Two days ago I came across a service that was connected to this suspicious address: weei.istmein.de:https
So I did a Google search, and the results were some Vietnamese pages; I translated them and came to know that there's some trojan activity going on: this service is uploading my Firefox saved passwords and/or other private information to the above-mentioned domain.
When I explored this service in procexp, it showed me that it is running through svchost. Then I tried to open the file location of the service and Windows Explorer opened the svchost.exe dir.
So far I have tried the service manager with no luck. I searched/traversed through every service and none of them were non-Windows services except one, "Nalpeiron Licensing Service", which I know is not a trojan.
Edit: I blocked weei.istmein.de in the Windows\..\hosts file and now there is another service running, connected to the domain alligator.buyshouses.net:https. I don't know if blocking the istmein.de domain in the hosts file was of any help, but now the service seems to be connected to a different domain. It could be possible that the coder was clever and used multiple domains that are randomly chosen by the trojan to upload private information.
Edit 2: So I have analyzed this trojan for the past 2 days now and these are all the domains that this trojan has tried to connect to so far:
alligator.buyshouses.net
examiner.thruhere.net
gssiweb.is-a-chef.net
tmz.is-found.org
wbir.iamallama.com
weei.istmein.de
204-12-250-195.stunna.stond.org
wbir.iamallama.com
I've blocked all these domains in my firewall and now the trojan is not able to connect to them. On top of that I've scheduled a task to search for the process and kill it every 5 seconds. Though the trojan takes at least 3 minutes and 9-12 seconds to re-spawn, I'm still going with the 5-second strategy just to stay on the safe side.
I installed Bitdefender and it didn't detect this process as unsafe, so it didn't take any action against it.
I tried the cmd command "tasklist /SVC" to detect what is running this service. Sadly, the programmer of the trojan was clever enough to make this trojan process run without a trace. When you try to look at which command line invoked the process in procexp it shows this:
C:\Windows\syswow64\svchost.exe
Without arguments, which is weird because every service has some arguments that invoke it.
And when you try to see the service attached to the process in tasklist it shows "N/A"; in Task Manager and procexp the option that takes you to the attached service doesn't appear.
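The two observations in the post (an svchost.exe with no "-k <group>" argument, and tasklist /SVC reporting no service for it) can be turned into a repeatable check. The PowerShell below is an added example, not code from the original post or from any tool mentioned in it: it lists every svchost.exe instance that either lacks the "-k" argument, hosts no registered service, or does not run from System32 or SysWOW64, and prints its established TCP connections so the remote endpoints can be compared with the domain list above. It assumes an elevated session on Windows 8 / Server 2012 or later (Get-NetTCPConnection); the function name Get-SuspiciousSvchost is the example's own.

```powershell
# Added example, not from the original post. Flags svchost.exe processes that
# look unlike a genuine service host and shows where they are connected.
# Assumes an elevated PowerShell session (otherwise CommandLine may be empty
# for processes owned by other accounts) and Get-NetTCPConnection (Win8+).

function Get-SuspiciousSvchost {
    # The two locations a legitimate service host is expected to run from
    $expectedPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # Map PID -> names of services the SCM says are running inside that PID
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        if (-not $servicesByPid.ContainsKey($svc.ProcessId)) { $servicesByPid[$svc.ProcessId] = @() }
        $servicesByPid[$svc.ProcessId] += $svc.Name
    }

    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $hosted   = $servicesByPid[$proc.ProcessId]               # $null when no service maps here
        $hasGroup = $proc.CommandLine -match '(?i)\s-k\s+\S+'     # real svchost is started as "svchost.exe -k <group>"
        $onPath   = $expectedPaths -contains $proc.ExecutablePath

        # A genuine service host satisfies all three; skip those
        if ($hasGroup -and $hosted -and $onPath) { continue }

        $remotes = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue |
                   ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            PID         = $proc.ProcessId
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "$($proc.ParentProcessId) (exited)" }
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Services    = ($hosted -join ', ')
            Remote      = ($remotes -join ' ')
            Reason      = @(
                if (-not $hasGroup) { 'no -k argument' }
                if (-not $hosted)   { 'hosts no service' }
                if (-not $onPath)   { 'unexpected path' }
            ) -join '; '
        }
    }
}

Get-SuspiciousSvchost | Format-List
```

Legitimate service hosts are started by services.exe with a "-k" group, so a hit whose parent is anything else (for example explorer.exe or another svchost.exe) and whose Services column is empty is the kind of process the post describes; the Remote column gives the IP:port pairs to resolve and compare against the blocked domains. Run it from a 64-bit elevated prompt so that the 32-bit SysWOW64 instance mentioned in the post is visible with its command line.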