ROOTKIT ? : Explorer.exe tries to connect to an unusual address on port 80

I get these firewall events from time to time:

  • explorer.exe tries to connect to sites using the port 80

Here is an example (see image).

The address 199.7.71.190 belongs to Verisign, so maybe that's ok.

But the other address 212.4.67.72 belongs to “Telezug AG CableTV”. So why is Explorer.exe trying to connect to it ???

Should I be worried that a rootkit has been installed on my machine ?

[attachment deleted by admin]

Verisign is a certificate authority. Explorer is just checking a certificate of a digitally signed application signed by Verisign. Nothing to worry about.

Sorry to step in, but are you sure Eric? cmdagent.exe would certainly connect to check a digital signature, but explorer.exe?

Certificate Revocation checking works slightly differently with more recent versions of Windows (Vista/2008 and above). However, there are different kinds of checks performed. Certificates related to web sites are typically checked by the browser, and code signatures are typically checked by explorer.

You can check this behaviour. For browser CRL/OCSP checking:

Internet Explorer - Control Panel/Internet properties/Advanced
Firefox - Options/Advanced/Encryption/Validation

If you've downloaded a digitally signed file you can check its certificate by:

File/Properties/Digital Signatures/Details

Depending on your rules for Explorer.exe and whether logging is enabled for the process, performing this procedure will cause events to be generated. (image)

[attachment deleted by admin]
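To put a name to a firewall event like the one in the first post, you can list the CRL and OCSP URLs embedded in a signed file's certificate chain and compare the hosts (or the addresses they resolve to) with the destination the firewall logged. The PowerShell script below is an added example for this thread, not code posted by anyone here or shipped by any firewall vendor. It assumes Windows with PowerShell 2.0 or later; the default path is only a placeholder, so pass -Path with the file you actually downloaded.

```powershell
# Added example, not from the original thread: list the CRL / OCSP endpoints that
# a signed file's certificate chain points at, so a firewall event for explorer.exe
# can be matched to a revocation-check host instead of guessed at.
# Assumptions: Windows with PowerShell 2.0 or later; the default path is only a
# placeholder, pass -Path to point the script at the file you downloaded.
param(
    [string]$Path = "$env:SystemRoot\System32\notepad.exe",
    [switch]$Resolve   # also resolve each host to IP addresses (this does generate DNS traffic)
)

function Get-RevocationEndpoints {
    param(
        [Parameter(Mandatory=$true)][string]$FilePath,
        [switch]$Resolve
    )

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.SignerCertificate -eq $null) {
        Write-Warning ("{0}: no Authenticode signature (status {1})" -f $FilePath, $sig.Status)
        return
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status is {1}" -f $FilePath, $sig.Status)
    }

    # Both the signer and the timestamp countersigner have chains that may be checked.
    $leaves = @($sig.SignerCertificate)
    if ($sig.TimeStamperCertificate -ne $null) { $leaves += $sig.TimeStamperCertificate }

    foreach ($leaf in $leaves) {
        # Build the chain offline: RevocationMode NoCheck means running this
        # script does not itself trigger the network access being investigated.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            foreach ($ext in $cert.Extensions) {
                # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority
                # Information Access (OCSP responder and CA issuer URLs).
                $kind = $null
                if ($ext.Oid.Value -eq '2.5.29.31')             { $kind = 'CRL' }
                elseif ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') { $kind = 'AIA' }
                if ($kind -eq $null) { continue }

                # Let the crypto API render the extension as text, then pull the
                # URLs out of it rather than hand-decoding the ASN.1.
                $text = $ext.Format($true)
                foreach ($m in [regex]::Matches($text, 'https?://[^\s,]+')) {
                    $url      = $m.Value
                    $hostName = ([uri]$url).Host
                    $ips      = ''
                    if ($Resolve) {
                        try {
                            $ips = ([System.Net.Dns]::GetHostAddresses($hostName) |
                                    ForEach-Object { $_.IPAddressToString }) -join ' '
                        } catch { $ips = 'unresolved' }
                    }
                    New-Object PSObject -Property @{
                        Kind    = $kind
                        Host    = $hostName
                        IPs     = $ips
                        Url     = $url
                        Subject = $cert.Subject
                    }
                }
            }
        }
    }
}

Get-RevocationEndpoints -FilePath $Path -Resolve:$Resolve |
    Format-Table Kind, Host, IPs, Url, Subject -AutoSize
```

Run it as `.\Get-RevocationEndpoints.ps1 -Path C:\Downloads\setup.exe -Resolve` (script name assumed) and compare the Host and IPs columns with the address in the firewall log. Two caveats: CRL and OCSP hosts are usually served from content delivery networks, so the address you resolve today may not be the one logged earlier, and matching on the hostname is more reliable than matching on the IP; and an address that belongs to none of the listed hosts, for any of the signed files you opened, is exactly the case this script cannot explain away.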

Thank you all for your answers. My system is Windows XP with the latest service pack and kept up to date.

I’ll try to see if I can get more info on this behavior.

My apologies to EricJH for having expressed doubt. Really sorry. I've always thought it was not advised to let explorer.exe access the net, wrongly apparently.