Possible tricky infection I cannot find.

This started yesterday; initially my firewall popped up blocking explorer.exe from calling out to an IP, which resolved to a domain that did not look familiar or belong to any legit MS server. I have done enough removals that I went through some forensics before starting the cleanup.

After running every scan I could think of, nothing was coming back with anything, minus this one odd reg entry (which came back today, hence this post).

I found there was another instance of a legit explorer.exe which was responsible for calling out over and over and over and over (I had the IP blocked at the FW/router level at this time for extra measure while I diagnosed; if I disabled the NIC, then I wouldn't get any logs). I verified the signatures of running processes, loaded DLLs, everything I could think of. Checked what stacks/modules each explorer.exe was running; again, all looked normal. Unfortunately, I was unable to get a dump of that instance of explorer.exe, as it crashed when I tried.

I checked the IP/server of what was being called; it does not look like anything legit nor anything I would or should be connecting to. This was calling out over port 5000 (UPnP), and UPnP is disabled on my system.

Upon reboot, nothing ever attempted a call out again. I thought perhaps it could have been something in temporary space that was cleared; re-scanned with the usual scanners again, plus a few others, nothing.

Today, MBAM did an auto scan overnight, and this one unusual reg entry was all it found (same as the previous day's scan, which I cleared out). I am not sure if this is related to the explorer thing, as I ..
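The checks the post describes by hand (a second explorer.exe instance, its signature, its loaded modules, and which instance owns the outbound connection on port 5000) can be collected in one pass. The script below is an added triage example, not the poster's own tooling; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and $SuspectRemoteIP is a placeholder to be replaced with the address the firewall flagged.

```powershell
# Added triage script (not from the original post). Run elevated so process paths,
# modules and owning PIDs are visible for every session.
$SuspectRemoteIP   = '203.0.113.10'   # constructed placeholder (TEST-NET-3); replace with the flagged IP
$SuspectRemotePort = 5000             # port seen in the post's firewall log
$ExpectedPath      = Join-Path $env:SystemRoot 'explorer.exe'   # where the real shell lives

$explorerInstances = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
$connections       = Get-NetTCPConnection -ErrorAction SilentlyContinue

foreach ($proc in $explorerInstances) {
    # Parent process: the shell is normally started by userinit/winlogon or by the user, not by a
    # random program. A missing parent (exited) is itself worth noting.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Image path and Authenticode status of the running binary.
    $sig    = if ($proc.ExecutablePath) { Get-AuthenticodeSignature -FilePath $proc.ExecutablePath }
    $pathOk = [bool]$proc.ExecutablePath -and ($proc.ExecutablePath -ieq $ExpectedPath)
    $sigOk  = [bool]$sig -and $sig.Status -eq 'Valid' -and ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # A validly signed explorer.exe can still host an injected DLL: list modules whose signature is
    # not valid or not Microsoft's. (Module enumeration can fail for protected processes; report that.)
    $oddModules = @()
    try {
        foreach ($m in (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules) {
            $ms = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if (-not $ms -or $ms.Status -ne 'Valid' -or ($ms.SignerCertificate.Subject -notlike '*Microsoft*')) {
                $oddModules += $m.FileName
            }
        }
    } catch { $oddModules = @("<module enumeration failed: $($_.Exception.Message)>") }

    # Connections owned by this PID that match the port or address from the firewall alert.
    $flagged = $connections | Where-Object {
        $_.OwningProcess -eq $proc.ProcessId -and
        ($_.RemotePort -eq $SuspectRemotePort -or $_.RemoteAddress -eq $SuspectRemoteIP)
    }

    [pscustomobject]@{
        PID            = $proc.ProcessId
        ParentPID      = $proc.ParentProcessId
        ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
        Path           = $proc.ExecutablePath
        PathExpected   = $pathOk
        SignatureValid = $sigOk
        CommandLine    = $proc.CommandLine
        OddModules     = ($oddModules -join '; ')
        SuspectConns   = (($flagged | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', ')
    }
}
```

Run it while the outbound attempts are still being logged (before rebooting), since the post notes the instance vanished after a reboot; an instance with an unexpected parent, a non-standard path, or a non-Microsoft module is the one to preserve for a dump.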
