Comodo Forum
Topic: Why is explorer.exe trying to connect to an external ip? (Read 8776 times)
alex29 (Newbie)
Posted on: January 31, 2012, 08:25:27 PM
Hello,
I have a strange problem which I don't understand. Hopefully the Comodo Community can help me out with this.
So... explorer.exe (located at c:\windows) is trying to contact an IP (port 80). Why?!!
In fact, it's trying to contact a few IP addresses. According to ip-adress.com some of them belong to VeriSign and the others are from an ISP (Romania Data Systems). It's the same ISP I have, but that isn't my IP address.
I attached a screenshot of the firewall event log with the explorer.exe entries... Can anyone help me out? Please!
Thanks!
Attachment: helpfirewallevents.jpg (88.04 KB, 1162x205)
Last edit: January 31, 2012, 08:27:28 PM by alex29
Radaghast (Star Group, Comodo's Hero)
Reply #1 on: January 31, 2012, 08:49:55 PM
One of the responsibilities Explorer.exe has is to verify the digital signature on signed software. To do so it will contact the signing authority, which may be VeriSign, GoDaddy, Comodo etc., when a digitally signed application is launched. That explains the 199.x.x.x entries.
The other entries may be something your ISP requires when you connect, but to find out you'd need to see what was happening, using something like Wireshark, or maybe just ask your ISP. Personally, I'd create rules to allow connections to the certificate authorities and block everything else. That way you can see if the connections to your ISP are important.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
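The mechanism behind the reply above, as an added example that is not part of the thread: when Windows validates an Authenticode signature it may fetch the certificate revocation lists (CRLs) named in the CRL Distribution Points extension of each certificate in the signing chain, and the OCSP/issuer URLs in the Authority Information Access extension, over plain HTTP on port 80. The script below reads those URLs out of a signed file's chain without performing any revocation check itself, so it shows exactly which hosts a firewall log will attribute to the process that launched the file. The file path is an assumption you supply. Many Windows components (explorer.exe included) are catalog-signed rather than embedded-signed, and the PowerShell shipped with Windows 7 reports those as NotSigned, so try it first on a file with an embedded signature, such as a Sysinternals tool.

```powershell
# Added example, not code from the thread. Lists the HTTP endpoints that Windows may contact
# when it validates the Authenticode signature on a file: the CRL Distribution Points (CDP)
# and Authority Information Access (AIA) URLs of every certificate in the signing chain.
# The path is an assumption supplied by the caller, e.g. a Sysinternals tool such as procexp.exe.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output ("{0}: signature status = {1}" -f $Path, $sig.Status)
if ($null -eq $sig.SignerCertificate) {
    Write-Output 'No embedded signature (the file may be catalog-signed); nothing to list.'
    return
}

# Build the chain with revocation checking disabled, so this script does not itself
# trigger the CRL downloads it is describing; we only want to read URLs out of the certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

$endpoints = @()
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    foreach ($ext in $cert.Extensions) {
        # OID 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP / CA issuers)
        $kind = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CRL' }
            '1.3.6.1.5.5.7.1.1' { 'AIA' }
            default             { $null }
        }
        if (-not $kind) { continue }
        # Format($true) renders the extension as text containing lines such as "URL=http://crl.example/..."
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $endpoints += New-Object PSObject -Property @{
                Kind    = $kind
                Url     = $m.Groups[1].Value
                Subject = $cert.Subject
            }
        }
    }
}

$endpoints | Format-Table Kind, Url, Subject -AutoSize | Out-String

# Hosts the firewall log will show, almost always on TCP port 80: revocation data is served over plain HTTP.
Write-Output 'Hosts to expect in the firewall log:'
$endpoints | ForEach-Object { ([System.Uri]$_.Url).Host } | Sort-Object -Unique
```

Save it as, for instance, Get-SigningEndpoints.ps1 (a name chosen for this example) and run `.\Get-SigningEndpoints.ps1 -Path C:\Tools\procexp.exe` with your own path. The hosts it prints are the names to resolve with `nslookup`; a CRL host that resolves through a CDN CNAME will land on an address in a hosting or ISP range rather than in the CA's own netblock, which is why a "who owns this IP" lookup alone is misleading here.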
alex29 (Newbie)
Reply #2 on: February 01, 2012, 05:46:42 PM
Hi! Thanks for your reply and also for sharing Wireshark.
Well, first I was like "what the heck is going on", so I blocked the entire class of IPs from 81.x.x.1 to 81.x.x.255, and this was affecting some web pages including dcuniveronline and facebook (don't know why, but it seems that facebook is keeping their images and css files on a server hosted by that ISP in my country... it's still hard for me to believe this, but that's what ip-adress.com reports). So I removed that range from being blocked.
I've seen something new yesterday: whenever I run process explorer (a little app from sysinternals), a new connection is made from explorer.exe to one of the IPs in the screenshot. I was wondering if this app is trying to seek updates or something through windows explorer (explorer.exe)... Any thoughts?
And a last thing... is there any guide for wireshark to explain to me which connections are bad (suspicious, used by spyware or other malware, etc.)? I installed wireshark and started a live capture, but all the information labeled under Info is a bit too much for me at the moment... I am confused as I see some rows written in red and assume that there's something bad happening, but don't know where to look nor what to do. I tried searching on google but don't know exactly what to search for, so instead of answers I found only more questions. Need some help with this... Any link/guide is appreciated.
Thanks!
Radaghast (Star Group, Comodo's Hero)
Reply #3 on: February 01, 2012, 09:05:52 PM
Quote from: alex29 on February 01, 2012, 05:46:42 PM
Hi! Thanks for your reply and also for sharing Wireshark.
Well, first I was like "what the heck is going on", so I blocked the entire class of IPs from 81.x.x.1 to 81.x.x.255, and this was affecting some web pages including dcuniveronline and facebook (don't know why, but it seems that facebook is keeping their images and css files on a server hosted by that ISP in my country... it's still hard for me to believe this, but that's what ip-adress.com reports). So I removed that range from being blocked.
I guess anything is possible, though I'd be quite surprised if that were the case. Facebook uses its own fbcdn.net to host its data. Do you have any software from your ISP installed?
Quote
I've seen something new yesterday: whenever I run process explorer (a little app from sysinternals), a new connection is made from explorer.exe to one of the IPs in the screenshot. I was wondering if this app is trying to seek updates or something through windows explorer (explorer.exe)... Any thoughts?
Do you have any screenshots of those connections in PE? I use this application quite often and I don't recall seeing any connections from explorer. As far as I'm aware sysinternals apps don't do automatic updates.
Quote
And a last thing... is there any guide for wireshark to explain to me which connections are bad (suspicious, used by spyware or other malware, etc.)? I installed wireshark and started a live capture, but all the information labeled under Info is a bit too much for me at the moment... I am confused as I see some rows written in red and assume that there's something bad happening, but don't know where to look nor what to do. I tried searching on google but don't know exactly what to search for, so instead of answers I found only more questions. Need some help with this... Any link/guide is appreciated.
Wireshark can be pretty daunting, especially the first time. However, if you do a little searching, you can find plenty of useful guides. A good place to start is the Wireshark User's Guide. Also take a look at Getting Started with Wireshark.
The colours are in fact quite arbitrary and may be customised to your tastes. Take a look at Wireshark/View/Colouring Rules and Edit/Preferences/Colours. You can download other colour sets from:
http://wiki.wireshark.org/ColoringRules
Which OS are you using?
alex29 (Newbie)
Reply #4 on: February 02, 2012, 03:38:34 PM
Quote from: Radaghast on February 01, 2012, 09:05:52 PM
I guess anything is possible, though I'd be quite surprised if that were the case. Facebook uses its own fbcdn.net to host its data. Do you have any software from your ISP installed?
No. I have no software from my ISP installed.
As for PE... I attached some screenshots catching both Windows Explorer and Process Explorer in the firewall alert. I would like to ask, if it isn't too much, that you verify that remote IP from the screenshot (I'm not sure I'm allowed to post it here...). The reason I'm asking this is because I'm not sure about ip-adress.com (what site for checking IP addresses do you use/recommend?).
Following a tip I got from clockwork on an older problem, I rebooted my router and got another external IP address. This seemed to solve all that traffic between svchost and those weird IPs, but it wasn't quite a solution. Those IPs are still appearing if I run process explorer, and strangely it seems to connect to cvhsvc.exe, which belongs to "microsoft shared virtualization handler" (don't know what this is either... google gave me some tips, so it might have something to do with microsoft office starter, but I'm not sure about this).
A last thing I'd like to know is... how can I harden my security? I have CIS running (latest version), Microsoft Security Essentials and Defender. I also have the Windows firewall enabled. I run weekly or monthly scans with other antivirus products to be sure it's all clean and safe. Defrags and temp cleaning every week... but how can I make it more secure? I mean... I just want to be sure that my files are safe and there isn't someone spying on me or stealing some of my data. Is there any software that can block and keep all my data inside the system so no malware or remote-annoying-person can steal or damage it? It may sound too much to ask, but I'm pretty serious when it comes to privacy and don't like people sneaking around my stuff...
Oh! And my OS is Windows 7 Home Premium SP1 64bit
Thanks!
Attachments: helpfirewallevents2.jpg (69.52 KB, 655x542), helpfirewallevents3.jpg (154.27 KB, 827x570), helpfirewallevents4.jpg (99.39 KB, 830x462)
Last edit: February 02, 2012, 04:35:51 PM by alex29
Radaghast (Star Group, Comodo's Hero)
Reply #5 on: February 02, 2012, 05:38:22 PM
Quote from: alex29 on February 02, 2012, 03:38:34 PM
No. I have no software from my ISP installed.
As for PE... I attached some screenshots catching both Windows Explorer and Process Explorer in the firewall alert. I would like to ask, if it isn't too much, that you verify that remote IP from the screenshot (I'm not sure I'm allowed to post it here...). The reason I'm asking this is because I'm not sure about ip-adress.com (what site for checking IP addresses do you use/recommend?).
I don't use any online resources initially; instead I use a combination of IPNetInfo and FastResolver. Then, if I need more, I go to Robtex.
Quote
Following a tip I got from clockwork on an older problem, I rebooted my router and got another external IP address. This seemed to solve all that traffic between svchost and those weird IPs, but it wasn't quite a solution. Those IPs are still appearing if I run process explorer, and strangely it seems to connect to cvhsvc.exe, which belongs to "microsoft shared virtualization handler" (don't know what this is either... google gave me some tips, so it might have something to do with microsoft office starter, but I'm not sure about this).
You haven't mentioned anything about svchost in this thread? As far as I know the Microsoft Shared Virtualization Handler is something to do with Office Click-to-go and file associations.
Quote
A last thing I'd like to know is... how can I harden my security? I have CIS running (latest version), Microsoft Security Essentials and Defender. I also have the Windows firewall enabled. I run weekly or monthly scans with other antivirus products to be sure it's all clean and safe. Defrags and temp cleaning every week... but how can I make it more secure? I mean... I just want to be sure that my files are safe and there isn't someone spying on me or stealing some of my data. Is there any software that can block and keep all my data inside the system so no malware or remote-annoying-person can steal or damage it? It may sound too much to ask, but I'm pretty serious when it comes to privacy and don't like people sneaking around my stuff...
If you're using CIS with D+, it usually disables Windows Defender during installation, but if you also have MSE, you don't need Defender as well. You also shouldn't be running CIS firewall simultaneously with Windows firewall. With regard to 'hardening' and 'Privacy' you're probably better off asking specific questions in the appropriate board.
Going back to the original question concerning these connections to the ISP address, I think now is the time to play with Wireshark. If you want help understanding the trace, you can ask here.
alex29 (Newbie)
Reply #6 on: February 03, 2012, 08:01:31 AM
Thanks for sharing IPNetInfo and Fastresolver. I find these two apps very useful!
Quote from: Radaghast on February 02, 2012, 05:38:22 PM
You haven't mentioned anything about svchost in this thread? As far as I know the Microsoft Shared Virtualization Handler is something to do with Office Click-to-go and file associations.
Sorry, clumsy me! The thing is I was quite scared about this problem and wanted to say so much in few words... And I thought I mentioned svchost in the first place... I must have written it but then deleted it.
The thing with svchost is that when the system starts (after I log in on my account), after a few minutes I usually see [in the firewall active connections] a new row for svchost having as destination IP the one with 81.x.x.186, or in some rare cases 81.x.x.144, but for the most part it's the first one... This connection doesn't last long. It transfers 66 B IN and about ~1.5 KB OUT and then... it goes away.
And yes, I do use Microsoft Office Click-to-go... I think it was preinstalled. All I did was launch it and it was all ready to go. The weird thing was a new drive in my computer. It has the letter Q and it can't be accessed, but sometimes the firewall alerts me about this office pack. I think it's because the program is a free edition and uses some ADS.
Now... I made a screenshot of wireshark when I allowed the connection between explorer and that IP so I can see what's happening. I attached the image below, and next to it is the log saved from wireshark (don't know if this helps...).
First I thought I got it right. I tried to understand what that info means, but all I managed to translate is: somehow that IP has to do with akamai.net which, according to some articles found on google, has something to do with internet content caching... whatever that is. It seems that it helps users by improving page rendering or something like this. Probably this was correct; my mistake was to filter a different IP by a typo......
So.. for the right and strange IP... I think it has something to do with this crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
Any thoughts?
Ok, I've done some more research. First... to shed some light on the first case, which I messed up. That akamai thing can be seen if you ping crl.microsoft.com, and the IP addresses for the akamai full dns are 81.x.x.184 and 81.x.x.144 (first I got the 184 IP, then on the next ping I got the 144 one... don't know why). Also, the akamai dns I'm talking about is a1363.g.akamai.net
Now.. about that crl.microsoft.com
I've seen this on most of the entries from those IPs in wireshark at Transmission Control Protocol > Hypertext Transfer Protocol. All of them are using the GET method to pull up something like...
GET /pki/crl/products/CSPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1\r\n
GET /pki/crl/products/MicWinHarComPCA_2010-11-01.crl HTTP/1.1\r\n
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\n
GET /pki/crl/products/CSPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/CodeSigPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/WinPCA.crl HTTP/1.1\r\n
All these are happening at the system start when svchost.exe is making the connection.
Google gave me some answers but I don't know for sure... Those crl files are some kind of certificates, and what svchost does is check if the system is genuine and something about the office-to-go pack. I attached a screenshot (wiresharkpart2.png) with all the connections made by svchost at startup and the ping request for crl.microsoft.com in a text file. And finally the last screenshot (wiresharkpart3.png) has all the connections made with those IPs in about 30 minutes.
What do you think?
Thanks!
Attachments: wiresharhelp.png (176.57 KB, 1366x768), wiresharklog1.txt (10.23 KB), wiresharkpart2.png (185.06 KB, 1366x768), testpingstrangeip.txt (0.47 KB), wiresharkpart3.png (196.79 KB, 1366x768)
Last edit: February 03, 2012, 01:46:53 PM by alex29
Radaghast (Star Group, Comodo's Hero)
Reply #7 on: February 03, 2012, 05:02:31 PM
Quote from: alex29 on February 03, 2012, 08:01:31 AM
Thanks for sharing IPNetInfo and Fastresolver. I find these two apps very useful!
Sorry, clumsy me! The thing is I was quite scared about this problem and wanted to say so much in few words... And I thought I mentioned svchost in the first place... I must have written it but then deleted it.
The thing with svchost is that when the system starts (after I log in on my account), after a few minutes I usually see [in the firewall active connections] a new row for svchost having as destination IP the one with 81.x.x.186, or in some rare cases 81.x.x.144, but for the most part it's the first one... This connection doesn't last long. It transfers 66 B IN and about ~1.5 KB OUT and then... it goes away.
You're obviously behind some sort of NAT device, is it a router or NAT/Modem? The thing with svchost is, it does a lot of little jobs on behalf of the operating system and other applications. For example, it's svchost that's responsible for acquiring an IP address from your router or ISP. It's also responsible, by default, for performing DNS queries on behalf of all applications. So seeing small amounts of traffic flowing between your PC and your router/ISP is normal.
Quote
And yes, I do use Microsoft Office Click-to-go... I think it was preinstalled. All I did was launch it and it was all ready to go. The weird thing was a new drive in my computer. It has the letter Q and it can't be accessed, but sometimes the firewall alerts me about this office pack. I think it's because the program is a free edition and uses some ADS.
Could be, I'm afraid I don't know a great deal about that version.
Quote
Now... I made a screenshot of wireshark when I allowed the connection between explorer and that IP so I can see what's happening. I attached the image below, and next to it is the log saved from wireshark (don't know if this helps...)
Unfortunately, we'll need a little more detail. See the image for how to get what we need.
Quote
First I thought I got it right. I tried to understand what that info means, but all I managed to translate is: somehow that IP has to do with akamai.net which, according to some articles found on google, has something to do with internet content caching... whatever that is. It seems that it helps users by improving page rendering or something like this. Probably this was correct; my mistake was to filter a different IP by a typo......
So.. for the right and strange IP... I think it has something to do with this crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
Any thoughts?
Ok, I've done some more research. First... to shed some light on the first case, which I messed up. That akamai thing can be seen if you ping crl.microsoft.com, and the IP addresses for the akamai full dns are 81.x.x.184 and 81.x.x.144 (first I got the 184 IP, then on the next ping I got the 144 one... don't know why). Also, the akamai dns I'm talking about is a1363.g.akamai.net
Now.. about that crl.microsoft.com
I've seen this on most of the entries from those IPs in wireshark at Transmission Control Protocol > Hypertext Transfer Protocol. All of them are using the GET method to pull up something like...
GET /pki/crl/products/CSPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1\r\n
GET /pki/crl/products/MicWinHarComPCA_2010-11-01.crl HTTP/1.1\r\n
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\n
GET /pki/crl/products/CSPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/CodeSigPCA.crl HTTP/1.1\r\n
GET /pki/crl/products/WinPCA.crl HTTP/1.1\r\n
All these are happening at the system start when svchost.exe is making the connection.
Google gave me some answers but I don't know for sure... Those crl files are some kind of certificates, and what svchost does is check if the system is genuine and something about the office-to-go pack. I attached a screenshot (wiresharkpart2.png) with all the connections made by svchost at startup and the ping request for crl.microsoft.com in a text file. And finally the last screenshot (wiresharkpart3.png) has all the connections made with those IPs in about 30 minutes.
What do you think?
AKAMAI is one of many CDNs (Content Delivery Networks) used by companies like MS to service a widely distributed user base. Seeing connections from svchost to AKAMAI, especially during Windows update, is quite normal. They are also used when Windows updates its root certificate store, which is what you're seeing above.
Attachment: ws.jpg (75.13 KB, 650x586)
alex29 (Newbie)
Reply #8 on: February 03, 2012, 06:46:43 PM
Quote from: Radaghast on February 03, 2012, 05:02:31 PM
You're obviously behind some sort of NAT device, is it a router or NAT/Modem? The thing with svchost is, it does a lot of little jobs on behalf of the operating system and other applications. For example, it's svchost that's responsible for acquiring an IP address from your router or ISP. It's also responsible, by default, for performing DNS queries on behalf of all applications. So seeing small amounts of traffic flowing between your PC and your router/ISP is normal.
I do have a router. It's a TP-LINK TL-WR541G.
So... I made a new live capture session, I ran process explorer, the firewall told me about explorer.exe and that IP, I selected allow and checked wireshark. I exported a new txt file following the tips in your screenshot... except the "selected packet", because I was not sure which one to select... so I exported with "displayed" and "all packets". See attachment. I added a txt with "selected packet" also, but I'm not sure if I selected the right one... The selected packet can be found in the first txt, where all the packets are filtered by "ip.addr == [theIP]".
If I didn't export the right thing, please tell me and I'll do it again - hopefully right.
Thanks
Attachments: wiresharklog_first.txt (224.2 KB), wiresharklog_second.txt (4.01 KB)
Radaghast (Star Group, Comodo's Hero)
Reply #9 on: February 03, 2012, 10:26:44 PM
Quote from: alex29 on February 03, 2012, 06:46:43 PM
I do have a router. It's a TP-LINK TL-WR541G.
Is it configured to act as a DNS server, or does it pass your requests to your ISP?
Quote
So... I made a new live capture session, I ran process explorer, the firewall told me about explorer.exe and that IP, I selected allow and checked wireshark. I exported a new txt file following the tips in your screenshot... except the "selected packet", because I was not sure which one to select... so I exported with "displayed" and "all packets". See attachment. I added a txt with "selected packet" also, but I'm not sure if I selected the right one... The selected packet can be found in the first txt, where all the packets are filtered by "ip.addr == [theIP]".
If I didn't export the right thing, please tell me and I'll do it again - hopefully right.
Thanks
There's nothing obviously wrong going on here; the main data packets are all legitimate certificate related queries, which suggests RO-RCS-RDS may be a CDN for MS in Romania - what happens when you perform a windows update? The only question mark I have is why so many. How frequently do you see these connections happening?
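How to get from a Wireshark plain-text export to the conclusion reached in the reply above, as an added example that is not part of the thread. The function parses the dissection lines Wireshark writes with File > Export Packet Dissections > as Plain Text (packet details expanded) and groups the HTTP requests by destination IP and Host header, labelling each request path as CRL, OCSP or other. The export embedded below is constructed for this example from documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and made-up hosts; it is not alex29's log. Feed your own export in with Get-Content.

```powershell
# Added example, not code from the thread. Summarises the HTTP requests in a Wireshark
# "File > Export Packet Dissections > as Plain Text" file (packet details expanded) by
# destination IP, Host header and request kind, so a pile of "connections to an unknown IP"
# collapses into a few rows that can be judged. The export below is CONSTRUCTED for this
# example with documentation-range addresses and made-up hosts; it is not alex29's log.
$sampleExport = @'
No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    192.0.2.10            198.51.100.7          HTTP     305    GET /pki/crl/products/CSPCA.crl HTTP/1.1

Frame 1: 305 bytes on wire (2440 bits), 305 bytes captured (2440 bits)
Internet Protocol Version 4, Src: 192.0.2.10 (192.0.2.10), Dst: 198.51.100.7 (198.51.100.7)
Transmission Control Protocol, Src Port: 49211 (49211), Dst Port: http (80), Seq: 1, Ack: 1, Len: 251
Hypertext Transfer Protocol
    GET /pki/crl/products/CSPCA.crl HTTP/1.1\r\n
    Host: crl.microsoft.com\r\n
    Connection: Keep-Alive\r\n

No.     Time        Source                Destination           Protocol Length Info
      2 0.412000    192.0.2.10            198.51.100.7          HTTP     318    GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1

Frame 2: 318 bytes on wire (2544 bits), 318 bytes captured (2544 bits)
Internet Protocol Version 4, Src: 192.0.2.10 (192.0.2.10), Dst: 198.51.100.7 (198.51.100.7)
Transmission Control Protocol, Src Port: 49212 (49212), Dst Port: http (80), Seq: 1, Ack: 1, Len: 264
Hypertext Transfer Protocol
    GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1\r\n
    Host: crl.microsoft.com\r\n

No.     Time        Source                Destination           Protocol Length Info
      3 1.003000    192.0.2.10            203.0.113.20          HTTP     290    GET /ocsp/MEowSDBGMEQwQjAJBgUrDgMCGgUA HTTP/1.1

Frame 3: 290 bytes on wire (2320 bits), 290 bytes captured (2320 bits)
Internet Protocol Version 4, Src: 192.0.2.10 (192.0.2.10), Dst: 203.0.113.20 (203.0.113.20)
Transmission Control Protocol, Src Port: 49213 (49213), Dst Port: http (80), Seq: 1, Ack: 1, Len: 236
Hypertext Transfer Protocol
    GET /ocsp/MEowSDBGMEQwQjAJBgUrDgMCGgUA HTTP/1.1\r\n
    Host: ocsp.example-ca.test\r\n

No.     Time        Source                Destination           Protocol Length Info
      4 2.250000    192.0.2.10            198.51.100.7          HTTP     410    GET /update/check.aspx?id=7 HTTP/1.1

Frame 4: 410 bytes on wire (3280 bits), 410 bytes captured (3280 bits)
Internet Protocol Version 4, Src: 192.0.2.10 (192.0.2.10), Dst: 198.51.100.7 (198.51.100.7)
Transmission Control Protocol, Src Port: 49214 (49214), Dst Port: http (80), Seq: 1, Ack: 1, Len: 356
Hypertext Transfer Protocol
    GET /update/check.aspx?id=7 HTTP/1.1\r\n
    Host: download.example.test\r\n
'@

function Get-HttpRequestSummary {
    param([string[]]$Lines)

    $requests = @()
    $dst = $null; $method = $null; $uri = $null
    foreach ($line in $Lines) {
        # Per-frame destination address, taken from the IP layer line of the dissection.
        if ($line -match '^Internet Protocol.*\bDst:\s*([0-9a-fA-F.:]+)') {
            $dst = $Matches[1]; $method = $null; $uri = $null
            continue
        }
        # Request line as Wireshark prints it: indented, with a literal "\r\n" at the end.
        if ($line -match '^\s+(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\\r\\n\s*$') {
            $method = $Matches[1]; $uri = $Matches[2]
            continue
        }
        # Host header: pairs with the most recent request line of the same frame.
        if ($uri -and $line -match '^\s+Host:\s*([^\\\s]+)') {
            $kind = if ($uri -match '\.crl(\?|$)') { 'CRL' }
                    elseif ($uri -match '(^|/)ocsp(/|$)') { 'OCSP' }
                    else { 'other' }
            $requests += New-Object PSObject -Property @{
                DstIp  = $dst
                Host   = $Matches[1]
                Method = $method
                Uri    = $uri
                Kind   = $kind
            }
            $method = $null; $uri = $null
        }
    }
    $requests
}

# Replace $sampleExport with (Get-Content .\wiresharklog_first.txt) to analyse a real export.
$requests = Get-HttpRequestSummary -Lines ($sampleExport -split "`r?`n")
$requests | Format-Table DstIp, Host, Kind, Method, Uri -AutoSize | Out-String

# One row per destination IP, Host header and kind: the view that tells you whether an address
# is only ever asked for CRL/OCSP data or is also serving something else from the same IP.
$requests | Group-Object DstIp, Host, Kind |
    Select-Object Count, @{ Name = 'DstIp / Host / Kind'; Expression = { $_.Name } } |
    Sort-Object Count -Descending | Format-Table -AutoSize | Out-String
```

On the constructed input the grouped view shows two CRL requests to 198.51.100.7 for crl.microsoft.com, one OCSP request to 203.0.113.20, and one unrelated request to the same 198.51.100.7 under a different Host header, which is the CDN pattern: one address, many names. Two caveats when reading a real export: the Host header is written by the client, so a program can send "Host: crl.microsoft.com" to any address it likes, and a CRL fetch should come back as Content-Type application/pkix-crl. Confirm the destination IP with `nslookup` of the host name, and look at the response frames, before treating a row as benign.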
alex29 (Newbie)
Reply #10 on: February 04, 2012, 01:05:19 PM
Quote from: Radaghast on February 03, 2012, 10:26:44 PM
Is it configured to act as a DNS server, or does it pass your requests to your ISP?
I think it passes to my ISP... How can I check this to be sure?
I have a web server installed on my computer (I am using XAMPP) but don't think this is related. I keep the web server only for localhost debugging. Ports are hidden and I don't host anything. I just make some Wordpress templates.
Quote from: Radaghast on February 03, 2012, 10:26:44 PM
There's nothing obviously wrong going on here; the main data packets are all legitimate certificate related queries, which suggests RO-RCS-RDS may be a CDN for MS in Romania - what happens when you perform a windows update? The only question mark I have is why so many. How frequently do you see these connections happening?
Hmm... at every windows startup, svchost.exe connects to that IP; the connection lasts about 1 minute... more or less... then... it doesn't appear. These connections appear again if I run process explorer (and explorer.exe starts the connection), or cvhsvc.exe which belongs to office-to-go... and I think that's all. Haven't seen any other weird stuff. I'll try to keep my system a few hours up and running with wireshark keeping an eye on the connections.
Is 'many connections' a bad thing?
Thanks!
Radaghast (Star Group, Comodo's Hero)
Reply #11 on: February 04, 2012, 09:35:45 PM
Quote from: alex29 on February 04, 2012, 01:05:19 PM
I think it passes to my ISP... How can I check this to be sure?
Open a command prompt and run ipconfig /all. What does it say for the DNS entries?
Quote
I have a web server installed on my computer (I am using XAMPP) but don't think this is related. I keep the web server only for localhost debugging. Ports are hidden and I don't host anything. I just make some Wordpress templates.
It shouldn't make any difference either way.
Quote
Hmm... at every windows startup, svchost.exe connects to that IP; the connection lasts about 1 minute... more or less... then... it doesn't appear. These connections appear again if I run process explorer (and explorer.exe starts the connection), or cvhsvc.exe which belongs to office-to-go... and I think that's all. Haven't seen any other weird stuff. I'll try to keep my system a few hours up and running with wireshark keeping an eye on the connections.
Is the svchost connection doing the same thing as explorer and PE, or is it doing something like DNS?
I don't really know why these connections are being made every time you open one of these applications, I'm not able to reproduce that here, in fact, PE and explorer don't attempt to make any connections when opened.
Quote
Is 'many connections' a bad thing?
I don't believe these connections are bad in any way and the fact there are more of them than seems normal, at least from my perspective, is really neither here nor there.
alex29 (Newbie)
Reply #12 on: February 05, 2012, 11:28:52 AM
Quote from: Radaghast on February 04, 2012, 09:35:45 PM
Open a command prompt and run ipconfig /all. what does it say for the DNS entries?
DNS entries seem to belong to my ISP, according to ripe.net
Quote from: Radaghast on February 04, 2012, 09:35:45 PM
Is the svchost connection doing the same thing as explorer and PE, or is it doing something like DNS?
I assume that svchost connection is the same as explorer judging by the fact that both connect on the same port to the same IP and have a similar traffic exchange...
Quote from: Radaghast on February 04, 2012, 09:35:45 PM
I don't really know why these connections are being made every time you open one of these applications, I'm not able to reproduce that here, in fact, PE and explorer don't attempt to make any connections when opened.
Is there any way to 'dig' more into this so I can find more info?
I tried to reproduce this problem on two other computers. Both of them are running Windows XP Professional SP3, both of them have the latest version of CIS and all apps up-to-date. Just one of them is alerting me about explorer.exe, just as I see the alert on my Windows 7. The other one running XP doesn't say a thing, nor does any weird stuff appear in wireshark. Neither of the XP computers has svchost connections to 81.x.x.184, but both the XP computers and the Win 7 computer have connections with 81.x.x.161 - from what I managed to understand, it has something to do with microsoft update.
I was wondering if this might have something to do with that MS office pack, because the XP computer which doesn't alert me doesn't have any office installed. The XP computer with office installed does alert me. The 7 computer with office-to-go alerts me too. It's just a common factor I see... not sure if it's true.
Thanks
Radaghast (Star Group, Comodo's Hero)
Reply #13 on: February 05, 2012, 04:07:45 PM
Quote from: alex29 on February 05, 2012, 11:28:52 AM
DNS entries seem to belong to my ISP, according to ripe.net
You will get svchost traffic over UDP to port 53 for DNS.
Quote
I assume that svchost connection is the same as explorer judging by the fact that both connect on the same port to the same IP and have a similar traffic exchange...
Sounds likely. Certificate checks are performed by the OS (svchost) at startup and on certain triggers, such as installing a signed application (explorer).
Quote
Is there any way to 'dig' more into this so I can find more info?
You could download Autoruns to see if there are any startup entries that may be responsible. You could also try Process Monitor to see which processes are involved.
Quote
I tried to reproduce this problem on two other computers. Both of them are running Windows XP Professional SP3, both of them have the latest version of CIS and all apps up-to-date. Just one of them is alerting me about explorer.exe, just as I see the alert on my Windows 7. The other one running XP doesn't say a thing, nor does any weird stuff appear in wireshark. Neither of the XP computers has svchost connections to 81.x.x.184, but both the XP computers and the Win 7 computer have connections with 81.x.x.161 - from what I managed to understand, it has something to do with microsoft update.
If you're connecting to that address for crl checks, it doesn't surprise me it's the same address used as an entry point for Windows updates. On my system, with the provider I now have, I get updates via level 3 on port 80 for the update check, then Microsoft on port 443, for the actual update.
Quote
I was wondering if this might have something to do with that MS office pack, because the XP computer which doesn't alert me doesn't have any office installed. The XP computer with office installed does alert me. The 7 computer with office-to-go alerts me too. It's just a common factor I see... not sure if it's true.
I installed office click-to-run and I haven't seen any unsolicited traffic from explorer. However, it's still possible these connections are related to office.
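The check behind "see which processes are involved", as an added example that is not part of the thread. Rather than waiting for a firewall alert, the function below joins the output of `netstat -ano` (which prints the owning PID of each connection) with the process's image path, its Authenticode signer and, for svchost.exe, the list of services hosted in that instance. That last column is what answers the earlier question of whether the svchost connection is the same thing as the explorer one: you can see which services share the svchost instance that opened it. It uses only tools present on Windows 7. Run it from an elevated PowerShell so every PID is visible, and treat the default remote port of 80 (the port the CRL fetches in this thread use) as an assumption.

```powershell
# Added example, not code from the thread. Joins `netstat -ano` with process, signer and
# hosted-service information so each outbound TCP connection can be tied to the code that
# opened it. Defaults are assumptions (remote port 80, the port CRL fetches use);
# run from an elevated PowerShell so the owning PID of every connection is shown.
function Get-ConnectionOwners {
    param([int]$RemotePort = 80)

    # svchost.exe hosts many services in one process; index service names by PID once.
    $servicesByPid = @{}
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($svc.ProcessId -gt 0) {
            $servicesByPid["$($svc.ProcessId)"] += @($svc.Name)
        }
    }

    netstat -ano | ForEach-Object {
        # Matches rows such as: "  TCP    192.0.2.10:49211   198.51.100.7:80   ESTABLISHED   1234"
        if ($_ -notmatch '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') { return }
        $remoteIp = $Matches[3]; $port = [int]$Matches[4]; $state = $Matches[5]; $procId = [int]$Matches[6]
        if ($port -ne $RemotePort) { return }

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path = $null; $name = '?'; $signer = 'n/a'
        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path            # $null for protected/system processes when not elevated
        }
        if ($path) {
            $cert = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate
            $signer = if ($cert) { $cert.Subject } else { 'unsigned or catalog-signed' }
        }
        $hosted = ''
        if ($servicesByPid.ContainsKey("$procId")) { $hosted = $servicesByPid["$procId"] -join ',' }

        New-Object PSObject -Property @{
            Remote   = "${remoteIp}:${port}"
            State    = $state
            OwnerPid = $procId
            Process  = $name
            Path     = $path
            Signer   = $signer
            Services = $hosted
        }
    }
}

Get-ConnectionOwners -RemotePort 80 |
    Format-Table Remote, State, OwnerPid, Process, Services, Signer -AutoSize | Out-String -Width 200
```

Run it while the startup burst is happening (or right after launching Process Explorer) to catch the short-lived connections described in the thread; `tasklist /svc` gives the same PID-to-services mapping from a plain command prompt. A connection whose Process is svchost.exe but whose Services column is empty, or whose Path is not under the Windows directory, is the case worth chasing further with Process Monitor.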
alex29 (Newbie)
Reply #14 on: February 05, 2012, 06:17:28 PM
Quote from: Radaghast on February 05, 2012, 04:07:45 PM
You will get svchost traffic over UDP to port 53 for DNS.
Wasn't sure about this so I rebooted my system. At startup, I get some UDP OUT traffic to an IP 213.x.x.1 (same IP as the one from DNS Servers when I type ipconfig /all in a cmd window) on port 53.
Quote from: Radaghast on February 05, 2012, 04:07:45 PM
You could download Autoruns to see if there are any startup entries that may be responsible. You could also try Process Monitor to see which processes are involved.
I already had Autoruns (see below for more info about it). I didn't see anything suspicious listed here...
Thanks for Process Monitor. I see here that 'explorer.exe' is a busy guy... Added a filter to display only explorer and it has about 17,000 entries - OMG! Is this normal?
Quote from: Radaghast on February 05, 2012, 04:07:45 PM
If you're connecting to that address for CRL checks, it doesn't surprise me it's the same address used as an entry point for Windows updates. On my system, with the provider I now have, I get updates via Level 3 on port 80 for the update check, then Microsoft on port 443, for the actual update.
Yes, the connections link to crl.microsoft.com - according to Wireshark. After the connection is made, I save (export) the file and search for "Hypertext Transfer Protocol"; here I see some details (host: crl.microsoft.com, the request URL and others). Finally there is a "Full request URI: http://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2010-11-01.crl".
Before I rebooted my system, I had it turned on for about 8 hours with Wireshark running. At startup svchost did his number, checking those CRL files, and after a while made a Windows Update check too. Then nothing... for about 30-40 minutes, nothing suspicious. I ran some random programs, no weird connections. Then I made a list of all the apps I downloaded and all the apps that were preinstalled. Tried some random preinstalled apps and nothing strange. Tried some downloaded apps and only two were bothering explorer.exe... The two are Process Explorer and Autoruns. Whenever I started one of these two apps, the firewall was alerting me about explorer.exe making a connection. Looking at Wireshark... all it did was check that CRL stuff. So I assume there is nothing wrong with this, right?
I tried to compare the logs between now and yesterday. I haven't found any differences, but the "Packet Bytes" was slightly different - this probably has to do with the fact that the bytes IN and OUT were more or less.
Now... after I rebooted my system to check those UDP connections on port 53, I tried Autoruns again and this time it didn't bother explorer. Tried PE also, and some connections appeared... I think it was checking something with VeriSign. That was all. Maybe Win7 on x64 needs more checking to do... This is my first x64 OS, I don't see big differences but I'm no expert.
I'll try to see if I can find something suspicious with Process Monitor - hopefully there will be none and my system is clean.
Thanks!
« Last Edit: February 05, 2012, 06:20:45 PM by alex29 »
Logged
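The manual procedure in the post above (export the capture, search for "Hypertext Transfer Protocol", read off the Host and Full request URI) can be made repeatable. The PowerShell below is an added example, not code from this thread or from Wireshark or Comodo: it has tshark, the command-line companion of Wireshark, list every HTTP request in a saved capture with its time, destination IP, Host header and full URI, then sorts the requests into CRL/OCSP revocation checks, Microsoft update hosts, and everything else. The capture path, the assumption that tshark.exe is on the PATH, and the classification rules are all mine; extend the rules for whatever your own ISP or software legitimately contacts.

```powershell
# Added example, not from the thread: instead of exporting a Wireshark capture
# and searching it by hand, have tshark list every HTTP request (time,
# destination IP, Host header, full URI) and sort the requests into
# revocation checks, Microsoft update hosts, and everything else.
# Assumptions: tshark.exe is on the PATH and the capture path below is yours.
param(
    [string]$Capture = 'C:\captures\explorer-alert.pcapng'
)

# tshark prints one tab-separated line per matching packet.
$lines = & tshark -r $Capture -Y 'http.request' -T fields `
    -e frame.time_relative -e ip.dst -e http.host -e http.request.full_uri

if (-not $lines) {
    Write-Warning "No HTTP requests found in $Capture"
    return
}

$requests = foreach ($line in $lines) {
    $time, $dstIp, $hostName, $uri = $line -split "`t"
    if (-not $hostName) { continue }

    # Classification rules (assumed, extend as needed): a .crl download or an
    # OCSP request is a revocation check; *.microsoft.com / *.windowsupdate.com
    # is update infrastructure; anything else deserves a closer look.
    $class = if ($uri -match '\.crl$' -or $uri -match 'ocsp') {
        'revocation check (CRL/OCSP)'
    } elseif ($hostName -match '(^|\.)(microsoft|windowsupdate)\.com$') {
        'Microsoft update infrastructure'
    } else {
        'UNEXPLAINED'
    }

    New-Object PSObject -Property @{
        Time  = [double]$time
        DstIp = $dstIp
        Host  = $hostName
        Uri   = $uri
        Class = $class
    }
}

$requests | Sort-Object Class, Host, Time | Format-Table Class, Time, DstIp, Host, Uri -AutoSize -Wrap

$unexplained = @($requests | Where-Object { $_.Class -eq 'UNEXPLAINED' })
"{0} HTTP request(s) total, {1} not explained by CRL/OCSP or Microsoft hosts" -f @($requests).Count, $unexplained.Count
```

A capture has no process information, so to tie a row to the explorer.exe alert either match the Time column against the CIS firewall event timestamp or narrow the display filter to the logged destination, for example -Y 'http.request && ip.dst == 199.x.x.x'. The UDP port 53 traffic from svchost mentioned in the post can be listed the same way with -Y 'dns' and -e dns.qry.name.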
Tags: Firewall, events, explorer.exe, external IP