Transmission to strange website during startup

[rzn6jw]

I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com . This only lasted for about 10 seconds and disappeared but I have never heard of that '.com' (the 'odd character group' above is my interpretation of the characters that preceded the .com).

I looked up the .com and it's apparently a tracking site for online businesses. Norton IS and SuperAntiSpyware never flagged this as a tracking bug either. I did a search for 'akamai' and found a XML file in C:\Users\me\AppData\LocalLow\Microsoft\InternetExplorer\DOMStore\OSKRU0OM. I looked in the file location but could not find the DOMStore folder but clicking on the file attributes in the search (Open file location) brought up the folder and the XML file. What concerns me is the following content of the XML file where the www.-------.com below is the name of a credit card I have.

[FONT=&quot]<?xml version="1.0"?>[/FONT]
[FONT=&quot]<root><item htime="30329548" ltime="4218607792" value="{"v":1381968498,"t":1413504480}" name="frt"/><item htime="30331353" ltime="2835958512" value="{"v":"http://www.--------------.com/","t":1414279560}" name="location.href"/><item htime="30331353" ltime="2060268512" value="{"v":1382759958819,"t":1414279500}" name="zone::92247::expiration"/></root>[/FONT]


Does anyone think this is a rootkit or spyware that's getting past my firewall? Worse, someone is trying to get to my credit card.

Specs are Win 7 Pro 64bit latest service pack and security updates.

Thanks.

​

 

[ThrashZone]

Hi if you think you've been infected run this scanner and post the scan results,
Review Jacee’s instructions to run Adwcleaner here on post#7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
Or download it from bleepingcomputer.com
Screen shot of the download button to use for Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/

 

[carwiz]

For sure a data grabber. A lot of tool bars and gadgets "phone home" with a summary of your activities from the web. Google TB and Google update are major ones. "Free" software rarely comes with no overhead so choose your shortcuts wisely. Follow Thrash's suggestions and stay away from driver Fixit offers from the web.

Added: After parsing what you saw as the URL, I remembered this "service". Akamai Technologies drives a lot user targeted web pages or what's called content delivery, especially ads. This will explain it better than me.

 

[rzn6jw]

Hi if you think you've been infected run this scanner and post the scan results,
Review Jacee’s instructions to run Adwcleaner here on post#7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
Or download it from bleepingcomputer.com
Screen shot of the download button to use for Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/

Here's the report:


# AdwCleaner v3.018 - Report created 16/02/2014 at 16:53:55
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : xxx - xxxxx
# Running from : C:\Users\xxx\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Application Updater

***** [ Files / Folders ] *****

File Found : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\searchplugins

\safesearch.xml
Folder Found C:\Program Files (x86)\Application Updater
Folder Found C:\Program Files (x86)\Common Files\spigot
Folder Found C:\Program Files (x86)\IObit Apps Toolbar
Folder Found C:\ProgramData\Alawar Stargaze
Folder Found C:\ProgramData\AlawarWrapper
Folder Found C:\ProgramData\Trymedia
Folder Found C:\ProgramData\Uniblue\DriverScanner
Folder Found C:\Users\xxx\AppData\Local\PackageAware
Folder Found C:\Users\xxx\AppData\LocalLow\Search Settings
Folder Found C:\Users\xxx\AppData\Roaming\Alawar Stargaze
Folder Found C:\Users\xxx\AppData\Roaming\thinstall
Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\DriverScanner
Folder Found C:\Users\xxx\AppData\Roaming\Uniblue\SpeedUpMyPC

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Found : HKCU\Software\Search Settings
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Search Settings
Key Found : [x64] HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\CToolbar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\driverscanner_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_driver-sweeper_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03EB0E9C-7A91-4381-A220

-9B52B641CDB1}
Key Found : HKLM\Software\Search Settings
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\4np6vnau.default-1375846661371\prefs.js ]

Line Found : user_pref("keyword.URL", "hxxp://nortonsafe.search.ask.com/web?

o=APN10506&gct=kwd&qsrc=2869&l=dis&prt=NIS&chn=retail&geo=US&ver=21&q=");

[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\bu4hwpmi.default\prefs.js ]


[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\zu1twmxv.Default User\prefs.js ]


*************************

AdwCleaner[R0].txt - [4085 octets] - [16/02/2014 16:53:55]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4145 octets] ##########

 

[ThrashZone]

Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.

 

[ShamrockRig]

A lot of toolbar entries there as well as a few utilities, a lot of unwanted goodies , one must watch out for goodies that come with programs, using the custom install with allow you to have the option of not installing these, conduit for example is often added in with programs and can only be bypassed by checking the box for opting out.

JRT Is a good way to get rid of these, il post the instructions after ive read the logs from Thrashzones Suggestions, don't want to clog up the process. Thanks

 

[carwiz]

OMG! It was full of what I said stay away from. :banghead:

Nice going Thrash.

 

[Kari]

I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com .

Geeks, let's not forget that a lot of respected companies use Akamai Download Manager to deliver their digital install media. Microsoft MSDN is a good example (Akamai Download Manager Help for MSDN Subscriptions), Adobe another (Akamai Download Manager FAQ).

For instance all my TechNet subscrition downloads done with IE are downloaded with Akamai Download Manager, which I had to install.

Kari

 

[rzn6jw]

Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.

