Message boards : The Lounge : Spyware infestation and Boinc or projects
Joined: 3 Apr 08 | Posts: 4

I recently experienced huge delays in using my computers at home. In trying to discover what was happening I ran every spyware solution known to the human race and found nothing. Then, digging deeper, I used the 'netstat -a' command and found hundreds of established sessions where the destination was 007guard.com and an akamai (sp?) site. Using the command 'netstat -ab' - which tries to show the executable launching or sourcing the link - it showed that boinc.exe was generating the link. I turned off boinc, and still found one or two sessions, but none of them can establish. I only get that when I allow boinc.exe to run! I am running seti and rosetta stone. Has anyone seen this phenom??? It's killing my PCs, and I cannot rebuild one of them at this time because of other issues that require this server to be UP 24X7.
Joined: 29 Aug 05 | Posts: 15569

Hi there. The usual question is, which BOINC do you use and on what OS? Are you using Akamai on your system for something else? Did you check for virus infections as well? Where did you download BOINC from?
Joined: 3 Apr 08 | Posts: 4

Hi there. Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later. I run Avast antivirus and have scanned with that, HouseCall, Spybot S&D, SpywareBlaster, Ad-Aware, and online scans from McAfee and Kaspersky. I ran Symantec Stinger, and I am running TrendMicro's RUBotted and that other freeware System thing (I forget, probably from the trauma). Akamai - I never knowingly downloaded that at all. BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common windows DLLs or EXEs and then all hope is lost. What burns my water is that can't the AV or Spyware software compare common DLLs/EXEs for an MD5 or CRC and discover if they are hosed up? Just my thoughts...
Joined: 29 Aug 05 | Posts: 15569

> I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

It's the correct site. You should, if possible, try to update to a later version though, and see if it still does it. The latest stable BOINC for all OSes is 5.10.45.

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common windows DLLs or EXEs and then all hope is lost. What burns my water is that can't the AV or Spyware software compare common DLLs/EXEs for an MD5 or CRC and discover if they are hosed up?

That's really a question you should ask at the AV and spyware companies' forums. I can't answer that.

Akamai is a "Web Application Acceleration and Performance Management application". It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps one of them has an answer on that.

007guard is what I would define as spyware and should be detected by all the programs you mentioned, as long as you have those up-to-date at least.
Joined: 29 Sep 06 | Posts: 21

Try AVG's anti-rootkit free: http://free.grisoft.com/doc/download-free-anti-rootkit/ I spent days trying to rid my pc of a hidden nasty; none of the spyware stuff you've mentioned even found it, but AVG anti-rootkit free had it zapped in minutes.
Joined: 3 Apr 08 | Posts: 4

> Try AVG's anti-rootkit free

That would be awesome, I just downloaded it and will try that this evening! What do you think of MD4/5 or checksum comparators? I'm thinking of making a program that would generate a checksum of all DLLs and EXEs in the OS and then comparing it daily with a scan, reporting anything that is off. The rootkits can't install without affecting an MD4/5 or CRC checksum - can they?
Joined: 29 Aug 05 | Posts: 15569

> It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps one of them has an answer on that.

I asked and got back what I expected: the only communication that BOINC does to check for network failures is a ping to www.google.com. That's the "reference site" message you see. Although one of the projects may use Akamai. So the question is, which project or projects are you attached to?
Joined: 19 Jan 07 | Posts: 1179

> What do you think of MD4/5 or checksum comparators? I'm thinking of making a program that would generate a checksum of all DLLs and EXEs in the OS and then comparing it daily with a scan, reporting anything that is off. The rootkits can't install without affecting an MD4/5 or CRC checksum - can they?

That already exists, it's called System File Checker and is included with Windows. But you need your Windows CD to use it. Open Start -> Run -> sfc /scannow
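The "checksum all DLLs and EXEs, rescan daily, report anything that is off" idea above is a file-integrity baseline. The following is an added example of that design, not code from this thread, from BOINC or from any of the tools named here. It uses SHA-256 rather than MD4/MD5 or CRC, because for those a tampered file can be made to keep its old checksum; the directory layout and file contents in `demo()` are constructed for the demonstration (the file names only echo the `winlogon.exe` mentioned later in the thread).

```python
"""File-integrity baseline: hash watched binaries under a directory, store the
result, and on a later scan report added, removed and modified files.
Added example for the BOINC thread above; not project code."""
import hashlib
import json
import os
import tempfile

# Extensions the thread is worried about (EXE/DLL/OCX); drivers added for good measure.
WATCHED_SUFFIXES = (".exe", ".dll", ".ocx", ".sys")


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large binaries don't load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffixes=WATCHED_SUFFIXES):
    """Map 'relative/path' -> sha256 for every watched file below root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two scans: which watched files appeared, vanished or changed contents."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Persist the baseline; keep this copy somewhere the scanned host cannot rewrite it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: clean baseline, then one patched DLL, one new EXE, one deleted EXE."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/winlogon.exe", b"constructed clean winlogon bytes")
        _write(root, "system32/user32.dll", b"constructed clean user32 bytes")
        _write(root, "readme.txt", b"not a binary, so never watched")
        baseline = build_baseline(root)

        # Simulated tampering between the two scans.
        _write(root, "system32/user32.dll", b"constructed clean user32 bytes<patched>")
        _write(root, "system32/dropper.exe", b"constructed unknown binary")
        os.remove(os.path.join(root, "system32", "winlogon.exe"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats match the rest of the thread: the baseline file and the scanner itself have to live somewhere the machine being checked cannot modify (otherwise whatever replaced the DLL can also rewrite the stored hashes), and a rootkit that hooks file enumeration can hide files from `os.walk` entirely, which is why the later replies suggest an offline or anti-rootkit scan as well as `sfc /scannow`.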
Joined: 3 Apr 06 | Posts: 547

> Akamai is a "Web Application Acceleration and Performance Management application".

Or, in other words, Akamai Technologies' huge commercial download network is used by many, many companies for supplying their bulk and huge data for download by their customers around the world (e.g. Kaspersky Antivirus' hourly virus definition updates, distribution of installation DVD images, etc.). Any project might use it to distribute their applications, for offloading their servers. (Not that I've heard of such a one; obviously neither did Ageless.) Boinc might too, but is not AFAIK.

Peter
Joined: 19 Jan 07 | Posts: 1179

> Akamai is a "Web Application Acceleration and Performance Management application".

Akamai is used by many big companies for their downloads, like Yahoo or Apple.
Joined: 19 Jan 07 | Posts: 1179

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can do with remote exploits. Because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans. (Especially if any of your "kids" visited any *cough* "adult website".)
Joined: 3 Apr 08 | Posts: 4

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

Yes it does explain everything - sob. The AVG rootkit "finder" didn't. I just don't understand how somebody somewhere can't create a program that can hunt this thing down and kill it... There has got to be a straightforward way to have known dlls, exes, such as winlogon.exe, or other ocx files identified by their MD5/checksum hashes that would scream -- infected. Then if I could find that, I can copy a clean one over and kill it -- I digress.

Any other ideas on how to get rid of 007guard.com!!! It is still trying hard to go to itself, but now itself has an IP of 127.0.0.1 - good fun.

Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a connection even with a bogus HOSTS file directing it back here!!!!!!!! OMG!

```
C:\>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    bajor:epmap            bajor:0                LISTENING
  TCP    bajor:microsoft-ds     bajor:0                LISTENING
  TCP    bajor:3389             bajor:0                LISTENING
  TCP    bajor:1029             bajor:0                LISTENING
  TCP    bajor:1526             007guard.com:12080     TIME_WAIT
  TCP    bajor:1531             007guard.com:12080     TIME_WAIT
  TCP    bajor:1539             007guard.com:12080     TIME_WAIT
  TCP    bajor:1541             007guard.com:12080     ESTABLISHED
  TCP    bajor:1547             007guard.com:12080     ESTABLISHED
  TCP    bajor:12025            bajor:0                LISTENING
  TCP    bajor:12080            bajor:0                LISTENING
  TCP    bajor:12080            007guard.com:1529      TIME_WAIT
  TCP    bajor:12080            007guard.com:1533      TIME_WAIT
  TCP    bajor:12080            007guard.com:1535      TIME_WAIT
  TCP    bajor:12080            007guard.com:1537      TIME_WAIT
  TCP    bajor:12080            007guard.com:1541      ESTABLISHED
  TCP    bajor:12080            007guard.com:1543      TIME_WAIT
  TCP    bajor:12080            007guard.com:1545      TIME_WAIT
  TCP    bajor:12080            007guard.com:1547      ESTABLISHED
  TCP    bajor:12110            bajor:0                LISTENING
  TCP    bajor:12119            bajor:0                LISTENING
  TCP    bajor:12143            bajor:0                LISTENING
  TCP    bajor:62514            bajor:0                LISTENING
```
Joined: 19 Jan 07 | Posts: 1179

> Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

Use netstat -b to know what *program* is holding those connections.
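Reading a long `netstat -a` listing by eye, as the thread is doing, is error-prone; the added example below (not code from this thread or from BOINC) parses saved `netstat -a` or `netstat -ab` output, ignores connections to the machine's own name, and summarises per foreign host how many sessions are in each state and which executables own them. It assumes the `netstat -b` convention where the owning program is printed in square brackets on the line after each connection. The sample text is constructed, modelled on the listing posted above with process lines and two extra hosts added.

```python
"""Summarise Windows netstat -a / netstat -ab output per foreign host.
Added example for the BOINC thread; not project code."""
import re
from collections import defaultdict

# "  TCP    bajor:1541    007guard.com:12080    ESTABLISHED"  (state absent for UDP)
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")
# netstat -b prints the owning executable on its own line: " [boinc.exe]"
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Addresses netstat uses for "any"/loopback; connections to these are not remote.
LOCAL_PLACEHOLDERS = {"*", "0.0.0.0", "127.0.0.1", "[::]", "[::1]"}


def split_host_port(addr):
    """'007guard.com:12080' -> ('007guard.com', '12080'); also handles '*:*' and '[::]:135'."""
    host, _sep, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection line: proto, local, foreign, state, processes."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            records.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "processes": []})
            continue
        p = PROC_RE.match(line)
        if p and records:
            # Bracketed program name belongs to the connection printed just before it.
            records[-1]["processes"].append(p.group(1))
    return records


def summarize(records, local_hosts):
    """Group connections to remote hosts: counts per state plus owning executables."""
    summary = {}
    for rec in records:
        host, _port = split_host_port(rec["foreign"])
        if host in local_hosts or host in LOCAL_PLACEHOLDERS:
            continue
        entry = summary.setdefault(host, {"states": defaultdict(int), "processes": set()})
        entry["states"][rec["state"]] += 1
        entry["processes"].update(rec["processes"])
    return summary


def flag_hosts(summary, min_established=2):
    """Remote hosts holding at least min_established ESTABLISHED sessions, busiest first."""
    hits = [(host, e["states"].get("ESTABLISHED", 0)) for host, e in summary.items()
            if e["states"].get("ESTABLISHED", 0) >= min_established]
    return [host for host, _count in sorted(hits, key=lambda h: (-h[1], h[0]))]


# Constructed sample in netstat -ab layout, modelled on the listing in the thread.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    bajor:epmap            bajor:0                LISTENING
 [svchost.exe]
  TCP    bajor:3389             bajor:0                LISTENING
 [svchost.exe]
  TCP    bajor:1526             007guard.com:12080     TIME_WAIT
  TCP    bajor:1541             007guard.com:12080     ESTABLISHED
 [boinc.exe]
  TCP    bajor:1547             007guard.com:12080     ESTABLISHED
 [boinc.exe]
  TCP    bajor:12080            bajor:0                LISTENING
 [boinc.exe]
  TCP    bajor:12080            007guard.com:1541      ESTABLISHED
 [boinc.exe]
  TCP    bajor:1602             www.google.com:http    ESTABLISHED
 [boinc.exe]
  TCP    bajor:1610             cache.akamai.example:http  ESTABLISHED
 [iexplore.exe]
  UDP    bajor:ntp              *:*
"""


def demo():
    """Parse the constructed sample; returns (summary, flagged hosts)."""
    summary = summarize(parse_netstat(SAMPLE), local_hosts={"bajor"})
    return summary, flag_hosts(summary)


if __name__ == "__main__":
    summary, flagged = demo()
    for host, entry in sorted(summary.items()):
        print(host, dict(entry["states"]), sorted(entry["processes"]))
    print("hosts with repeated established sessions:", flagged)
```

Note that `netstat -a` shows names, not addresses: it reverse-resolves each peer, so a HOSTS file entry pointing `007guard.com` at 127.0.0.1 changes what the forward lookup returns but not what an existing connection to the real address is labelled. Run `netstat -an` (numeric) alongside it to see the actual IPs the sessions go to; if both local and foreign ends show 127.0.0.1, the "connections" are the machine talking to itself through the HOSTS redirect rather than to the outside.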
Joined: 29 Aug 05 | Posts: 117

> Use netstat -b to know what *program* is holding those connections.

I'd suggest TCPView for Windows for (near) realtime monitoring of network connections in windows.
Joined: 29 Sep 06 | Posts: 21

Google entries say it's ad/spyware. http://forum.kaspersky.com/index.php?showtopic=64867 http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview Do a HijackThis before you start, but before you go through all that try running Spybot (and/or something similar) in safe mode with network connections off.
Joined: 27 Apr 08 | Posts: 1

I just came across what I believe is a 2nd virus incident via Rosetta stone, reported by NOD32. File: http://srv3.bakerlab.org/rosetta/download/minirosetta_graphics_1.15_windows_intelx86.exe Threat indicator: probably a variant of Win32/Statik.app
Joined: 30 Oct 05 | Posts: 1239

> I just came across what I believe is a 2nd virus incident via Rosetta stone, reported by NOD32.

It's a false positive. See the Rosetta message boards.

Kathryn :o)
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.