warnings about windows.exe (ports 81 TCP & 35 UDP)

Hi Guys,
Windows XP Pro, SP2
Comodo Pro 2.4.18.184, DB version 3.0

Lately Comodo started to display notifications on system startup about
Explorer.exe accessing port 81 TCP and dns(53) UDP
with the following message:
C:\WINDOWS\system32\windows.exe modified the memory of the Parent application C:\WINDOWS\explorer.exe…
with a warning about typical Trojan behaviour
That was happening not every restart though.
I was denying access without “remembering” and eventually checked Remember.
System works fine. AVG, a-squared, Prevx1 do not report anything. I did run Kaspersky and Panda on-line and checked with McAfee Stinger. Sort of all clear, but there are some places where you can read that the windows.exe file must be removed immediately, e.g.
http://www.processlibrary.com/directory/files/windows/
Any known issues with ports 81 TCP / 35 UDP and windows.exe?
Thanks in advance

There is no file called “windows.exe” on a clean Windows.
It is very likely that your computer is infected with Trojan.W32.Zotob (a worm).

Isn’t that reassuring? :cry: Gordon is right.

http://www.liutilities.com/products/wintaskspro/processlibrary/windows/

Try this thread for great removal programs: https://forums.comodo.com/index.php/topic,4845.0.html

Thanks 4 replying, Guys.
I have practically everything in that “removal” list.
Stinger, for example, specifically targets Zotob.
In addition I checked with most of the known on-line scanners (except Trend Micro). None of them complained about windows.exe.
Anyway… I removed the file myself.
System still working fine (I dunno what it has in mind, but it doesn’t show any signs of naughtiness yet :-). We’ll see.
Regards

Can you please submit “windows.exe” to Comodo for analysis. From your description, it certainly smells funny.

ewen :slight_smile:

Hi panic,
Yes it does (rather did) smell. Unfortunately I cannot send it because “I removed the file myself” (quoting myself).
In addition I ran Symantec’s FixZotob post factum and it found nothing.
I looked inside the Registry to check those startup related places. There are correct entries known to Spybot’s Teatimer, Defender and me :slight_smile:
So how could the thing be active on startup sometimes, as described? Mystery.
All quiet now.
Regards

We can unravel this mystery if you’re willing to undelete this windows.exe, assuming you deleted it via Windows and didn’t really delete it, like via CCleaner’s NSA (7 passes) secure file deletion.

Hi Soya,
Thanks 4 offering but it’s too late. I tried to recover it with several utilities.
The file is not listed even among those marked as “poor” for unerasing.
It was KillBox-ed with the “on reboot” option.
I haven’t heard about any specific wiping techniques used by KillBox, but what is for sure is that some disk writing took place since the “evaporation”.
Cheers

That’s the end of that story :-*