explorer.exe

This is a discussion on explorer.exe within the A Brief History of Cprogramming.com forums, part of the Community Boards category; Can somebody find or does somebody know why explorer.exe would hold a port open? I have checked extensively for trojans ...

  1. #1
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412

    explorer.exe

    Can somebody find or does somebody know why explorer.exe would hold a port open? I have checked extensively for trojans with updated virus software, trojan removers and more.

    This is the info...

    Checked C:\WINDOWS\EXPLORER.EXE (PID=4294588673)
    Found UDP port 1058 bound at 127.0.0.1 by C:\WINDOWS\EXPLORER.EXE (PID=4294588673) [UDP client]

    I think it is posible that this is normal as 127.0.0.1 is the loopback. I would be terribly concerned if it said 0.0.0.0 and if I didn't have a firewall.

    So does anyone know if this is a normal activity for explorer.exe?

    Thanks,

    Betazep
    Blue

  2. #2
    Caffienated jinx's Avatar
    Join Date
    Oct 2001
    Posts
    235
    If you are running Millenium or later vs. of windoze, don't fret, I remember reading about this and it being so interwoven with IE that it always is running odd ports and yours using a udp protocol, it really wouldn't concern me.
    Weeel, itss aboot tieme wee goo back too Canada, eeehy boyss.

  3. #3
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Yeah... I assumed as such. Only the UDP port is shown in that particular software. netstat -a reveals a listening TCP port on that port.

    And it is win98. I will do some more research and let you guys know what I can find out. I have a freshly installed win98 partition on my computer. I will go into that one and see if the instance exists...

    Oh... and I extracted a new explorer.exe file from the cabs on the win98 disk and overwrote the old one. The open port went away until reboot. Then I checked my entire registry for all run commands on startup or otherwise. Nothing seemed out of the ordinary. I am probably over-killing this, but my security is looking pretty tight (other than this possible issue).
    Blue

  4. #4
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,856
    Have you checked your ports on GRC.com to see their state?
    Bit of a sniff, scan and probe?
    (Is free and has some good info even if he does go on a bit about the raw sockets in XP)
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  5. #5
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Yeah... I use Steve Gibson's site regularly. Doesn't look for that port.

    My other installation of windows 98 does not have explorer.exe holding a port open. I am going to slowly add programs (like norton antivirus with pop & smtp protection) to see if one of the programs is utilizing explorer.exe to keep a listening port to the loopback.

    This is really ........ing me off. I wish somebody just had the answer... somewhere. I have emailed countless friends and professionals, and they don't know... short of a trojan... how this can happen. Like I said though, my antivirus files are solid and I deleted the orig explorer.exe from the hard disk and wrote in a new copy.

    This is going to take some serious work to figure out. Now I am angry, but I am still intrigued. I could just reinstall... but that would be to admit failure. (Besides that... it doesn't seem to be doing anything bad...)
    Blue

  6. #6
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,856
    Some RAT's (trojans) impersonate a registered program to get by your firewall.

    Try re-nameing windows/explorer.exe and see if there is still one holding open the port.
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  7. #7
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Well... I sent an email to grc.com and got the "we don't have the time to help you, but there are some sites that may..." answer.

    I spoke with a friend of mine, and he stated that since the port is bound to 127.0.0.1, that it is only available to my computer. (I thought this was a possibility...)

    He asked me if I have file and printer sharing enabled and a myriad of other questions. I do not have fps enabled so there has to be something else that is utilizing the port.

    I have a sneaking suspicion that it is my norton antivirus that is holding the port open, but why it would use explorer.exe to do it is beyond my understanding at this time.
    Blue

  8. #8
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412

    You might have seen something like this when running inzider:
    Checked C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID=1244)
    - Found UDP port 1056 bound at 127.0.0.1 [UDP client]
    This line refers to a UDP socket allocated by IE. It is bound at the
    loopback address 127.0.0.1 and at a dynamically allocated port in the range
    1024-5000. As the note at the end of the line says, this is a UDP client,
    and so one naturally asks "where is the server?". I have received a few
    mails from people who were worried that this might be a way for Microsoft to
    collect information from their computers while they browse the web with IE.
    But in fact the server is not located at Microsoft, but in your own
    computer - in IE itself. IE simply sends UDP packets from this port, through
    the loopback address, and back to the same port. The packets never go out on
    the Internet, and the port is not visible from the outside since it is only
    bound at the loopback address. IE sends one byte large packets to itself
    this way more or less constantly while you browse, and the purpose is most likely some kind of diagnostics.
    But the thing is that it isn't iexplore.exe that is in the loopback. It is explorer.exe and my firewall is showing that explorer.exe is accessing the web when I browse. If I do not allow explorer.exe to pass the firewall, then I am unable to browse.
    Blue

  9. #9
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,856
    Wierd.

    Will check my WIN98 machine at home for similar. Use a wingate here.

    You could get a packetsniffer and find where explorer.exe is sending.

    Is there a way to trace the app by its PID?
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  10. #10
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    I am still working it. This situation isn't on my other win98 OS, as I stated. I am going to upgrade to IE 5.5 and install some programs to see if I can duplicate it....
    Blue

  11. #11
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    Blue

  12. #12
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,856
    So it is KaZaA checking for updates and pretending to be explorer.exe to bypass your firewall?

    How did you track it down?

    It was hidden in the KaZaA contract you signed to install. Not that hiding a security hole in the 'we are liable for nothing' warranties and terms of use is not just willfully wrong but hopefully voids their disclaimers.

    Try using Netscape (ect) and blocking the explorer.exe. Can you still browse?
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  13. #13
    _B-L-U-E_ Betazep's Avatar
    Join Date
    Aug 2001
    Posts
    1,412
    I figured it out finally. Seemed too obvious now. I did have some BDE trojans from kazaa, but that didn't fit the description of the problem as the kazaa trojans are only for their updates with apropriate (possibly exploitable) signatures.

    iexplore.exe wasn't accessing the internet. explorer.exe was.... hmmm... I repaired the IE installation and it must have overwrote the appropriate files to make it work correctly. Now IE accesses the internet and no explorer.exe bound ports.

    HOOOORRRAAAAAAY! God that sucked.

    If you would like to see if you have BDE or other trojans, the only trojan removal kit I found that finds these types of trojans can be downloaded here...

    http://www.moosoft.com/index.php

    Now to keep everything updated so my IIS server doesn't get exploited. Ahhhh... it never ends.

    Thanks for all of your help, everybody, and for following me along my journey for the mysterious (still unknown as to why, but solved) listening-port-extravaganza.
    Blue

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Comparing String Question
    By ew16301 in forum C++ Programming
    Replies: 4
    Last Post: 03-16-2005, 03:07 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21