Explorer.exe modifying cpf.exe in memory? [Resolved]

When I try to run update from CPF a firewall message pops up telling me that explorer.exe is trying to modify cpf.exe (or was it cpfupdate?) in memory. Is this normal? I’ve run multiple virus and spyware scans and come up with nothing.

If I allow the action the update runs fine. However, I then seem to have some issue with closing Firefox. It takes 5 to 10 seconds for the Windows Start bar to become responsive.

Any ideas?

Supposed to be cpfupdate using cpf.exe not explorer which is normal AFAIK. Could you double check that by deleting those entries in app mon for cpfupdate (need to restart cpf after deleting) and run update again.


The firewall notice details say the application is cpfupdat.exe with a parent of cpf.exe.
That all makes perfect sense. The thing that bothers me is that security considerations says
that C:\WINDOWS\explorer.exe has modified the Parent application cpf.exe in memory.
That doesn’t seem right. And if I allow it the update proceeds correctly, but the start bar which seems to be part of explorer.exe becomes unresponsive after closing Firefox for 5 to 10 seconds. Maybe this happens with other apps also and I haven’t noticed. If I deny the action of course the update fails, but the start bar is not affected.


AFAIK that’s ok. That’s what I got as well.

For the start bar, my mouse click responses have been slower as well since I have started using the comodo firewall (not only on start bar). It is annoying sometimes but I am sort of used to it. I would like to see if others having the same problem.


Personally, I don’t have the problem. What I’d like to know though is if upon a fresh reboot and manually asking CPF to check for updates if you’d get the same prompt. What at times happens is that Explorer (which I have denied internet access by the way for seeing it’s too tied up with IE) along with other applications get tied up in memory since Windows itself (subject to correction) doesn’t do an excellent job in dumping left over dll’s from other programs from memory. Seeing that certain applications uses the same port over and over, it may be that Explorer.exe (verify it’s C:\Windows\explorer.exe [doesn’s start with a capital letter]. If it starts with a capital letter, then it’s not the real one and could be a trojan masking as explorer.exe) has been granted internet access priveldges.

If that’s the case, I suggest denying it access, reboot, and try again. I’m not a rocket or computer scientist, just from my own experiences as an Admin that works. Note, I have no problems using the net or CPF with explorer.exe denied from accessing the Internet.

I have scanned the file, explorer.exe, with a number of virus scanners and it always comes up clean. Spyware checks come up clean. Also, there is only the one explorer.exe in the c:\windows directory.

I suppose I could deny the suspicious activity and then just deal with updating the firewall manually by either temporarily allowing it or downloading the install and doing the remove/install operation.

I am curious about what explorer.exe is doing (dll injection?) and why. I will probably do a little more snooping when I get home tonight.

Okay, I have resolved the issue.

I have removed SpyCatcher Express and removed/reinstalled CPF.

I believe SpyCatcher was the real problem and source of DLL injection. It also prevented .Net 3.0 setup from completing.

Without SpyCatcher I no longer get messages telling me that explorer.exe is modifying other executables in memory.

With that resolved to being an issue with SpyCatcher, I will mark the topic Resolved and closed. If you continue to have this issue, please PM myself or another Moderator to reopen the topic.