explorer.exe accessing remote addresses


2 replies to this topic

#1 Hippogriff
  • Members
  • 3 posts
  • Location:Sheffield, UK

Posted 16 August 2010 - 10:42 AM

Afternoon all,

First time poster - can usually resolve my issues by using something cool like MBAM, Spybot, HJT, Process Explorer or CurrPorts - but have become stumped by my latest. Any advice and guidance would be really appreciated.

After reboot, the computer works as you'd expect for a while before you can no longer access the Internet. There is another program I use to tunnel into work and that gave me an inkling - it said something about the TCP/IP running out of memory so I started digging around.

Running Process Explorer, I noticed that c:\windows\explorer.exe was running at about 25% CPU every 3 seconds or so - then it would go quiet - before jumping back up to 25% for a moment. If I killed explorer.exe then I could use my browser to access the Internet again.

Right-clicking on explorer.exe in Process Explorer and looking at the performance graph showed me that the process was indeed regularly jumping up to 25% CPU (never any more) and then settling down again. I had a look at the TCP/IP page and I saw there were about 12 rows there - most were 217.205.97.[62 to 71]:microsoft-ds with SYN_SENT but one kept reappearing which was valueshells.inc.gs.

I saw other stuff as well, but this one kept appearing - the remote address is 69.42.218.75.

I had a look at the stack when the port was opened and saw the following (I don't know enough to decide if anything is suspicious here):

mswsock.dll+0x6a4a
mswsock.dll+0x542c
WS2_32.dll!connect+0x53
ntoskrnl.exe+0x1b14d
ntoskrnl.exe+0x1aec4
hal.dll+0x10b3

I used CurrPorts and, sure enough, explorer.exe was connecting here - but also to mail.sovereign-stainless.co.uk - which is starting to sound like advertising.

I tried to disable explorer.exe's access to the Internet in my firewall - but that seemed to have no effect.

I can kill explorer.exe and gain access to the Internet again... as soon as I start it back up, within moments, I get "the page could not be displayed" in the browser and my other program starts moaning about TCP/IP having used up all its memory - although there is plenty of memory free on the system itself.

Does anyone know how I might properly track back what is causing explorer.exe to want to continually hook up to these remote addresses?

P.S. - I did run an sfc /scannow and nothing was announced as being replaced... so I think the explorer.exe itself is fine.

Any advice gratefully received.

Cheers, Hippo
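The post above asks how to work back from "explorer.exe is connecting out" to whatever inside explorer.exe is actually doing the connecting. Two things a responder would check are (1) the full set of remote endpoints the explorer.exe PID owns, and (2) the list of DLLs loaded into explorer.exe, since a library injected into the shell (or a malicious shell extension) is the usual reason the shell process itself appears as the source of the traffic; the Process Explorer stack quoted in the post only shows the Winsock and kernel frames below `WS2_32.dll!connect`, so it does not by itself name the calling module. The following PowerShell script is an added example written for this page, not code from the thread or from Sysinternals; it assumes the process is named `explorer` and that port 445 (microsoft-ds, the port the post reports SYN_SENT to) is the one to watch, and it should be run from an elevated prompt so the module list is readable.

```powershell
# Added example (not from the original thread): triage an explorer.exe that is
# making outbound connections.
#   1. Parse "netstat -ano", keep the TCP rows owned by explorer.exe PIDs, and
#      call out half-open (SYN_SENT) connections to the watched port; many of
#      them to a sequential address range is scanning, not shell behaviour.
#   2. List every module loaded into explorer.exe and flag the ones that are
#      outside %SystemRoot% or whose Authenticode signature is not Valid.
# Assumptions (not from the page): process name "explorer", watched port 445.

param(
    [string]$ProcessName = 'explorer',
    [int[]]$WatchPorts   = @(445)
)

$procs = Get-Process -Name $ProcessName -ErrorAction Stop
$pids  = @($procs | ForEach-Object { $_.Id })

# --- 1. connections owned by explorer.exe ---------------------------------
# netstat -ano rows look like:
#   TCP    10.0.0.5:49201    217.205.97.62:445    SYN_SENT    1234
$conns = @(netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f.Length -ge 5 -and $f[0] -eq 'TCP' -and ($pids -contains [int]$f[4])) {
        $remote = $f[2]
        $idx    = $remote.LastIndexOf(':')      # also handles "[::1]:445"
        [pscustomobject]@{
            Local      = $f[1]
            RemoteHost = $remote.Substring(0, $idx)
            RemotePort = [int]$remote.Substring($idx + 1)
            State      = $f[3]
            PID        = [int]$f[4]
        }
    }
})

"== TCP connections owned by $ProcessName.exe (PIDs: $($pids -join ', '))"
$conns | Sort-Object RemoteHost, RemotePort | Format-Table -AutoSize

$halfOpen = @($conns | Where-Object {
    $_.State -eq 'SYN_SENT' -and ($WatchPorts -contains $_.RemotePort)
})
if ($halfOpen.Count -gt 0) {
    "!! $($halfOpen.Count) SYN_SENT connection(s) to port(s) $($WatchPorts -join ','):"
    $halfOpen | Group-Object RemoteHost | ForEach-Object { "   $($_.Name)" }
}

# --- 2. modules loaded into explorer.exe -----------------------------------
# A module loaded from outside the Windows directory is the first thing to
# look at. Signature status is a secondary signal: on older Windows releases
# catalog-signed system DLLs can report NotSigned here, so "inside Windows
# directory but NotSigned" is worth a look but is not proof of anything.
"`n== Modules loaded into $ProcessName.exe that are outside $env:SystemRoot or not validly signed"
$procs |
    ForEach-Object { $_.Modules } |
    Sort-Object FileName -Unique |
    ForEach-Object {
        $path      = $_.FileName
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $inWindows = $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $inWindows -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                OutsideWindows = -not $inWindows
                Signature      = $sig.Status
                Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Path           = $path
            }
        }
    } |
    Sort-Object OutsideWindows -Descending |
    Format-Table -AutoSize
```

Anything that shows up with `OutsideWindows = True` is the candidate to unload (or rename and reboot) and submit for analysis; if the list is clean, the next step is configuring symbols in Process Explorer so the frames above `WS2_32.dll!connect` resolve to a module name.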


#2 MrBruce1959
  • BC Advisor
  • 6,377 posts
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA

Posted 16 August 2010 - 05:27 PM

Check this link and tell me if you know this company. http://whatismyipaddress.com/ip/69.42.218.75

You can use this site to query other IP addresses as well.

Bruce.
Welcome to Bleeping Computer! :welcome:

#3 Hippogriff
  • Topic Starter

  • Members
  • 3 posts
  • Location:Sheffield, UK

Posted 17 August 2010 - 03:54 AM

Nope, this is the valueshells thing. I have no idea what it's about. Just that explorer.exe is making a connection to them, and a variety of other addresses. I'm obviously thinking it's not explorer.exe itself, but something using explorer.exe, but several scans have not identified what that might be and the stack trace hasn't provided anything really useful for me either. I'm not sure if anything is suspicious.

Apart from the fact it is making connections, using 25% CPU every couple of seconds and causing my TCP/IP stack to run out of memory... that's suspicious.

Cheers, Hippo

Edited by Hippogriff, 17 August 2010 - 03:59 AM.