helpppppp

@dsl.bcvloh.ameritech

Windows Explorer trying to get out!

I'm using ZA Pro updated, PC-cillin, ran HouseCall online, Norton AV online, Sygate SOS online, ran Spybot and Adaware, found nothing odd.
My firewall logs are overloading with Outgoing connection attempts to IP address "63.73.20.40:53" via Windows Explorer.
ZA is rating it "medium", and is not offering any description (when you normally right-click an occurrence in ZA you can get more info, but this is not allowing more info at all). I looked up this IP on ARIN and it's going to UUNET, which is large backbone... I am confused. Last I knew, my ISP does not rely on UUNET, so it's not them... and besides, Windows Explorer wouldn't be doing this if say my ISP was just trying to ping me or something.
Please help

LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

First up, is that UDP port 53? You didn't say. It really just looks like Windows Explorer trying to get to a DNS server, but I assume from what you've said that that IP does not belong to your ISP's group of DNS servers. Maybe you need to look through your network adapters and connectoids and see if they are configured properly, or if some additional one was created recently.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!
[text was edited by author 2003-09-09 21:07:50]



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to helpppppp
If certain Windows features are activated, they will make Explorer act like IE, and Explorer can display web pages just like IE among many other features.



helppp

@dsl.bcvloh.ameritech

reply to LowWaterMark
I don't know if it's UDP because ZA won't give me any details.

Organized Chaos - thanks, that might be it, although, why would it only be going to that IP?


LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

said by helppp:
...that might be it, although, why would it only be going to that IP?
If ZAP is blocking it from getting DNS resolved, it can't ever go any further than that. Without resolving whatever name it's attempting to access into its IP address, it has no way to get to wherever it wants to go.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2

reply to helppp
Would that be an IP of one of your DNS servers? In the program winipcfg (9x only, GUI based) or ipconfig (NT-based systems, run it from the command line) you can see your DNS servers.

I have also seen the logs show the protocol so it should list it.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.



helpp

@dsl.bcvloh.ameritech

On ZA - in the log view panel, this is what it looks like under each column header:
Rating: Medium
Date/Time: 2003/09/09 23:32:12
Type: Program Access
Protocol: - this is blank! -
Program: Windows Explorer
Source IP: 63.73.20.40:53
Direction: Outgoing (connect)
Action Taken: Blocked
Count: 402
Source DNS: - empty-
Destination DNS: (my network name)

It's not the same IP as ISP's DNS or Gateway or Subnet or anything, not even in the same range.
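A check in the spirit of LowWaterMark's and BlitzenZeus's advice, added here as an example and not something posted in the thread: it takes rows in the shape of the ZoneAlarm log view above and flags outbound port-53 attempts to any address that is not one of the resolvers ipconfig reports. The log rows, the resolver addresses (192.0.2.x test addresses) and the pipe-separated layout are all constructed for the example.

```python
import ipaddress

# Constructed sample: ZoneAlarm log-view rows flattened to "Field: value" pairs
# in the column order helpp listed. Not a real ZoneAlarm export format.
SAMPLE_LOG = """\
Rating: Medium | Type: Program Access | Protocol: | Program: Windows Explorer | Source IP: 63.73.20.40:53 | Direction: Outgoing (connect) | Action Taken: Blocked | Count: 402
Rating: Low | Type: Program Access | Protocol: UDP | Program: Internet Explorer | Source IP: 192.0.2.53:53 | Direction: Outgoing (connect) | Action Taken: Allowed | Count: 17
Rating: Medium | Type: Program Access | Protocol: TCP | Program: Windows Explorer | Source IP: 198.51.100.7:80 | Direction: Outgoing (connect) | Action Taken: Blocked | Count: 3
"""

# Hypothetical resolver list, as you would read it from ipconfig /all (constructed).
CONFIGURED_DNS = {"192.0.2.53", "192.0.2.54"}


def parse_row(line):
    """Split one 'Field: value | Field: value' row into a dict; blank values stay ''."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")   # first colon only; IP:port keeps its colon
        fields[key.strip()] = value.strip()
    return fields


def split_endpoint(endpoint):
    """'63.73.20.40:53' -> (IPv4Address('63.73.20.40'), 53)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def unexpected_resolvers(log_text, configured_dns):
    """Return (program, ip, count) for outbound port-53 attempts to hosts that are
    not among the machine's configured DNS servers. In this ZA view the remote
    endpoint of an outgoing attempt is shown under the 'Source IP' column."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if not row.get("Direction", "").startswith("Outgoing"):
            continue
        ip, port = split_endpoint(row["Source IP"])
        if port != 53 or str(ip) in configured_dns:
            continue
        findings.append((row["Program"], str(ip), int(row["Count"])))
    return findings


if __name__ == "__main__":
    for program, ip, count in unexpected_resolvers(SAMPLE_LOG, CONFIGURED_DNS):
        print(f"{program} tried DNS at {ip} ({count} attempts) - not a configured resolver")
```

A hit means the program is asking a resolver your system was never told about, which is the question the thread is circling around; a miss on port 53 traffic to a configured resolver is just ordinary name lookup.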


LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

How long has it been doing this? And, has it continued to occur through a reboot of the system?



helpp

@67.39.x.x

It started last night, and I did not download anything nor did I visit any unusual websites.
It will not stop. I've even blocked the exe for Win Explorer, and it still keeps trying to connect to that IP.

I've rebooted many times, no help.



Sarick
It's Only Logical
Premium
join:2003-06-03
USA

reply to helpppppp
This sounds like the problem I'm having.

Do you have a file in your Recent Documents in the Start menu with .html?

Seems IE likes to load HTML when you view a directory or index it.

Bad thing is, if that HTML has bad code in it then it'll load here just by opening a Windows folder, same with files named .eml.

The Thumbnail viewer is a nice add, but having it set to show pages like this is a security risk no one needs.

Also, even if you remove Outlook, Microsoft Messenger or Internet Explorer, the program is just hidden. If an exploit wasn't patched on your system for any of those programs, EVEN THOUGH you removed them you'll still be affected by the exploit.

Billy Gates wants these programs in your system; if you want them gone because of security, tough luck. Explorer has the ability to open HTML files by default and you don't even need to click them..

This is probably why you're making an outgoing connection. Something is loading on your desktop or system that is requesting a DNS resolve, be it an HTML in Explorer or a troggy.

You could download HijackThis and show everyone what you're loading, run a snooper or run aports to find out more data on what might be or what is accessing that port.
Admin mode only..



helpp

@dsl.bcvloh.ameritech

Nothing out of the ordinary here...

Logfile of HijackThis v1.95.1
Scan saved at 11:12:25 PM, on 9/10/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\SPEEDSTREAM DSL\SPDSTRM.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\UNZIPPED\PRCVIEW\PRCVIEW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\WEIRD\HIJACKTHIS\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···03356481
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/SSC/Shared···absa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/0244a7e4cffdfe4305···E601.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security.symantec.com/sscv6/Shar···niff.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - »officeupdate.microsoft.com/Templ···outc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - »security.symantec.com/sscv6/Shar···absa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2003···an53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab


Reverend Ike
Premium
join:2001-08-24
Sacramento, CA


At a very quick glance ...

The "R3 - Default URLSearchHook is missing" item should be fixed, although it shouldn't have anything to do with your main problem. It might be an indication of previous spyware or a browser hijack attempt.

Also, go to your Downloaded Program Files folder, right-click the Symantec RuFSI object, and see what the "Created" date is. If the date is earlier than June 23, 2003, then the "O16 - ... Symantec RuFSI ..." item should also be fixed.

One other trivial thing - the current version of HijackThis is 1.97, so you might want to update your copy.

The presence of Rnaapp.exe in your process list seems weird to me. As far as I know, this is only associated with Dial-Up Networking, and seems out of place if you are using a DSL connection. I don't know too much about that area, but perhaps you might check your DUN properties to see if anything strange has been added, until a more knowledgeable person comes along ...



Rimi
Premium
join:2002-03-05
The World

reply to helpppppp
Here's what Zone Alarm site says about that access:

»pralerts.zonelabs.com/pranalyze.···overview

»pralerts.zonelabs.com/pranalyze.···=details
[text was edited by author 2003-09-11 00:17:02]


Just Basics

join:2003-06-08
Painter, VA

reply to helpppppp
Have you changed your folders to view as web page or saved any web pages to your folders recently?

Just highlighting any saved html pages in a folder will cause Explorer to go out to render the saved page if external links are present. You can remove IE completely and Explorer will still function in this manner.

The easiest way to stop it is to use the Windows Classic folder view.

I had this same problem - Explorer would access my designated DNS server and also their most frequently used gateway even though I have not selected to use a remote gateway.

MS Word will also do exactly the same thing and access my DNS and the same remote gateway when HTML content is present.

I was really paranoid about letting explorer out and went so far as replacing the program to be sure it wasn't corrupted.

I finally gave up worrying about Explorer and just blocked it with my firewall in addition to using the Windows Classic desktop and folder views which keep occurrences to a minimum.


over 12.5 years online © 1999-2012 dslreports.com.