explorer.exe attempting ssh connection

Discussion in 'adware, spyware & hijack cleaning' started by tobamore, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Hello all,
    Recently I have found a slightly disturbing outbound connection attempt from a single folder through explorer.exe. I have a 'Games' folder on my second physical drive, and each time I try to open said folder via Explorer's folder view (i.e. it's OK when opening it via tree view) there is a long delay before it opens and displays the games within.
    This made me suspicious, so I checked my firewall connection log and it seems that explorer.exe wants to connect to 66.54.81.50 from port 22 via SSH protocol (the firewall blocks this, hence the delay).
    I have done the obvious and run full TDS3 and NAV 2004 scans and found nothing; I have also run both Ad-aware 6.0 and Spybot 1.3 (latest definitions) and found nothing.
    As you may have guessed I am perplexed and concerned by this. Here is a copy of my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 09:48:28, on 21/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\DriveCrypt\DcrServ.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\Program Files\Stardock\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    C:\WINDOWS\System32\Grxp4exe.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AnalogX\CookieWall\cookie.exe
    C:\WINDOWS\System32\sstray.exe
    c:\program files\powerstrip\pstrip.exe
    c:\progra~1\popfile\popfileib.exe
    C:\Program Files\The Bat!\TheBat.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    E:\My Files\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.skysports.com/skysports/football
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 studios\Startup Delayer\Startup Launcher.exe"
    O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1\feedback.exe /dump:os_startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
    O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\TheBat.EXE
    O4 - Startup: PowerPro.lnk = C:\Program Files\PowerPro\powerpro.exe
    O4 - Global Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {3DDF45E0-9271-11D5-B1C2-000255705902} - http://websecure.freedom.net/store/zksproxy.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    Many thanks in advance.
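As an added example (not from the thread, the poster, or HijackThis itself), the kind of triage applied to this log can be mechanised: parse the R*/O2/O16 entries and flag IE start/search hosts, ActiveX download hosts and BHO DLL paths that are not on an allow-list. The sample log lines are modelled on entries from the log above, and the allow-lists are constructed for this example only.

```python
import re

# Constructed sample in HijackThis v1.97 log format, modelled on entries from
# the thread; it is not the poster's full log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://msn.skysports.com/skysports/football
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\\PROGRAM FILES\\ZERO KNOWLEDGE\\FREEDOM\\FREEBHOR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O16 - DPF: {3DDF45E0-9271-11D5-B1C2-000255705902} - http://websecure.freedom.net/store/zksproxy.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
"""

# Assumed allow-lists for this example; a real review uses a vetted reference list.
TRUSTED_HOSTS = {"msn.skysports.com", "www-secure.symantec.com"}
TRUSTED_DIRS = ("c:\\program files\\norton antivirus\\",)

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")           # "O2 - BHO: ..."
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)           # host part of a URL
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx)', re.I)  # loaded binary


def parse_entries(log_text):
    """Yield (section, body) for every R*/O* line in a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def review(log_text, trusted_hosts=TRUSTED_HOSTS, trusted_dirs=TRUSTED_DIRS):
    """Return (section, reason) for entries not covered by the allow-lists.

    R0/R1 (IE start and search pages) and O16 (downloaded ActiveX) are judged
    by URL host; O2 (BHOs loaded into the browser process) by DLL path.
    Other sections are left for manual review.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1", "O16"):
            for host in HOST_RE.findall(body):
                if host.lower() not in trusted_hosts:
                    findings.append((section, f"untrusted host {host}"))
        elif section == "O2":
            m = PATH_RE.search(body)
            if m and not m.group(0).lower().startswith(trusted_dirs):
                findings.append((section, f"BHO outside trusted dirs: {m.group(0)}"))
    return findings
```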
     
  2. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Bump! I can find nothing on the internet and I'm told that you guys are very helpful, so please advise me. :)
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Counterquestion:

    Does this mean anything to you?
    OrgName: NHI Networks
    OrgID: NHINE
    Address: 530 W 6th St.
    Address: Suite 300
    City: Los Angeles
    StateProv: CA
    PostalCode: 90014
    Country: US

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search04.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search04.html

    O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL

    Then reboot.

    Regards,

    Pieter
     
  4. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Thank you for your reply, and in answer to your question, no, it means nothing to me (other than that it is the address to which the IP refers).
    I tried the selected fix and rebooted, but to no avail. Have you any more suggestions, please?
     
    Last edited: Jun 21, 2004
  5. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    This is an update which may ring some bells for someone out there (hopefully).

    Courtesy of a very helpful person called 'Vanguard':

    66.54.81.50 doesn't have a DNS IP name lookup; i.e., "nslookup 66.54.81.50" returns no record. However, ARIN's WhoIs says that IP address is allocated to NHI Networks (nhinetworks.com) in Los Angeles, CA. When I tried to connect to their assumed home page at www.nhinetworks.com using a safe [text-only] web browser, like SamSpade, all I got was a rude push-off message of "Authorization Required" and "This server could not verify you are authorized ...". Apparently they won't let just anyone connect to their home page. I am running Gamespy, but only on demand (I haven't run it for months).
    http://www.arealhost.com/Details/nhinetworks.php (found through a Google search on "nhinetworks.com") says they provide online gaming bandwidth. There is a note about spamming from this domain, and SPEWS has them blacklisted (see their record at http://spews.org/html/S2507.html, although I caution that SPEWS is an unresponsive vigilante blacklisting service that I had to abandon, along with SORBS since they use the SPEWS lists, for use in SpamPal).

    There was mention of nhicolo.com in their nhinetworks.com domain registration and in their push-off home page, so I went to www.nhicolo.com. No content can be seen as they use Javascript to paint its content (other than a copyright line noting "NHI Colocation, LLC."). Using www.anonymizer.com to look at www.nhicolo.com also doesn't show much since it, by default, will block Javascript. A "nslookup www.nhicolo.com" returns 66.117.20.14 and a WhoIs lookup says it is for New Horizon Collocations (also in Los Angeles). All in all, nhinetworks.com and nhicolo.com are a-holes regarding their web sites, so by their nature make themselves untrustworthy.

    Any ideas?
     
  6. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    I decided to try something and uninstalled a game from Stardock called Galactic Civilizations, and eureka, it worked: no more sneaky attempted breaches! I'm very annoyed, as I only bought the game last week in good faith, only to find that it is trying to phone home, leaking God knows what! I have sent an email of complaint and await the results, though I still can't see why it would try to phone home via explorer.exe when just opening the parent directory!

    Thanks again for your help, much appreciated.
     