Windows 7 Forums

Windows 7: Transmission to strange website during startup

16 Feb 2014   #1
rzn6jw

Windows 7 Pro 64-bit Service Pack 1
 
 
Transmission to strange website during startup

I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to an 'odd character group.odd character group.akamaitechnologies.com'. This only lasted for about 10 seconds and disappeared but I have never heard of that '.com' (the 'odd character group' above is my interpretation of the characters that preceded the .com).

I looked up the .com and it's apparently a tracking site for online businesses. Norton IS and SuperAntiSpyware never flagged this as a tracking bug either. I did a search for 'akamai' and found an XML file in C:\Users\me\AppData\LocalLow\Microsoft\InternetExplorer\DOMStore\OSKRU0OM. I looked in the file location but could not find the DOMStore folder but clicking on the file attributes in the search (Open file location) brought up the folder and the XML file. What concerns me is the following content of the XML file where the www.-------.com below is the name of a credit card I have.

<?xml version="1.0"?>
<root>
<item htime="30329548" ltime="4218607792" value="{&quot;v&quot;:1381968498,&quot;t&quot;:1413504480}" name="frt"/>
<item htime="30331353" ltime="2835958512" value="{&quot;v&quot;:&quot;http://www.--------------.com/&quot;,&quot;t&quot;:1414279560}" name="location.href"/>
<item htime="30331353" ltime="2060268512" value="{&quot;v&quot;:1382759958819,&quot;t&quot;:1414279500}" name="zone::92247::expiration"/>
</root>


Does anyone think this is a rootkit or spyware that's getting past my firewall? Worse, someone is trying to get to my credit card.

Specs are Win 7 Pro 64bit latest service pack and security updates.

Thanks.
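
The XML quoted in the post above is an Internet Explorer DOM storage file, and its contents can be decoded offline to see what a page script saved and when. This is an added example, not part of the original thread: the sample is constructed with a placeholder URL, and reading htime/ltime as the two halves of a Windows FILETIME and "t" as a Unix-seconds expiry are assumptions that the quoted values are consistent with.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the file quoted in the post; the URL is a
# placeholder and the JSON quotes are XML-escaped, as they would be on disk.
SAMPLE = """<?xml version="1.0"?>
<root><item htime="30329548" ltime="4218607792" value="{&quot;v&quot;:1381968498,&quot;t&quot;:1413504480}" name="frt"/>
<item htime="30331353" ltime="2835958512" value="{&quot;v&quot;:&quot;http://www.example.com/&quot;,&quot;t&quot;:1414279560}" name="location.href"/></root>"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(high, low):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_domstore(xml_text):
    """Return one dict per <item>: key, stored value, write time, expiry."""
    rows = []
    for item in ET.fromstring(xml_text).iter("item"):
        written = filetime_to_utc(int(item.get("htime")), int(item.get("ltime")))
        raw = item.get("value", "")
        value, expires = raw, None
        try:
            # The storing script wrapped each value as {"v": value, "t": expiry}.
            # Treating "t" as Unix seconds is an assumption drawn from the
            # sample, where it falls one year after the write time.
            obj = json.loads(raw)
            if isinstance(obj, dict) and "v" in obj:
                value = obj["v"]
                if isinstance(obj.get("t"), (int, float)):
                    expires = datetime.fromtimestamp(obj["t"], tz=timezone.utc)
        except ValueError:
            pass  # plain string value: keep it exactly as stored
        rows.append({"name": item.get("name"), "value": value,
                     "written": written, "expires": expires})
    return rows

if __name__ == "__main__":
    for row in parse_domstore(SAMPLE):
        print(row["name"], "| written", row["written"],
              "| expires", row["expires"], "| value", repr(row["value"]))
```

For the first item the decoded write time equals the stored "v" value to the second, which is what identifies htime/ltime as a FILETIME and dates the entry to a browser visit rather than to the startup connection.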
16 Feb 2014   #2
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Hi if you think you've been infected run this scanner and post the scan results,
Review Jacee’s instructions to run Adwcleaner here on post#7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
Or download it from bleepingcomputer.com
Screen shot of the download button to use for Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/
16 Feb 2014   #3
carwiz

Windows 7 Pro-x64
 
 

For sure a data grabber. A lot of tool bars and gadgets "phone home" with a summary of your activities from the web. Google TB and Google update are major ones. "Free" software rarely comes with no overhead so choose your shortcuts wisely. Follow Thrash's suggestions and stay away from driver Fixit offers from the web.

Added: After parsing what you saw as the URL, I remembered this "service". Akamai Technologies drives a lot of user-targeted web pages or what's called content delivery, especially ads. This will explain it better than me.
16 Feb 2014   #4
rzn6jw

Windows 7 Pro 64-bit Service Pack 1
 
 

Quote: Originally Posted by ThrashZone
Hi if you think you've been infected run this scanner and post the scan results,
Review Jacee’s instructions to run Adwcleaner here on post#7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
Or download it from bleepingcomputer.com
Screen shot of the download button to use for Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/

Here's the report:


# AdwCleaner v3.018 - Report created 16/02/2014 at 16:53:55
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : xxx - xxxxx
# Running from : C:\Users\xxx\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Application Updater

***** [ Files / Folders ] *****

File Found : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\searchplugins\safesearch.xml
Folder Found C:\Program Files (x86)\Application Updater
Folder Found C:\Program Files (x86)\Common Files\spigot
Folder Found C:\Program Files (x86)\IObit Apps Toolbar
Folder Found C:\ProgramData\Alawar Stargaze
Folder Found C:\ProgramData\AlawarWrapper
Folder Found C:\ProgramData\Trymedia
Folder Found C:\ProgramData\Uniblue\DriverScanner
Folder Found C:\Users\xxx\AppData\Local\PackageAware
Folder Found C:\Users\xxx\AppData\LocalLow\Search Settings
Folder Found C:\Users\xxx\AppData\Roaming\Alawar Stargaze
Folder Found C:\Users\xxx\AppData\Roaming\thinstall
Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\DriverScanner
Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\SpeedUpMyPC

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Found : HKCU\Software\Search Settings
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Search Settings
Key Found : [x64] HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKLM\Software\Search Settings
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\prefs.js ]

Line Found : user_pref("keyword.URL", "hxxp://nortonsafe.search.ask.com/web?o=APN10506&gct=kwd&qsrc=2869&l=dis&prt=NIS&chn=retail&geo=US&ver=21&q=");

[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\bu4hwpmi.default\prefs.js ]


[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\zu1twmxv.Default User\prefs.js ]


*************************

AdwCleaner[R0].txt - [4085 octets] - [16/02/2014 16:53:55]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4145 octets] ##########
16 Feb 2014   #5
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.
16 Feb 2014   #6
Devlin1888

Windows 7 Home Premium 64Bit
 
 

A lot of toolbar entries there as well as a few utilities, a lot of unwanted goodies, one must watch out for goodies that come with programs, using the custom install will allow you to have the option of not installing these, conduit for example is often added in with programs and can only be bypassed by checking the box for opting out.

JRT is a good way to get rid of these, I'll post the instructions after I've read the logs from ThrashZone's suggestions, don't want to clog up the process. Thanks
16 Feb 2014   #7
carwiz

Windows 7 Pro-x64
 
 

OMG! It was full of what I said stay away from.

Nice going Thrash.
16 Feb 2014   #8
Kari

Microsoft Community Contributor Award Recipient

 

Quote: Originally Posted by rzn6jw
I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to an 'odd character group.odd character group.akamaitechnologies.com'.

Geeks, let's not forget that a lot of respected companies use Akamai Download Manager to deliver their digital install media. Microsoft MSDN is a good example (Akamai Download Manager Help for MSDN Subscriptions), Adobe another (Akamai Download Manager FAQ).

For instance all my TechNet subscription downloads done with IE are downloaded with Akamai Download Manager, which I had to install.

Kari
16 Feb 2014   #9
rzn6jw

Windows 7 Pro 64-bit Service Pack 1
 
 

Quote: Originally Posted by ThrashZone
Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.

Here's the log from SuperAntiSpyware (I can't run MalwareBytes - it has a big conflict with NIS):

SUPERAntiSpyware Scan Log
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 02/16/2014 at 07:12 PM

Application Version : 5.7.1018

Core Rules Database Version : 11044
Trace Rules Database Version: 8856

Scan type : Custom Scan
Total Scan Time : 01:49:06

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 610
Memory threats detected : 0
Registry items scanned : 79702
Registry threats detected : 0
File items scanned : 123048
File threats detected : 0
16 Feb 2014   #10
Devlin1888

Windows 7 Home Premium 64Bit
 
 

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit


  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • Post Logs back here