
Akamai.net [HijackThis log]

Discussion in 'Malware and Virus Removal Archive' started by IceBob, 2005/08/10.

  1. 2005/08/10
    IceBob (Thread Starter) - Joined: 2005/01/29, Messages: 19, Likes Received: 0
    Hi,
    Hope someone can help me. I have "deploy.akamaitechnologies.com" blocked by my firewall, but it keeps trying to send data to an unknown recipient every hour; I would like to stop it if I can.
    I have tried four of the spyware removal tools but no luck. I have removed it from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\akamaitechnologies.com\deploy = 4.

    But it is back, so there must be another one re-installing it. I have blocked all traffic coming in; this deploy.akamaitechnologies.com wants to send on the hour.

    I have done a search on this, and the initiator is one of over 1000 servers owned by a company, Akamai.net. I have put this and all the alternatives I found on the internet into my blocked site list. Any other ideas?
    Thanks,
    Bob.
     
  2. 2005/08/11
    charlesvar (Alumni) - Joined: 2002/02/18, Messages: 7,024, Likes Received: 0
    Hello Bob,

    Post a HijackThis log:

    Download from here: http://radiosplace.com/ (latest version 1.99.1)

    Download it to its own folder, for example C:\HijackThis - unzip (double click on the zipped folder) - click on the executable - click the Scan button - click Save Log and save to the folder you just created. *DO NOT FIX ANYTHING* - copy the resultant .txt file and paste it into your next post.

    I have done a search on this and the initiator is one of over 1000 servers owned by a company Akamai.net. I have put this and all the alternatives I found on the internet into my blocked site list
    FWIW, Akamai servers are used by Microsoft to deploy updates. One of the side effects of blocking it and its variants may be blocking MS as well.

    Regards - Charles
     


  4. 2005/08/12
    IceBob (Thread Starter)

    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:30 AM, on 13/08/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
    C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
    C:\Vet\isafe.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Vet\VetMsg.exe
    C:\Program Files\Windows Media Connect\mswmcls.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Vet\VetTray.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Plaxo\2.4.0.90\InstallStub.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.pnc.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
    O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\RaidApplication\SRaid.exe
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Hijack This\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.0.90\InstallStub.exe -a
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?216b2949d42c4e48988928e18284e898
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?216b2949d42c4e48988928e18284e898
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
    O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
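A way to triage a HijackThis log like the one above mechanically, added here as an example and not part of the original post or of HijackThis itself. It splits the log into the "Running processes" list and the R/O entries, resolves each O4 autostart to the file it actually loads (quoted path, bare name, or the DLL behind a rundll32 line), and flags what a reviewer looks at first: autostarts outside C:\WINDOWS or C:\Program Files, autostarts given as a bare filename (found through the PATH search), autostart executables missing from the running-process list, O16 ActiveX controls fetched over anything other than HTTPS, and any URLSearchHook. The excerpt is copied from the log above; the list of trusted roots and the choice of checks are this example's own assumptions, and 8.3 short names such as PROGRA~1 are matched only by prefix because the log does not give their long form.

```python
import re

# Constructed excerpt: a few lines copied from the HijackThis 1.99.1 log posted
# above, in the same format. The real log is much longer.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Plaxo\2.4.0.90\InstallStub.exe
C:\WINDOWS\Explorer.EXE

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.0.90\InstallStub.exe -a
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r'^([RO]\d+) - (.*)$')
O4_RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O4_STARTUP_RE = re.compile(r'^(?:Global )?Startup: (.+?) = (.*)$')
# First drive-letter path ending in .exe or .dll, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll))', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[a-z]:\\')
# Assumption of this example: anything loading from outside these roots
# deserves a second look. 8.3 short names can only be matched by prefix.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(type, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
            else:
                processes.append(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def autostart_target(command):
    """File an O4 command actually loads: unwrap quotes (HijackThis keeps the
    trailing space inside them), return the DLL for rundll32 lines, and hand
    back a bare filename unchanged so the caller can flag the PATH lookup."""
    m = PATH_RE.search(command)
    return m.group(1) if m else command.split()[0]


def triage(text):
    """Return human-readable findings for the entries worth a second look."""
    processes, entries = parse_hjt(text)
    findings = []
    for kind, body in entries:
        if kind == "O4":
            m = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
            if not m:
                continue
            name, command = m.groups()
            target = autostart_target(command)
            low = target.lower()
            if not DRIVE_RE.match(low):
                findings.append(f"O4 [{name}] unqualified name, resolved via PATH search: {target}")
                continue
            if not low.startswith(TRUSTED_ROOTS):
                findings.append(f"O4 [{name}] loads from outside Windows/Program Files: {target}")
            if low.endswith(".exe") and low not in processes:
                findings.append(f"O4 [{name}] autostart binary not in running process list: {target}")
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not url.lower().startswith("https://"):
                findings.append(f"O16 ActiveX control fetched without TLS: {url}")
        elif kind == "R3":
            findings.append(f"R3 URLSearchHook installed: {body}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An autostart that is not running at scan time is only a lead (it may have exited normally), which is why the findings are phrased as things to look at rather than verdicts; the bare-name and file:// cases, by contrast, are configuration weaknesses regardless of what the binary turns out to be.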
     
  5. 2005/08/13
    charlesvar (Alumni)
    Hi Bob,

    Looking at your log shows nothing bad that I can see.

    Your symptoms sound very much like an open port - take the tests below and see if any open ports are detected.

    https://www.grc.com/x/ne.dll?bh0bkyd2

    http://www.pcflank.com/index.htm

    What apps, if any, have "server rights" in the firewall? Server rights means giving a program permission to listen for communications from the net, which also holds a port open.

    I have "deploy.akamaitechnologies.com" blocked by my firewall but it keeps trying to send data to unknown recipient every hour
    Sounds like an attempt at updating. I notice that you have MS AS running resident; as a test, either disable it from running or shut down the auto-update function if you can. I only use MS AS for scanning.

    Regards - Charles
     
  6. 2005/08/14
    IceBob (Thread Starter)

    Hi Charles,
    I ran both programmes you recommended and all my ports are stealthed.
    I am running a Netgear DG834v2 ADSL router with firewall, and all ports are blocked inward and only open when outward traffic occurs. This is my problem with deploy.akamaitechnologies.com: I am unable to stop it opening a port; even closing all ports out to the internet, it still opens one to dump data.

    Bob.
     
  7. 2005/08/14
    IceBob (Thread Starter)

    This is the log my firewall gives me, every hour. I have blocked these on a temporary basis, but akamaitechnologies.com still opens a port, even closed ones.
    There are four computers connected to my router and a wireless access point, and all report this problem. The source, 192.168.0.2, is my server.

    TCP Packet - Source:192.168.0.2,1103 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
    TCP Packet - Source:192.168.0.2,1105 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
    TCP Packet - Source:192.168.0.2,1107 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
    TCP Packet - Source:192.168.0.2,1109 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
    TCP Packet - Source:192.168.0.2,1117 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
    TCP Packet - Source:192.168.0.2,1118 Destination:uuvaadvip3.doubleclick.net,80 - [BLOCK]
    UDP Packet - Source:4.79.142.206,137 Destination:202.76.181.98,137 - [DOS]
     
    Last edited: 2005/08/14
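The log above lends itself to a small parser, added here as an example and not something the thread starter or the router vendor supplies. It splits each record into protocol, endpoints and verdict, uses the address ranges to separate LAN-originated traffic from Internet-originated traffic, counts blocked outbound attempts per destination, lists the destinations a LAN host keeps retrying, and pulls out the run of ephemeral source ports used against one destination. The sample is a copy of the seven records above; the retry threshold is this example's own choice, and the remark about source-port order assumes Windows XP's ascending ephemeral-port allocation.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the seven records the thread starter posted, one per line.
SAMPLE_FW_LOG = """\
TCP Packet - Source:192.168.0.2,1103 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
TCP Packet - Source:192.168.0.2,1105 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
TCP Packet - Source:192.168.0.2,1107 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
TCP Packet - Source:192.168.0.2,1109 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
TCP Packet - Source:192.168.0.2,1117 Destination:a210-9-135-237.deploy.akamaitechnologies.com,80 - [BLOCK]
TCP Packet - Source:192.168.0.2,1118 Destination:uuvaadvip3.doubleclick.net,80 - [BLOCK]
UDP Packet - Source:4.79.142.206,137 Destination:202.76.181.98,137 - [DOS]
"""

RECORD_RE = re.compile(
    r'(?P<proto>TCP|UDP) Packet - Source:(?P<src>[^,]+),(?P<sport>\d+) '
    r'Destination:(?P<dst>[^,]+),(?P<dport>\d+) - \[(?P<verdict>\w+)\]')


def is_private(host):
    """True for RFC 1918 and other non-routable addresses. A hostname is
    treated as Internet-side: this router only resolves names for remote peers."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def parse_records(text):
    """Yield one dict per log record: proto, src, sport, dst, dport, verdict."""
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def summarize(text):
    """Blocked outbound attempts per (proto, dst, dport) and Internet-originated
    hits per (proto, dport, verdict). LAN-to-LAN records are ignored."""
    outbound, inbound = Counter(), Counter()
    for rec in parse_records(text):
        if is_private(rec["src"]) and not is_private(rec["dst"]):
            outbound[(rec["proto"], rec["dst"], rec["dport"])] += 1
        elif not is_private(rec["src"]):
            inbound[(rec["proto"], rec["dport"], rec["verdict"])] += 1
    return outbound, inbound


def repeat_offenders(text, min_attempts=3):
    """Destinations a LAN host keeps retrying on the same port: the signature
    of a client that does not take BLOCK for an answer. Threshold is assumed."""
    outbound, _ = summarize(text)
    return sorted(dst for (_, dst, _), n in outbound.items() if n >= min_attempts)


def source_ports(text, dst):
    """Ephemeral source ports used against dst, in log order. Assumed here:
    Windows XP hands these out in ascending order, so a gap in the run
    (1109 -> 1117) is other connections the same host opened in between."""
    return [r["sport"] for r in parse_records(text) if r["dst"] == dst]


if __name__ == "__main__":
    out, inb = summarize(SAMPLE_FW_LOG)
    for key, n in out.most_common():
        print(f"outbound {n:3d}x {key}")
    for key, n in inb.items():
        print(f"inbound  {n:3d}x {key}")
    print("retrying:", repeat_offenders(SAMPLE_FW_LOG))
```

Run against the sample, the five TCP/80 attempts collapse to one LAN host talking to one Akamai edge node over plain HTTP, the doubleclick.net hit is a single unrelated ad fetch, and the UDP/137 record is an inbound NetBIOS name-service probe from a public address, so it says nothing about what is generating the outbound traffic.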
  8. 2005/08/14
    charlesvar (Alumni)
    Hi Bob,

    http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/

    I think that the most likely source for the outbound connections is MS processes. And because it's so regular, I think it's either MS AS or Automatic Updates, and a place to begin to narrow this down is going to have to be disabling those two from looking for updates. It also could be other apps doing the same thing. Outside of that, I'm fresh out of ideas.

    FYI: AU uses a program called wuauclt.exe which piggy-backs out on Generic Host Process for Win32 Services.

    If you have AU enabled, which I don't, wuauclt.exe, from what I remember, does appear on a regular basis: at startup for maybe 5 - 10 minutes, and then at regular intervals; I don't remember the interval timing.

    Regards - Charles
     
    Last edited: 2005/08/14
  9. 2005/08/15
    IceBob (Thread Starter)

    Hi Charles,
    Thanks for the help; it gave me a couple of starting points. I have contacted Akamai here in Australia and have been told that deploy.akamaitechnologies.com is not theirs and they will investigate, as it puts the company in a bad light. I guess bad publicity gets more of a positive reaction than "cap in hand" asking with some companies. Anyway, the person I spoke to told me it would take a week or so to get back to me. As my hardware firewall is now blocking all transmission of data outward from my computer to their site, I can live with that, for now.

    Checked update, and that side of the programme is clean, and have also contacted Microsoft here in Australia about this problem. The first person I spoke to recommended formatting the hard drive/s, so I asked for the supervisor; some people have no idea of the impracticality of formatting a set of hard drives (all 4 machines + 2 are RAID mirror pairs + a server) when you are running a business from that number of machines. Again they will get back to me but didn't specify a time.
    I will keep you posted.
    Bob.
     
  10. 2005/08/15
    charlesvar (Alumni)
    Hi Bob,

    I will keep you posted.
    Yes, please - would really like to know what this is all about.

    Regards - Charles
     
  11. 2005/08/21
    IceBob (Thread Starter)

    Hi Charles,

    Akamai got back to me briefly and asked me to look in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\akamaitechnologies.com\deploy = 4.
    The rep asked me to change the =4 to =0, and it has stopped dumping. WONDERFUL! Now, the rep told me he could duplicate the problem there, and this programme dumps itself into four random places; they at Akamai are working on a fix, but it could take some time. Anyway, we have the short-term fix now.

    Bob.
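The value the Akamai rep pointed at lives under Internet Explorer's ZoneMap: each Domains\<domain>\<subdomain> key holds one DWORD per URL scheme ("http", "https" or "*"), and the data is the security zone id: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites. The example below is added here and is not supplied by the forum, Microsoft or Akamai. It parses a `reg export` of that key (a constructed sample in the layout reg.exe writes, showing the state after the change described above plus two made-up entries), lists every host-to-zone assignment, resolves which entry governs a given hostname, and flags Internet names that an entry places in zone 0 or 1, the zones meant for local content and the corporate intranet. That last check is the one worth running after a fix of this kind. The longest-matching-suffix rule is this example's own approximation of IE's matching.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
DEFAULT_ZONE = 3  # IE's zone for names that have no ZoneMap entry

# Constructed sample in the layout reg.exe writes for
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg
# The deploy entry mirrors the post-fix state described above (=0); the
# example.com and example.net entries are made up to give the resolver choices.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\akamaitechnologies.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\akamaitechnologies.com\deploy]
"http"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\bad]
"http"=dword:00000004
"https"=dword:00000004
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
DOMAINS_MARKER = "\\zonemap\\domains\\"


def parse_zonemap(reg_text):
    r"""[(host, scheme, zone)] for every scheme value under ZoneMap\Domains.
    A key Domains\<domain>\<sub> becomes the host sub.domain; keys with no
    values (the bare akamaitechnologies.com above) contribute nothing."""
    assignments, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            i = path.lower().find(DOMAINS_MARKER)
            host = None
            if i >= 0:
                labels = path[i + len(DOMAINS_MARKER):].split("\\")
                host = ".".join(reversed(labels)).lower()
            continue
        m = DWORD_RE.match(line)
        if m and host:
            assignments.append((host, m.group(1).lower(), int(m.group(2), 16)))
    return assignments


def zone_for(assignments, hostname, scheme="http"):
    """Zone id that governs hostname for the given scheme. Assumption of this
    example: the entry with the longest matching suffix wins, and a "*" value
    covers every scheme."""
    hostname = hostname.lower()
    best = None
    for host, sch, zone in assignments:
        if sch not in ("*", scheme):
            continue
        if hostname == host or hostname.endswith("." + host):
            if best is None or len(host) > len(best[0]):
                best = (host, zone)
    return best[1] if best else DEFAULT_ZONE


def loosened(assignments):
    """Hosts an entry places in zone 0 or 1. Those zones are meant for local
    content and the corporate intranet, so a public Internet name here is a
    privilege grant rather than a block, and should be deliberate."""
    return sorted({host for host, _, zone in assignments if zone in (0, 1)})


if __name__ == "__main__":
    entries = parse_zonemap(SAMPLE_REG)
    for host, scheme, zone in entries:
        print(f"{host:32s} {scheme:6s} -> {zone} ({ZONES.get(zone, 'unknown')})")
    print("governs deploy edge:", zone_for(entries, "a210-9-135-237.deploy.akamaitechnologies.com"))
    print("in local zones:", loosened(entries))
```

reg.exe writes the export as UTF-16 with a byte-order mark, so a real file is read with open(path, encoding="utf-16") before being handed to parse_zonemap; the values themselves can also be checked live with `reg query` on the same key.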
     
  12. 2005/08/23
    charlesvar (Alumni)
    Hi Bob,

    Thanks for the post back - good news, at least you know what the problem was on your end.

    Regards - Charles
     
