"peradjoka.t35.com"

Discussion in 'ESET Smart Security' started by Tale, May 26, 2009.

Thread Status:
Not open for further replies.
  1. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Greetings to all,

    this morning one of the office computers presented an ESET notification message:

    "Address has been blocked
    URL address:
    "peradjoka.t35.com/COMPUTER_NAME/1.rar
    IP address:
    66.45.237.219:80"

    It repeated until restart.

    There are no logs of this event in log window.

    What to do?
     
  2. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    It could be an infection of an Autoit malware.
    Older variants were located here:
    c:\Win\lsass.exe
    When you find it submit it if it is undetected.
     
  3. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    But there was nothing to submit..

    Logs are clear.

    Scanning showed no threats.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the file c:\Win\lsass.exe is not detected, locate it on the disk and send it in an archive protected with the password "infected" to samples[at]eset.sk
     
  5. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    I just checked out the URL in question and, as was reported, ESS blocks this website, meaning the PC didn't connect to the site, therefore no chance of infection. (Network connections view in ESS and my own TCP Viewer confirm this...no connection). So no need to worry :)
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What about c:\Win\lsass.exe that I've asked you to check if it actually exists on the disk?
     
  7. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    No, c:\Win\lsass.exe does not exist.

    What I am worried about is that the computer was in a state in which ESET continuously popped up a notification window, as if something on the computer repeatedly tried to connect to that IP address.

    And I could not find that "something".

    The event occurred right after switching on that computer.

    EDIT: found the standard lsass file in system32 (WIN XP Pro SP3). Sent them to samples[at]eset.sk.
     
  8. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Perhaps you would like to create a SysInspector log and send it, for example, to Marcos?
     
  9. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Yes, I'd like to, but not until tomorrow.

    Work day is over.
     
  10. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Marcos, any new ideas?
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    If you issue a "netstat -b -f" command at the Command Prompt (filename: CMD.EXE), does it show which program is attempting to access the Internet host in question?

    Regards,

    Aryeh Goretsky
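    The check Aryeh describes (identify which process owns the connection to the blocked host) on a current Windows version, as an added example that is not part of the thread. It uses Get-NetTCPConnection, which exists on Windows 8 / Server 2012 and later; on the XP machine in this thread "netstat -b" is the equivalent. The remote address is the one from the ESET alert above; the polling window of 120 seconds is an assumption, chosen because a connection attempt that the firewall blocks is only visible for a moment, so a single snapshot (as in post #12) can easily miss it.

```powershell
# Added example (not from the thread): watch for TCP endpoints to a given remote
# address for a while and record which process owns each one.
$remoteIp = '66.45.237.219'   # address from the ESET alert in this thread
$seconds  = 120               # how long to watch; assumed value, adjust as needed
$seen     = @{}               # OwningProcess id -> first sighting

$deadline = (Get-Date).AddSeconds($seconds)
while ((Get-Date) -lt $deadline) {
    # -ErrorAction SilentlyContinue: the cmdlet throws when nothing matches
    Get-NetTCPConnection -RemoteAddress $remoteIp -ErrorAction SilentlyContinue |
        ForEach-Object {
            $procId = $_.OwningProcess      # ($pid is a reserved automatic variable)
            if (-not $seen.ContainsKey($procId)) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $seen[$procId] = [pscustomobject]@{
                    Time   = Get-Date
                    PID    = $procId
                    Name   = $proc.Name
                    Path   = $proc.Path     # full image path, if accessible
                    Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                    State  = $_.State       # SynSent is typical for a blocked attempt
                }
            }
        }
    Start-Sleep -Milliseconds 200           # poll often; blocked SYNs are short-lived
}

if ($seen.Count -eq 0) {
    "No connections to $remoteIp observed in $seconds seconds."
} else {
    $seen.Values | Format-Table -AutoSize
}
```

    Run it from an elevated PowerShell shortly after logon, since the alert in this thread appeared right after the machine was switched on; an entry whose Path points outside the expected program or system directories is the process to submit as a sample.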
     
  12. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Good morning.

    I just issued "netstat -b" and found no suspicious connections.

    I will try again if I see mentioned notification again.
     
  13. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    @Marcos:

    Can I somehow send you the SysInspector log?
     
    Last edited: May 27, 2009
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Send it to samples[at]eset.com with this thread's url in the subject please.
     
  15. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Sent.

    Thx.
     
  16. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Indeed there is a record in the registry referring to the malware:
    Important Registry Entries
    - Standard Autostart
    --"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown ) ;
    --- "run32" = "C:\Win\lsass.exe" ( 5: Unknown ) ;

    Right-click it in SysInspector, choose "Open in RegEdit" and delete the run32 record.
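    A scripted version of the check danieln made by hand above, as an added example that is not part of the thread: enumerate the Run / RunOnce autostart values and flag any whose image file no longer exists or whose file name matches a Windows system binary but lives outside %SystemRoot%\System32 (the "C:\Win\lsass.exe" entry in this thread would be flagged on both counts once the file is gone). The list of system binary names is an assumption; extend it as you see fit.

```powershell
# Added example (not from the thread): audit Run-key autostart entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Names of system binaries that malware likes to borrow (assumed list, not exhaustive)
$systemNames = @('lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe')
$system32    = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        $cmd = [string]$p.Value
        # The value is a command line: take the quoted image path, or the first token
        $image = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
        if ([string]::IsNullOrWhiteSpace($image)) { continue }
        $name  = (Split-Path -Leaf $image).ToLower()
        $flags = @()
        if (-not (Test-Path -LiteralPath $image)) {
            $flags += 'image file missing'          # stale entry, like run32 after cleanup
        }
        if ($systemNames -contains $name -and
            -not $image.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'system binary name outside System32'
        }
        [pscustomobject]@{
            Key   = $key
            Value = $p.Name
            Image = $image
            Flags = ($flags -join '; ')
        }
    }
}

# Show everything, suspicious entries first
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

    Entries with an empty Flags column are ordinary; the ones flagged are what to look at in RegEdit, and a flagged image that still exists on disk is what to archive and send to samples[at]eset.com as Marcos describes.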
     
  17. Tale

    Tale Registered Member

    Joined:
    May 26, 2009
    Posts:
    9
    Done.

    Thx very much.

    I'll keep observing that computer.
     