Thread 'Spyware infestation and Boinc or projects'

Message boards : The Lounge : Spyware infestation and Boinc or projects
Message board moderation

To post messages, you must log in.

AuthorMessage
MChristy

Send message
Joined: 3 Apr 08
Posts: 4
United States
Message 16394 - Posted: 3 Apr 2008, 14:58:59 UTC

I recently experienced huge delays in using my computers at home. In trying to discover what was happening I ran every spyware solution known to the human race and found nothing. Then digging deeper I used the 'netstat -a' command and found hundreds of established sessions where the destination was 007guard.com and akamai (sp?) site. Using the command 'netstat -ab' - which tries to show the executable launching or sourcing the link - it showed that boinc.exe was generating the link. I turned off boinc, and still found 1 or two sessions, but none of them can establish. I only get that when I allow boinc.exe to run! I am running seti and rosetta stone. Has anyone seen this phenom??? It's killing my PCs, and I cannot rebuild one of them at this time because of other issues that require this server to be UP 24X7.
ID: 16394 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15572
Netherlands
Message 16396 - Posted: 3 Apr 2008, 15:31:01 UTC

Hi there,

The usual question is, which BOINC do you use and on what OS?
Are you using Akamai on your system for something else?
Did you check for virus infections as well?
Where did you download BOINC from?
ID: 16396 · Report as offensive
MChristy

Send message
Joined: 3 Apr 08
Posts: 4
United States
Message 16397 - Posted: 3 Apr 2008, 15:37:54 UTC - in response to Message 16396.  

Hi there,

The usual question is, which BOINC do you use and on what OS?
Are you using Akamai on your system for something else?
Did you check for virus infections as well?
Where did you download BOINC from?


Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

I run Avast antivirus and have scanned with that, HouseCall, SpybotS&D, Spyware Blaster, AdAware, and online scans from MacAffee, Kaspersky.

I ran Symantex Stinger, and I an running TrendMicro's RUBotted and that other freeware System thing (I forget, probably from the trauma).

Akamai - I never knowingly downloaded that at all.

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common windows DLLs or EXEs and then all hope is lost. What burns my water is that can't the AV or Spyware software compare common DLLS/EXES for a MD5 or CRC and discover if they are hosed up?

Just my thoughts...
ID: 16397 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15572
Netherlands
Message 16398 - Posted: 3 Apr 2008, 15:49:16 UTC - in response to Message 16397.  

Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

It's the correct site, you should if possible try to update to a later version though, see if it still does it. The latest stable BOINC for all OSes is 5.10.45

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common windows DLLs or EXEs and then all hope is lost. What burns my water is that can't the AV or Spyware software compare common DLLS/EXES for a MD5 or CRC and discover if they are hosed up?

Just my thoughts...

That's really a question you should ask at the AV and Spyware companies their forums. I can't answer that.

Akamai is a "Web Application Acceleration and Performance Management application".
It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps that one of them has an answer on that.

007guard is what I would define as spyware and should be detected by all the programs you mentioned, as long as you have those up-to-date at least.
ID: 16398 · Report as offensive
marj

Send message
Joined: 29 Sep 06
Posts: 21
United Kingdom
Message 16400 - Posted: 3 Apr 2008, 16:25:07 UTC

Try AVG's anti-rootkit free
http://free.grisoft.com/doc/download-free-anti-rootkit/
I spent days trying to rid my pc of a hidden nasty , none of the spyware stuff you've mentioned even found it but avg anti-rootkit free had it zapped in minutes.

ID: 16400 · Report as offensive
MChristy

Send message
Joined: 3 Apr 08
Posts: 4
United States
Message 16403 - Posted: 3 Apr 2008, 19:21:11 UTC - in response to Message 16400.  

Try AVG's anti-rootkit free
http://free.grisoft.com/doc/download-free-anti-rootkit/
I spent days trying to rid my pc of a hidden nasty , none of the spyware stuff you've mentioned even found it but avg anti-rootkit free had it zapped in minutes.

That would be awesome, I just downloaded it and will try that this evening!

What do you think of MD4/5 of Checksum comparators. I'm thinking of making a program that would generate a checksum of all DLLS and EXEs in the OS and then comparing it daily with a scan, reporting anything that is off. The rootkits can't install without effecting an MD4/5 or CRC checksum - can they?
ID: 16403 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15572
Netherlands
Message 16404 - Posted: 3 Apr 2008, 19:43:37 UTC - in response to Message 16398.  

It is possible an older version of BOINC used it when the first code introductions were made for adding peer-to-peer networking. But I don't think it was ever in the code, so I asked the developers. Perhaps that one of them has an answer on that.

I asked and got back what I expected: The only communication that BOINC does to check for network failures is a ping to www.google.com
That's the reference site message you see.

Although one of the projects may use Akamai. So the question is, which project or projects are you attached to?

ID: 16404 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16415 - Posted: 3 Apr 2008, 22:56:43 UTC - in response to Message 16403.  

What do you think of MD4/5 of Checksum comparators. I'm thinking of making a program that would generate a checksum of all DLLS and EXEs in the OS and then comparing it daily with a scan, reporting anything that is off. The rootkits can't install without effecting an MD4/5 or CRC checksum - can they?

That already exists, it's called System File Checker and is included with Windows. But you need your Windows CD to use it.

Open Start -> Run -> sfc /scannow

ID: 16415 · Report as offensive
Pepo
Avatar

Send message
Joined: 3 Apr 06
Posts: 547
Slovakia
Message 16416 - Posted: 3 Apr 2008, 22:57:22 UTC - in response to Message 16398.  

Akamai is a "Web Application Acceleration and Performance Management application".

