
Thread: Windows Security Question?

  1. #1
    Junior Member
    Join Date
    Dec 2001
    Posts
    4

    Windows Security Question?

    Hi Folks!

    I am new to this board but I know this is the correct place to come to get some help with a security issue I am worried about.

    In the past I have had Windows 98 & Windows ME installed on my PC. I have always used Norton AntiVirus and ZoneALARM personal Firewall.

    When I had both OSes installed, ZoneALARM kept reporting that explorer.exe wanted to access the internet. Is this normal? I ran virus scans frequently on my system, and no viruses were detected. The virus defs were updated on a weekly basis (sometimes twice a week). But I always noticed Explorer.exe had a lot of activity (indicated in ZoneALARM when the Explorer icon flashes).

    I recently did a complete format and installed Windows 2000 with the latest service pack. I also installed Norton AV 2001 & the latest edition of ZoneALARM. I run a cable connection (Broadband) - but this wasn't installed till recently (I have had it around 3 months).

    When I had Windows ME & 98 in the past I was using a standard 56K modem, hence dynamic IP assignment when I connected. I always gave explorer.exe the ability to access the internet because I thought nothing of it at the time.

    iexplorer.exe is Internet Explorer though, and this got me thinking. explorer.exe is the Windows shell. Why was explorer.exe wanting to access the internet? Could it be infected with a trojan? I have no way of finding out now if in the past I had a trojan, but I believe Norton AV would have noticed something when I ran the full system scan.

    Last night it happened again with Windows 2000. ZoneALARM for the first time last night reported that explorer.exe was wanting to connect to the internet; this time I didn't allow it access. Can anyone help me out here? I have also installed the Trojan Detection System, The Cleaner. I have also run full system scans with both Norton AV & The Cleaner on my Windows 2000 installation, and no viruses were detected; both applications were updated with the latest defs.

    Can anyone put me further forward here?

    Thanks in advance for your time! And I wish you a merry Xmas and a happy new year!

    Kind Regards,
    Dave

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    I appreciate the thoroughness and legibility of your question; it really stands above some of the ones I've seen.

    Hmm... explorer.exe? And this is the one residing in c:\windows\ ? Well, if your AV didn't catch it, I'd assume it's just windows being sneaky again. Was it trying to connect to any particular address or ports? If it seems to be going for ports 137-139, then I'd guess it just has to do with your configuration of windows file sharing/NetBEUI/Netbios/That-buncha-stuff.
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636

    No problem

    I also run ZoneAlarm and have found that explorer requests clearance. I don't think that it's a really big deal, as I have scanned all of my ports and performed leak tests on the firewall with explorer.exe on the accepted list, and everything is still a-ok. I noticed that explorer only asks for permission when I open a file on my own computer or from a server, webpage, etc., without saving it. I'm pretty sure that it's just a glitch, or a minor ping of some sort at the most. Anyway, if you are curious as to why it requests access, just keep putting it on the "Ask first" list (the little ? mark next to it in the 'Programs' section of ZA), and pay attention to what you have done and are doing around the time it bugs you for access. Like I said, I've never had a problem with it, and all ports are secure when it has access.

    Hope this helps...

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I use Zone Alarm here at home and just looked in the ZA program settings. Explorer has not been given permission to access the internet and it never asks.
    Have you run a spyware checker like Ad-aware? Maybe a longshot, but if it's not a trojan, have you recently installed any programs that may be trying to send registration info? Are there any cold spots in your house and knocking sounds coming from the wall? (only kidding)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    yea. One of my computers with win Xp has asked to allow explorer.exe to access the web. I thought this odd too but just denied it.. I have adaware and found nothing.. I have Trojan First Aid Kit again found nothing.. I too ran leak test on Zone Alarm again nothing..

    My conclusion: Windows being sneaky
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  6. #6
    Junior Member
    Join Date
    Nov 2001
    Posts
    10

    Explorer.exe belongs to Windows-Explorer. You should not mistake it for e.g. explore.exe, patch.exe or sysedit.exe, which are well-known names for the NetBus-Client. Look in your registry
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

  7. #7
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Originally posted by L@Zy
    Explorer.exe belongs to Windows-Explorer. You should not mistake it for e.g. explore.exe, patch.exe or sysedit.exe, which are well-known names for the NetBus-Client. Look in your registry
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
    Just a note, c:\windows\system\sysedit.exe is a VALID program. If it has the same name, but is somewhere else, or overwrites the real one, then be suspicious. But Win 9x comes with a program with that name, so don't be immediately alarmed.
    [HvC]Terr: L33T Technical Proficiency
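
Added example, not part of any post in this thread: a Python sketch of the check posts #6 and #7 describe, flagging Run-key entries whose file name is one the thread names unless it sits in the location the thread gives for the genuine file. The value names and command lines in `SAMPLE_RUN_ENTRIES` are constructed; on a live system they would be read from the Run key quoted above.

```python
import ntpath

# File names post #6 lists as well-known NetBus client names.
WATCHLIST = {"explore.exe", "patch.exe", "sysedit.exe"}
# Locations the thread gives for the genuine files (posts #2 and #7).
EXPECTED_DIR = {"explorer.exe": r"c:\windows", "sysedit.exe": r"c:\windows\system"}

def exe_path(command):
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    idx = command.lower().find(".exe")     # unquoted: cut after the first ".exe"
    return command[: idx + 4] if idx != -1 else command

def verdict(command):
    """Classify one command line by file name and folder (case-insensitive)."""
    path = exe_path(command)
    name = ntpath.basename(path).lower()
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    if name in EXPECTED_DIR:
        # A genuine system file name is only trusted in its usual folder.
        return "expected location" if folder == EXPECTED_DIR[name] else "unexpected location"
    if name in WATCHLIST:
        return "watchlist name"
    return "not covered"

def audit(entries):
    """Map each Run-key value name to its verdict."""
    return {value_name: verdict(command) for value_name, command in entries}

# Constructed sample entries (value name, command line), not taken from a real machine.
SAMPLE_RUN_ENTRIES = [
    ("SystemTray", "SysTray.Exe"),
    ("Patch", r"C:\WINDOWS\patch.exe"),
    ("Editor", r'"C:\Program Files\Tools\sysedit.exe" -s'),
    ("SysEdit", r"C:\WINDOWS\SYSTEM\sysedit.exe"),
    ("Shell", r"C:\WINDOWS\TEMP\explorer.exe"),
]

if __name__ == "__main__":
    for value_name, result in audit(SAMPLE_RUN_ENTRIES).items():
        print(f"{value_name:12} {result}")
```

An entry reported as "not covered" has simply not been checked by these two rules; it is not a clean bill of health.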

  8. #8
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    yer.. ok.. lets juz put it dis way.. if something requests to go through ur firewall and u have no idea what it is.. then thats when u worry.. if its a foreign program that tries to get connected to the internet from ur box.. dat means it could be a trojan reporting to its owner..

    but if its a normal windows file who wants to go through da internet.. dat means its ok..

    each windows file dat connects to the net has its own protocol which means its supposed to connect...

    Explorer.exe connecting to the internet is quite normal.. M$ enabled that since Explorer.exe is used over a LAN to browse computers.. and the file in it..

    and it runs over NetBeui and tcp/ip and i bet it also runs in other protocols too but as far as i know it runs on those two protocols..

    and since internet uses TCP/IP protocol.. this enables Explorer.exe to connect to the net.. for some reason it thinks as if it was on a LAN.. but a bigger one..

    and ermm.. if u dunno what explorer.exe is. and im sure u do.. but in case u dont.. hold the "windows" button and press "e".. or u can go to "Start" ---> "Programs" ---> "Windows Explorer"

    normally in our class we use windows explorer to browse through the network.. its much easier that way..

  9. #9
    Junior Member
    Join Date
    Dec 2001
    Posts
    4

    Thanks!

    Thanks for the quick replies guys.

    That means a lot to me.

    @Terr

    "Hmm... explorer.exe? And this is the one residing in c:\windows\ ?"

    Yeah Terr, that's the one. I have just noticed that ZA keeps a log of when a program tries to connect to the net and the info about the port & IP it tries to connect to. Here are the 2 lines that I found in the ZALog.txt file:


    PE,2001/12/12,22:40:34 +0:00 GMT,Windows Explorer,127.0.0.1:2988,N/A
    PE,2001/10/25,22:27:19 +1:00 GMT,Windows Explorer,127.0.0.1:1229,N/A


    @L@Zy

    Yeah, that's a good point in fact. But like I said, Norton AV would have picked it up in the scans I assume... Anyway I have no way of checking now, as I believe "IF" I had the trojan/virus it was on my Windows 98 or ME installation.

    @Euclid

    I am the same Euclid, I believe it's just Windows being sneaky!

    One question though: because I am not on a network (LAN) I didn't set up file-sharing or printer sharing (I don't think I did?). Could it have been possible that a user with my IP could have "Logged-In" to my PC via their PC and browsed my files?

    Sorry for sounding lame with these questions, but I am a 3D Engine programmer after all! Not a network admin nor hacker...

    Thanks again for the help guys!

    Cheers,
    Dave
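
Added example, not part of any post in this thread: a Python sketch that reads ZALog.txt lines in the shape posted above and sorts each event into loopback, NetBIOS (ports 137-139, per post #2) or remote. The field meanings are assumed from the post's description (fifth field taken as the address:port the program tried to reach); the first two sample lines are the ones from the post, the rest, including "Example Updater", are constructed.

```python
import ipaddress
from collections import Counter

NETBIOS_PORTS = range(137, 140)   # ports 137-139, the range named in post #2

def parse_line(line):
    """Return a dict for a 'PE' program event, or None if the line does not fit."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6 or fields[0] != "PE":
        return None
    _, date, time, program, endpoint, _ = fields
    host, _, port = endpoint.rpartition(":")
    try:
        return {"date": date, "time": time, "program": program,
                "ip": ipaddress.ip_address(host), "port": int(port)}
    except ValueError:                 # missing or malformed address/port
        return None

def classify(event):
    """Bucket an event by where the endpoint lives."""
    if event["ip"].is_loopback:
        return "loopback"              # 127.x.x.x: this machine itself
    if event["port"] in NETBIOS_PORTS:
        return "netbios"               # Windows file sharing / NetBIOS
    return "remote"                    # anything else: note the address and review

def summarize(log_text):
    """Count events per (program, category), skipping unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            counts[(event["program"], classify(event))] += 1
    return counts

# First two lines are from post #9; the remaining lines are constructed samples.
SAMPLE_LOG = """\
PE,2001/12/12,22:40:34 +0:00 GMT,Windows Explorer,127.0.0.1:2988,N/A
PE,2001/10/25,22:27:19 +1:00 GMT,Windows Explorer,127.0.0.1:1229,N/A
PE,2001/12/13,09:15:02 +0:00 GMT,Windows Explorer,192.168.0.5:139,N/A
PE,2001/12/13,09:16:40 +0:00 GMT,Example Updater,192.0.2.10:80,N/A
this line is not a log record
"""

if __name__ == "__main__":
    for (program, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{program:18} {category:9} {n}")
```

Both lines from the post fall into the loopback bucket, since 127.0.0.1 is the local machine's own address.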

  10. #10
    Junior Member
    Join Date
    Jul 2001
    Posts
    15

    Don't worry, Explorer requesting a connection to the net is ok.

    Certain features of explorer.exe take advantage of connectivity if offered.

    If the Anti Virus does not find anything then you only need to worry if Zone Alarm detects an unknown prog trying to connect.

    Be careful, even Zone Alarm can be a pain in the ass.
    - Voodoo
