Nod32 and joy4host.com

Discussion in 'NOD32 version 2 Forum' started by thesexiestguy, Oct 18, 2007.

Thread Status:
Not open for further replies.
  1. thesexiestguy

    thesexiestguy Registered Member

    Joined:
    Oct 18, 2007
    Posts:
    1
    I'm using NOD32 3.0.414.0 RC1.
    Today, when I ran OmniPeek, I found that there is an HTTP connection to joy4host.com, which was resolved from this IP address: 209.190.9.34.
    I am not opening that website in Internet Explorer.
    So I ran Port Explorer from DiamondCS, but I can't find anything there.
    I looked up that address in Google and found that the webpage is connected with a TR/agent.baf.1.
    I checked the port which is connected to that site by using Wireshark, and I found that the port is 2037.
    I used a lot of programs to catch it red-handed, but I found that it just connects to that website for a very short time, or maybe it's just a ping. I don't know.
    But I finally found that it is connected by NOD32, in Sysinternals TCPView. Maybe I can find it in other programs if I wait for it to show up.
    The fact is: why would NOD32 connect to such a website?
    Is it not joy4host? If not, what is that site? nod32.com?
    Is it wrongly resolved by OmniPeek?
    Waiting for your answers.

  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    That IP is not a known update server to my knowledge, and I do not recognize it as a known IP of any Eset site.

    Given that you said a trojan resides on the site, would you REALLY think that Eset is sending you to this page?

    Today I see this page has a ZERO-length index, so I am unsure what WAS there... let's wait for a comment from someone at Eset...

  3. ASpace

    ASpace Guest

    @webyourbusiness

    With v3 it is really possible for ekrn.exe to have established the connection. As you know, the kernel in v3 acts as a local proxy. Something that is monitored by EA (either using the HTTP port or marked as a web browser or mail client) has made a request to that IP; the kernel has redirected the traffic, thus it was ekrn.exe that established that connection.

    As has been mentioned numerous times, I would suggest that the OP contact ESET Technical Support for more help in case he suspects being infected :thumb:

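The local-proxy behaviour ASpace describes, as an added example that is not part of the original thread and not ESET's code: a small Python stand-in for a kernel proxy on 127.0.0.1 shows that the upstream server sees the proxy's own source port rather than the original client's, which is why TCPView-style tools attribute the outbound socket to the proxy process (ekrn.exe in the case described). All names, ports and the "GET" message are constructed for the demonstration.

```python
import socket
import threading

# Constructed demonstration: a local proxy (standing in for the NOD32 v3
# kernel, ekrn.exe) accepts a client connection and opens a NEW socket to the
# upstream server. Everything binds to 127.0.0.1; nothing touches the network.

def _serve_once(listener, record):
    """Upstream server: accept one connection, record the peer port, echo."""
    conn, peer = listener.accept()
    with conn:
        record["peer_port"] = peer[1]   # the port the server believes it talks to
        conn.sendall(conn.recv(1024))

def _proxy_once(listener, upstream_addr, record):
    """Local proxy: accept one client, relay one request/reply via its own socket."""
    client, _ = listener.accept()
    with client, socket.create_connection(upstream_addr) as upstream:
        # The proxy's outbound socket is what the OS connection table shows as
        # owned by the proxy process, not by the original client process.
        record["proxy_port"] = upstream.getsockname()[1]
        upstream.sendall(client.recv(1024))
        client.sendall(upstream.recv(1024))

def run_demo():
    """Return (client_port, proxy_port, port_seen_by_server, reply)."""
    server = socket.socket(); server.bind(("127.0.0.1", 0)); server.listen(1)
    proxy = socket.socket(); proxy.bind(("127.0.0.1", 0)); proxy.listen(1)
    record = {}
    t_srv = threading.Thread(target=_serve_once, args=(server, record))
    t_prx = threading.Thread(target=_proxy_once,
                             args=(proxy, server.getsockname(), record))
    t_srv.start(); t_prx.start()
    # The "browser" talks only to the proxy; it never connects to the server.
    with socket.create_connection(proxy.getsockname()) as client:
        client_port = client.getsockname()[1]
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed request
        reply = client.recv(1024)
    t_srv.join(); t_prx.join()
    server.close(); proxy.close()
    return client_port, record["proxy_port"], record["peer_port"], reply

if __name__ == "__main__":
    c, p, seen, _ = run_demo()
    print(f"client port {c}, proxy port {p}, server saw port {seen}")
```

The server-side port always equals the proxy's port, so attributing the connection to ekrn.exe says nothing about which proxied application originally asked for joy4host.com.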