HELP, explorer.exe tries to connect to SSH!


Tobamore

Hello all,
Recently I have found a slightly disturbing outbound connection attempt from
a single folder through explorer.exe. I have a 'Games' folder on my second
physical drive, and each time I try to open said folder via Explorer's folder
view (i.e. it's OK when opening it via tree view) there is a long delay before
it opens and displays the games within.
This made me suspicious, so I checked my firewall connection log, and it
seems that explorer.exe wants to connect to 66.54.81.50 from port 22 via the SSH
protocol (the firewall blocks this, hence the delay).
I have done the obvious and run full TDS3 and NAV 2004 scans and found
nothing; I have also run both Ad-Aware 6.0 and Spybot 1.3 (latest
definitions) and found nothing.
As you may have guessed, I am perplexed and concerned by this. Here is a copy
of my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 09:48:28, on 21/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\System32\sstray.exe
c:\program files\powerstrip\pstrip.exe
c:\progra~1\popfile\popfileib.exe
C:\Program Files\The Bat!\TheBat.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
E:\My Files\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.yyep.com/search/search04.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://msn.skysports.com/skysports/football
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.yyep.com/search/search04.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\PROGRAM
FILES\ZERO KNOWLEDGE\FREEDOM\FREEBHOR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32NT.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 studios\Startup
Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [OutpostFeedBack]
C:\PROGRA~1\Agnitum\OUTPOS~1\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CookieWall] C:\Program
Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Outpost Firewall]
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [BootSkin Startup Jobs]
"C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program
Files\Ontrack\ZipMagic\zm32NT.exe
O4 - HKCU\..\RunOnce: [The Bat!] C:\Program Files\The Bat!\TheBat.EXE
O4 - Startup: PowerPro.lnk = C:\Program Files\PowerPro\powerpro.exe
O4 - Global Startup: Run POPFile.lnk = C:\Program
Files\POPFile\runpopfile.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program
Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window -
C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program
Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet
Explorer\Plugins\NPBelv32.dll
O16 - DPF: symsupportutil -
https://www-secure.symantec.com/tec...supportutil.CAB
O16 - DPF: {3DDF45E0-9271-11D5-B1C2-000255705902} -
http://websecure.freedom.net/store/zksproxy.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry
Information Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab

Many thanks in advance.
 

David

Usually, to avoid this behavior, I disable Explorer's Internet access via my
firewall. It limits search capabilities, but enhances security.
Most likely, someone has set up telnet access on your computer.



Tobamore

I have already created a rule to block access for Explorer, but this doesn't
solve the problem. Any ideas how to track down and kill the problem, please?
I have, as stated, already tried TDS3, NAV 04, Spybot 1.3 and Ad-Aware 6
unsuccessfully.
 

David

Did a search on port number assignments, and 22 is the SSH remote login.
I'd say your system has been compromised. If you don't want to do a
complete re-install, which is what I would do, at least block port 22 with
your firewall. Someone is overriding your system's security, most likely.



Tobamore

Have you any idea how else I may be able to at least check what program is
using it, please?
 

Tobamore

I decided to try something and uninstalled a game from Stardock called
Galactic Civilizations and, eureka, it worked: no more sneaky attempted
breaches! I'm very annoyed, as I only bought the game last week in good faith,
only to find that it is trying to phone home, leaking God knows what! I have
sent an email of complaint and await the results, though I still can't see
why it would try to phone home via explorer.exe when just opening the parent
directory!
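The question "how can I check what program is using it" and the closing puzzle of why a game would phone home "via explorer.exe" have the same answer: Explorer hosts third-party shell extensions (context-menu, column, property-sheet and icon handlers) inside its own process, so a per-application firewall attributes any socket such a DLL opens to explorer.exe, and a handler that fires while a folder listing is drawn shows up exactly as a delay on opening that folder. The script below is an added example, not code from the thread or from any product named in it. It enumerates the standard shell-extension registration points in the registry, resolves each CLSID to its DLL, drops anything under the Windows directory, reports the Authenticode signer, and flags which of those DLLs are mapped into a running explorer.exe. It assumes a modern PowerShell (5.1 or later) on Windows, run elevated so the module list of explorer.exe is readable; the function name `Resolve-ShellExtensionDll` and the output column names are mine.

```powershell
# Added example (not from the thread): list third-party shell extensions that
# Explorer loads in-process and flag which of their DLLs are mapped into
# explorer.exe right now. Assumes PowerShell 5.1+ on Windows, run elevated.
# The registry paths below are the standard shell-extension registration points.

$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Fixed registration points for handlers that fire on files, folders and drives.
$handlerKeys = @(
    'HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\*\shellex\PropertySheetHandlers',
    'HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers',
    'HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers'
)

# Icon handlers are registered per ProgId (HKCR\<ProgId>\shellex\IconHandler) and
# run whenever Explorer draws a folder listing, which matches the "opening the
# folder" trigger in the thread; collect every ProgId that registers one.
$handlerKeys += @(Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    ForEach-Object { "HKEY_CLASSES_ROOT\$($_.PSChildName)\shellex\IconHandler" } |
    Where-Object { Test-Path -LiteralPath "Registry::$_" })

function Resolve-ShellExtensionDll {
    # Map a CLSID to the DLL named by its InprocServer32 key (64-bit view first,
    # then the 32-bit WOW6432Node view, which a 64-bit Explorer does not load).
    param([string]$Clsid)
    foreach ($base in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $val = Get-ItemProperty -LiteralPath "Registry::$base\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($val -and $val.'(default)') {
            return [Environment]::ExpandEnvironmentVariables($val.'(default)')
        }
    }
    return $null
}

# DLLs currently mapped into every explorer.exe instance (lower-cased full paths).
$loaded = @{}
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    try { foreach ($m in $_.Modules) { if ($m.FileName) { $loaded[$m.FileName.ToLowerInvariant()] = $true } } }
    catch { }   # an unreadable module list (access denied) is not fatal
}

$results = foreach ($keyPath in $handlerKeys) {
    $key = Get-Item -LiteralPath "Registry::$keyPath" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    # A handler is either the key itself (IconHandler: default value = CLSID) or one
    # of its subkeys (ContextMenuHandlers: subkey name or default value = CLSID).
    $candidates = @($key) + @(Get-ChildItem -LiteralPath $key.PSPath -ErrorAction SilentlyContinue)
    foreach ($cand in $candidates) {
        $clsid = (Get-ItemProperty -LiteralPath $cand.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($clsid -notmatch $guidPattern) { $clsid = $cand.PSChildName }
        if ($clsid -notmatch $guidPattern) { continue }
        $dll = Resolve-ShellExtensionDll -Clsid $clsid
        # Skip anything under the Windows directory: third-party handlers are the
        # ones to look at when Explorer does something Explorer itself never does.
        if (-not $dll -or $dll.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $signer = 'file missing'
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            $signer = if ($sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { "$($sig.Status)" }
        }
        [pscustomobject]@{
            Handler   = ($cand.PSPath -replace '^.*?::', '')   # registry path without the provider prefix
            CLSID     = $clsid
            DLL       = $dll
            Signer    = $signer
            LoadedNow = $loaded.ContainsKey($dll.ToLowerInvariant())
        }
    }
}

$results | Sort-Object LoadedNow, Signer -Descending | Format-Table -AutoSize
```

Read the output from the top: a handler whose DLL is outside the Windows directory, is unsigned or signed by an unexpected publisher, and is `LoadedNow` is the first suspect for traffic the firewall blames on explorer.exe. To confirm one, unregister it (`regsvr32 /u <dll>`), restart Explorer, and see whether the connection attempt stops; that isolates the culprit without the blunt step of blocking explorer.exe outright, which also breaks legitimate Explorer features. Note that a cleared scan from antivirus or anti-spyware tools says nothing here, since a commercial game's shell extension is neither malware nor spyware by signature, just a DLL doing network I/O inside someone else's process.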
 
