Posts by MChristy

1) Message boards : The Lounge : Spyware infestation and Boinc or projects (Message 16428)
Posted 4 Apr 2008 by MChristy
Post:
BUT -- I have kids and they had group privs of User and Power User, ... so there ya go.

That definitely explains everything. A kid with admin privileges can get the computer infected much faster than a hacker can with remote exploits, because they're very tempted by "emoticons for your email!" and other such banners that actually install trojans (especially if any of your "kids" visited any *cough* "adult website").


Yes, it does explain everything - sob. The AVG rootkit "finder" didn't. I just don't understand how somebody somewhere can't create a program that can hunt this thing down and kill it... There has got to be a straightforward way to have known DLLs, EXEs (such as winlogon.exe) or other OCX files identified by their MD5/checksum hashes that would scream "infected". Then, if I could find that, I could copy a clean one over and kill it -- I digress.

Any other ideas on how to get rid of 007guard.com!!! It is still trying hard to go to itself, but now "itself" has an IP of 127.0.0.1 - good fun.

Just for fun, here is what "netstat -a" looks like whenever I run IE. Enjoy...

PS: Oh, BTW - notice that somehow it still seems to find a real IP address and establish a connection even with a bogus HOSTS file directing it back here!!!!!!!! OMG!

C:\>netstat -a

Active Connections

Proto  Local Address        Foreign Address       State
TCP    bajor:epmap          bajor:0               LISTENING
TCP    bajor:microsoft-ds   bajor:0               LISTENING
TCP    bajor:3389           bajor:0               LISTENING
TCP    bajor:1029           bajor:0               LISTENING
TCP    bajor:1526           007guard.com:12080    TIME_WAIT
TCP    bajor:1531           007guard.com:12080    TIME_WAIT
TCP    bajor:1539           007guard.com:12080    TIME_WAIT
TCP    bajor:1541           007guard.com:12080    ESTABLISHED
TCP    bajor:1547           007guard.com:12080    ESTABLISHED
TCP    bajor:12025          bajor:0               LISTENING
TCP    bajor:12080          bajor:0               LISTENING
TCP    bajor:12080          007guard.com:1529     TIME_WAIT
TCP    bajor:12080          007guard.com:1533     TIME_WAIT
TCP    bajor:12080          007guard.com:1535     TIME_WAIT
TCP    bajor:12080          007guard.com:1537     TIME_WAIT
TCP    bajor:12080          007guard.com:1541     ESTABLISHED
TCP    bajor:12080          007guard.com:1543     TIME_WAIT
TCP    bajor:12080          007guard.com:1545     TIME_WAIT
TCP    bajor:12080          007guard.com:1547     ESTABLISHED
TCP    bajor:12110          bajor:0               LISTENING
TCP    bajor:12119          bajor:0               LISTENING
TCP    bajor:12143          bajor:0               LISTENING
TCP    bajor:62514          bajor:0               LISTENING
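One thing worth checking in the listing above, as an added example that is not part of the original post: every ESTABLISHED 007guard.com connection appears twice, once from each end (bajor:1541 -> 007guard.com:12080 and bajor:12080 -> 007guard.com:1541). A socket table can only show both ends of a connection when both ends are on the same machine, and the post already notes that the HOSTS file pins 007guard.com to 127.0.0.1, which is the address netstat reverse-resolves to that name. So the "foreign" side is the local listener on port 12080, and the question becomes which process owns that listener. The script below parses a saved `netstat -a` listing (a constructed sample trimmed from the one above, plus a constructed HOSTS excerpt), marks foreign names that are really loopback, and separates them from genuinely remote peers. Quick manual checks that give the same answer: `netstat -an` skips name resolution and should show those rows as 127.0.0.1, and `netstat -ano` adds the owning PID of the 12080 listener.

```python
"""Triage a saved `netstat -a` listing for "foreign" hosts that are really
the local machine.  Added example, not part of the original post; the
netstat sample and HOSTS excerpt below are constructed from the posted output.
"""

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Constructed: a subset of the listing in the post plus one real remote peer.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address         State
  TCP    bajor:epmap            bajor:0                 LISTENING
  TCP    bajor:1526             007guard.com:12080      TIME_WAIT
  TCP    bajor:1541             007guard.com:12080      ESTABLISHED
  TCP    bajor:1547             007guard.com:12080      ESTABLISHED
  TCP    bajor:12080            bajor:0                 LISTENING
  TCP    bajor:12080            007guard.com:1541       ESTABLISHED
  TCP    bajor:12080            007guard.com:1547       ESTABLISHED
  TCP    bajor:1600             www.example.com:http    ESTABLISHED
"""

# Constructed HOSTS excerpt; the real file maps many more names to loopback.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
127.0.0.1       007guard.com
127.0.0.1       www.007guard.com
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP line of a `netstat -a` listing."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def loopback_names_from_hosts(text):
    """Names the HOSTS file pins to a loopback address (comments stripped)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LOOPBACK_ADDRS:
            names.update(fields[1:])
    return names


def triage(netstat_text, hosts_text=""):
    rows = parse_netstat(netstat_text)
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    established = [r for r in rows if r["state"] == "ESTABLISHED"]

    # A connection whose mirror image (ports swapped) is also in the table
    # has both endpoints on this machine, whatever name netstat prints.
    pairs = {(r["lport"], r["fport"]) for r in established}
    local_names = loopback_names_from_hosts(hosts_text)
    for r in established:
        if (r["fport"], r["lport"]) in pairs:
            local_names.add(r["fhost"])

    local_listeners, remote = set(), set()
    for r in established:
        if r["fhost"] in local_names:
            # The server side of a loopback connection is whichever of the
            # two ports also shows up as LISTENING; that is the process to look at.
            for port in (r["lport"], r["fport"]):
                if port in listening:
                    local_listeners.add(port)
        else:
            remote.add((r["fhost"], r["fport"]))
    return {"loopback_names": local_names,
            "loopback_listeners": local_listeners,
            "remote": sorted(remote)}


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, HOSTS_SAMPLE).items():
        print(f"{key}: {sorted(value)}")
```

Run it against the output of `netstat -a > netstat.txt` and the contents of `%SystemRoot%\system32\drivers\etc\hosts`. Two caveats: `netstat -b` attributes each socket to its own process, so on a loopback connection the ephemeral-port side (the client) and the 12080 side (the listener) can be two different programs and both should be identified; and a kernel-mode rootkit can hide sockets from netstat entirely, so an empty result from netstat does not prove the box is clean.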
2) Message boards : The Lounge : Spyware infestation and Boinc or projects (Message 16403)
Posted 3 Apr 2008 by MChristy
Post:
Try AVG's anti-rootkit free
http://free.grisoft.com/doc/download-free-anti-rootkit/
I spent days trying to rid my PC of a hidden nasty; none of the spyware stuff you've mentioned even found it, but AVG Anti-Rootkit Free had it zapped in minutes.

That would be awesome, I just downloaded it and will try that this evening!

What do you think of MD4/5 or checksum comparators? I'm thinking of making a program that would generate a checksum of all DLLs and EXEs in the OS and then compare it daily with a scan, reporting anything that is off. The rootkits can't install without affecting an MD4/5 or CRC checksum - can they?
3) Message boards : The Lounge : Spyware infestation and Boinc or projects (Message 16397)
Posted 3 Apr 2008 by MChristy
Post:
Hi there,

The usual question is, which BOINC do you use and on what OS?
Are you using Akamai on your system for something else?
Did you check for virus infections as well?
Where did you download BOINC from?


Good questions. I downloaded boinc from "http://boinc.berkeley.edu/download.php", but probably haven't updated the engine in 9-12 months. I am not at home right now but can check later.

I run Avast antivirus and have scanned with that, HouseCall, Spybot S&D, SpywareBlaster, Ad-Aware, and online scans from McAfee and Kaspersky.

I ran Symantec Stinger, and I am running Trend Micro's RUBotted and that other freeware System thing (I forget, probably from the trauma).

Akamai - I never knowingly downloaded that at all.

BUT -- I have kids and they had group privs of User and Power User, ... so there ya go. My thinking is that 007Guard somehow hijacks common Windows DLLs or EXEs and then all hope is lost. What burns my water is this: can't the AV or spyware software compare common DLLs/EXEs by MD5 or CRC and discover if they are hosed up?

Just my thoughts...
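The idea raised in this post and the one above it (store a digest of every DLL and EXE, re-hash daily, report what differs) is file-integrity monitoring, and a minimal version is below as an added example; it is not code from the poster, from BOINC, or from any of the tools named. It uses SHA-256 rather than MD4/MD5 or CRC, since those can be matched deliberately by an attacker, and the `demo()` function tampers with a constructed directory so everything runs offline. Two caveats the question about rootkits touches on: a rootkit that hooks the kernel's file-read path can hand the scanner the clean bytes while the loader gets the patched ones, so a scan is only trustworthy when run from a clean boot (rescue media, or the disk mounted under another OS) against a baseline kept off the machine; and a baseline taken on an already-infected box bakes the implant in, so the daily diff catches future change, not the existing compromise. Catching the existing compromise needs a known-good reference list (vendor hashes or hashes from install media), which is what `verify_against_reference` is for; in the demo the reference is simply the pre-tamper state.

```python
"""Hash baseline for executable files, with a tamper demo.  Added example,
not the poster's or BOINC's code; the directory layout and file contents
created in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx", ".sys", ".drv"}


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every executable-type file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two scans: files that appeared, disappeared, or changed digest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def verify_against_reference(current, reference):
    """Scanned files whose digest disagrees with a known-good list (for example
    hashes taken from install media).  Files absent from the list are not judged."""
    return sorted(k for k in reference
                  if k in current and current[k] != reference[k])


def demo():
    """Build a baseline over a constructed tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "winlogon.exe").write_bytes(b"MZ clean winlogon")   # constructed
        (sys32 / "user32.dll").write_bytes(b"MZ clean user32")       # constructed
        (root / "readme.txt").write_bytes(b"not an executable, ignored")

        reference = build_baseline(root)        # stands in for vendor hashes
        save_baseline(reference, root / "baseline.json")

        # Simulated tampering: patch one system binary and drop a new DLL.
        (sys32 / "winlogon.exe").write_bytes(b"MZ patched winlogon")
        (sys32 / "dropper.dll").write_bytes(b"MZ implant")

        current = build_baseline(root)
        report = compare(load_baseline(root / "baseline.json"), current)
        report["reference_mismatch"] = verify_against_reference(current, reference)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For real use, point `build_baseline` at `%SystemRoot%` while booted from clean media, store the JSON somewhere the machine cannot write to, and run `compare` on a schedule. Windows also ships its own reference check for protected system files, `sfc /scannow`, which is worth running before trusting a self-made baseline.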
4) Message boards : The Lounge : Spyware infestation and Boinc or projects (Message 16394)
Posted 3 Apr 2008 by MChristy
Post:
I recently experienced huge delays in using my computers at home. In trying to discover what was happening I ran every spyware solution known to the human race and found nothing. Then, digging deeper, I used the 'netstat -a' command and found hundreds of established sessions where the destination was 007guard.com and an akamai (sp?) site. Using the command 'netstat -ab' - which tries to show the executable launching or sourcing the link - it showed that boinc.exe was generating the link. I turned off BOINC and still found one or two sessions, but none of them can establish. I only get that when I allow boinc.exe to run! I am running SETI and Rosetta Stone. Has anyone seen this phenom??? It's killing my PCs, and I cannot rebuild one of them at this time because of other issues that require this server to be UP 24x7.




Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.