Explorer.exe accessing google?
31 January 2005, 04:30 PM
#1
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Likes: 0
Received 0 Likes
on
0 Posts
Explorer.exe accessing google?
Hello folks,
I recently installed Sygate's Personal Firewall, which has caught explorer.exe trying to access www.google.com.
It doesn't use the same IP every time, it has tried at least three IP addresses (all destination = www.google.com).
Any thoughts on where I should start looking? The process list looks OK, here's the hijackthis log:
And another thing - why can't I preview posts when Sygate's security level is set to normal?
I recently installed Sygate's Personal Firewall, which has caught explorer.exe trying to access www.google.com.
It doesn't use the same IP every time, it has tried at least three IP addresses (all destination = www.google.com).
Any thoughts on where I should start looking? The process list looks OK, here's the hijackthis log:
Originally Posted by hijackthis
Logfile of HijackThis v1.99.0
Scan saved at 20:49:07, on 29/01/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackTh is.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {03EA853F-12E4-450F-B9D8-94144C60C315} - C:\WINNT\system32\ffpo.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {657BA09C-3AB7-45FC-9146-841ADCFBFC67} - (no file)
O2 - BHO: (no name) - {7B75CA51-5C4B-46B5-8D90-E5232B6F3AFE} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O21 - SSODL: ceSfmsMc - {688671FB-C22C-DB51-273F-75E67DD93BCF} - C:\WINNT\system32\hnk.dll
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Scan saved at 20:49:07, on 29/01/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackTh is.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {03EA853F-12E4-450F-B9D8-94144C60C315} - C:\WINNT\system32\ffpo.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {657BA09C-3AB7-45FC-9146-841ADCFBFC67} - (no file)
O2 - BHO: (no name) - {7B75CA51-5C4B-46B5-8D90-E5232B6F3AFE} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O21 - SSODL: ceSfmsMc - {688671FB-C22C-DB51-273F-75E67DD93BCF} - C:\WINNT\system32\hnk.dll
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
31 January 2005, 05:26 PM
#2
Scooby Regular
Join Date: Feb 2000
Location: Please excuse my Spelling - its not the best !!
Posts: 2,538
Likes: 0
Received 0 Likes
on
0 Posts
the message explorer.exe trying to access www.google.com is you trying to access google web page. (explorer being the application, goole the page on theweb want to visit) You want to click yes and put a tick in the remember these setting box.
Google has quite a few differnt ip addresses which all resolve to the name google.com
Richard
Google has quite a few differnt ip addresses which all resolve to the name google.com
Richard
31 January 2005, 05:38 PM
#4
Scooby Regular
Join Date: Feb 2000
Location: Please excuse my Spelling - its not the best !!
Posts: 2,538
Likes: 0
Received 0 Likes
on
0 Posts
i will have a look tonight at home tonight as run sygate on one of my pc's.
I presume you have run the normal ad aware, spybot, virus scanners to be sure nothing nasty in your pc
Richard
I presume you have run the normal ad aware, spybot, virus scanners to be sure nothing nasty in your pc
Richard
31 January 2005, 05:48 PM
#5
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by rsarjantson
i will have a look tonight at home tonight as run sygate on one of my pc's.
I presume you have run the normal ad aware, spybot, virus scanners to be sure nothing nasty in your pc
Richard
I presume you have run the normal ad aware, spybot, virus scanners to be sure nothing nasty in your pc
Richard
I did have a proxy-agent last week, which kept getting into the temp directory, but the firewall has stopped that reappearing.
31 January 2005, 05:57 PM
#6
Scooby Regular
Thread Starter
Join Date: Apr 2003
Location: Location: Location:
Posts: 1,097
Likes: 0
Received 0 Likes
on
0 Posts
I have also removed all references to google in the registry, and references and files relating to gtoolbar from the enormous amount of crap which Real Player put on my system.
I have never had a google toolbar installed on IE or any other program (apart from the above, which I wasn't aware of, with Real Player)
I have never had a google toolbar installed on IE or any other program (apart from the above, which I wasn't aware of, with Real Player)
Thread
Thread Starter
Forum
Replies
Last Post