Or with other words, Akamai Technologies' huge commercial download network is used by many many companies for supplying their bulk and huge data for download by their customers around the world (e.g. Kasperski Antivirus' hourly virus definitions updates, distribution of installation DVD images, etc.)

Any project might use it to distribute their applications, for offloading their servers. (Not that I've heard of such one, obviously neither did Ageless.) Boinc might too, but is not AFAIK.

Peter
ID: 16416 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16417 - Posted: 3 Apr 2008, 22:58:01 UTC - in response to Message 16398.  

Akamai is a "Web Application Acceleration and Performance Management application".

Akamai is used by many big companies for their downloads, like Yahoo or Apple.

ID: 16417 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16418 - Posted: 3 Apr 2008, 23:00:52 UTC - in response to Message 16397.  

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can do with remote exploits. Because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans. (especially if any of your "kids" visited any *cough* "adult website")
ID: 16418 · Report as offensive
MChristy

Send message
Joined: 3 Apr 08
Posts: 4
United States
Message 16428 - Posted: 4 Apr 2008, 4:57:34 UTC - in response to Message 16418.  
Last modified: 4 Apr 2008, 4:59:54 UTC

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can do with remote exploits. Because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans. (especially if any of your "kids" visited any *cough* "adult website")


Yes it does explain everything - sob. The AVG rootkit "finder" didn't. I just don't understand how somebody somewhare can't create a program that can hunt this thing down and kill it... There has got to be a straight forward way to have known dlls, exes, such as winlogon.exe, or other ocx files identified by their MD5/checksum hashes that would scream -- infected. Then if I could find that , I can copy a clean one over and kill it -- I digress.

Any other ideas on how to rid 007guard.com!!! It is still trying hard to go to itself, but now itself has an IP of 127.0.0.1 - good fun

Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a conneciton even with bogus HOST file directing it back here!!!!!!!! OMG!

C:\>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP bajor:epmap bajor:0 LISTENING
TCP bajor:microsoft-ds bajor:0 LISTENING
TCP bajor:3389 bajor:0 LISTENING
TCP bajor:1029 bajor:0 LISTENING
TCP bajor:1526 007guard.com:12080 TIME_WAIT
TCP bajor:1531 007guard.com:12080 TIME_WAIT
TCP bajor:1539 007guard.com:12080 TIME_WAIT
TCP bajor:1541 007guard.com:12080 ESTABLISHED
TCP bajor:1547 007guard.com:12080 ESTABLISHED
TCP bajor:12025 bajor:0 LISTENING
TCP bajor:12080 bajor:0 LISTENING
TCP bajor:12080 007guard.com:1529 TIME_WAIT
TCP bajor:12080 007guard.com:1533 TIME_WAIT
TCP bajor:12080 007guard.com:1535 TIME_WAIT
TCP bajor:12080 007guard.com:1537 TIME_WAIT
TCP bajor:12080 007guard.com:1541 ESTABLISHED
TCP bajor:12080 007guard.com:1543 TIME_WAIT
TCP bajor:12080 007guard.com:1545 TIME_WAIT
TCP bajor:12080 007guard.com:1547 ESTABLISHED
TCP bajor:12110 bajor:0 LISTENING
TCP bajor:12119 bajor:0 LISTENING
TCP bajor:12143 bajor:0 LISTENING
TCP bajor:62514 bajor:0 LISTENING
ID: 16428 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1179
Argentina
Message 16429 - Posted: 4 Apr 2008, 5:10:54 UTC - in response to Message 16428.  

Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a conneciton even with bogus HOST file directing it back here!!!!!!!! OMG!

C:>netstat -a

Use netstat -b to know what *program* is holding those connections.
ID: 16429 · Report as offensive
Chris Sutton

Send message
Joined: 29 Aug 05
Posts: 117
Message 16431 - Posted: 4 Apr 2008, 7:09:35 UTC - in response to Message 16429.  

Use netstat -b to know what *program* is holding those connections.

I'd suggest TCPView for Windows for (near) realtime monitoring of network connections in windows.
ID: 16431 · Report as offensive
marj

Send message
Joined: 29 Sep 06
Posts: 21
United Kingdom
Message 16437 - Posted: 4 Apr 2008, 9:40:33 UTC
Last modified: 4 Apr 2008, 9:41:08 UTC

Google entries say its ad/spyware.
http://forum.kaspersky.com/index.php?showtopic=64867

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
do a hijack this before you start but before you go through all that try running spybot (and/or something similar)in safe mode with network connections off.
ID: 16437 · Report as offensive
KSB9

Send message
Joined: 27 Apr 08
Posts: 1
United States
Message 16900 - Posted: 27 Apr 2008, 2:35:12 UTC

I just came across what I beleive a 2nd virus incident via Rosetta stone, reported by NOD32.

File:
http://srv3.bakerlab.org/rosetta/download/minirosetta_graphics_1.15_windows_intelx86.exe

Threat indicator:
probably a variant of a Win32/Statik.app

ID: 16900 · Report as offensive
ProfileKSMarksPsych
Avatar

Send message
Joined: 30 Oct 05
Posts: 1239
United States
Message 16901 - Posted: 27 Apr 2008, 3:19:27 UTC - in response to Message 16900.  

I just came across what I beleive a 2nd virus incident via Rosetta stone, reported by NOD32.

File:
http://srv3.bakerlab.org/rosetta/download/minirosetta_graphics_1.15_windows_intelx86.exe

Threat indicator:
probably a variant of a Win32/Statik.app



It's a false positive. See the Rosetta message boards.
Kathryn :o)
ID: 16901 · Report as offensive

Message boards : The Lounge : Spyware infestation and Boinc or projects

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.