xplorer2_lite attempts to use Firefox via OLE Automation

Urwitz (New Member):
Hello,
I have recently switched to xplorer2_lite, and I'm generally very pleased with this application. One thing concerns me, though: it tries to access the internet by using/hijacking other apps with internet access (Firefox, Thunderbird) through OLE Automation.
Is this intentional, or possibly an indication of malware on my system?
If intentional, can it be turned off? I can't find any relevant settings.
Regards

Urwitz (New Member):
Thanks for the very quick reply!
This is all very intriguing. Definitely xplorer2_lite.exe is trying to use Firefox/T-bird via OLE Automation. I don't know what, if any, differences there are between IE's and Mozilla's object models, but both are on the COM platform, right?
How does xplorer2 use IE?
If xplorer2 is not doing this by itself, I guess something must have hijacked xplorer2, driving it to in turn hijack Firefox. Still, this implies that xplorer2 is capable of launching OLE to Firefox.
The address that xplorer2 is trying to connect to this way is 32.107.37.11
All system scans are coming up empty, but I am hoping to get to the bottom of this somehow.
Regards

fgagnon (Site Admin):
Now that you mention it, nikos, I recall a discussion from a couple of years ago.
Urwitz, you may be interested in the discussion from this old post.
Per windoze "accounting" x2 gets reported as the app initiating web access when used to view files with embedded links.

nikos (Site Admin):
I suppose this is you again?
http://forums.comodo.com/empty-t13756.0 ... 9#msg97029
I'd say scan your system for virus infections or trojans, since xplorer2, especially LITE, does not hit the wire for any immoral reasons. I bet something in your system cloaks itself and appears as xplorer2.

Urwitz (New Member):
nikos wrote:
I suppose this is you again?
http://forums.comodo.com/empty-t13756.0 ... 9#msg97029
I'd say scan your system for virus infections or trojans, since xplorer2, especially LITE, does not hit the wire for any immoral reasons. I bet something in your system cloaks itself and appears as xplorer2.

Yep, it is. Got some screenshots there.
Will do some more system scans (so far coming up clean) and post again if anything comes up. Guess it might also be an embedded shell process under xplorer2 that gets identified this way?

fgagnon (Site Admin):
You have not indicated what you are doing with x2 when the situation you are concerned about occurs.
Past experience (see the thread I referenced above) is that it has been the file folks are viewing with x2 that triggers the process. (And windows can't differentiate between the file being viewed and app being used to do the viewing.)
HTH

Urwitz (New Member):
fgagnon,
typically, I am doing nothing with x2 when these situations occur. I.e. the OLE warnings from Comodo are not related to, say, opening a file. This is why my initial thoughts were that this might be related to e.g. a version check. From the feedback here, this can be excluded, so a trojan or another misbehaving app seems likely.

Urwitz (New Member):
No Quick View or Pre View Pane is open.
The alert is never raised at startup. It comes randomly, sometimes rather quickly, sometimes after several hours. So far, I have not seen any pattern or any correlation with any file operations.
What's bugging me is that my system is coming up clean in all scans, but I will run a number of further scans and utilities and see if anything pops up.

fgagnon (Site Admin):
Speaking of your system -- you never indicated your OS.
(It may be significant.)
Rather than spending a lot of time scanning for what may not be the issue, it may be more helpful to pay attention to what tasks you are doing and try to associate those with the alert events.
Things like ... whether x2 is in background while you are doing something else, or does it only happen when you browse certain folders or filetypes in x2, or only when another particular application is also running, etc...
I'm as puzzled as you are, but have never seen the issue myself except as I referenced above. And being a long time xplorer² user since beta-days, I can vouch for its not initiating the type of behavior you report seeing, nor containing mal-ware of any sort.
By the way, I assume you downloaded x2_Lite from a trusted source, and that you are running the current version (v1.7.0.5).
PS, I just did a whois query on the IPA you cited above [32.107.37.11], and it reports being registered as part of the following very legitimate domain:
OrgName: AT&T Global Network Services
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
Furthermore, when I attempted to access the site you report as trying to be accessed, I get the following message:
Information Alert
Status : 300 Multiple Choices
Description : Your request could not be processed for this multi-homed web site because no host header was present that identifies which host to access
Could it be that this is a false alarm associated with your home network configuration? Of course, when x2 attempts to (auto)refresh its folder panes it necessarily tries to read what you have on your home network. If so, the issue would be why this legitimate access is raising alerts in COMODO. Maybe a firewall setting?

Urwitz (New Member):
fgagnon,
1. XP Prof. SP2
2. From the homepage link to cnet download.com. Being paranoid, even scanned it at VirusTotal...
3. Also did whois, but haven't tried to sniff the packets for the host header, etc., so don't know where it's heading. Note: this is not the only target IP address for the OLE attempts.
4. Unlikely to be a false alarm associated with the home network config, since the IP addresses are external. I don't know how Comodo identifies the OLE attempts and attributes them to xplorer2_lite.exe, but assume that it does this correctly.
Sincere thanks for your input, fgagnon. I have placed an enquiry with the Comodo developers, and will post here if anything meaningful transpires to shed light on this "phenomenon".
Regards
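An added example, not from this thread, from xplorer2's author or from Comodo: nikos's hypothesis above is that something else on the machine hides behind xplorer2, and the last post asks how Comodo attributes the OLE attempts to xplorer2_lite.exe. A personal firewall attributes by process, so a DLL injected into a trusted process is reported under that process's name; the check a practitioner wants is therefore what is loaded inside the blamed process. The script below correlates a foreign IP in `netstat -ano` output with the PID that owns the socket and lists the modules `tasklist /m` reports for that PID, flagging any not in a baseline. The netstat and tasklist text, the PIDs and the module name unkn0wn.dll are constructed samples, and EXPECTED_MODULES is an assumed baseline for the demo only.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (XP layout), not a capture from
# the poster's machine; 32.107.37.11 is the address named in the thread and
# the PIDs are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1044      32.107.37.11:80        SYN_SENT        1532
  TCP    192.168.1.10:1050      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed sample of `tasklist /m` output. tasklist wraps long module lists
# onto indented continuation lines. unkn0wn.dll is a placeholder name, not a
# real file.
TASKLIST_SAMPLE = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
xplorer2_lite.exe             1532 ntdll.dll, kernel32.dll, ole32.dll,
                                   OLEAUT32.dll, unkn0wn.dll
firefox.exe                   2208 ntdll.dll, kernel32.dll, xul.dll
"""

NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Map each foreign IP to the set of PIDs owning a socket to it."""
    owners = defaultdict(set)
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        _proto, _local, foreign, _state, pid = m.groups()
        ip = foreign.rsplit(":", 1)[0]          # drop the port
        if ip not in ("*", "0.0.0.0"):
            owners[ip].add(int(pid))
    return dict(owners)


def _split_modules(chunk):
    """Split one comma-separated module list, dropping blanks and 'N/A'."""
    return [m.strip() for m in chunk.split(",") if m.strip() and m.strip() != "N/A"]


def parse_tasklist_modules(text):
    """Map PID -> (image name, [modules]) from `tasklist /m` output."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():                   # continuation of previous row
            if current is not None:
                procs[current][1].extend(_split_modules(line))
            continue
        m = TASKLIST_ROW.match(line)
        if not m:
            continue
        image, pid, mods = m.groups()
        current = int(pid)
        procs[current] = (image.strip(), _split_modules(mods))
    return procs


def modules_behind_connection(ip, netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE):
    """For every process with a socket to `ip`, return {"image (pid N)": [modules]}."""
    owners = parse_netstat(netstat_text)
    procs = parse_tasklist_modules(tasklist_text)
    found = {}
    for pid in sorted(owners.get(ip, ())):
        if pid in procs:
            image, mods = procs[pid]
            found[f"{image} (pid {pid})"] = mods
    return found


# Assumed baseline for the demo: DLLs a plain Win32 program that uses COM/OLE
# Automation is expected to load. On a real machine, build the baseline from a
# fresh xplorer2_lite install instead of this hand-written set.
EXPECTED_MODULES = {"ntdll.dll", "kernel32.dll", "ole32.dll", "oleaut32.dll"}


def unexpected_modules(mods, expected=EXPECTED_MODULES):
    """Modules not in the baseline (case-insensitive, as Windows file names are)."""
    return sorted(m for m in mods if m.lower() not in expected)


if __name__ == "__main__":
    for proc, mods in modules_behind_connection("32.107.37.11").items():
        print(proc, "loaded:", ", ".join(mods))
        print("  not in baseline:", ", ".join(unexpected_modules(mods)) or "none")
```

Paste real `netstat -ano` and `tasklist /m` output in place of the samples (both tools are present on XP Professional). One limit to keep in mind: when x2 really is driving Firefox through COM, the socket belongs to firefox.exe, so the connection shows under Firefox's PID while the alert names xplorer2_lite.exe as the automation client; listing the modules inside xplorer2_lite.exe is still the relevant step, because that is the process the firewall holds responsible.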