Infection with unknown malware - KillSwitch pointed to "h0.trixing.net"

I’ve seen such process in Comodo KillSwitch many times and always wondered what’s that:


See that unnamed process?

I did some quick research - the current address 236.81-166-122.customer.lyse.net points to http://www.lyse.no/, which belongs to a Norwegian ISP.

Also, earlier I noticed that this process pointed to the h0.trixing.net domain, which is owned by:

Embedded, Microcontroller (AVR & ARM), (Postgres)SQL, C, Python, PHP, Web (HTML, Ajax, Javascript), *nix Programming and Consulting.

Contact me for details

Trixing Jan Dittmer

Jan Dittmer
Rankestrasse 17
38102 Braunschweig

Mail info[at]trixing.de
Web http://www.trixing.de, http://www.trixing.net, http://www.trixing.com
Phone +49 531 3884121
Fax +49 531 3884124

Steuernummer 2314 01410900344
Umsatzsteuerid DE245062019

Last Modified: Braunschweig, 31.12.2010
Created: Braunschweig, 21.10.2005

But it has been closed since Dec 14, 2010. I’ve never surfed to that domain, so I assume that malware hidden on my PC connects to this server - I just can’t believe that a malware creator would use a domain that is tightly connected with his real personal data. His server must have been infected and used as one of the C&C servers. Also, the host 236.81-166-122.customer.lyse.net must be infected too.

Now, how to find this ■■■■? I’ve scanned earlier using the F-Secure rescue disk, Kaspersky Rescue Disk and Comodo Rescue Disk - a full scan was made every time. And nothing was found.
Also I made a scan a few days ago using Malwarebytes Anti-Rootkit - nothing was found either. Even MS Security Essentials didn’t help.

Assuming that it may be some evil rootkit, must I use the Sysinternals suite, because nothing else will help me?
I must note that I still don’t understand the Windows registry - could some of you propose a good source for learning the Windows registry?

Thanks and cheers!

First of all, this is the power of KillSwitch; it is difficult to hide from it.

Can you upload the file for analysis so that our guys can see what it is for you.

thanks
Melilh

But I can’t find this file. I don’t even know what I have to search for. Just check:


It can also sniff my connections.

Comodo KillSwitch just now informed me with a tray pop-up that a new service has been created: MpKsl3deff94a, which is a driver and is currently running. I assume that the rootkit on my system has just had an update?

Analysis on VirusTotal shows that it is some variant of the KSLDriver.sys file which belongs to Microsoft Malware Protection. Indeed, a few minutes ago MS Security Essentials started its scheduled “Quick Scan”. But this service was reported by KillSwitch a few minutes after the scan had started. And Google has no info on this service name MpKsl3deff94a. So it looks like it’s a legitimate service, but was created by MS Security Essentials during the scan with a random name…
And this hidden process I reported earlier is again spying on me - recently it was off, but now it is working again.

Other connections that were logged or made by this malware: 216.137.61.145, 108.161.189.111 and 23.51.161.224. Looks like I’ll have to use Sysinternals.

I can’t address your main issue, but just wanted to say that many anti-malware scanners create a service with a random name when you launch the process, and you’ll never find anything on them with Google. Scanning with CCE does this also. Even running KillSwitch creates such a service; try running KS and then look in your system Event Viewer. You’ll find something like: “The vljmy service was sent a start control.”

Yeah, I already realized that.

But my main concern is that this malicious process, which was described in my first post, is hidden, has no visible name or file associated with it, and I can’t find it on my HDD.
KillSwitch only sees what connections it is making or sniffing, but can’t stop it or track it down and neutralize it, then upload it for analysis…

I once presented a similar question here when I noticed connections from a blank process.

The user “Radaghast” had this to say:

Unfortunately, what you're seeing in KillSwitch isn't quite what you think it is, as a vital piece of information is missing, the process name! The connections with a TIME_WAIT condition actually don't belong to svchost but to another process called System Idle Process which always has a Process ID of 0 (zero). Basically, when a connection closes, it's not instantly terminated. The application to which the connection formerly belonged is passed to the operating system (System Idle Process) while the connection is actually terminated. During this time the connection is shown in a TIME_WAIT state.

I’m guessing those connections you see under the blank process, are connections from Firefox that get passed over to System Idle Process once the connection status changes to “Time Wait”. As for whether or not that connection was originally established by malware or not, I won’t try to pretend like I’m qualified to give definite answers. But when visiting certain websites, I also have seen connections being established to other websites that aren’t seemingly related but, at the end of the day, actually are, in one way or another. So the fact that you didn’t specifically visit the website that you see the connection to, (I think) doesn’t necessarily indicate that malware is making that connection.

But hopefully someone more qualified will show up to answer your question.
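The explanation quoted above can be checked on any Windows box from a plain `netstat -ano` listing: sockets in TIME_WAIT no longer belong to any process, so netstat reports PID 0 for them, and that is exactly what a "blank process" with only TIME_WAIT rows looks like. The script below is an added example, not code from the thread or from Comodo. It parses a constructed sample of `netstat -ano` output (the addresses are RFC 5737 documentation ranges, not real hosts) and separates the expected PID-0 TIME_WAIT remnants from any PID-0 row in another state, which is the only kind that would justify a closer look with a tool such as Sysinternals TCPView or Process Explorer. The function names `parse_netstat` and `triage_pid0` are my own.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output for this example only; it is
# not a capture from the poster's machine. Addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.10:49731    192.0.2.10:80          TIME_WAIT       0
  TCP    192.168.56.10:49732    192.0.2.10:443         TIME_WAIT       0
  TCP    192.168.56.10:49740    198.51.100.7:443       ESTABLISHED     2312
  TCP    192.168.56.10:49755    203.0.113.5:8080       ESTABLISHED     0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# One netstat row: protocol, local, remote, optional state (UDP has none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Turn raw `netstat -ano` text into a list of connection dicts.

    Banner, header and blank lines do not match the row pattern and are skipped.
    """
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        conns.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote": m["remote"],
            "state": m["state"] or "",   # UDP rows carry no state column
            "pid": int(m["pid"]),
        })
    return conns


def triage_pid0(conns):
    """Classify the rows netstat attributes to PID 0 (the "blank process").

    TIME_WAIT rows under PID 0 are the normal remnants of sockets that an
    application has already closed. Any other TCP state under PID 0 is
    unusual and is returned for manual review.
    """
    remnants = 0
    needs_review = []
    for c in conns:
        if c["proto"] != "TCP" or c["pid"] != 0:
            continue
        if c["state"] == "TIME_WAIT":
            remnants += 1
        else:
            needs_review.append((c["remote"], c["state"]))
    return {"time_wait_remnants": remnants, "needs_review": needs_review}


def remote_hosts_by_state(conns):
    """Count (remote host, state) pairs so recurring peers stand out."""
    return Counter(
        (c["remote"].rsplit(":", 1)[0], c["state"])
        for c in conns if c["proto"] == "TCP"
    )


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    report = triage_pid0(rows)
    print(f"PID-0 TIME_WAIT remnants (expected): {report['time_wait_remnants']}")
    for remote, state in report["needs_review"]:
        print(f"PID-0 row worth a closer look: {remote} ({state})")
    for (host, state), n in remote_hosts_by_state(rows).most_common():
        print(f"{host:16} {state:12} x{n}")
```

On a real machine, feed the script the output of `netstat -ano` instead of the sample; if every PID-0 row is TIME_WAIT, the blank entry in KillSwitch is just closed connections waiting to expire, whichever program opened them.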

Thanks for the reply, I’ll check this more carefully. But it would be nice to have KillSwitch and AutoRuns integrated into the Comodo Rescue Disk.

Cheers!