www.markmonitor.com

The Razor's Edge

Sep 21, 2015, 6:52:14 AM
Hello;

Anyone have an explanation why explore.exe would be connecting to
www.markmonitor.com?

I do not have explore.exe open nor iexplore.exe either. I have checked
startup and nothing has been added or removed for quite some time and the
only thing different is my change of nntp provider.

VanguardLH

Sep 21, 2015, 7:47:20 AM
You ALWAYS have an instance of explorer.exe running (there is no
explore.exe). It is the desktop. Windows Explorer is both a file
manager and a desktop manager. If you use Task Manager's Processes tab
to kill all instances of explorer.exe then your desktop disappears.

If you enter a URL into the address bar of Windows Explorer, your
default web browser opens. So what is your default web browser?
Internet Explorer (iexplore.exe)? Did you try loading IE by itself in
its safe mode (-extoff command-line switch to eliminate loading add-ons)
to see if IE still connected to www.markmonitor.com?

How did you determine explorer.exe (Windows Explorer) was connecting to
www.markmonitor.com? Did you use SysInternals' TCPview or some other
network monitoring software?

If you have exited IE (iexplore.exe) and still see connections from it,
like running "netstat -a -b -f", are you sure there are no remnant
instances of iexplore.exe running? After exiting IE, or after you
exited and thought all of IE got unloaded, go to Task Manager's
Processes tab and check if there are any remaining instances of
iexplore.exe (be sure to check the option to see processes from all
users).

MarkMonitor is a domain registrar along with providing services for
anti-piracy, anti-fraud, and brand protection. Several large companies
have many of their domains registered through MarkMonitor (e.g., Google
with their 1e100.net domain). So you could be loading a home page or
using extensions that connect to a domain protected by MarkMonitor. For
example, when using TPLs (tracking protection lists) in IE, it has to
get the updated adblocking blacklists from somewhere. When the TPLs get
updated, new blacklists get uploaded.

Not sure how this has anything to do with Windows Update.

The Razor's Edge

Sep 22, 2015, 6:29:12 AM
I guess I should have mentioned that I am using Windows 8.

The Razor's Edge

Sep 22, 2015, 6:29:19 AM

On 21-Sep-2015, VanguardLH <V...@nguard.LH> wrote:

> You ALWAYS have an instance of explorer.exe running (there is no
> explore.exe). It is the desktop. Windows Explorer is both a file
> manager and a desktop manager. If you use Task Manager's Processes tab
> to kill all instances of explorer.exe then your desktop disappears.
>
A typo missed the "R" and yes I know that explorer is the desktop.

> If you enter a URL into the address bar of Windows Explorer, your
> default web browser opens. So what is your default web browser?
> Internet Explorer (iexplore.exe)? Did you try loading IE by itself in
> its safe mode (-extoff command-line switch to eliminate loading add-ons)
> to see if IE still connected to www.markmonitor.com?
>
My default browser is IE10.0.9200.17357 and opens to about:blank. The only
add-ons enabled are Java, with two others, my download manager link verifier
and systran desktop translator disabled. A clean ship no frills.

> How did you determine explorer.exe (Windows Explorer) was connecting to
> www.markmonitor.com? Did you use SysInternals' TCPview or some other
> network monitoring software?

SysInternals v3.05 always loaded and monitored. The established connection
in question is new.
>
> If you have exited IE (iexplore.exe) and still see connections from it,
> like running "netstat -a -b -f", are you sure there are no remnant
> instances of iexplore.exe running? After exiting IE, or after you
> exited and thought all of IE got unloaded, go to Task Manager's
> Processes tab and check if there are any remaining instances of
> iexplore.exe (be sure to check the option to see processes from all
> users).
>
Yes, I opened IE and about:blank and from sysinternals clicked on about and
launched the URL to www.sysinternals.com then closed it. 8 connections
remain established:
6 to EDGECAST-NETBLK-03
1 to AKAMAI
1 to MICROSOFT

These do not bother me because I know who and what they are but why is
Explorer.exe connecting to markmonitor.com when it is only the desktop
loaded along with sysinternals?

> MarkMonitor is a domain registrar along with providing services for
> anti-piracy, anti-fraud, and brand protection. Several large companies
> have many of their domains registered through MarkMonitor (e.g., Google
> with their 1e100.net domain). So you could be loading a home page or
> using extensions that connect to a domain protected by MarkMonitor. For
> example, when using TPLs (tracking protection lists) in IE, it has to
> get the updated adblocking blacklists from somewhere. When the TPLs get
> updated, new blacklists get uploaded.
>
I visited their site to verify who they are and although I am not that
concerned about an open 443 connection established because the amount of
data in is minimal, I still want to know why?

> Not sure how this has anything to do with Windows Update.
Probably nothing but then who knows, it is Windows meng.

VanguardLH

Sep 23, 2015, 3:22:56 AM
The Razor's Edge wrote:

> VanguardLH wrote:
>
>> MarkMonitor is a domain registrar along with providing services for
>> anti-piracy, anti-fraud, and brand protection. Several large companies
>> have many of their domains registered through MarkMonitor (e.g., Google
>> with their 1e100.net domain). So you could be loading a home page or
>> using extensions that connect to a domain protected by MarkMonitor. For
>> example, when using TPLs (tracking protection lists) in IE, it has to
>> get the updated adblocking blacklists from somewhere. When the TPLs get
>> updated, new blacklists get uploaded.
>
> I visited their site to verify who they are and although I am not that
> concerned about an open 443 connection established because the amount of
> data in is minimal, I still want to know why?

Markmonitor is the nameserver for many domains. When you visit a domain
that requires using Markmonitor's DNS server (to get an IP address for
the target site), the lookup may go back to Markmonitor's name server.

DNS requests go out via port 53. As yet, I've not heard there is a
ratified protocol to encrypt DNS requests although I remember reading a
draft or proposal to secure DNS connections (eliminate sniffing or MITM
attack to change who responds to the client's DNS request). I haven't
checked into DNScrypt for a while to know if anyone is using it yet
(https://www.opendns.com/about/innovations/dnscrypt/). Notice I say
*encrypted* DNS, not secure DNS because "secure" rarely means encrypted
versus filtering.

Yet you mentioned port 443 which is the port for encrypted HTTP (HTTPS).
So that takes out the DNS request from your computer via port 53. Do
you have auto-update enabled in any application? They could be
connecting to an update server via HTTPS which uses MarkMonitor's
services.

When you use SysInternals' TCPview to show current connections (well,
current and those waiting to get killed), is the PID (process ID) of the
explorer.exe instance (probably has the lowest PID number) with the
markmonitor connection the one for your desktop or another instance of
explorer.exe?

If you load SysInternals' TCPview and then run "taskkill /im
explorer.exe /f" (which means your desktop disappears), does TCPview show
the connection went away? It should disappear if all instances of
explorer.exe got killed. In TCPview, what is the state of those
markmonitor connections? Are they in CLOSE_WAIT state? All those will
disappear if you configure TCPview to *not* show unconnected endpoints.
Those are old connections whose client-side resources remain defined for
a while to reduce the overhead should a process reconnect to that same
endpoint.

http://blogs.technet.com/b/janelewis/archive/2010/03/09/explaining-close-wait.aspx

If the process that created the connection doesn't complete the close
process then Windows is going to keep that limbo state in place. You
have something that is connecting to MarkMonitor but the defunct old
connections still in CLOSE_WAIT status aren't going to point you at what
created the connection. You need to configure TCPview to *not* show the
connections with unconnected endpoints (the server disconnected but the
client has yet to complete the close) and then watch for what process
creates a new and LISTENING state for a connection to MarkMonitor.

I suspect that explorer.exe is listed as the owning process because it
inherited the connections left behind by an application that badly exited or
crashed. Configure TCPview to *not* show unconnected endpoints (it will
still show CLOSE_WAIT pending disconnects) and watch for what process
creates new connections to MarkMonitor (those in LISTENING or
ESTABLISHED state).

All the LISTENING, CLOSE_WAIT, ESTABLISHED connections can be a bit much
to wade through in TCPview. That tool has no filtering function; i.e.,
you cannot tell it to show connections in specific states or look for
connections with specific endpoints (to where the connection goes).
Nirsoft's CurrPorts (haven't used this much) has filtering but it seems
basic (you cannot pick in which the criteria is applied). Nmap (there
is a Windows version) might allow better filtering but I've not used it
yet (it's in my Software of Interest folder) so you'll have to find out
if it will let you filter on connects just for MarkMonitor.
SysInternals TCPview just doesn't give you enough control over the data
it presents.
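
The state-and-endpoint filtering that the post above says TCPview lacks can be done over plain `netstat -a -o -f` and `tasklist /fo csv /nh` output. This Python sketch is an added example, not part of the original thread; both sample outputs are constructed, and `updater.exe` is a hypothetical process name.

```python
import csv
import io
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of `netstat -a -o -f` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address              State           PID
  TCP    0.0.0.0:135            DESKTOP:0                    LISTENING       788
  TCP    192.168.1.10:49211     www.markmonitor.com:https    CLOSE_WAIT      2456
  TCP    192.168.1.10:49305     www.markmonitor.com:https    ESTABLISHED     3912
  TCP    192.168.1.10:49310     host.example.net:https       ESTABLISHED     3100
  UDP    0.0.0.0:5355           *:*                                          1204
"""

# Constructed sample of `tasklist /fo csv /nh` output; updater.exe is hypothetical.
TASKLIST_SAMPLE = '''\
"svchost.exe","788","Services","0","9,120 K"
"explorer.exe","2456","Console","1","61,004 K"
"iexplore.exe","3100","Console","1","88,332 K"
"updater.exe","3912","Console","1","12,480 K"
'''

def parse_netstat(text):
    """Return one Conn per TCP/UDP row; UDP rows have no state column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        state = f[3] if len(f) == 5 else ""
        conns.append(Conn(f[0], f[1], f[2], state, int(f[-1])))
    return conns

def process_names(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def owners(conns, names, remote_contains, states=("ESTABLISHED", "SYN_SENT")):
    """Connections in the given states to a matching remote, with their owner."""
    return [(names.get(c.pid, "?"), c.pid, c.remote, c.state)
            for c in conns
            if c.state in states and remote_contains.lower() in c.remote.lower()]

if __name__ == "__main__":
    print(owners(parse_netstat(NETSTAT_SAMPLE), process_names(TASKLIST_SAMPLE), "markmonitor"))
```

Passing `states=("CLOSE_WAIT",)` instead lists only the half-closed leftovers, which keeps them apart from whichever process is opening new connections.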

The Razor's Edge

Sep 25, 2015, 5:01:06 AM
Thanks for your input.

I created registry entries to disable application push notifications and
then a firewall rule to deny explorer.exe public access to the internet.

This "SO FAR" seems to have done the trick because there are no more
instances of explorer.exe showing up in sysinternals.

Thanks and should it happen again, I will investigate and reply.

The Razor's Edge

Sep 26, 2015, 10:40:58 PM

On 25-Sep-2015, "The Razor's Edge" <siete-y-me...@muy-profundo.cum>
wrote:

> I created registry entries to disable application push notifications and
> then a firewall rule to deny explorer.exe public access to the internet

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
REG_DWORD – NoToastApplicationNotification
1: Enable
0: Disable

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
REG_DWORD – NoApplicationNotification
1: Enable
0: Disable

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
REG_DWORD – NoCloudApplicationNotification
1: Enable
0: Disable

Problem solved.
Thanks for your input.