explorer.exe attempting ssh connection

Hello all,
Recently I have found a slightly disturbing outbound connection attempt from a single folder through explorer.exe. I have a 'Games' folder on my second physical drive and each time I try to open said folder via explorers folder view (ie it's ok when opening it via tree view) there is a long delay before it opens and displays the games within.
This made me suspicious and so I checked my firewall connection log and it seems that explorer.exe wants to connect to 66.54.81.50 from port 22 via SSH protocol (the firewall blocks this- hence the delay)
I have done the obvious and run full TDS3 and Nav 2004 scans and found nothing, I have also ran both Adaware 6.0 and Spybot 1.3 (latest definitions) and found nothing.
As you may have guessed I am perplexed and concerned by this, here is a copy of my Hijack this log;

Logfile of HijackThis v1.97.7
Scan saved at 09:48:28, on 21/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\System32\sstray.exe
c:\program files\powerstrip\pstrip.exe
c:\progra~1\popfile\popfileib.exe
C:\Program Files\The Bat!\TheBat.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
E:\My Files\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.skysports.com/skysports/football
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\TheBat.EXE
O4 - Startup: PowerPro.lnk = C:\Program Files\PowerPro\powerpro.exe
O4 - Global Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {3DDF45E0-9271-11D5-B1C2-000255705902} - http://websecure.freedom.net/store/zksproxy.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Many thanks in advance.

 

bump! I can find nothing on the internet and I'm told that you guys are very helpful, so please advise me?

 

Counterquestion:

Does this mean anything to you?
OrgName: NHI Networks
OrgID: NHINE
Address: 530 W 6th St.
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90014
Country: US

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html

O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL

Then reboot.

Regards,

Pieter

 

Thank you for your reply and in answer to your question, no, it means nothing to me. (other than that is the address to which the ip refers)
I tried the selected fix and re-booted, but to no avail, have you any more suggestions please?

 

This is an update which may ring some bells for someone out there (hopefully)

Courtesy of a very helpful person called 'Vanguard';

66.54.81.50 doesn't have a DNS IP name lookup; i.e., "nslookup
66.54.81.50" returns no record. However, ARIN's WhoIs () says that IP
address is allocated to NHI Networks (nhinetworks.com) in Los Angeles,
CA. When I tried to connect to their assumed home page at www.nhinetworks.com using a safe [text-only] web browser, like SamSpade, all I got was a rude push-off message of "Authorization Required" and "This server could not verify you are authorized ...". Apparently they won't let just anyone connect to their home page. I am running Gamespy, but only on demand (I haven't run it for months)
http://www.arealhost.com/Details/nhinetworks.php (found through a Google
search on "nhinetworks.com") says they provide online gaming bandwidth.
There is a note about spamming from this domain, and SPEWS has them
blacklisted (see their record at http://spews.org/html/S2507.html
although I caution that SPEWS is a unresponsive vigilante blacklisting
service that I had to abandon, along with SORBS since they use the SPEWS
lists, for use in SpamPal).

There was mention of nhicolo.com in their nhinetworks.com domain
registration and in their push-off home page so I went to
www.nhicolo.com. No content can be seen as they use Javascript to paint
its content (other than a copyright line noting "NHI Colocation, LLC.").
Using www.anonymizer.com to look at www.nhicolo.com also doesn't show
much since it, by default, will block Javascript. A "nslookup
www.nhicolo.com" returns 66.117.20.14 and a WhoIs lookup says it is for
New Horizon Collocations (also in Los Angeles). All in all,
nhinetworks.com and nhicolo.com are a-holes regarding their web sites so
by their nature make themselves untrustworthy.

Any ideas?

 

I decided to try something and uninstalled a game from Stardock called Galactic Civilizations and eureka it worked, no more sneaky attempted breaches! I'm very annoyed as I only bought the game last week in good faith only to find that it is trying to phone home leaking God knows what! I have sent an email of complaint and await the results, though I still can't see why it would try to phone home via explorer.exe when just opening the parent directory!

Thanks again for your help, much appreciated.