-
October 23rd, 2002, 10:41 PM
#1
explorer.exe trying to access the internet?
I have been noticing that my Sygate firewall has been blocking some strange things from accessing the internet, and I would like to know if it is normal or something is wrong.
Every time I start the computer, I get a message saying that the file C:\windows\explorer.exe has been blocked. It never seems to try again - it only happens at startup.
I am also seeing the "Win32 Kernel Core Component" C:\windows\system\kernel32.dll trying to access the internet occasionally.
I already ran a virus check, a trojan check, and adaware (which did find some stuff). Since then, I have not seen the Kernel try and access the internet (could be coincidence) but explorer still does.
-
October 23rd, 2002, 11:57 PM
#2
I don't know about the kernel32, but it apparently is "normal" for Windows Explorer to try and access the Net. It shows up in the list when my firewall (Norton) runs a scan for all internet enabled apps. This old boy blocks it. Except for IE and OE, I see absolutely no need for anything of MS to want to connect to the web.
-
October 24th, 2002, 12:40 AM
#3
All looks OK... the kernel is the big boss on your system.
"ONWARD THROUGH THE FOG"
"640K ought to be enough for anybody." - - Bill Gates, 1981
AMAZING TECHS
-
October 24th, 2002, 01:25 AM
#4
I guess the Kernel _IS_ the big boss, since it did access the internet again, and the firewall let every byte through, even though I have it set to block!
-
October 25th, 2002, 04:15 AM
#5
Took me a while, but it dawned on me just now why Windows Explorer is internet capable. In it there are the Favorites list, as well as the History list of visited sites. You can click on a link and the modem will fire up and connect to your ISP, but you'll get the usual error page if your firewall blocks Windows Explorer. I never use the Favorites, but I do use the History list to sometimes read things off-line, the things I didn't place a shortcut to on the desktop. So, maybe you should reconsider what I said earlier.
-
October 25th, 2002, 04:41 AM
#6
Hi Ice9 - I would be just a bit concerned about the security of my PC if my firewall logged repeated attempts from Windows Explorer and kernel32.dll to access the Internet. Perhaps it might help if we had a look at your startups. Go here (direct download link) and download and run Startup List. It will generate a log. Copy and paste it back in this thread and we will have a look at it for you.
***Hiya JoJo ***
-
October 25th, 2002, 02:42 PM
#7
Howdy, AnnMarie!
I didn't understand enough about the kernel to try and help, but it does seem strange that it would appear on alerts. What would cause that, except a possible trojan or worm, etc.? I suppose that's what you're going to check out, right?
-
October 25th, 2002, 03:52 PM
#8
Hi JoJo - yep, possible trojan, worm or spyware (AdAware doesn't target all spyware).
-
October 26th, 2002, 03:34 PM
#9
Hi AnnMarie,
That link didn't work for whatever reason, so I just ran msinfo32 and got the list from there (should be the same thing, right?).
I could probably stand to get rid of some of this c**p anyway...
*StateMgr c:\windows\system\restore\statemgr.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
CSINJECT.EXE c:\program files\norton systemworks\norton cleansweep\csinject.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile rundll32.exe powrprof.dll,loadcurrentpwrscheme All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LoadPowerProfile rundll32.exe powrprof.dll,loadcurrentpwrscheme All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Machine Debug Manager c:\windows\system\mdm.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft IntelliType Pro "c:\program files\microsoft hardware\keyboard\speedkey.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton Auto-Protect c:\progra~1\norton~1\norton~2\navapw32.exe /loadquiet All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton eMail Protect c:\program files\norton systemworks\norton antivirus\poproxy.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCHealth c:\windows\pchealth\support\pchschd.exe -s All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\windows\system\qttask.exe" -atboottime All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry c:\windows\scanregw.exe /autorun All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScriptBlocking "c:\program files\common files\symantec shared\script blocking\sbserv.exe" -reg All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SmcService c:\progra~1\sygate\spf\smc.exe -startgui All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmcService c:\program files\sygate\spf\smc.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SSDPSRV c:\windows\system\ssdpsrv.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Start WingMan Profiler "c:\program files\logitech\wingman software\lwtest.exe" /detect /quiet /launch "c:\program files\logitech\wingman software\lwemon.exe /noui" .DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SymTray - Norton SystemWorks c:\program files\common files\symantec shared\symtray.exe "norton systemworks" All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SystemTray systray.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-
October 26th, 2002, 04:20 PM
#10
Hi Ice9 - I have checked your Startups from the list provided and all seem fairly harmless apart from this entry. See the link "Invalid Universal Plug and Play Request Can Disrupt Computer Operation"; however, if you are up to date with your critical updates you will have installed the patch for the vulnerability.
SSDPSRV c:\windows\system\ssdpsrv.exe All Users HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
For future Plug and Play devices only. Provides Simple Service Discovery Protocol (SSDP) and General Event Notification Architecture (GENA) services for Universal Plug and Play functionality. You can uninstall it by going to Add/Remove Programs in Control Panel -> Windows Setup -> Communications. Starts up a web server on port 5000.
There are other places that trojans may start from which will only be logged by Startup List however its up to you whether or not you paste the information.
-
October 26th, 2002, 05:46 PM
#11
Ok, that link is working again so I ran the program, output is pretty long but here it is:
StartupList report, 10/26/2002, 3:43:47 PM
StartupList version: 1.34.0
Started from : C:\MY DOCUMENTS\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\MY DOCUMENTS\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
Norton eMail Protect = C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SmcService = C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Start WingMan Profiler = "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLYI~1.SCR
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 26/10/2002, 15:26:14)
[rename]
NUL=C:\WINDOWS\SYSTEM\Macromed\Flash\Flash.ocx
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\Perl\bin;C:\WINDOWS;C:\WINDOWS\COMMAND;"C:\j2sdk1.4.0_02\bin "
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
@C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Scan for Viruses.job
--------------------------------------------------
End of report, 8,501 bytes
Report generated in 0.395 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
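The review in the next reply is done by eye. An added example (not from the poster or from the StartupList tool) of the same checks done mechanically over a report in this format: parse the "Autorun entries from Registry" sections, the SYSTEM.INI Shell= line and the EXPLORER.EXE instance check, then flag autorun commands with no path (the file that actually runs depends on the search path), commands starting from a scratch directory, commands outside the Windows and Program Files roots, a Shell= other than Explorer.exe, and any explorer.exe found somewhere other than C:\WINDOWS. The trusted roots, the scratch-directory list and the "Updater" entry in the sample are assumptions constructed for the example; the sample is an abbreviated copy of the posted report plus that one made-up line so the check has something to flag.

```python
"""Triage a StartupList-style report: where do the autorun executables live,
and is there exactly one explorer.exe, where the shell expects it?"""

# Constructed excerpt in the format of the report posted above. The entries are
# copied from the post, plus one made-up "Updater" line so the check has
# something to flag; that line is not from the poster's machine.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
Updater = C:\WINDOWS\TEMP\update.exe /quiet
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
"""

# Assumptions for this example: system binaries live under these roots, and
# anything that autostarts from a scratch directory deserves a second look.
TRUSTED_ROOTS = (r"C:\WINDOWS", r"C:\PROGRAM FILES", r"C:\PROGRA~1")
SCRATCH_DIRS = (r"C:\WINDOWS\TEMP", r"C:\TEMP")
EXPECTED_EXPLORER = r"C:\WINDOWS\EXPLORER.EXE"


def parse_report(text):
    """Pull the autorun entries, the Shell= value and the explorer.exe check
    out of a StartupList report. Sections are separated by dashed lines."""
    report = {"autoruns": [], "explorer": {}, "shell": None}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            section, key = None, None
            continue
        if line.startswith("Autorun entries from Registry:"):
            section = "autorun-key"          # next line names the registry key
            continue
        if section == "autorun-key":
            key, section = line, "autorun"
            continue
        if line.startswith("Checking for EXPLORER.EXE instances:"):
            section = "explorer"
            continue
        if line.startswith("Shell & screensaver key"):
            section = "ini"
            continue
        if section == "autorun" and " = " in line:
            name, command = line.split(" = ", 1)
            report["autoruns"].append((key, name, command))
        elif section == "explorer" and ": " in line:
            path, state = line.rsplit(": ", 1)
            report["explorer"][path] = state.startswith("PRESENT")
        elif section == "ini" and line.lower().startswith("shell="):
            report["shell"] = line.split("=", 1)[1].strip()
    return report


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def triage(report):
    """Return (kind, subject, detail) findings a reviewer should look at."""
    findings = []
    for _key, name, command in report["autoruns"]:
        exe = executable_of(command)
        upper = exe.upper()
        if "\\" not in upper:
            findings.append(("unqualified", name,
                             f"'{exe}' has no path; which file runs depends on the search path"))
        elif any(upper.startswith(d + "\\") for d in SCRATCH_DIRS):
            findings.append(("scratch-dir", name, f"{exe} starts from a scratch directory"))
        elif not any(upper.startswith(r + "\\") for r in TRUSTED_ROOTS):
            findings.append(("untrusted-path", name, f"{exe} is outside the trusted roots"))
    present = sorted(p.upper() for p, ok in report["explorer"].items() if ok)
    if present != [EXPECTED_EXPLORER]:
        findings.append(("explorer-instances", "EXPLORER.EXE", f"present: {present or 'none'}"))
    if (report["shell"] or "").upper() != "EXPLORER.EXE":
        findings.append(("shell", "SYSTEM.INI", f"Shell={report['shell']!r}, not Explorer.exe"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{kind}] {subject}: {detail}")
```

On the sample this reports SysTray.Exe and Rundll32.exe as unqualified names and the made-up Updater entry as starting from C:\WINDOWS\TEMP; the explorer.exe and Shell= checks pass, which is the same conclusion the reviewer reaches by hand for the real report. The unqualified-name finding is informational for the stock Windows entries, but it is the place an extra file in an earlier search-path directory would hide.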
-
October 26th, 2002, 07:24 PM
#12
Hi again Ice9 - There is nothing in the full list of startups that would alarm me. It might be worth your while running msconfig and unchecking individual startups one by one (with the exception of Explorer and Systray), then rebooting. It's a bit tedious, but you might catch the culprit that way.
-
October 27th, 2002, 05:10 PM
#13
Thanks for your help, AnnMarie. I might try the one-at-a-time thing later if I have time. For now I just blocked UDP port 137, which is where all of the kernel traffic was going in and out. Hopefully that stops it.
As for explorer.exe, I checked where it was trying to connect and I found that the source IP is mine, and the destination is 239.255.255.250, which doesn't seem like a normal address to me. It might be related to some of the other strange issues I am still working on with regards to my firewall and connection (such as this thread).
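The two addresses in the last post are the useful clue. 239.255.255.250 is the multicast group used by SSDP, the discovery half of Universal Plug and Play, which is exactly what the ssdpsrv.exe service flagged in #10 provides, and UDP 137 is the NetBIOS name service used by Windows name resolution. Neither is Internet traffic by itself: the multicast group is administratively scoped and never forwarded across the Internet, and NetBIOS only matters when the remote end is a public address. An added example, not from the poster or from Sygate, that encodes those rules as a classifier for firewall events; the event records, the RFC 5737 documentation addresses used as "public" hosts and the allowlist of programs that may reach the Internet are all constructed for the example.

```python
"""Classify personal-firewall events like the ones in this thread: is the
remote end a multicast group, the local network, or the Internet?"""
import ipaddress
from collections import Counter

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")   # UPnP discovery group
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Private, link-local and loopback ranges count as "the LAN" for this check.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Assumed allowlist: the only programs this user expects to reach the Internet.
INTERNET_APPS = {"iexplore.exe", "msimn.exe"}

# Constructed events, not Sygate's log format: (program, protocol, direction,
# remote address, remote port). "Public" addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("explorer.exe", "UDP", "out", "239.255.255.250", 1900),
    ("kernel32.dll", "UDP", "out", "192.168.1.255", 137),
    ("kernel32.dll", "UDP", "in", "203.0.113.7", 137),
    ("ssdpsrv.exe", "TCP", "in", "192.168.1.20", 5000),
    ("iexplore.exe", "TCP", "out", "198.51.100.10", 80),
    ("mystery.exe", "TCP", "out", "198.51.100.99", 6667),
]


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def classify(app, proto, direction, remote, port):
    """Return (verdict, explanation) for one firewall event."""
    addr = ipaddress.ip_address(remote)
    app = app.lower()
    if addr.is_multicast:
        if addr == SSDP_MULTICAST and proto == "UDP" and port == 1900:
            return ("lan-ssdp", "UPnP/SSDP discovery; administratively scoped multicast that is "
                                "not forwarded to the Internet, expected while ssdpsrv.exe is installed")
        return ("lan-multicast", "multicast group; not Internet traffic")
    if proto == "UDP" and port == 137:
        if is_lan(addr) or addr == LIMITED_BROADCAST:
            return ("lan-netbios", "NetBIOS name service with the local network")
        return ("block-netbios", "NetBIOS name service with a public address; block it")
    if proto == "TCP" and port == 5000 and direction == "in":
        return ("upnp-http", "connection to the UPnP device-description server (ssdpsrv, "
                             "TCP 5000); keep it blocked unless a UPnP device needs it")
    if is_lan(addr):
        return ("lan", "local network traffic")
    if app in INTERNET_APPS:
        return ("internet-allowed", "program on the Internet allowlist")
    return ("internet-review", "Internet traffic from a program not on the allowlist; investigate")


def summarize(events):
    """Count verdicts per program: the view to have before deciding what to block."""
    counts = Counter()
    for app, proto, direction, remote, port in events:
        verdict, _ = classify(app, proto, direction, remote, port)
        counts[(app.lower(), verdict)] += 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict, why = classify(*event)
        print(f"{event[0]:<13} {event[1]} {event[2]:<3} {event[3]}:{event[4]:<5} -> {verdict}: {why}")
```

Run on the sample, the explorer.exe event at startup comes out as SSDP discovery and the outbound NetBIOS traffic as ordinary LAN name resolution, while inbound NetBIOS from a public address and an unlisted program talking to an IRC-style port are the two events that actually deserve a block or a closer look. The point for the thread is that the firewall's "blocked" messages for explorer.exe are multicast on the local link, and that blocking UDP 137 only needs to apply to traffic with non-LAN addresses.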