Win Explorer wants to connect to a web site

My firewall detects that Windows Explorer (not Internet Explorer) wants to
connect to a specific web site. This started to occur after I got clobbered
with a virus (trojan), my first after 10 years on the web. I have deleted the
virus and cleaned the registry file (I think). Can anyone point me to the
location where I can find the web address and/or the starter that would make
Windows Explorer want to start in the background and connect to an IP address?
 
bloodnut said:
My firewall detects that Windows Explorer (not Internet Explorer) wants to
connect to a specific web site. This started to occur after I got clobbered
with a virus (trojan), my first after 10 years on the web. I have deleted the
virus and cleaned the registry file (I think). Can anyone point me to the
location where I can find the web address and/or the starter that would make
Windows Explorer want to start in the background and connect to an IP address?

Windows Explorer wants to do that by default :) I think it's for the
search function, but I've always just blocked it with ZA.

You can use TCPView http://www.sysinternals.com/Utilities/TcpView.html
to see just where it wants to go - when it wants out, run the
program.
 
I know the specific IP address and its location (in Europe, through a WHOIS
site) where Windows Explorer wants to go. Windows Explorer (the place
where you view folders and files) should not need to access the web. It is
the only site it wants to go to. What I want to find is where it is
initiated inside Windows and where the web address is stored. The trojan was
CLSPRING.FA, which wants file and directory information apparently. But thanks
for the info you supplied. I will look at your site and see what it may tell me.
 
Download AUTORUNS from www.sysinternals.com. It is a freeware program that
will show everything that is AUTO started when the system is booted.

Specifically look for something that may be out of place dealing with
explorer.exe, Run registry keys, Winlogon, ...

Also check the Startup folders (All Users, and yourself)

You can always create a new user, and see if that new user does the same
thing. If so, then the problem is system-wide. If not, only your
[USERNAME] is affected.
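The Autoruns check above can also be done on an export rather than in the GUI. The script below is an added example and is not from the thread or from Sysinternals: it reads the CSV that `autorunsc -a * -c -s -nobanner` writes and flags rows that load into the shell, are not signature-verified, carry no version metadata, or run from outside Windows/Program Files. The column layout in COLUMNS, the load-point names, the trusted path prefixes and the three sample rows are assumptions made for illustration; check the header your own Autoruns version emits.

```python
"""Triage an Autoruns CSV export for entries that load into explorer.exe or
look out of place.  Added example, not code from the thread or from
Sysinternals.  Assumes the column layout of a recent 'autorunsc -a * -c -s'
export (see COLUMNS); the three rows in SAMPLE_CSV are constructed."""
import csv
import io

# Assumed column order of the CSV export; verify against your version's header.
COLUMNS = ["Time", "Entry Location", "Entry", "Enabled", "Category", "Profile",
           "Description", "Signer", "Company", "Image Path", "Version", "Launch String"]

SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
"5/1/2006 8:12 PM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks","{AEB6717E-7E19-11d0-97EE-00C04FD91972}","enabled","Explorer","System-wide","Windows Shell Common Dll","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\shell32.dll","6.0.2900.2180","c:\windows\system32\shell32.dll"
"5/1/2006 8:12 PM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad","vtuvtst","enabled","Explorer","System-wide","","(Not verified)","","c:\windows\system32\vtuvtst.dll","","c:\windows\system32\vtuvtst.dll"
"5/1/2006 8:12 PM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ZoneAlarm","enabled","Logon","System-wide","Zone Labs Client","(Verified) Zone Labs LLC","Zone Labs, LLC","c:\program files\zone labs\zonealarm\zlclient.exe","6.1.744.000","c:\program files\zone labs\zonealarm\zlclient.exe"
"""

# Registry locations whose DLLs are loaded by explorer.exe itself.  Because
# explorer.exe is the shell, such DLLs run in Safe Mode too and are "in use"
# whenever a desktop is open.
SHELL_LOAD_POINTS = ("ShellExecuteHooks", "ShellServiceObjectDelayLoad",
                     "SharedTaskScheduler", "ShellIconOverlayIdentifiers",
                     "Winlogon\\Notify")

# Assumed "normal" install locations; adjust for other drives or profiles.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def load_entries(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def reasons_to_flag(row):
    """Return the list of heuristics a single row trips (empty = looks normal)."""
    reasons = []
    location = row["Entry Location"].lower()
    if any(p.lower() in location for p in SHELL_LOAD_POINTS):
        reasons.append("loads inside explorer.exe")
    # With -s, Autoruns prefixes the signer with "(Verified)" or "(Not verified)".
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("image not signature-verified")
    if not row["Description"] and not row["Company"]:
        reasons.append("no version metadata")
    path = row["Image Path"].lower()
    if path and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("runs from unusual location")
    return reasons


def triage(text):
    """Map Entry -> reasons for rows worth a second look.  A verified, documented
    shell extension that only matched the load-point rule is not reported."""
    flagged = {}
    for row in load_entries(text):
        reasons = reasons_to_flag(row)
        if reasons and reasons != ["loads inside explorer.exe"]:
            flagged[row["Entry"]] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_CSV).items():
        print(entry, "->", "; ".join(why))
```

Against the constructed rows only the unsigned, undocumented ShellServiceObjectDelayLoad entry is reported; the signed shell32 hook and the signed ZoneAlarm Run entry are not.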
 
bloodnut said:
I know the specific IP address and its location (in Europe, through a WHOIS
site) where Windows Explorer wants to go. Windows Explorer (the place
where you view folders and files) should not need to access the web. It is
the only site it wants to go to. What I want to find is where it is
initiated inside Windows and where the web address is stored. The trojan was
CLSPRING.FA, which wants file and directory information apparently. But thanks
for the info you supplied. I will look at your site and see what it may tell me.

TCPView - right click on the connection and select Process Properties.

Or from the same site:
download and run Process Explorer
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Double click on the process(es); reading its image and command line
will tell you where to find them. Stop the process and delete the
file/directory.

Run Regedit and search for the file name(s), deleting them as you find
them.

Right clicking on the process and selecting Google will describe the
process.

The above is a macro, as I've posted it a few times - what you are looking
for is what program is starting explorer (started by explorer).

When the program wants to call out it will be red in the listing -
-you can change the update speed-
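The same connection-to-process-to-module lookup that TCPView and Process Explorer do by hand can be done from the text that `netstat -ano` and `tasklist /m /fi "PID eq <pid>"` print. The script below is an added example, not code from the thread: it takes the foreign IP the firewall reported, finds the owning PID in the netstat listing, and then lists the modules in that process that are not on a small name allowlist. Both command outputs, the IP, the PID and the module names are constructed for illustration, and the allowlist stands in for what real triage does with signature verification.

```python
"""Map a firewall-reported outbound connection back to its owning process and
to the DLLs loaded inside it, from 'netstat -ano' and 'tasklist /m' output.
Added example, not code from the thread; NETSTAT_OUTPUT and TASKLIST_OUTPUT
are constructed, and the IP, PID and module names are placeholders."""
import re

# Constructed 'netstat -ano' output (-o adds the owning PID column).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1054      203.0.113.17:80        SYN_SENT        1328
  TCP    192.168.1.10:1039      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed 'tasklist /m /fi "PID eq 1328"' output; long module lists wrap
# onto indented continuation lines.
TASKLIST_OUTPUT = """
Image Name                     PID Modules
========================= ======== ============================================
explorer.exe                  1328 ntdll.dll, kernel32.dll, shell32.dll,
                                   browseui.dll, vtuvtst.dll, ws2_32.dll
"""

# Illustrative allowlist only.  Real triage verifies Authenticode signatures
# (Process Explorer: Options > Verify Image Signatures) instead of trusting names.
KNOWN_GOOD = {"ntdll.dll", "kernel32.dll", "user32.dll", "shell32.dll",
              "browseui.dll", "ws2_32.dll"}


def pids_for_foreign_ip(netstat_text, ip):
    """Return the set of PIDs that own a socket whose foreign address is `ip`."""
    pids = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or banner line
        host = parts[2].rsplit(":", 1)[0].strip("[]")   # "[v6]:port" too
        if host == ip and parts[-1].isdigit():
            pids.add(int(parts[-1]))
    return pids


def modules_for_pid(tasklist_text, pid):
    """Return (image_name, [modules]) for `pid` from 'tasklist /m' output."""
    image, modules, collecting = None, [], False
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:                             # first line of a process record
            collecting = int(m.group(2)) == pid
            if collecting:
                image = m.group(1)
                modules += [x.strip() for x in m.group(3).split(",") if x.strip()]
        elif collecting and line.startswith(" "):   # wrapped module list
            modules += [x.strip() for x in line.split(",") if x.strip()]
        else:
            collecting = False
    return image, modules


def suspicious_modules(modules, known_good=KNOWN_GOOD):
    """Modules not on the allowlist, sorted, case-insensitive."""
    return sorted(m for m in set(modules) if m.lower() not in known_good)


def triage(netstat_text, tasklist_text, ip):
    """IP -> {pid: (image name, unrecognised modules)}."""
    findings = {}
    for pid in pids_for_foreign_ip(netstat_text, ip):
        image, mods = modules_for_pid(tasklist_text, pid)
        findings[pid] = (image, suspicious_modules(mods))
    return findings


if __name__ == "__main__":
    print(triage(NETSTAT_OUTPUT, TASKLIST_OUTPUT, "203.0.113.17"))
```

On a live machine you would capture `netstat -ano` while the firewall prompt is up (the socket is often gone seconds later) and then run `tasklist /m` for the PID it shows; a module in explorer.exe that no allowlist or signature check recognises is the file to look for in Autoruns.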
 
Thanking you for your interest. Your first reply has helped me raise my
awareness. I have not been watching when the process tries to access the web,
but I will keep monitoring. I will also take up your next pointer to see
what it yields. Windows Explorer has tried 14 times to connect to the
particular web site so far this connected internet session.
 
Thanking you for your interest as well. Like Pennywise's helpful hints, I
will download the program you have found helpful and run it to see what it
yields. Long work days just make you want to forget computer problems when
you get home, but I will get there. Thanking you in advance.
--
bluedays


Lawrence J. Gardner said:
Download AUTORUNS from www.sysinternals.com. It is a freeware program that
will show everything that is AUTO started when the system is booted.

Specifically look for something that may be out of place dealing with
explorer.exe, Run registry keys, Winlogon, ...

Also check the Startup folders (All Users, and yourself)

You can always create a new user, and see if that new user does the same
thing. If so, then the problem is system-wide. If not, only your
[USERNAME] is affected.

 
GREAT, I have found what I am looking for but now I have to find some way of
stopping a malware DLL (vtuvtst.dll) from running at immediate startup inside
Windows explorer and getting it deleted. I cannot delete it or change its
name because it is being used by another program. It does have a registry
entry but it seems to be able to regenerate itself when I delete it. I have
read in other problems of files which alter the registry entry so they cannot
be removed. I think I have to find one of those messages and see what
solutions were offered.

bluedays
 
GREAT, I have found what I am looking for, but now I have to find some way of
stopping a malware DLL (vtuvtst.dll) from running at immediate startup inside
Windows Explorer and getting it deleted. I cannot delete it or change its
name because it is being used by another program. It does have a registry
entry, but it seems to be able to regenerate itself when I delete it. I have
read in other problems of files which alter the registry entry so they cannot
be removed. I think I have to find one of those messages and see what
solutions were offered. It is even running when I start in Safe Mode, so I
cannot delete it there. Your solution plus Pennywise's help may have hit the
nail on the head, but it is taking a bit of defeating.
--
bluedays


Lawrence J. Gardner said:
Download AUTORUNS from www.sysinternals.com. It is a freeware program that
will show everything that is AUTO started when the system is booted.

Specifically look for something that may be out of place dealing with
explorer.exe, Run registry keys, Winlogon, ...

Also check the Startup folders (All Users, and yourself)

You can always create a new user, and see if that new user does the same
thing. If so, then the problem is system-wide. If not, only your
[USERNAME] is affected.

 
bloodnut said:
GREAT, I have found what I am looking for, but now I have to find some way
of stopping a malware DLL (vtuvtst.dll) from running at immediate startup
inside Windows Explorer and getting it deleted. I cannot delete it or change its
name because it is being used by another program. It does have a registry
entry, but it seems to be able to regenerate itself when I delete it. I
have read in other problems of files which alter the registry entry so
they cannot be removed. I think I have to find one of those messages and see what
solutions were offered. It is even running when I start in Safe Mode, so I
cannot delete it there. Your solution plus Pennywise's help may have hit the
nail on the head, but it is taking a bit of defeating.

Go through these malware removal steps systematically, doing all
prep/finishing work. Include running with Sysclean or Multi_AV and Ewido
and following instructions to do all scanning in Safe Mode.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

You may need to run HijackThis and post your log to one of the specialty
forums listed at the link above (not here, please).

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a professional computer repair
shop (not your local version of BigStoreUSA).

Malke
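The "in use" and "regenerates itself" problems from the post Malke is replying to have a fixed order of operations behind them, and the script below, an added example that is not from the thread or from any of the linked guides, spells it out: end explorer.exe first (the DLL is locked because the shell has it loaded, and the shell runs in Safe Mode too, which is why the file is busy there as well), then remove the registry load point while nothing is alive to rewrite it, then delete the file, and if it is still locked hand the delete to the next boot with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT (the Session Manager processes that list before the shell starts). The registry key, value name and DLL path in the `__main__` block are assumptions for illustration, not facts established in the thread; the stop, delete and unlink steps are injectable so the ordering can be exercised off the infected machine.

```python
"""Remove a DLL that is loaded into explorer.exe and re-creates its own load
point.  Added example, not from the thread.  The key path, value name and
DLL path under __main__ are assumed placeholders.  Run from an elevated
prompt on the affected Windows machine."""
import os
import subprocess
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # kernel32 MoveFileEx flag


def stop_process(image_name="explorer.exe"):
    """End every instance of the image so its DLLs are unlocked and nothing can
    rewrite the load point.  The desktop disappears until restart_shell()."""
    r = subprocess.run(["taskkill", "/f", "/im", image_name], capture_output=True)
    return r.returncode == 0


def delete_load_point(key_path, value_name):
    """Delete one value under HKLM; raises FileNotFoundError if already gone."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, value_name)


def schedule_delete_at_boot(path):
    """Ask the kernel to delete `path` at next boot (PendingFileRenameOperations)."""
    import ctypes
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


def remove_dll(path, unlink=os.remove, schedule=schedule_delete_at_boot):
    """Delete now if possible; a sharing violation or access-denied error
    (PermissionError on Windows) means it is still loaded, so defer to reboot."""
    try:
        unlink(path)
        return "deleted"
    except PermissionError:
        schedule(path)
        return "scheduled"


def cleanup(dll_path, load_points, stop=stop_process,
            delete_value=delete_load_point, unlink=os.remove,
            schedule=schedule_delete_at_boot):
    """Run the steps in the only order that works; return them for the log."""
    steps = []
    if stop("explorer.exe"):
        steps.append("stopped explorer.exe")
    for key_path, value_name in load_points:         # 2) load points first
        try:
            delete_value(key_path, value_name)
            steps.append(f"deleted {key_path}\\{value_name}")
        except FileNotFoundError:
            steps.append(f"absent {key_path}\\{value_name}")
    steps.append(remove_dll(dll_path, unlink, schedule))   # 3) then the file
    return steps


def restart_shell():
    """Bring the desktop back if Windows did not restart explorer.exe itself."""
    subprocess.Popen(["explorer.exe"])


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows machine from an elevated prompt")
    # Assumed values for illustration; take the real ones from Autoruns.
    LOAD_POINTS = [(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                    r"\ShellServiceObjectDelayLoad", "vtuvtst")]
    for step in cleanup(r"C:\Windows\System32\vtuvtst.dll", LOAD_POINTS):
        print(step)
    restart_shell()
```

If the value reappears even after explorer.exe is gone, another process is recreating it; go back to Process Explorer, find which one has the DLL or a copy of it loaded, and add that to the stop list before repeating. When the delete had to be scheduled, reboot and confirm in Autoruns that neither the file nor the value returned.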
 