explorer.exe listening on udp 3961

Discussion in 'malware problems & news' started by znokmobile, Sep 7, 2007.

Thread Status:
Not open for further replies.
  1. znokmobile

    znokmobile Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    2
    For a few days now, I have noticed (using Sysinternals Process Explorer) that explorer.exe has become a .NET process and is listening on UDP port 3961.

    I looked for some information without success; I need help to understand what's happening.

    I assume my computer is clean and I'm pretty well aware of how to protect myself (I'm a computer technician), but for that particular issue I am lost.
     
  2. ASpace

    ASpace Guest

    Use Process Explorer to first ensure you are running the legitimate explorer.exe, not something else.

    Open Process Explorer
    1. Choose View -> Select Columns. Place a tick on both Verified Signer and Image Path
    2. Choose Options -> Verify Image Signatures. Your system may be slowed down for a few seconds while it checks the applications
    3. Close Process Explorer
    4. Re-open Process Explorer
    5. Wait some time until PE checks the files and verifies their digital signatures.

    Check that Explorer.exe is from Microsoft, is in C:\Windows\ and shows as (Verified) Microsoft Corporation.

    If yes, then you have a legitimate MS application, not something else.
    If no, find a way to delete this file and replace it with the original Microsoft explorer.exe (either from another known clean system - must be the same OS and the same Service Pack level).

    If the application is legitimate, check for malware, something injected into it.
    Also check using http://www.eset.com/onlinescan/


    Good luck! :thumb:
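The checks in the post above (image path, verified signer) and the UDP listener the original poster saw can be tied together in one PowerShell pass. This is an added example, not code from the thread or from Sysinternals: it assumes Windows 8 / Server 2012 or later (for Get-NetUDPEndpoint) and an elevated prompt; on older systems, Process Explorer's Verified Signer column and `netstat -ano -p udp` give the same information.

```powershell
# Added example: verify every running explorer.exe by path and Authenticode
# signature, and list the UDP endpoints each instance owns.
# Assumes Windows 8+ (Get-NetUDPEndpoint) and an elevated PowerShell session.

$expectedPath = Join-Path $env:windir 'explorer.exe'   # C:\Windows\explorer.exe

Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path

    if (-not $path) {
        # Path is unavailable for protected processes or without sufficient rights.
        [pscustomobject]@{ PID = $proc.Id; Path = '<unavailable>'; PathOk = $false;
                           SigStatus = 'n/a'; Signer = 'n/a'; SignerOk = $false; UdpPorts = '' }
        return
    }

    # Authenticode check. Recent Windows binaries are catalog-signed; PowerShell 4+
    # resolves catalog signatures, so Status should be 'Valid' for a genuine file.
    $sig = Get-AuthenticodeSignature -FilePath $path

    $pathOk   = ($path -ieq $expectedPath)
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'CN=Microsoft')

    # UDP endpoints owned by this process (the OP's symptom: a listener on udp/3961).
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $_.OwningProcess -eq $proc.Id }

    [pscustomobject]@{
        PID       = $proc.Id
        Path      = $path
        PathOk    = $pathOk                      # lives in %windir%?
        SigStatus = $sig.Status                  # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
        SignerOk  = $signerOk                    # valid signature from Microsoft?
        UdpPorts  = ($udp | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    }
} | Format-List
```

A row with PathOk and SignerOk both true means the file itself is the genuine one, which is the first question the post asks; a listener in UdpPorts on such a process points, as the thread goes on to conclude, at something loaded into the process (or at how the tool reports it) rather than at a replaced binary.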
     
  3. znokmobile

    znokmobile Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    2
    explorer.exe is what it is supposed to be; I've already checked it that way.

    I'm using System Safety Monitor (a ProcessGuard-like tool), so it would hardly be something other than the original file without my noticing it, and nothing could normally inject code into it either.

    Also, I'm using NOD32 antivirus, so the online scan from ESET is redundant.
    I've checked explorer.exe with this online test: http://www.virustotal.com/
    which submits the file to 32 different antivirus scanners. Result: nothing.

    Moreover, my firewall (ZoneAlarm Pro) is set not to allow incoming connections to explorer.exe.

    I've checked for malware with different anti-spyware solutions (AVG Anti-Spyware (formerly Ewido), eTrust PestPatrol, Spybot S&D) but they only find a few undesirable cookies, as usual.

    Gmer (antirootkit scanner) doesn't find anything unusual either.



    (Sorry for my erratic grammar, I'm French)
     
    Last edited: Sep 7, 2007
  4. ASpace

    ASpace Guest

    With all the tools, programs and checks you have performed, you are really less likely to be infested with something.

    Can you please post in the official Sysinternals forum:
    http://forum.sysinternals.com/default.asp

    I am sure they will be able to help you better! It shouldn't be malware related but something with PE itself, e.g. with v10 I could see and check/uncheck .NET processes on my computer; now with v11 I can't because it is blank (grey), you know.

    Good luck! :thumb:
     