What would cause Win-XP explorer to try to get out to the web?

Windows XP-SP3
Today the firewall alerted that explorer wanted out to 173.201.246.58 just as I was closing a directory. I wasn't doing anything else on the computer. And all other computers were off.
IP is of ip-173-201-246-58.ip.secureserver.net
NetRange: 173.201.0.0 - 173.201.255.255
CIDR: 173.201.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-COM-LLC

I have NEVER seen that sort of attempt by explorer, neither loopback, nor trying to sneak out.
explorer is only allowed on localhost and my LAN - see picture.
Avast scan of explorer.exe says is clean. MBAM scan is clean.
Clearly something weird wanted out, like this:

But what? How do I find out?

 

If the directory contains internet shortcuts, explorer will attempt to obtain a preview image of the site. Hovering over the link for a moment is sufficient to trigger obtaining the preview. I believe this is also dependent on the view settings for the directory.

 

Great idea, thanks. However - no internet shortcuts, just some pics and home video clips. The only thing with anything internet related are few text files containing links. Any other possibility?
I've been on this ruleset for years, this is the first time I've seen a thing like this. Should I start worrying?

 

I'm not aware of any other reasons for explorer seeking internet access when navigating a directory. Prefetching images, media, or pages is the only time I've seen it. Resolving the IP it tried to connect to might point to a reason. Maybe opening the folder again and hovering over each link will find it.

 

It started as the explorer was closing (X) external drive. Or immediately after. So I most likely ended up on the desktop, but maybe in the main explorer window, don't remember at this point. No internet shortcuts that I can think of in either place.
What's "Resolving the IP" ? other than that godaddy IP I posted.

 

https://forums.comodo.com/empty-t81288.0.html

 

Interesting, but then why didn't I see it day before? week ago? month ago? basically for years. I just scanned that thread - good reading - but I don't think it applies. Thanks, aztony, anyway.

 

The IP resolves to flashmyandroid.com. Other than a link to that site, I have no ideas.

 

All trails are cold. I think I'll reimage just in case.

 

Probably the safest way to go when you can't explain an event.

 

Sunbelt Personal Firewall is not that safe anymore.
I ve seen it leaking some years ago while getting some kind of infection
Apart from the Explorer stuff most probable other things were happening in there behind the stage.
Are you using the latest version ,the free beta that was never released to the public ?!

 

4.7.4.0 after they went free, 4.6 before, Kerio before that. Excellent firewall, IMO.
I have no problems with it and not worried about theoretical leaks all that much (yes, tested on several leak-testing places, firewall caught it all just fine). Can it happen? Sure.

Other activity that may have triggered it? No idea. I was on a site that may have been related to what noone_particular named for me, but subsequent repeats yielded nothing. Router log showed nothing special. As I said, I have never seen that sort of thing for explorer, but went back to an older image just in case.

 

It s a decent firewall ,but already old i would say.But to be frank not to many good alternatives for free outthere anyway.
They should of made it for W7 too ,where free alternatives are far from what this one was.

 

It probably doesn't apply to your situation, but there might have been something similar happening. A few years back I obtained a malware sample that functioned much like a rootkit on both 9X and NT systems. This particular malware used explorer.exe to parent another instance of itself, with additional code injected, then terminated the original explorer.exe. This would take place before the user logged on. On both the 9X and NT systems, it hid the registry autostart entries, the DLL, and all of its activities. The files and registry entries were only when viewed from another OS. I saw them with DOS. Most of the HIPS I've looked at that used a default ruleset at startup allowed explorer.exe to parent itself.

 

When windows exe-s start requiring things they never did we should be concerned and we should take action.
Could it be a rootkit ,no doubt.

 

Under most circumstances, that's true. One item that can throw a wrench into that is Windows Update. WU regularly replaces EXEs and DLLs. If your firewall/HIPS isn't configured to accept signed files, they usually treat them as new files that haven't been given permissions.

 

@Sm3K3R,
Re your post #15: I can't prove nonexistence of a rootkit, but 2 rootkit scans saw nothing.

@noone_particular,
Re your post #14: What OS did you use? Linux? how did you go about finding stuff, where did you look?
I could restore the suspicious image and maybe find something using Mint which I can dual boot here. Low priority, but you got me curious.

Regarding Win update - that I did 2+ weeks before, and tiny HIPS in my firewall always alerts on changed .exe and I have to allow. Timewise - unrelated. Also I did check .dll dates, nothing close to trouble time in my judgement.

 

I used a bootable DOS CD I'd built a while ago. Finding the hidden files was fairly simple. I made a filelist from within the infected Windows. I then made the same list from DOS and compared them. With Windows not running, the files weren't hidden. I don't recall if the files were in Windows or the System folder. For the registry, I have a registry editor that runs from DOS.

 

Check your Avast configuration.
Is its email scanner configured to use secureserver.net as SSL cert provider?
If so, there's your answer to what. Probably the "why" (why you never noticed it before) is that Avast is only performing the callout to check cert updates (or revocation list or whatever) infrequently -- once weekly, or monthly

 

I see this happen all the time... Explorer.exe trying to connect out. I wouldn't bother reformatting/imaging, as it'll probably happen again. It happens to me also when I'm installing apps. I agree with the guy that says it's trying to verify signatures being a distinct possibility.

I just set a block rule for it. Things like this is a perfect example of why to have an outbound FW. Even things that seem perfectly legit will try to connect out for seemingly no good reason at all, and I don't just blindly trust anything personally. Who knows what data it's sending out, and to whom.

I see "ping" do it too sometimes when installing software, like CCleaner.

 

@luciddream,
I have my firewall sometimes in silently Block mode, and other times in Ask mode where things list as "Any Other". So the screenie in post#1 was during the Ask mode.

I would buy the verify sigs theory, except that in years of use I have never seen explorer use the loopback rule, nor roam the internet. Also, this was very soon after booting and just navigating an external drive. But I'm repeating myself...
Even though I restored an image, it still nags me a bit.

Yes, I see Ccleaner do its ping when installing and actually wants to connect to piriform. This one is of no concern to me really.

 

Did you install anything recently that added a shell extension to explorer? That could be a possible cause.

 

That's an interesting idea too.
Yes, Ostrodamus, according to my logs, I updated (uninstall/install) VLC two weeks before. So context menu may well have changed, though the path stays the same.
But if this made explorer want to roam out there, you'd think I would see it on other routine changes such as this and I don't and didn't.

 

You'll never know for sure unless you downgrade VLC. Best of luck - I hope you figure it out soon.