Explorer.exe connecting to Microsoft

I have WinXP Pro SP2 with all available updates.
I am running Comodo Firewall Pro V 3.5.57173.439.
I use AVG free, AVG anti Spyware, Spybot S&D, and SpywareBlaster.
Behind a NAT firewall in my D-Link DIR-300 router.
This is not about Comodo firewall, I use that to block this.
I have checked and scanned my system to the hilt.
With everything that exists that I can think of.
And there are no viruses or spyware I can find.
Rootkit Revealer, DrWeb, MalwareBytes, AVG anti spy, AVG anti Virus, Trend Micro HouseCall, McAfee free scan, Symantec security check, Spybot S&D, Adaware, HijackThis, the lot. (Other things I've forgotten.)
There is nothing on here loading up weird, nothing out of the ordinary at all.
But every time I go to file explorer to look through files, or every time I do a windows search to find files.
Explorer.exe, the proper file in the proper place, tries to connect to the internet.
It gives me my DNS IP it tries to connect to, but once I allowed it and it showed the actual IP.
And it was Microsoft in Washington.
I looked through event logs, nothing happened when this happens so it's not time or anything like that.
On my connections in Comodo, I have svchost.exe listening for port 135.
Because if I take that away, I can't network with my other PCs.
The problem is, because I block Explorer.exe from connecting, it lags me because of all the connection attempts.
I have run Wireshark, but all it shows is it trying to connect to DNS like the firewall.
And if I allow it, Wireshark shows it connecting to a Microsoft IP.
I have no automatic updates, no DHCP, I have static IPs.
I have nothing that would want to connect to Microsoft.
Any ideas why Explorer.exe, the base process of WinXP, wants to constantly connect to Microsoft?

Just got the IP.
Location: Unknown

OrgName: Microsoft Corp
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: -
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
RegDate: 1997-03-31
Updated: 2004-12-09

More info here.
No reason for this to happen.
Nothing in logs about it.

Ok so I thought it might be internet search assistant companion thing.
In the search options, it only gives you a choice between choosing an internet search place.
Or this.
With Search companion - provides task suggestions and automatically sends your search to other search engines.
Basically you don’t get a choice.
So I went to this reg key.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Navigate to the Key
“Use Search Asst”
and changed it to “no”.
Then rebooted.
But it still tries to call up Microshaft.

Hi, I block explorer.exe with a firewall rule without any ill effects.

But every time I go to file explorer to look through files, or every time I do a windows search to find files.
windows search still works.

I have had a rule to block this specific IP address for a while. I prefer to not have the text of my Internet search queries sent to Microsoft, if I ever were to use this feature.

This is a good idea. I have had this rule for months now in my application rules for explorer.exe:
Block and log IP out from IP any to IP any where protocol is any.
Every time I do a search I get a log entry.


I had this same problem. On a newly set up computer (before I installed the Comodo Firewall), I only had Windows Firewall on and TCPView. Explorer.exe made a connection to an akamai.net website. Anyone see this? I doubt I was infected or anything because it was a clean reformat.

Even on an unpatched machine, having the firewall turned on will block everything, as long as you don’t download anything yourself while unpatched (example, worms will scan your PC and get nothing - unless you surf to the website and get the worm).

But anyone know anything about akamai.net?

What I mean is, should explorer.exe be connecting to Akamai Technologies? I know svchost.exe does since Microsoft has a deal with them, but explorer.exe?

You can block it and see if any functionality you need breaks. My policy for explorer.exe has just 1 rule now - the block of the IP