Spyware infestation and Boinc or projects

Message boards : The Lounge : Spyware infestation and Boinc or projects
MChristy
Joined: 3 Apr 08
Posts: 4
United States
Message 16394 - Posted: 3 Apr 2008, 14:58:59 UTC

I recently experienced huge delays in using my computers at home. In trying to discover what was happening, I ran every spyware solution known to the human race and found nothing. Then, digging deeper, I used the 'netstat -a' command and found hundreds of established sessions where the destination was 007guard.com and an akamai (sp?) site. Using the command 'netstat -ab', which tries to show the executable launching or sourcing the link, it showed that boinc.exe was generating the link. I turned off boinc and still found one or two sessions, but none of them can establish. I only get that when I allow boinc.exe to run! I am running seti and rosetta stone. Has anyone seen this phenom??? It's killing my PCs, and I cannot rebuild one of them at this time because of other issues that require this server to be UP 24X7.
ID: 16394
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15480
Netherlands
Message 16396 - Posted: 3 Apr 2008, 15:31:01 UTC

Hi there,

The usual question is, which BOINC do you use and on what OS?
Are you using Akamai on your system for something else?
Did you check for virus infections as well?
Where did you download BOINC from?
ID: 16396
MChristy
Joined: 3 Apr 08
Posts: 4
United States
Message 16397 - Posted: 3 Apr 2008, 15:37:54 UTC - in response to Message 16396.

> Hi there,
>
> The usual question is, which BOINC do you use and on what OS?
> Are you using Akamai on your system for something else?
> Did you check for virus infections as well?
> Where did you download BOINC from?


Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

I run Avast antivirus and have scanned with that, HouseCall, Spybot S&D, Spyware Blaster, AdAware, and online scans from McAfee and Kaspersky.

I ran Symantec Stinger, and I am running TrendMicro's RUBotted and that other freeware System thing (I forget, probably from the trauma).

Akamai - I never knowingly downloaded that at all.

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common Windows DLLs or EXEs and then all hope is lost. What burns my water is: can't the AV or spyware software compare common DLLs/EXEs for an MD5 or CRC and discover if they are hosed up?

Just my thoughts...
ID: 16397
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15480
Netherlands
Message 16398 - Posted: 3 Apr 2008, 15:49:16 UTC - in response to Message 16397.

> Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

It's the correct site; you should, if possible, try to update to a later version though, and see if it still does it. The latest stable BOINC for all OSes is 5.10.45.

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common Windows DLLs or EXEs and then all hope is lost. What burns my water is: can't the AV or spyware software compare common DLLs/EXEs for an MD5 or CRC and discover if they are hosed up?
>
> Just my thoughts...

That's really a question you should ask at the AV and spyware companies' forums. I can't answer that.

Akamai is a "Web Application Acceleration and Performance Management application".
It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps one of them has an answer on that.

007guard is what I would define as spyware and should be detected by all the programs you mentioned, as long as you have those up-to-date at least.
ID: 16398
marj
Joined: 29 Sep 06
Posts: 21
United Kingdom
Message 16400 - Posted: 3 Apr 2008, 16:25:07 UTC

Try AVG's Anti-Rootkit Free:
http://free.grisoft.com/doc/download-free-anti-rootkit/
I spent days trying to rid my PC of a hidden nasty; none of the spyware stuff you've mentioned even found it, but AVG Anti-Rootkit Free had it zapped in minutes.

ID: 16400
MChristy
Joined: 3 Apr 08
Posts: 4
United States
Message 16403 - Posted: 3 Apr 2008, 19:21:11 UTC - in response to Message 16400.

> Try AVG's Anti-Rootkit Free:
> http://free.grisoft.com/doc/download-free-anti-rootkit/
> I spent days trying to rid my PC of a hidden nasty; none of the spyware stuff you've mentioned even found it, but AVG Anti-Rootkit Free had it zapped in minutes.

That would be awesome, I just downloaded it and will try that this evening!

What do you think of MD4/5 or checksum comparators? I'm thinking of making a program that would generate a checksum of all DLLs and EXEs in the OS and then compare it daily with a scan, reporting anything that is off. The rootkits can't install without affecting an MD4/5 or CRC checksum - can they?
ID: 16403
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15480
Netherlands
Message 16404 - Posted: 3 Apr 2008, 19:43:37 UTC - in response to Message 16398.

> It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps one of them has an answer on that.

I asked and got back what I expected: the only communication that BOINC does to check for network failures is a ping to www.google.com.
That's the reference site message you see.

Although one of the projects may use Akamai. So the question is, which project or projects are you attached to?

ID: 16404
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16415 - Posted: 3 Apr 2008, 22:56:43 UTC - in response to Message 16403.

> What do you think of MD4/5 or checksum comparators? I'm thinking of making a program that would generate a checksum of all DLLs and EXEs in the OS and then compare it daily with a scan, reporting anything that is off. The rootkits can't install without affecting an MD4/5 or CRC checksum - can they?

That already exists; it's called System File Checker and is included with Windows. But you need your Windows CD to use it.

Open Start -> Run -> sfc /scannow

ID: 16415
Pepo
Joined: 3 Apr 06
Posts: 547
Slovakia
Message 16416 - Posted: 3 Apr 2008, 22:57:22 UTC - in response to Message 16398.

> Akamai is a "Web Application Acceleration and Performance Management application".

Or, in other words, Akamai Technologies' huge commercial download network is used by many, many companies for supplying their bulk and huge data for download by their customers around the world (e.g. Kaspersky Antivirus' hourly virus definition updates, distribution of installation DVD images, etc.).

Any project might use it to distribute their applications, for offloading their servers. (Not that I've heard of one; obviously neither has Ageless.) BOINC might too, but AFAIK it does not.

Peter
ID: 16416
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16417 - Posted: 3 Apr 2008, 22:58:01 UTC - in response to Message 16398.

> Akamai is a "Web Application Acceleration and Performance Management application".

Akamai is used by many big companies for their downloads, like Yahoo or Apple.

ID: 16417
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16418 - Posted: 3 Apr 2008, 23:00:52 UTC - in response to Message 16397.

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can do with remote exploits. Because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans. (especially if any of your "kids" visited any *cough* "adult website")
ID: 16418
MChristy
Joined: 3 Apr 08
Posts: 4
United States
Message 16428 - Posted: 4 Apr 2008, 4:57:34 UTC - in response to Message 16418.
Last modified: 4 Apr 2008, 4:59:54 UTC

> BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.
>
> That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can do with remote exploits. Because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans. (especially if any of your "kids" visited any *cough* "adult website")

Yes, it does explain everything - sob. The AVG rootkit "finder" didn't. I just don't understand how somebody somewhere can't create a program that can hunt this thing down and kill it... There has got to be a straightforward way to have known DLLs, EXEs such as winlogon.exe, or other OCX files identified by their MD5/checksum hashes that would scream -- infected. Then, if I could find that, I can copy a clean one over and kill it -- I digress.

Any other ideas on how to rid 007guard.com!!! It is still trying hard to go to itself, but now itself has an IP of 127.0.0.1 - good fun

Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a connection even with a bogus HOSTS file directing it back here!!!!!!!! OMG!

C:\>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP bajor:epmap bajor:0 LISTENING
TCP bajor:microsoft-ds bajor:0 LISTENING
TCP bajor:3389 bajor:0 LISTENING
TCP bajor:1029 bajor:0 LISTENING
TCP bajor:1526 007guard.com:12080 TIME_WAIT
TCP bajor:1531 007guard.com:12080 TIME_WAIT
TCP bajor:1539 007guard.com:12080 TIME_WAIT
TCP bajor:1541 007guard.com:12080 ESTABLISHED
TCP bajor:1547 007guard.com:12080 ESTABLISHED
TCP bajor:12025 bajor:0 LISTENING
TCP bajor:12080 bajor:0 LISTENING
TCP bajor:12080 007guard.com:1529 TIME_WAIT
TCP bajor:12080 007guard.com:1533 TIME_WAIT
TCP bajor:12080 007guard.com:1535 TIME_WAIT
TCP bajor:12080 007guard.com:1537 TIME_WAIT
TCP bajor:12080 007guard.com:1541 ESTABLISHED
TCP bajor:12080 007guard.com:1543 TIME_WAIT
TCP bajor:12080 007guard.com:1545 TIME_WAIT
TCP bajor:12080 007guard.com:1547 ESTABLISHED
TCP bajor:12110 bajor:0 LISTENING
TCP bajor:12119 bajor:0 LISTENING
TCP bajor:12143 bajor:0 LISTENING
TCP bajor:62514 bajor:0 LISTENING
ID: 16428
Nicolas
Joined: 19 Jan 07
Posts: 1179
Argentina
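The checksum comparator MChristy proposes in this thread (hash every EXE and DLL once, rescan daily, report whatever differs) is simple enough to sketch. The following is an added example, not code from the forum, from BOINC or from any poster. Assumptions that are mine, not the thread's: SHA-256 instead of the MD4/MD5/CRC mentioned (MD4 and MD5 collisions can be manufactured on purpose, and a CRC is trivial to fix up), a JSON file as the baseline store, and the list of watched extensions.

```python
"""Baseline-and-compare integrity check for executable files.

Added example; not code from the thread, from BOINC or from any poster.
Hashes every watched file under a root, stores the result, and on a later
scan reports files that changed, appeared or disappeared. SHA-256, the JSON
baseline and WATCHED_SUFFIXES are assumptions of this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".exe", ".dll", ".ocx", ".sys"}


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each watched file (path relative to root, '/'-separated) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Files whose hash changed, files not in the baseline, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan, diff."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    (root / "system32").mkdir()
    (root / "system32" / "winlogon.exe").write_bytes(b"original winlogon image")
    (root / "system32" / "helper.dll").write_bytes(b"original helper")
    (root / "readme.txt").write_bytes(b"not an executable, so not tracked")

    baseline_file = root / "baseline.json"        # .json is not a watched suffix
    save_baseline(build_baseline(root), baseline_file)

    # What a later daily scan might face: a replaced system binary,
    # a new unknown DLL, and a deleted one.
    (root / "system32" / "winlogon.exe").write_bytes(b"patched winlogon image")
    (root / "system32" / "injected.dll").write_bytes(b"unknown code")
    (root / "system32" / "helper.dll").unlink()

    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

Two caveats that the thread's own replies hint at. The baseline has to live somewhere the machine cannot quietly rewrite (read-only media, another host), and legitimate updates will churn it, which is why Windows' own System File Checker compares against signed catalogs rather than a home-grown list. And a kernel-level rootkit that hooks file enumeration can hide or substitute what this scanner reads in the first place; a user-mode hash walk only catches what the OS is willing to show it, so it complements, rather than replaces, an anti-rootkit or offline scan.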
Message 16429 - Posted: 4 Apr 2008, 5:10:54 UTC - in response to Message 16428.

> Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...
>
> PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a connection even with a bogus HOSTS file directing it back here!!!!!!!! OMG!
>
> C:\>netstat -a

Use netstat -b to know what *program* is holding those connections.
ID: 16429
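Reading a long netstat listing by eye is error-prone, so here is an added example (not code from the forum, from BOINC or from any poster) that parses Windows netstat output and summarises it: which ports are listening, how many sockets per peer are in which state, which executable owns them when `netstat -b` attribution lines are present, and which connections have both ends on this host. The listing in `SAMPLE` is the `netstat -a` output posted above, re-spaced into columns; the two `[boinc.exe]` lines are constructed to show the extra line `netstat -b` prints under a socket (the owning executable in square brackets). The thread says `-ab` attributed connections to boinc.exe, but which process owned which socket is not on the page, so that attribution is illustrative only.

```python
"""Summarise Windows `netstat -a` / `netstat -b` output.

Added example for this thread; not code from the forum, BOINC or any poster.
SAMPLE is the `netstat -a` listing posted in the thread. The `[boinc.exe]`
lines are constructed to show the shape of `netstat -b` attribution lines.
"""
from collections import Counter, defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address       Foreign Address       State
  TCP    bajor:epmap         bajor:0               LISTENING
  TCP    bajor:microsoft-ds  bajor:0               LISTENING
  TCP    bajor:3389          bajor:0               LISTENING
  TCP    bajor:1029          bajor:0               LISTENING
  TCP    bajor:1526          007guard.com:12080    TIME_WAIT
  TCP    bajor:1531          007guard.com:12080    TIME_WAIT
  TCP    bajor:1539          007guard.com:12080    TIME_WAIT
  TCP    bajor:1541          007guard.com:12080    ESTABLISHED
  [boinc.exe]
  TCP    bajor:1547          007guard.com:12080    ESTABLISHED
  [boinc.exe]
  TCP    bajor:12025         bajor:0               LISTENING
  TCP    bajor:12080         bajor:0               LISTENING
  TCP    bajor:12080         007guard.com:1529     TIME_WAIT
  TCP    bajor:12080         007guard.com:1533     TIME_WAIT
  TCP    bajor:12080         007guard.com:1535     TIME_WAIT
  TCP    bajor:12080         007guard.com:1537     TIME_WAIT
  TCP    bajor:12080         007guard.com:1541     ESTABLISHED
  TCP    bajor:12080         007guard.com:1543     TIME_WAIT
  TCP    bajor:12080         007guard.com:1545     TIME_WAIT
  TCP    bajor:12080         007guard.com:1547     ESTABLISHED
  TCP    bajor:12110         bajor:0               LISTENING
  TCP    bajor:12119         bajor:0               LISTENING
  TCP    bajor:12143         bajor:0               LISTENING
  TCP    bajor:62514         bajor:0               LISTENING
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition also copes with '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """One dict per socket line; a following '[name]' line becomes its process."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active", "Proto")):
            continue
        if line.startswith("[") and line.endswith("]"):
            if entries:                       # netstat -b: owner of the previous socket
                entries[-1]["process"] = line[1:-1]
            continue
        parts = line.split()
        if parts[0] not in ("TCP", "UDP"):
            continue                          # e.g. the DLL paths netstat -b may list
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        entries.append({
            "proto": parts[0], "lhost": lhost, "lport": lport,
            "fhost": fhost, "fport": fport,
            "state": parts[3] if len(parts) > 3 else "",   # UDP lines carry no state
            "process": None,
        })
    return entries


def summarise(entries):
    """Listeners, per-peer state counts, per-process counts, mirrored port pairs."""
    listening = sorted(e["lport"] for e in entries if e["state"] == "LISTENING")
    active = [e for e in entries if e["state"] not in ("", "LISTENING")]

    by_peer = defaultdict(Counter)
    by_process = Counter()
    for e in active:
        by_peer[e["fhost"]][e["state"]] += 1
        if e["process"]:
            by_process[e["process"]] += 1

    # A (local port, foreign port) pair that also appears reversed is one TCP
    # connection seen from both ends: the "foreign" side is this same host,
    # i.e. the traffic terminates at a local listener, whatever name netstat
    # printed for it.
    port_pairs = {(e["lport"], e["fport"]) for e in active}
    mirrored = sorted({tuple(sorted(p)) for p in port_pairs if (p[1], p[0]) in port_pairs})

    return {
        "listening": listening,
        "by_peer": {host: dict(c) for host, c in by_peer.items()},
        "by_process": dict(by_process),
        "loopback_pairs": mirrored,
    }


def report(text=SAMPLE):
    return summarise(parse_netstat(text))


if __name__ == "__main__":
    r = report()
    print("listening ports:", ", ".join(r["listening"]))
    for host, states in r["by_peer"].items():
        print(f"{host}: {states}")
    print("owned by:", r["by_process"])
    print("connections with both ends on this host:", r["loopback_pairs"])
```

On the posted listing the mirrored-pair check fires for local ports 1541 and 1547: each appears once as the client side talking to port 12080 and once as the peer of the listener on 12080, so those sockets never leave the machine. netstat shows the foreign side under whatever name reverse lookup returns, and that lookup consults the HOSTS file, so once a name has been mapped to 127.0.0.1 in HOSTS, loopback sockets are displayed under that name. Running `netstat -an` skips name resolution and prints the raw addresses, which is the quickest way to settle whether a peer is actually remote before chasing it any further.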
Chris Sutton
Joined: 29 Aug 05
Posts: 117
Message 16431 - Posted: 4 Apr 2008, 7:09:35 UTC - in response to Message 16429.

> Use netstat -b to know what *program* is holding those connections.

I'd suggest TCPView for Windows for (near) real-time monitoring of network connections in Windows.
ID: 16431
marj
Joined: 29 Sep 06
Posts: 21
United Kingdom
Message 16437 - Posted: 4 Apr 2008, 9:40:33 UTC
Last modified: 4 Apr 2008, 9:41:08 UTC

Google entries say it's ad/spyware.
http://forum.kaspersky.com/index.php?showtopic=64867

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
Do a HijackThis log before you start, but before you go through all that, try running Spybot (and/or something similar) in safe mode with network connections off.
ID: 16437
KSB9
Joined: 27 Apr 08
Posts: 1
United States
Message 16900 - Posted: 27 Apr 2008, 2:35:12 UTC

I just came across what I believe is a 2nd virus incident via Rosetta stone, reported by NOD32.

File:
http://srv3.bakerlab.org/rosetta/download/minirosetta_graphics_1.15_windows_intelx86.exe

Threat indicator:
probably a variant of a Win32/Statik.app

ID: 16900
KSMarksPsych
Joined: 30 Oct 05
Posts: 1239
United States
Message 16901 - Posted: 27 Apr 2008, 3:19:27 UTC - in response to Message 16900.

> I just came across what I believe is a 2nd virus incident via Rosetta stone, reported by NOD32.
>
> File:
> http://srv3.bakerlab.org/rosetta/download/minirosetta_graphics_1.15_windows_intelx86.exe
>
> Threat indicator:
> probably a variant of a Win32/Statik.app

It's a false positive. See the Rosetta message boards.
Kathryn :o)
ID: 16901

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.