What would cause Win-XP explorer to try to get out to the web?

Discussion in 'other firewalls' started by act8192, Dec 4, 2013.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Windows XP-SP3
    Today the firewall alerted that explorer wanted out to 173.201.246.58 just as I was closing a directory. I wasn't doing anything else on the computer. And all other computers were off.
    IP is of ip-173-201-246-58.ip.secureserver.net
    NetRange: 173.201.0.0 - 173.201.255.255
    CIDR: 173.201.0.0/16
    OriginAS: AS26496
    NetName: GO-DADDY-COM-LLC

    I have NEVER seen that sort of attempt by explorer, neither loopback, nor trying to sneak out.
    explorer is only allowed on localhost and my LAN - see picture.
    Avast scan of explorer.exe says is clean. MBAM scan is clean.
    Clearly something weird wanted out, like this:
    ExplorerAlert.jpg
    But what? How do I find out?
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the directory contains internet shortcuts, explorer will attempt to obtain a preview image of the site. Hovering over the link for a moment is sufficient to trigger obtaining the preview. I believe this is also dependent on the view settings for the directory.
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Great idea, thanks. However - no internet shortcuts, just some pics and home video clips. The only thing with anything internet related is a few text files containing links. Any other possibility?
    I've been on this ruleset for years, this is the first time I've seen a thing like this. Should I start worrying?
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not aware of any other reasons for explorer seeking internet access when navigating a directory. Prefetching images, media, or pages is the only time I've seen it. Resolving the IP it tried to connect to might point to a reason. Maybe opening the folder again and hovering over each link will find it.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    It started as the explorer was closing (X) the external drive. Or immediately after. So I most likely ended up on the desktop, but maybe in the main explorer window, don't remember at this point. No internet shortcuts that I can think of in either place.
    What's "Resolving the IP"? Other than that godaddy IP I posted.
     
    Last edited: Dec 4, 2013
  6. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    https://forums.comodo.com/empty-t81288.0.html
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Interesting, but then why didn't I see it the day before? A week ago? A month ago? Basically for years. I just scanned that thread - good reading - but I don't think it applies. Thanks, aztony, anyway.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The IP resolves to flashmyandroid.com. Other than a link to that site, I have no ideas.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    All trails are cold. I think I'll reimage just in case.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Probably the safest way to go when you can't explain an event.
     
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Sunbelt Personal Firewall is not that safe anymore.
    I've seen it leaking some years ago while getting some kind of infection.
    Apart from the Explorer stuff, most probably other things were happening in there behind the stage.
    Are you using the latest version, the free beta that was never released to the public?! :)
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    4.7.4.0 after they went free, 4.6 before, Kerio before that. Excellent firewall, IMO.
    I have no problems with it and I'm not worried about theoretical leaks all that much (yes, tested on several leak-testing places, firewall caught it all just fine). Can it happen? Sure.

    Other activity that may have triggered it? No idea. I was on a site that may have been related to what noone_particular named for me, but subsequent repeats yielded nothing. Router log showed nothing special. As I said, I have never seen that sort of thing for explorer, but went back to an older image just in case.
     
  13. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    It's a decent firewall, but already old I would say. But to be frank, not too many good alternatives for free out there anyway. :)
    They should have made it for W7 too, where free alternatives are far from what this one was.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It probably doesn't apply to your situation, but there might have been something similar happening. A few years back I obtained a malware sample that functioned much like a rootkit on both 9X and NT systems. This particular malware used explorer.exe to parent another instance of itself, with additional code injected, then terminated the original explorer.exe. This would take place before the user logged on. On both the 9X and NT systems, it hid the registry autostart entries, the DLL, and all of its activities. The files and registry entries were only visible when viewed from another OS. I saw them with DOS. Most of the HIPS I've looked at that used a default ruleset at startup allowed explorer.exe to parent itself.
     
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    When windows exes start requiring things they never did, we should be concerned and we should take action.
    Could it be a rootkit? No doubt.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Under most circumstances, that's true. One item that can throw a wrench into that is Windows Update. WU regularly replaces EXEs and DLLs. If your firewall/HIPS isn't configured to accept signed files, they usually treat them as new files that haven't been given permissions.
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @Sm3K3R,
    Re your post #15: I can't prove nonexistence of a rootkit, but 2 rootkit scans saw nothing.

    @noone_particular,
    Re your post #14: What OS did you use? Linux? How did you go about finding stuff, where did you look?
    I could restore the suspicious image and maybe find something using Mint which I can dual boot here. Low priority, but you got me curious.

    Regarding Win update - that I did 2+ weeks before, and tiny HIPS in my firewall always alerts on changed .exe and I have to allow. Timewise - unrelated. Also I did check .dll dates, nothing close to trouble time in my judgement.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I used a bootable DOS CD I'd built a while ago. Finding the hidden files was fairly simple. I made a filelist from within the infected Windows. I then made the same list from DOS and compared them. With Windows not running, the files weren't hidden. I don't recall if the files were in Windows or the System folder. For the registry, I have a registry editor that runs from DOS.
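The "make a file list from inside the infected Windows, make the same list from a clean boot, compare them" method noone_particular describes is a cross-view diff. The script below is an added example (my code, not noone_particular's tooling) showing how to automate the comparison. It assumes both listings are text files with one `path<TAB>size` line per file (the format is constructed for this example; adapt `parse_listing` to whatever your listing tool emits) and that the offline listing uses long file names rather than DOS 8.3 names. The sample listings, file names and sizes are constructed; `hiddenmod.dll` is a placeholder, not a real malware name.

```python
# Cross-view diff: files visible from an offline boot but missing from the
# live-OS listing are candidates for rootkit hiding; files whose size differs
# between the two views are candidates for tampering.

def as_listing(rows):
    """Serialise (path, size) rows into the constructed 'path<TAB>size' text format."""
    return "\n".join(f"{path}\t{size}" for path, size in rows)

def parse_listing(text):
    """Parse 'path<TAB>size' lines into {normalized_path: size}.

    Paths are case-folded and slashes unified so casing differences between the
    two listing tools (e.g. SYSTEM32 vs System32) do not produce false hits.
    Blank lines and '#' comments are skipped; a missing size is stored as None.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, size = line.partition("\t")
        key = path.replace("/", "\\").lower()
        entries[key] = int(size) if size.strip() else None
    return entries

def cross_view_diff(live_text, offline_text):
    """Compare the live-OS view with the offline view of the same volume."""
    live = parse_listing(live_text)
    offline = parse_listing(offline_text)
    common = set(live) & set(offline)
    return {
        # present when Windows is not running, invisible while it is
        "hidden_from_live": sorted(set(offline) - set(live)),
        # present only in the live view, e.g. temp files written after the offline snapshot
        "only_in_live": sorted(set(live) - set(offline)),
        # same path, different byte count in the two views
        "size_mismatch": sorted(p for p in common
                                if live[p] is not None and offline[p] is not None
                                and live[p] != offline[p]),
    }

# Constructed sample data (sizes are illustrative, not real XP file sizes).
LIVE_VIEW = [
    ("C:\\WINDOWS\\explorer.exe", 1033728),
    ("C:\\WINDOWS\\System32\\kernel32.dll", 989696),
    ("C:\\WINDOWS\\System32\\drivers\\etc\\hosts", 734),
    ("C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~tmp.txt", 12),
]
OFFLINE_VIEW = [
    ("C:\\WINDOWS\\EXPLORER.EXE", 1033728),
    ("C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL", 989696),
    ("C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC\\HOSTS", 1902),     # bigger offline: tampered?
    ("C:\\WINDOWS\\SYSTEM32\\HIDDENMOD.DLL", 45056),         # placeholder: hidden from live view
]

def report(result):
    """Human-readable summary of a cross_view_diff result."""
    lines = []
    for label, paths in result.items():
        lines.append(f"{label}: {len(paths)}")
        lines.extend("  " + p for p in paths)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(cross_view_diff(as_listing(LIVE_VIEW), as_listing(OFFLINE_VIEW))))
```

Run it with your own two listings in place of the constructed ones; anything under `hidden_from_live` deserves a look from the offline side, and a `size_mismatch` on a file like `hosts` is worth opening from both views to see which content the running OS is actually serving.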
     
  19. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Check your Avast configuration.
    Is its email scanner configured to use secureserver.net as SSL cert provider?
    If so, there's your answer to what. Probably the "why" (why you never noticed it before) is that Avast is only performing the callout to check cert updates (or revocation list or whatever) infrequently -- once weekly, or monthly.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I see this happen all the time... Explorer.exe trying to connect out. I wouldn't bother reformatting/imaging, as it'll probably happen again. It happens to me also when I'm installing apps. I agree with the guy that says it's trying to verify signatures being a distinct possibility.

    I just set a block rule for it. Things like this are a perfect example of why to have an outbound FW. Even things that seem perfectly legit will try to connect out for seemingly no good reason at all, and I don't just blindly trust anything personally. Who knows what data it's sending out, and to whom.

    I see "ping" do it too sometimes when installing software, like CCleaner.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @luciddream,
    I have my firewall sometimes in silently Block mode, and other times in Ask mode where things list as "Any Other". So the screenie in post#1 was during the Ask mode.

    I would buy the verify sigs theory, except that in years of use I have never seen explorer use the loopback rule, nor roam the internet. Also, this was very soon after booting and just navigating an external drive. But I'm repeating myself...
    Even though I restored an image, it still nags me a bit.

    Yes, I see CCleaner do its ping when installing, and it actually wants to connect to piriform. This one is of no concern to me really.
     
  22. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Did you install anything recently that added a shell extension to explorer? That could be a possible cause.
     
  23. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    That's an interesting idea too.
    Yes, 0strodamus, according to my logs, I updated (uninstall/install) VLC two weeks before. So the context menu may well have changed, though the path stays the same.
    But if this made explorer want to roam out there, you'd think I would see it on other routine changes such as this and I don't and didn't.
     
  24. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    You'll never know for sure unless you downgrade VLC. Best of luck - I hope you figure it out soon.
     