Windows Explorer.EXE listening ?

Discussion in 'other firewalls' started by FireDancer, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi,

    Decided to look at my logs real fast today (Kerio 2.1.5 on WIN98SE) and I found
    Windows Explorer listening on port 1167. I made a rule real fast to block it inbound and outbound TCP/UDP until I could get confirmation
    from someone here that this is acceptable or not. I have never seen
    Explorer listening anywhere..why now? Can someone please help me to understand?

    Best Regards,
    FireDancer
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hey

    What's the Exact Filename and Path?
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,
    The path name is

    C:\WINDOWS\EXPLORER.EXE

    FireDancer
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hey FireDancer

    How many EXPLORER.EXE files on your System? Scan your Host drive...
     
  5. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,

    There is one on my system. I don't see what you are getting at... you want to let me in on your ideas?

    I have run NOD32 TDS3 and all available scans that I have and found no viruses or any other types of intrusions.

    I don't understand why Explorer is listening on 1167. It has not connected to anything and I show no logs of it connecting, as I would be alerted to it and it would have been logged.

    I am trying to find out if I need to block Explorer permanently as I have never had to deal with it. Is it dangerous? Is there a certain reason for it to need to connect to a remote endpoint?

    I am not trying to be arrogant but if you can not give me a few ideas as to what I asked I will wait till someone can. For now Windows Explorer.EXE is blocked both ways until I get a confirmation of its possible intent and whether it is safe or not.

    I will continue to do some more Google searches to try and find out what it is up to and what its purpose is.


    Regards,
    FireDancer
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    FireDancer

    Without asking Questions it’ll not get a person anywhere; Explorer.exe is a browser of its own and it’s used for a number of things. However most Deny it access to the Internet as it’s a privacy issue for Windows XP users…
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was thinking a moment of this possible infection like described here
    But it doesn't seem so with only one windows\explorer.exe there.
    Win98se has the habit of mixing windows explorer and IE a lot, but this needs deeper investigation.
    PE should tell you where it is connected to.
    Remote address also localhost port 1167 or different?
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    That’s one of the reasons why I asked that question, to verify it’s not a possible Infection; after all he did say “I have never seen Explorer listening anywhere..why now?”. Anyways I’ll know better to ask this dude questions in the future…
     
  9. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Well, it _could_ also be a backdoor, which injected itself into explorer.exe... :rolleyes:

    Have you checked the modules of explorer.exe with e.g. APM?

    edit: just saw that my (now deleted) question has already been answered...
     
  10. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello All,

    I have opened Port Explorer, and found that Windows Explorer.EXE is listening on local 1167, remote 127.0.0.1


    I have run NOD32v2 and found no viruses, TDS3 and found no Trojans. I have blocked the application from being able to connect out. It shows up in PE as listening for UDP
    only.

    I would like to say that I am not as computer savvy as most here and am still learning. I come to Wilders for that reason ... to seek help from more knowledgeable people. I did not mean to upset anyone, but I did not see the reason for Phantom's singular posts/questions as I felt I was in a guessing game..

    Jooske,

    I took your link and did read it and this application does not seem to be acting like a trojan. All possible scans indicate that it is not.

    Anymore input or help/instructions would be greatly appreciated.
    NOTE: I am still in the learning process with PE and any help on using it in this situation would be appreciated. The screen shot here is showing process
    71609 that I am concerned with, but it seems to only be communicating with the local system.


    Regards,
    FireDancer
     

  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Fire Dancer,

    Those connections are Kerio's admin connections, it uses the localhost to communicate with itself between the GUI, and the resident program. When you use the firewall status you would see the program communicating with itself on ports like these. Also when explorer.exe starts listening, like previously said, it can act just like IE.

    127.0.0.1 is your localhost, and it's on your computer. If you type an address, or do some action explorer.exe can use the internet for some functions. A trojan doesn't have to be installed, you just have to use/enable some feature that makes it use the internet for something. I never use those features so I already have a blocking rule for explorer.exe, but it does do many things just like IE as IE was built into the operating system. IE, and explorer are basically the same program anymore.

    You have nothing to worry about since it says you're clean, something you did started it, so a reboot should stop it from listening, if not then go over any options you have recently enabled.

    I'm surprised with all these people here, they are playing on your fears that it's infected when they don't know of any functions of the program, or at least didn't mention them. Anyone ever heard of offline files, and active desktop? Explorer.exe does these things.
     

  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    BlitzenZeus

    Stop excusing and making assumptions bro, go through how I played it. Now you tell me how the heck I was trying to play on his fears? Don’t attempt to be picky how others helps others on here! There is great deal of what you say on here that I could easily find fault in...snipped - disagreements are fine, insults are not - paul
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I'll make this statement, but I don't want to distract the point of the thread anymore past this comment. Any replies to this message shouldn't be via this thread.

    Phantom, the reply wasn't directed toward you personally, even though you took it personally. Calm down, hold off the caffeine, and don't take everything so seriously. :)

    Ever since IE which you could download for Win95, explorer.exe has become an internet tool, in which I'm surprised that some people might assume it a trojan before going to the features of the program which have been around for years. There were even times in older versions where explorer.exe would run all internet traffic even if you launched IE. However yes, there are explorer.exe trojans, and virii out there.

    After the scan was negative the focus changed to mainly trying to prove, or disprove it was part of the IE integration. Which seems like the most possible case at this moment.

    Anyway, don't worry, be happy. Life is too short to take everything seriously :cool:
     
  14. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    Yes you were right.. I rebooted and Explorer.EXE is no longer listening.. thanks for the heads up. As far as making or changing settings ...yes last night I did make changes to OE although I am not sure that would be one and the same as IE. I am going to go through my system now and double check all settings I have made in the past 24 hours or so and see what if anything I did to cause this problem.

    I am going to continue with my Block rule for Explorer.EXE though for the reason that if it should try again I will be prepared and know what I am looking at next time.
    Again your expertise is always appreciated.

    Side Subject: Phantom I was not trying to make you feel like you could not help me. I felt that your questions though were a little incomplete and what your reasoning might be. You did not state what your reasoning was. The next few posts I received were about possible trojans.

    In as much as I believe that BlitzenZeus was not doing that either, but you do have to admit your post did lean in that direction. I have always respected opinions here at wilders but.. I like to do a little research on answers I do get when I am not familiar with the poster. (Second Opinion)

    You never know who might give you an answer that might be TOTAL disaster. And with me still being a novice at the computing world I feel that is the best policy for me right now. I hope you have not taken any offence here as I appreciate you replying and trying to help.

    I think BlitzenZeus with his experience with firewalls read what I wrote and analyzed the situation a little differently and was able to help. Maybe I wasn't clear enough in my original post and I will be more cautious of that in the future. My apologies to all

    Thanks all for the responses and
    very best regards,

    FireDancer
     
  15. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Since you rebooted, and it didn't listen, test it by opening OE again since that was the only program you changed. If it's not listening again, you're fine; if it does listen again it's calling on some feature, and you have it blocked anyway. Make the rule logging, but I don't believe you will see it make any outbound attempts to the internet unless something got enabled by mistake.

    IE is tied into OE with many of the features, just like Explorer, that is why so many of these exploits in windows are much more dangerous than other operating systems. If Microsoft didn't integrate the browser, and its functions into the OS it would be much more stable, along with far less exploits possible. :D
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Helping on the forums is like building a house out of bricks for an example; you go too fast you possibly end up making mistakes, and if you go too slow the workers get frustrated. And how I saw it BlitzenZeus continued from what we currently had completed, and since there was enough Information possibly to jump onto a new theory…

    In any case I’m glad your problem was temporarily resolved.
     
  17. DEAN

    DEAN Guest

    I found that sometimes the kerio admin program is viciously attempting connects to the NET just after I connected and sometimes it ain't and I think it is how your ISP's DHCP Server configures you on Connect.
     
  18. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Dean, your comment had nothing to do with this thread, and you don't even understand what you're talking about.

    If you have it enabled to check for updates it will check for updates on startup, and if it's enabled it will lookup dns entries for your logs so you see the rDNS name with the ip address. Your operating system has its own programs to get the DHCP lease, you just have to permit it with Kerio, just like any rule based firewall.
     
  19. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,

    It was fixed permanently; I now understand what the app does and why it was there. I have now taken care of it for good :)

    FireDancer :)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't worry or feel bad to ask questions as we all learn from it and other visitors.
    Of course it's good always to be alert on a possibility of trojans or other infections, like Phantom said, as those are the most dangerous and urgent to take care of, when these are excluded one can look at other possibilities.
    One of the tests after scanning and nothing found could be looking at the file properties for a possible recent modification date.
    (In your PE - rightclick or doubleclick the process to see the info)
    The other steps you did too, looking at what you changed in your settings.
    True, OE, IE and explorer are very much integrated and an error in one of the three can rather often be solved by a repair install of IE via the add/remove (with all av/at down for that moment) and reboot.
    Active desktop I only allow when really needed and I disable it immediately after (security).

    There are some OE security settings specialists here in the forum, so fire up your questions and we dance through the options to fine settings; we all can learn from that!
    Best to do that in a new thread in another place in the forums, unless it is specific related to the firewall section, for which Phantom is one of the specialists here.
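A small triage helper in the spirit of the checks discussed in posts 11 and 20 (is the listener bound to loopback only, and is the binary where it belongs). This is an added example, not code from the thread or from Kerio/Port Explorer; the SAMPLE listing, the EXPECTED_PATHS allow-list and the C:\FW\GUI.EXE path are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in a Port Explorer / netstat-style layout (not real output).
# Row 1 mirrors the thread: EXPLORER.EXE bound to 127.0.0.1:1167 UDP, peer 127.0.0.1.
# C:\FW\GUI.EXE stands in for a firewall's own GUI<->service loopback connection.
SAMPLE = """\
proto local_addr       remote_addr   state      image
UDP   127.0.0.1:1167   127.0.0.1:*   -          C:\\WINDOWS\\EXPLORER.EXE
TCP   127.0.0.1:44334  127.0.0.1:0   LISTENING  C:\\FW\\GUI.EXE
TCP   0.0.0.0:135      0.0.0.0:0     LISTENING  C:\\WINDOWS\\SYSTEM32\\RPCSS.EXE
UDP   0.0.0.0:5555     *:*           -          C:\\TEMP\\EXPLORER.EXE
"""

# Hypothetical allow-list of where a binary with this name should live; a
# same-named file elsewhere (the "how many EXPLORER.EXE?" check) gets flagged.
EXPECTED_PATHS = {"explorer.exe": {r"c:\windows\explorer.exe"}}
ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def is_loopback(addr):
    """True if the host part of 'host:port' is 127.0.0.0/8 or ::1."""
    try:
        return ipaddress.ip_address(addr.rpartition(":")[0]).is_loopback
    except ValueError:  # '*' or a hostname is not an IP literal
        return False

def triage(listing):
    """Classify each socket: who can reach it, and is the image where it belongs."""
    findings = []
    for line in listing.splitlines()[1:]:  # skip the header row
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, raddr, _state, image = m.groups()
        name = image.rsplit("\\", 1)[-1].lower()
        # Loopback bind => only processes on this machine can talk to it; a loopback
        # peer too means the program is talking to itself (the firewall GUI case).
        exposure = "loopback-only" if is_loopback(laddr) else "reachable from network"
        path_ok = name not in EXPECTED_PATHS or image.lower() in EXPECTED_PATHS[name]
        findings.append({"proto": proto, "local": laddr, "remote": raddr,
                         "image": image, "exposure": exposure,
                         "unexpected_path": not path_ok})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "  <-- same-named binary outside its expected path" if f["unexpected_path"] else ""
        print(f"{f['proto']} {f['local']:<16} {f['exposure']:<22} {f['image']}{flag}")
```

A loopback-only row is still worth a file-properties and module check, as the thread says; the script only separates "unreachable from outside" from "exposed" and points at binaries running from the wrong place.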
     