 

getting the process list/tree from your dump

vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 pstree > pstree.txt

File "pstree.txt"

Now find the corresponding program name that owns the PID found in the strange network connection.

So it looks like a service was installed for some reason. Let's try to find out what it is for.

http://searchtasks.answersthatwork.com/tasklist.php?File=Daemonu

That tells me it's an Nvidia update service.

Going back to the network connections and assuming that nvtray.exe is part of the Nvidia software as well, it starts to make sense.

Keeping the main question in mind gets me back to searching for known PUA or malware, but uninstalling or deactivating that service is surely worth a try.

(And as there had been an endless number of HP-related connections due to some OfficeJet software, I uninstalled this as well, with the effect of a much faster machine.) The reason for this seems to be a loop.

strange ...?

While reading and digging around, I found the situation below.

HPNetworkCommunicator is the "father" of explorer.exe (why would that process need explorer.exe?). Even stranger is the fact that explorer.exe was started by the HP process one day before the HP process itself was created. ...???...

Well, I'm very new to memory analysis and this might be quite normal. But let's put this situation on the list of things to investigate more deeply.
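Both steps above (looking up the image name that owns a PID taken from the network-connection listing, and spotting a parent that appears younger than its child) can be done mechanically over the saved pstree output. The following is an added example, not code from the original post or from Volatility: it parses a constructed listing in the layout of Volatility 2 "pstree" output (PIDs, offsets and timestamps are invented; only the explorer.exe / HPNetworkCommunicator pair is modelled on the situation described above) and flags parent/child pairs whose timeline is impossible. The check is useful because a process's EPROCESS only records the parent's PID, not the parent itself; once the real parent has exited and Windows reuses that PID for an unrelated process, pstree draws the child under the wrong parent, which is the usual explanation for a "father" created after its child.

```python
"""Sanity-check a Volatility 2 pstree listing: map PIDs to image names and flag
parent/child pairs whose timeline is impossible (parent created after child)."""
import re
from datetime import datetime

# Constructed sample in the layout of "vol.exe ... pstree" output. It is NOT the
# author's dump; PIDs, offsets and times are invented, but the explorer.exe /
# HPNetworkCommunicator pair reproduces the oddity described in the post.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa80018e6b30:System                              4      0     86    511 2014-04-15 13:51:38 UTC+0000
. 0xfffffa8002b5f4a0:smss.exe                         280      4      2     29 2014-04-15 13:51:38 UTC+0000
 0xfffffa8002c0a060:wininit.exe                       384    328      3     78 2014-04-15 13:51:41 UTC+0000
. 0xfffffa8002c9e5e0:services.exe                    552    384      8    230 2014-04-15 13:51:42 UTC+0000
.. 0xfffffa8003a8f9a0:svchost.exe                    844    552     13    380 2014-04-15 13:51:45 UTC+0000
 0xfffffa8003a1c060:HPNetworkCommunicator            3120   1588      9    210 2014-04-16 09:02:11 UTC+0000
. 0xfffffa8002f0e3c0:explorer.exe                    1964   3120     41   1180 2014-04-15 13:52:40 UTC+0000
.. 0xfffffa8003b2d5e0:nvtray.exe                     2488   1964      7    150 2014-04-15 13:52:47 UTC+0000
"""

# One pstree row: tree dots, EPROCESS offset, name, Pid, PPid, Thds, Hnds, create time.
# Thds/Hnds are matched loosely because Volatility prints dashes for some exited processes.
LINE_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\S+\s+\S+\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "created", "depth"}} from pstree text."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator, blank line
        procs[int(m["pid"])] = {
            "name": m["name"],
            "ppid": int(m["ppid"]),
            "created": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            "depth": len(m["depth"]),
        }
    return procs


def resolve_pid(procs, pid):
    """Image name owning a PID (e.g. one taken from netscan), or None if absent."""
    entry = procs.get(pid)
    return entry["name"] if entry else None


def parent_anomalies(procs):
    """Pairs where the listed parent was created AFTER the child.

    A real parent cannot be younger than its child. EPROCESS stores only the
    parent's PID, so when the true parent exits and Windows later reuses that
    PID, pstree attaches the child to an unrelated process. Parents not in the
    listing (already exited, or PID 0 for System) are skipped.
    """
    hits = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent is None:
            continue
        if parent["created"] > p["created"]:
            hits.append((p["name"], pid, parent["name"], p["ppid"]))
    return hits


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    print("PID 2488 ->", resolve_pid(procs, 2488))
    for child, cpid, parent, ppid in parent_anomalies(procs):
        print(f"{child} ({cpid}) lists parent {parent} ({ppid}) created after it: "
              f"PPID probably reused, real parent has exited")
```

Run it against the real pstree.txt by replacing SAMPLE_PSTREE with the file contents. When a pair is flagged, cross-check with psscan (which also lists exited processes) to see which process originally held that PID; a reused PID is the benign explanation, but a hit still deserves a look.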