explorer.exe attempting ssh connection

Discussion in 'adware, spyware & hijack cleaning' started by tobamore, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. tobamore

    tobamore Registered Member

    Jun 21, 2004
    Hello all,
    Recently I have found a slightly disturbing outbound connection attempt from a single folder through explorer.exe. I have a 'Games' folder on my second physical drive and each time I try to open said folder via explorers folder view (ie it's ok when opening it via tree view) there is a long delay before it opens and displays the games within.
    This made me suspicious and so I checked my firewall connection log and it seems that explorer.exe wants to connect to from port 22 via SSH protocol (the firewall blocks this- hence the delay)
    I have done the obvious and run full TDS3 and Nav 2004 scans and found nothing, I have also ran both Adaware 6.0 and Spybot 1.3 (latest definitions) and found nothing.
    As you may have guessed I am perplexed and concerned by this, here is a copy of my Hijack this log;

    Logfile of HijackThis v1.97.7
    Scan saved at 09:48:28, on 21/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\DriveCrypt\DcrServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\Program Files\Stardock\WindowBlinds\wbload.exe
    C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AnalogX\CookieWall\cookie.exe
    c:\program files\powerstrip\pstrip.exe
    C:\Program Files\The Bat!\TheBat.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\My Files\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.skysports.com/skysports/football
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1\feedback.exe /dump:eek:s_startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\TheBat.EXE
    O4 - Startup: PowerPro.lnk = C:\Program Files\PowerPro\powerpro.exe
    O4 - Global Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {3DDF45E0-9271-11D5-B1C2-000255705902} - http://websecure.freedom.net/store/zksproxy.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    Many thanks in advance.
  2. tobamore

    tobamore Registered Member

    Jun 21, 2004
    bump! I can find nothing on the internet and I'm told that you guys are very helpful, so please advise me? :)
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002

    Does this mean anything to you?
    OrgName: NHI Networks
    OrgID: NHINE
    Address: 530 W 6th St.
    Address: Suite 300
    City: Los Angeles
    StateProv: CA
    PostalCode: 90014
    Country: US

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html

    O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL

    Then reboot.


  4. tobamore

    tobamore Registered Member

    Jun 21, 2004
    Thank you for your reply and in answer to your question, no, it means nothing to me. (other than that is the address to which the ip refers)
    I tried the selected fix and re-booted, but to no avail, have you any more suggestions please?
    Last edited: Jun 21, 2004
  5. tobamore

    tobamore Registered Member

    Jun 21, 2004
    This is an update which may ring some bells for someone out there (hopefully)

    Courtesy of a very helpful person called 'Vanguard'; doesn't have a DNS IP name lookup; i.e., "nslookup" returns no record. However, ARIN's WhoIs () says that IP
    address is allocated to NHI Networks (nhinetworks.com) in Los Angeles,
    CA. When I tried to connect to their assumed home page at www.nhinetworks.com using a safe [text-only] web browser, like SamSpade, all I got was a rude push-off message of "Authorization Required" and "This server could not verify you are authorized ...". Apparently they won't let just anyone connect to their home page. I am running Gamespy, but only on demand (I haven't run it for months)
    http://www.arealhost.com/Details/nhinetworks.php (found through a Google
    search on "nhinetworks.com") says they provide online gaming bandwidth.
    There is a note about spamming from this domain, and SPEWS has them
    blacklisted (see their record at http://spews.org/html/S2507.html
    although I caution that SPEWS is a unresponsive vigilante blacklisting
    service that I had to abandon, along with SORBS since they use the SPEWS
    lists, for use in SpamPal).

    There was mention of nhicolo.com in their nhinetworks.com domain
    registration and in their push-off home page so I went to
    www.nhicolo.com. No content can be seen as they use Javascript to paint
    its content (other than a copyright line noting "NHI Colocation, LLC.").
    Using www.anonymizer.com to look at www.nhicolo.com also doesn't show
    much since it, by default, will block Javascript. A "nslookup
    www.nhicolo.com" returns and a WhoIs lookup says it is for
    New Horizon Collocations (also in Los Angeles). All in all,
    nhinetworks.com and nhicolo.com are a-holes regarding their web sites so
    by their nature make themselves untrustworthy.

    Any ideas?
  6. tobamore

    tobamore Registered Member

    Jun 21, 2004
    I decided to try something and uninstalled a game from Stardock called Galactic Civilizations and eureka it worked, no more sneaky attempted breaches! I'm very annoyed as I only bought the game last week in good faith only to find that it is trying to phone home leaking God knows what! I have sent an email of complaint and await the results, though I still can't see why it would try to phone home via explorer.exe when just opening the parent directory!

    Thanks again for your help, much appreciated.
Thread Status:
Not open for further replies.