Transmission to strange website during startup

carwiz · 16 Feb 2014

Kari said:

rzn6jw said:

I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com .

Geeks, let's not forget that a lot of respected companies use Akamai Download Manager to deliver their digital install media. Microsoft MSDN is a good example (Akamai Download Manager Help for MSDN Subscriptions), Adobe another (Akamai Download Manager FAQ).

For instance all my TechNet subscrition downloads done with IE are downloaded with Akamai Download Manager, which I had to install.

Kari

They may provide a good service in that regard but they're no angel of the network when it comes to personal privacy. IE already has a download manager. Why would ADM be necessary?

Kari · 16 Feb 2014

carwiz said:

They may provide a good service in that regard but they're no angel of the network when it comes to personal privacy. IE already has a download manager. Why would ADM be necessary?

I am not saying it is automatically a good thing, nor am I capable to answer why Microsoft, TechNet, MSDN, Adobe and numerous others have decided to use Akamai Downloader in delivering their stuff.

What I tried to say in between the lines is that sometimes this security hype gets too far. Please do not misunderstand me, security is nothing to play carelessly with, but for instance in this OP's case I believe there's nothing wrong, no reason to panic. Nobody has cracked his router's and Windows' firewalls to steal his credit card information.

Yet, the combined forces of Seven Forums "run to rescue", to solve a non-issue.

Some background: If you allow cookies and you stream videos from a site which uses Flowplayer, you'll find some Akamai stuff in your AppData. The same if you watch Fox News on your Windows PC.

DOM Store is nothing but an advanced method to store cookie information. The fact that OP finds the URL of his / her credit card company most probably is because that site uses Akamai technology to store advanced cookie information in DOM Store.

Safety is one thing. Paranoia something else. If you allow cookies, if you subsribe MSDN or TechNet, if you buy and download something from Adobe, and so on, you need to accept the fact your AppData contains some information about you.

Kari

rzn6jw · 16 Feb 2014

I ran both JRT and RogueKiller. JRT did its business and finished but did not issue a report that I could find. However, RogueKiller seemed to find some stuff. Its report:

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : Adlice forum - Index
Website : RogueKiller download
Blog : Adlice Software | malware analysis

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 02/16/2014 20:52:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] svc.exe -- C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\bu4hwpmi.default\extensions\startup.service@mo zilla.com\svc.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> D:\Users\Bob\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AACS-00G8B1 ATA Device +++++
--- User ---
[MBR] 8b88a8b5c76d68ed48bc800281a3ab01
[BSP] 799d33b1fadcb0dd0284e55666c2139e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476939 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST3160812AS ATA Device +++++
--- User ---
[MBR] 6917538a49de681ef0a6d698b32154d1
[BSP] d08f1131eab0c0dc2336c014afdc8b33 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) ST3160811AS ATA Device +++++
--- User ---
[MBR] 701f2651c2abce488c4b6052a15877bb
[BSP] 99c81368f82de941fd0f7ce5932d9f80 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152624 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ IDE) ST2000DM001-1CH164 ATA Device +++++
--- User ---
[MBR] b7368a7078f5313d807c0b109124b6fd
[BSP] 791f128b2fb88f8f8defe877f283aba1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02162014_205241.txt >>

ShamrockRig · 16 Feb 2014

Do a quick restart and it should open a JRT log on boot

rzn6jw · 16 Feb 2014

I did a reboot and no JRT file was on the desktop. I reran JRT and had the same results. Did a search and C:\Windows has a folder called ERUNT that has a folder JRT but every file in that folder is unreadable.

ShamrockRig · 17 Feb 2014

Try running this then run JRT again.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

On Windows XP double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

rzn6jw · 17 Feb 2014

One questions before this issue is closed: Why can't I find the DOMStore folder normally (without a search for something that may be in that folder)? I've got my folder properties to show all hidden folders but I can't find that one.

ThrashZone · 17 Feb 2014

rzn6jw said:

ThrashZone said:

Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.

(I can't run MalwareBytes - it has a big conflict with NIS):

What was the exact error with I assume Norton Internet Security "NIS" ?
That I know of Norton should not have any issues with Malwarebytes,
You can download any scanner using Safe Mode with Networking at startup if having issues downloading it,
Run it using safe mode with networking and repeat the scan restarting normally as you always do,

https://www.sevenforums.com/tutorials/69585-safe-mode.html
http://windows.microsoft.com/en-US/windows7/Advanced-startup-options-including-safe-mode

Layback Bear · 17 Feb 2014

Just a little information. I'm not fond of Peer-to- Peer of any kind.

Akamai Technologies - Wikipedia, the free encyclopedia

Jacee · 17 Feb 2014

Let's see if cleaning temp files and Java will stop the problem:

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.