Here's the log from SuperAntiSpyware (I can't run MalwareBytes - it has a big conflict with NIS):

SUPERAntiSpyware Scan Log
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 02/16/2014 at 07:12 PM

Application Version : 5.7.1018

Core Rules Database Version : 11044
Trace Rules Database Version: 8856

Scan type : Custom Scan
Total Scan Time : 01:49:06

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 610
Memory threats detected : 0
Registry items scanned : 79702
Registry threats detected : 0
File items scanned : 123048
File threats detected : 0

 

[ShamrockRig]

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

• RogueKiller 32-bit | RogueKiller 64-bit
• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• Post Logs back here

 

[carwiz]

I don't know if this is the correct group for this discussion but during startup of my PC this morning, I was watching the resource monitor from Task manager/Performance and noticed that svchost.exe was attached to a 'odd character group.odd character group.akamaitechnologies.com .

Geeks, let's not forget that a lot of respected companies use Akamai Download Manager to deliver their digital install media. Microsoft MSDN is a good example (Akamai Download Manager Help for MSDN Subscriptions), Adobe another (Akamai Download Manager FAQ).

For instance all my TechNet subscrition downloads done with IE are downloaded with Akamai Download Manager, which I had to install.

Kari

They may provide a good service in that regard but they're no angel of the network when it comes to personal privacy. IE already has a download manager. Why would ADM be necessary?

 

[Kari]

They may provide a good service in that regard but they're no angel of the network when it comes to personal privacy. IE already has a download manager. Why would ADM be necessary?

I am not saying it is automatically a good thing, nor am I capable to answer why Microsoft, TechNet, MSDN, Adobe and numerous others have decided to use Akamai Downloader in delivering their stuff.

What I tried to say in between the lines is that sometimes this security hype gets too far. Please do not misunderstand me, security is nothing to play carelessly with, but for instance in this OP's case I believe there's nothing wrong, no reason to panic. Nobody has cracked his router's and Windows' firewalls to steal his credit card information.

Yet, the combined forces of Seven Forums "run to rescue", to solve a non-issue.

Some background: If you allow cookies and you stream videos from a site which uses Flowplayer, you'll find some Akamai stuff in your AppData. The same if you watch Fox News on your Windows PC.

DOM Store is nothing but an advanced method to store cookie information. The fact that OP finds the URL of his / her credit card company most probably is because that site uses Akamai technology to store advanced cookie information in DOM Store.

Safety is one thing. Paranoia something else. If you allow cookies, if you subsribe MSDN or TechNet, if you buy and download something from Adobe, and so on, you need to accept the fact your AppData contains some information about you.

Kari

 

[rzn6jw]

I ran both JRT and RogueKiller. JRT did its business and finished but did not issue a report that I could find. However, RogueKiller seemed to find some stuff. Its report:

RogueKiller V8.8.7 [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : Adlice forum - Index
Website : RogueKiller download
Blog : Adlice Software | malware analysis

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 02/16/2014 20:52:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] svc.exe -- C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\bu4hwpmi.default\extensions\[email protected]\svc.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> D:\Users\Bob\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AACS-00G8B1 ATA Device +++++
--- User ---
[MBR] 8b88a8b5c76d68ed48bc800281a3ab01
[BSP] 799d33b1fadcb0dd0284e55666c2139e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476939 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST3160812AS ATA Device +++++
--- User ---
[MBR] 6917538a49de681ef0a6d698b32154d1
[BSP] d08f1131eab0c0dc2336c014afdc8b33 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) ST3160811AS ATA Device +++++
--- User ---
[MBR] 701f2651c2abce488c4b6052a15877bb
[BSP] 99c81368f82de941fd0f7ce5932d9f80 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152624 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ IDE) ST2000DM001-1CH164 ATA Device +++++
--- User ---
[MBR] b7368a7078f5313d807c0b109124b6fd
[BSP] 791f128b2fb88f8f8defe877f283aba1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02162014_205241.txt >>

 

[ShamrockRig]

Do a quick restart and it should open a JRT log on boot

 

[rzn6jw]

I did a reboot and no JRT file was on the desktop. I reran JRT and had the same results. Did a search and C:\Windows has a folder called ERUNT that has a folder JRT but every file in that folder is unreadable.

 

[ShamrockRig]

Try running this then run JRT again.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

 

[rzn6jw]

One questions before this issue is closed: Why can't I find the DOMStore folder normally (without a search for something that may be in that folder)? I've got my folder properties to show all hidden folders but I can't find that one.

 

[ThrashZone]

Use these free tools to see if they find anything,
Post the scan results,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Active Free trial from the final install options,
http://www.malwarebytes.org/products/malwarebytes_free
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
Uninstall Adwcleaner,
Open it again and click on Uninstall,
Cheers.

(I can't run MalwareBytes - it has a big conflict with NIS):

What was the exact error with I assume Norton Internet Security "NIS" ?
That I know of Norton should not have any issues with Malwarebytes,
You can download any scanner using Safe Mode with Networking at startup if having issues downloading it,
Run it using safe mode with networking and repeat the scan restarting normally as you always do,

http://www.sevenforums.com/tutorials/69585-safe-mode.html
http://windows.microsoft.com/en-US/windows7/Advanced-startup-options-including-safe-mode

 

[Layback Bear]

Just a little information. I'm not fond of Peer-to- Peer of any kind.

Akamai Technologies - Wikipedia, the free encyclopedia

 

[Jacee]

Let's see if cleaning temp files and Java will stop the problem:


Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.