...

Your problem looks like normal behavior for the Bagle worm. Page 2 of
the article cited above states the following:


Consider the Bagle worm, which hides its identity by injecting itself
into the Windows Explorer application. When AV-Test infected a system
with this worm, the McAfee, Norton, Sygate, and ZoneAlarm firewalls
asked if Windows Explorer could access the Internet. Attentive users
might wonder why the app was spontaneously trying to access the
Internet, but others might simply click the OK button without
considering the implications.


Note that the Bagle worm hides its identity. Other techniques used to
hide viruses include compression and encryption. That's why no
anti-virus program ever catches 100% of Known viruses, much less 100% of
Unknown viruses.
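
The firewall log posted earlier in this thread and the Bagle explanation above describe the same signal: a shell process credited with bursts of outbound connections to many unrelated hosts on non-standard ports. As an added example (not part of any post in the thread), this Python script parses log lines in that format, rejoins wrapped records and summarises the fan-out; the sample lines are constructed, and the thresholds and `COMMON_CLIENT_PORTS` are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample in the format of the firewall log posted in this thread.
# Destinations are documentation addresses (RFC 5737) plus one link-local
# address, not the hosts from the thread. Two records are wrapped onto a
# second line, as the archive wrapped the "host(host):port" entries.
SAMPLE_LOG = """\
01/19/2005 16:59:50 TCP from 192.168.1.123:1037 to 192.0.2.19:80
01/19/2005 16:59:56 TCP from 192.168.1.123:1042 to 198.51.100.57:3574
01/19/2005 16:59:56 TCP from 192.168.1.123:1043 to 203.0.113.240:3802
01/19/2005 16:59:56 TCP from 192.168.1.123:1044 to 198.51.100.208:2666
01/19/2005 16:59:56 TCP from 192.168.1.123:1045 to 203.0.113.251:4718
01/19/2005 16:59:59 TCP from 192.168.1.123:1048 to 192.0.2.210:3026
01/19/2005 17:00:06 TCP from 192.168.1.123:1050 to
198.51.100.57(198.51.100.57):8574
01/19/2005 17:00:06 TCP from 192.168.1.123:1052 to
203.0.113.240(203.0.113.240):8802
01/19/2005 17:00:17 TCP from 192.168.1.123:1056 to 169.254.241.4:1351
01/19/2005 17:00:17 TCP from 192.168.1.123:1057 to 192.0.2.196:4187
"""

# Assumption: ports a desktop shell process might plausibly reach on its own.
COMMON_CLIENT_PORTS = {53, 80, 443}

RECORD_START = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?:TCP|UDP) from "
    r"(?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+)(?:\([\d.]+\))?:(?P<dport>\d+)$"
)


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Rejoin wrapped records, then parse each one into a Conn."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A record cut off after " to" continues on the next non-record line.
        if records and records[-1].endswith(" to") and not RECORD_START.match(line):
            records[-1] += " " + line
        else:
            records.append(line)
    conns = []
    for rec in records:
        m = RECORD.match(rec)
        if m:  # anything that is not a connection record is skipped
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            conns.append(Conn(ts, m["src"], m["dst"], int(m["dport"])))
    return sorted(conns, key=lambda c: c.ts)


def assess(conns, window=timedelta(seconds=60), min_dests=8, min_odd_ratio=0.8):
    """Summarise outbound fan-out; the thresholds are illustrative assumptions."""
    peak = 0
    for i, first in enumerate(conns):
        # Distinct destinations contacted within `window` of this connection.
        seen = {c.dst for c in conns[i:] if c.ts - first.ts <= window}
        peak = max(peak, len(seen))
    odd = sum(c.dport not in COMMON_CLIENT_PORTS for c in conns)
    odd_ratio = odd / len(conns) if conns else 0.0
    ports_by_host = defaultdict(set)
    for c in conns:
        ports_by_host[c.dst].add(c.dport)
    return {
        "connections": len(conns),
        "peak_distinct_dests": peak,
        "odd_port_ratio": odd_ratio,
        # Link-local targets are unreachable from a routed 192.168.x.x host.
        "link_local_dests": sorted(
            {c.dst for c in conns if ipaddress.ip_address(c.dst).is_link_local}
        ),
        # Hosts contacted on more than one port inside the capture.
        "multi_port_hosts": {
            h: sorted(p) for h, p in ports_by_host.items() if len(p) > 1
        },
        "fan_out": peak >= min_dests and odd_ratio >= min_odd_ratio,
    }


if __name__ == "__main__":
    for key, value in assess(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A `fan_out` result only says the traffic pattern is unusual for the named process; it does not identify what is generating it.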


January 21, 2005 2:17:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Well it appears as if I will be doing a clean install of Windows.
SysClean didn't find anything.
Stinger found something called c.bat which it considered dangerous and
Adaware found some cookie.
After it all Explorer.exe still trying to communicate with the outside.

Thanks for trying to help.

Frank Klassen
Anonymous
January 21, 2005 6:27:16 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Don't give up yet !

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Symantec:
http://security.symantec.com/



--
Dave
January 24, 2005 8:42:21 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave,

I hate to admit failure but I gave up and took the easy route. A clean
install fixed the problem.
I do appreciate your help.

Frank