Infection with unknow malware - KillSwitch pointed to ""

I’ve seen such process in Comodo KillSwitch many times and always wondered what’s that:

See that unnamed process?

I made quick research - this current address points to this address → which belongs to Norwegian ISP.

Also, earlier I noticed that this process point to domain which is owned by:

Embedded, Microcontroller (AVR & ARM), (Postgres)SQL, C, Python, PHP, Web (HTML, Ajax, Javascript), *nix Programming and Consulting.

Contact me for details

Trixing Jan Dittmer

Jan Dittmer
Rankestrasse 17
38102 Braunschweig

Mail info[at]
Phone +49 531 3884121
Fax +49 531 3884124

Steuernummer 2314 01410900344
Umsatzsteuerid DE245062019

Last Modified: Braunschweig, 31.12.2010
Created: Braunschweig, 21.10.2005

But was closed since Dec 14, 2010. I’ve never surfed to that domain, so I assume that malware hidden on my PC connects with this server - I just can’t believe that malware creator would use domain that is tight connected with it’s real personal data. His server must have been infected and used as one of C&C servers. Also, the host also must be infected.

Now, how to find this ■■■■? I’ve scanned earlier using F-Secure rescue disk, Kaspersky Rescue disk and Comodo Rescue Disk - every time full scan was made. And nothing was found.
Also I’ve made a scan few days ago using MalwareByte’s Anti-Rootkit - also nothing has been found. Even MS Security Essentials didn’t helped.

Assuming that it may be some evil rootkit, must I use SysInternals suite, because nothing will help me?
I must note that I don’t understand Windows OS registry still - could some of you propose me a could source for learning Windows registry?

Thanks and cheers!

first of all, this is the power of Killswitch, difficult to hide from it.

can u upload the file for analysis so that our guys can see what it is for you.


But I can’t find this file. I even don’t know what I have to search for. Just check:

It also can sniff my connections.

Comodo KillSwitch just now informed me with tray pop-up info, that new service has been made: MpKsl3deff94a which is driver and currently running. I assume that rootkit on my system had just an update?

Analysis on VirsuTotal shows that it is some variant of KSLDriver.sys file which belongs to Microsoft Malware Protection. Indeed, few minutes ago MS Security Essentials has started it’s scheduled “Quick Scan”. But this service was reported by KillSwitch few minutes after scan has started. And google has no info on this service name MpKsl3deff94a. So it looks like it’s positive service, but was created by MS Security Essentials during scan with random name…
And this hidden process I’ve reported earlier, is again spying on me - recently it was off, but now again is working.

Another connections that were else logged or made by this malware:, and Looks like I’ll have to use SysInternals.

I can’t address your main issue, but just wanted to say that many anti-malware scanners create a service with random names when you launch the process, and you’ll never find anything on them with Google. Scanning with CCE does this also. Even running KillSwitch creates such a service; try running KS and then look under your system events viewer. You’ll find something like: “The vljmy service was sent a start control.”

Yeah, I already realized that.

But my main concern is that this malicious process, which was described in my first post, is hidden, has no visible name and file associated to and I can’t find this on my HDD.
KillSwitch only sees what connections it is making or sniffing, but can’t stop it or track it down and neutralize, then upload to analysis…

I once presented a similar question here when I noticed connections from a blank process.

The user “Radaghast” had this to say:

Unfortunately, what you're seeing in KillSwitch isn't quite what you think it is, as a vital piece of information is missing, the process name! The connections with a TIME_WAIT condition actually don't belong to svchost but to another process called System Idle Process which always has a Process ID of 0 (zero) Basically, when a connection closes, it's not instantly terminated. The application to which the connection formally belonged, is passed to the operating system (System Idle Process) while the connection is actually terminated. During this time the connection is shown in a TIME_WAIT state.

I’m guessing those connections you see under the blank process, are connections from Firefox that get passed over to System Idle Process once the connection status changes to “Time Wait”. As for whether or not that connection was originally established by malware or not, I won’t try to pretend like I’m qualified to give definite answers. But when visiting certain websites, I also have seen connections being established to other websites that aren’t seemingly related but, at the end of the day, actually are, in one way or another. So the fact that you didn’t specifically visit the website that you see the connection to, (I think) doesn’t necessarily indicate that malware is making that connection.

But hopefully someone more qualified will show up to answer your question.

Thanks for reply, I’ll check this more carefully. But it would be nice, to have KillSwitch and AutoRuns integrated into Comodo Rescue Disk.