us.intellitxt.com Why does BOINC connect to this well-known adware server?
Author | Message |
---|---|
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
With a fresh reboot, no browser running, boinc.exe and boincmgr.exe are continually blasting data 4KB+ / second (and receiving 4KB+ / second) to us.intellitxt.com, chewing up about 1/3 of my very limited (DSL) bandwidth. us.intellitxt.com is an infamous advertising server and is usually only associated with web pages. What's going on here? Surely this is not an isolated problem on my Win7-64 machine, but I have found no other postings in this forum for this issue. Any help would be appreciated. |
Send message Joined: 2 Jan 14 Posts: 276 ![]() |
Have you run your choice of malware detection/removal utility? What projects are you running? BOINC should only be communicating with the projects. |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
OK thanks, I'll investigate further and report any findings. The connections do go away when I kill the boincmgr.exe process. I used Task Manager/Resource Monitor/Network (Win7-64) to find where my bandwidth was going. |
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
I've made screen shots of mine: ![]() ![]() I'd say, show me yours. :-) |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
|
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
Can you please send your boinc.exe and boincmgr.exe to https://www.virustotal.com/, if told that a previous version is already available, tell that you want to (reanalyze) scan your copies of the files. And can you then post the links that the scans made? Like these for my boinc.exe and my boincmgr.exe. Also, where did you download BOINC from? Do you have a cc_config.xml file in your BOINC Data directory, and if so, can you please post all of its contents? |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
BOINC was downloaded when I installed SETI@Home, so... from their web site then? [EDIT] actually, I downloaded BOINC by clicking on this link: http://boinc.berkeley.edu/dl/boinc_7.2.42_windows_x86_64_vbox.exe. It included some "virtual box" and I noticed, a new network driver. BOINC: https://www.virustotal.com/en/file/0cf96c0b528c219e4028c8e785b523feafe07500c8e829d181fd19775b7215a2/analysis/1394474081/ BOINCMGR: https://www.virustotal.com/en/file/c3c3d4cdbfd705bb957e2f8594ee0e5594caad6c44c50a4209162e8e49829255/analysis/1394474526/ I noticed that our SHA256 keys don't match. Thanks Jord. I didn't find a cc_config.xml in the default install location: C:\Program Files\BOINC. Didn't see any Data directory. Could it be somewhere else? |
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
I didn't find a cc_config.xml in the default install location: C:\Program Files\BOINC. Didn't see any Data directory. Could it be somewhere else? Default data directory is at C:\Programdata\BOINC\ and it's a hidden directory. But if you just insert that address in Windows Explorer and hit Enter, it'll bring you to there, without needing to set "show hidden files and folders". To check where your data directory lives, you can also exit & restart BOINC, then see what it says in the event log (CTRL+SHIFT+E). BOINC was downloaded when I installed SETI@Home, so... from their web site then? Did you get it from http://boinc.berkeley.edu/download.php? You don't install Seti@Home, instead you have to install BOINC, then add Seti as a project under BOINC. |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
That's right. I remember now. Downloaded boinc, then added the SETI project. Found the data directory, but no cc_*.xml file. Downloaded from: http://boinc.berkeley.edu/dl/boinc_7.2.42_windows_x86_64_vbox.exe. [EDIT] A link from the http://boinc.berkeley.edu/download.php page. Should I install something else, i.e. without the virtual box stuff? |
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
No, as far as I know, that's not affecting it either. Checking something. Can you make sure BOINC is set to not start at Windows Login. (BOINC Manager->Advanced view->Tools->Options->Uncheck "Run Manager at login?"->OK) Then reboot the computer. When logged back in, open a command prompt as the administrator: Start->Search->type cmd and now press CTRL+SHIFT+Enter simultaneously. Acknowledge that you want to do this. In the command line window, type cd\ (Enter) netstat -bn >> C:\temp\netlog1.txt (Enter) Then navigate to C:\temp, open netlog1.txt with Notepad, copy all lines and post them here. |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
Hmmm... comparing our two Resource Monitor dumps, your 5K/s is going to ip 127.0.0.1 which sounds legit, but mine reports it as us.intellitxt.com. I wonder if my ISP's or my DNS table is just screwed up. Could just be a lost in translation problem. |
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
BOINC (the client, boinc.exe) and BOINC Manager (the graphical user interface, boincmgr.exe) talk to each other through localhost, TCP 127.0.0.1. This is data that doesn't leave your computer, it's only circulating on the computer itself. This update, through remote procedure call (RPC), happens once a second on TCP port 31416. That way you can see in real time what BOINC is doing to tasks, downloads etc. Now, BOINC itself can contact Google. Usually it does this to check if you have an internet connection, when it fails to make contact with the project servers. It then sends a ping to www.google.com, and listens for the answer. It is possible to change this address, through cc_config.xml, which is why I asked for it. When your BOINC Manager is making contact with anything other than BOINC, or the BOINC website (http://boinc.berkeley.edu/), there is something wrong. It won't be something that your ISP has done, nor your DNS table. So then virus-, adware-, spyware- and other malware infections come to mind, rootkits not excluded. |
Send message Joined: 5 Oct 06 Posts: 5149 ![]() |
Hmmm... comparing our two Resource Monitor dumps, your 5K/s is going to ip 127.0.0.1 which sounds legit, but mine reports it as us.intellitxt.com. I wonder if my ISP's or my DNS table is just screwed up. Check the 'hosts' file in C:\WINDOWS\system32\drivers\etc Sometimes malware puts rogue entries in there. |
![]() Send message Joined: 29 Aug 05 Posts: 15640 ![]() |
When logged back in, open a command prompt as the administrator: Start->Search->type cmd and now press CTRL+SHIFT+Enter simultaneously. Acknowledge that you want to do this. After you've done the above, start BOINC. (Start->All Programs->BOINC->BOINC Manager) Now type the following in the command line: cd\ (Enter) netstat -bn >> C:\temp\netlog2.txt (Enter) Then navigate to C:\temp, open netlog2.txt with Notepad, copy all lines and post them here. |
Send message Joined: 20 Nov 12 Posts: 801 ![]() |
Hmmm... comparing our two Resource Monitor dumps, your 5K/s is going to ip 127.0.0.1 which sounds legit, but mine reports it as us.intellitxt.com. I wonder if my ISP's or my DNS table is just screwed up. I wonder if it's the other way around, JD trying to block intellitxt by adding it to hosts and pointing it to 127.0.0.1. |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
# Copyright (c) 1993-2009 Microsoft Corp. Yep, Egg Sucking BASTARDS! |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
Excellent diagnostic techniques. Thanks for curing a little bit of my ignorance. "Ignorance can be cured, but stupidity is usually terminal." -JD Before Boinc: With BOINC running: |
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
Undoing the HOSTS file, boinc is now talking to itself. That seems to have fixed the problem. THANKS EVERYONE! |
Send message Joined: 20 Nov 12 Posts: 801 ![]() |
The entries in the hosts file directed any traffic to us.intellitxt.com into your own machine, 127.0.0.1=localhost=your machine. Unless you happen to have a web server running on your machine those entries effectively blocked intellitxt. So even if I prefer to configure such things in the browser, those were not in any way evil. Windows' resource monitor just tripped over this trick and displayed something misleading. |
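The effect described in the post above, as an added example that is not part of the original thread or of BOINC's code: it lists the names a hosts file pins to loopback and marks which `netstat -bn` rows never leave the machine, so a tool that resolves addresses to names is not taken at face value. The sample hosts file and netstat excerpt are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed hosts file with a blocklist-style entry like the one in the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   us.intellitxt.com   # ad-block entry
"""
# Constructed `netstat -bn` excerpt; 203.0.113.10 is a documentation address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:31416        127.0.0.1:49407        ESTABLISHED
 [boinc.exe]
  TCP    127.0.0.1:49407        127.0.0.1:31416        ESTABLISHED
 [boincmgr.exe]
  TCP    127.0.0.1:49408        127.0.0.1:31416        TIME_WAIT
  TCP    192.168.1.101:49223    203.0.113.10:80        ESTABLISHED
 [Dropbox.exe]
"""
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def loopback_aliases(hosts_text):
    """Map each loopback address to the non-localhost names pinned to it."""
    aliases = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        names = [n.lower() for n in fields[1:] if n.lower() != "localhost"]
        if addr.is_loopback and names:
            aliases.setdefault(str(addr), []).extend(names)
    return aliases

def classify(netstat_text, aliases):
    """Return one dict per TCP row: owner, remote, leaves_host, shown_as."""
    conns = []
    for line in netstat_text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            ip = ipaddress.ip_address(row.group(1).strip("[]"))
            conns.append({"owner": None, "remote": f"{ip}:{row.group(2)}",
                          "leaves_host": not ip.is_loopback,
                          # names a resolving tool may display for this address
                          "shown_as": aliases.get(str(ip), [])})
        elif owner and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = owner.group(1)  # -b prints the owner below its row
    return conns
```

Rows with `leaves_host` false and a non-empty `shown_as` are the ones a monitoring tool can mislabel with an external-looking name.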
Send message Joined: 10 Mar 14 Posts: 11 ![]() |
Interesting. I wonder who or what added the entry to the hosts file then... not I, that I can remember. Scheeesch. Ready to give up on Windows and go back to Solaris or Tops-20. |
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.