Transmission to strange website during startup

Page 1 of 3 123 LastLast

  1. Posts : 114
    Windows 7 Pro 64-bit Service Pack 1
       #1

    Transmission to strange website during startup


    I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com . This only lasted for about 10 seconds and disappeared but I have never heard of that '.com' (the 'odd character group' above is my interpretation of the characters that preceded the .com).

    I looked up the .com and it's apparently a tracking site for online businesses. Norton IS and SuperAntiSpyware never flagged this as a tracking bug either. I did a search for 'akamai' and found a XML file in C:\Users\me\AppData\LocalLow\Microsoft\InternetExplorer\DOMStore\OSKRU0OM. I looked in the file location but could not find the DOMStore folder but clicking on the file attributes in the search (Open file location) brought up the folder and the XML file. What concerns me is the following content of the XML file where the www.-------.com below is the name of a credit card I have.

    <?xml version="1.0"?>
    <root><item htime="30329548" ltime="4218607792" value="{"v":1381968498,"t":1413504480}" name="frt"/><item htime="30331353" ltime="2835958512" value="{"v":"http://www.--------------.com/","t":1414279560}" name="location.href"/><item htime="30331353" ltime="2060268512" value="{"v":1382759958819,"t":1414279500}" name="zone::92247::expiration"/></root>


    Does anyone think this is a rootkit or spyware that's getting past my firewall? Worse, someone is trying to get to my credit card.

    Specs are Win 7 Pro 64bit latest service pack and security updates.

    Thanks.















      My Computer


  2. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #2

    Hi if you think you've been infected run this scanner and post the scan results,
    Review Jacee’s instructions to run Adwcleaner here on post#7,
    Ignore the title of the thread,
    https://www.sevenforums.com/system-security/316404-instant-savings-app.html
    Or download it from bleepingcomputer.com
    Screen shot of the download button to use for Adwcleaner
    http://www.bleepingcomputer.com/download/adwcleaner/
      My Computer


  3. Posts : 4,161
    Windows 7 Pro-x64
       #3

    For sure a data grabber. A lot of tool bars and gadgets "phone home" with a summary of your activities from the web. Google TB and Google update are major ones. "Free" software rarely comes with no overhead so choose your shortcuts wisely. Follow Thrash's suggestions and stay away from driver Fixit offers from the web.

    Added: After parsing what you saw as the URL, I remembered this "service". Akamai Technologies drives a lot user targeted web pages or what's called content delivery, especially ads. This will explain it better than me.
      My Computer


  4. Posts : 114
    Windows 7 Pro 64-bit Service Pack 1
    Thread Starter
       #4

    ThrashZone said:
    Hi if you think you've been infected run this scanner and post the scan results,
    Review Jacee’s instructions to run Adwcleaner here on post#7,
    Ignore the title of the thread,
    https://www.sevenforums.com/system-security/316404-instant-savings-app.html
    Or download it from bleepingcomputer.com
    Screen shot of the download button to use for Adwcleaner
    http://www.bleepingcomputer.com/download/adwcleaner/
    Here's the report:


    # AdwCleaner v3.018 - Report created 16/02/2014 at 16:53:55
    # Updated 28/01/2014 by Xplode
    # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
    # Username : xxx - xxxxx
    # Running from : C:\Users\xxx\Downloads\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****

    Service Found : Application Updater

    ***** [ Files / Folders ] *****

    File Found : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\searchplugins

    \safesearch.xml
    Folder Found C:\Program Files (x86)\Application Updater
    Folder Found C:\Program Files (x86)\Common Files\spigot
    Folder Found C:\Program Files (x86)\IObit Apps Toolbar
    Folder Found C:\ProgramData\Alawar Stargaze
    Folder Found C:\ProgramData\AlawarWrapper
    Folder Found C:\ProgramData\Trymedia
    Folder Found C:\ProgramData\Uniblue\DriverScanner
    Folder Found C:\Users\xxx\AppData\Local\PackageAware
    Folder Found C:\Users\xxx\AppData\LocalLow\Search Settings
    Folder Found C:\Users\xxx\AppData\Roaming\Alawar Stargaze
    Folder Found C:\Users\xxx\AppData\Roaming\thinstall
    Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\DriverScanner
    Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\SpeedUpMyPC

