Nod32 and

Discussion in 'NOD32 version 2 Forum' started by thesexiestguy, Oct 18, 2007.

Thread Status:
Not open for further replies.
  1. thesexiestguy

    thesexiestguy Registered Member

    Oct 18, 2007
    i m using nod32 3.0.414.0 RC1
    today when i run omnipeek,
    i found that there is an http connection to which was resolved from this ip address
    i m not opening that website in internet explorer
    so i run port explorer from diamond cs
    i can't find anything there
    i lookup that address in google n found that
    that webpage is connected with a TR/agent.baf.1
    i check the port which is connected to that site by using wireshark
    i found that the port is 2037
    i used a lot of programs to catch it red-handed
    but i found that it just connects to that website for a very short time
    or may b just a ping.
    i don't know
    but i found that it is connected by Nod32 finally in sysinternals tcpview
    may b i can find it in other programs if i wait for it to show up
    the fact is
    why would nod32 connect such a website?
    is it not joy4host?
    if not what is that site?
    is it wrongly resolved by omnipeek?
    waiting for ur answers.
  2. webyourbusiness

    webyourbusiness Registered Member

    Nov 16, 2004
    Throughout the USA and Canada
    that IP is not a known update server to my knowledge, and I do not recognize it as a known IP of any Eset site.

    The fact you said that trojan resides on the site - would you REALLY think that Eset is sending you to this page?

    Today I see this page has ZERO length index - so I am unsure what WAS there... let's wait for a comment from someone at Eset...
  3. ASpace

    ASpace Guest


    With v3 it is really possible for ekrn.exe to have established the connection . As you know the kernel in v3 acts as a local proxy . Something that is monitored by EA (either using HTTP port or marked as web-browser or mail client) has made request to that IP ,the kernel has redirected the traffic, thus it was ekrn.exe to establish that connection .

    As it was mentioned numerous times , I would suggestion that the OP contact ESET Technical support for more help if case he suspects being infected :thumb:
Thread Status:
Not open for further replies.