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\AppDataLow\Software\Search Settings
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
    Key Found : HKCU\Software\Search Settings
    Key Found : HKCU\Software\Softonic
    Key Found : HKCU\Software\YahooPartnerToolbar
    Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
    Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Found : [x64] HKCU\Software\Search Settings
    Key Found : [x64] HKCU\Software\Softonic
    Key Found : [x64] HKCU\Software\YahooPartnerToolbar
    Key Found : HKLM\Software\Application Updater
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03EB0E9C-7A91-4381-A220

    -9B52B641CDB1}
    Key Found : HKLM\Software\Search Settings
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16518


    -\\ Mozilla Firefox v27.0.1 (en-US)

    [ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\prefs.js ]

    Line Found : user_pref("keyword.URL", "hxxp://nortonsafe.search.ask.com/web?

    o=APN10506&gct=kwd&qsrc=2869&l=dis&prt=NIS&chn=retail&geo=US&ver=21&q=");

    [ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\bu4hwpmi.default\prefs.js ]


    [ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\zu1twmxv.Default User\prefs.js ]


    *************************

    AdwCleaner[R0].txt - [4085 octets] - [16/02/2014 16:53:55]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4145 octets] ##########
      My Computer


  5. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #5

    Use these free tools to see if they find anything,
    Post the scan results,
    Manually Update them before running full scans,
    Try not to use your computer while the scans are running, (one at a time of course).
    Uncheck the box to Active Free trial from the final install options,
    http://www.malwarebytes.org/products/malwarebytes_free
    http://www.superantispyware.com/?tag=SUPERANTISPYWARE
    Uninstall Adwcleaner,
    Open it again and click on Uninstall,
    Cheers.
      My Computer


  6. Posts : 1,413
    Windows 7 Home Premium 64Bit
       #6

    A lot of toolbar entries there as well as a few utilities, a lot of unwanted goodies , one must watch out for goodies that come with programs, using the custom install with allow you to have the option of not installing these, conduit for example is often added in with programs and can only be bypassed by checking the box for opting out.

    JRT Is a good way to get rid of these, il post the instructions after ive read the logs from Thrashzones Suggestions, don't want to clog up the process. Thanks
      My Computer


  7. Posts : 4,161
    Windows 7 Pro-x64
       #7

    OMG! It was full of what I said stay away from.

    Nice going Thrash.
      My Computer


  8. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #8

    rzn6jw said:
    I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com .
    Geeks, let's not forget that a lot of respected companies use Akamai Download Manager to deliver their digital install media. Microsoft MSDN is a good example (Akamai Download Manager Help for MSDN Subscriptions), Adobe another (Akamai Download Manager FAQ).

    For instance all my TechNet subscrition downloads done with IE are downloaded with Akamai Download Manager, which I had to install.

    Kari
      My Computer


  9. Posts : 114
    Windows 7 Pro 64-bit Service Pack 1
    Thread Starter
       #9

    ThrashZone said:
    Use these free tools to see if they find anything,
    Post the scan results,
    Manually Update them before running full scans,
    Try not to use your computer while the scans are running, (one at a time of course).
    Uncheck the box to Active Free trial from the final install options,
    http://www.malwarebytes.org/products/malwarebytes_free
    http://www.superantispyware.com/?tag=SUPERANTISPYWARE
    Uninstall Adwcleaner,
    Open it again and click on Uninstall,
    Cheers.
    Here's the log from SuperAntiSpyware (I can't run MalwareBytes - it has a big conflict with NIS):

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 02/16/2014 at 07:12 PM

    Application Version : 5.7.1018

    Core Rules Database Version : 11044
    Trace Rules Database Version: 8856

    Scan type : Custom Scan
    Total Scan Time : 01:49:06

    Operating System Information
    Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
    UAC On - Limited User

    Memory items scanned : 610
    Memory threats detected : 0
    Registry items scanned : 79702
    Registry threats detected : 0
    File items scanned : 123048
    File threats detected : 0
      My Computer


  10. Posts : 1,413
    Windows 7 Home Premium 64Bit
       #10

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Please download RogueKiller and save it to your desktop.

    You can check here if you're not sure if your computer is 32-bit or 64-bit



    • RogueKiller 32-bit | RogueKiller 64-bit
    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
    • Read and accept the EULA (End User Licene Agreement)
    • Click Scan to scan the system.
    • Post Logs back here
      My Computer


 
Page 1 of 3 123 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:10.
Find Us