00:00 *** Atratus__ has quit IRC
00:17 *** nicolas17 has quit IRC
00:23 *** yoyo[RKN] has joined #boinc
00:32 *** yoyo[RKN] has quit IRC
01:24 *** Syconaut has quit IRC
01:25 *** Syconaut has joined #boinc
02:26 *** Atratus___ has joined #boinc
02:28 *** Atratus has quit IRC
02:39 *** AquaL1te has joined #boinc
02:48 *** Atratus____ has joined #boinc
02:48 *** Atratus____ is now known as Atratus
02:51 *** Atratus___ has quit IRC
02:51 *** Caterpillar has joined #boinc
03:03 *** redblade7 has joined #boinc
03:58 *** huppdiwupp has quit IRC
03:58 *** huppdiwupp has joined #boinc
06:08 *** redblade7 has quit IRC
06:17 *** Caterpillar has quit IRC
06:27 *** Caterpillar has joined #boinc
07:44 *** Atratus has quit IRC
07:45 *** Atratus has joined #boinc
08:09 *** Atratus has quit IRC
08:10 *** Atratus has joined #boinc
09:12 *** nicolas17 has joined #boinc
10:56 *** Nycti has joined #boinc
11:18 *** efc has quit IRC
11:32 *** AquaL1te has quit IRC
13:23 *** pppingme has left #boinc
13:27 *** huppdiwupp has quit IRC
13:46 *** huppdiwupp has joined #boinc
14:47 *** yoyo[RKN] has joined #boinc
15:46 *** kier_ has joined #boinc
15:47 *** kier has quit IRC
15:57 *** yoyo[RKN] has quit IRC
15:59 *** whatisthis has joined #boinc
15:59 <whatisthis> Hi. I found BOINC installed on my computer. I am CERTAIN that I have not installed it. What is this?
16:00 <whatisthis> it got installed 28.02.2017.
16:00 <nicolas17> someone installed it to get his fake points using your electricity
16:01 <whatisthis> That's awful. Is there any way I check configs etc for where the research is going?
16:02 <nicolas17> open boinc manager and see what projects it's attached to
16:02 <whatisthis> I've been into BOINC myself, but it's quite a lot of years since I've peeked into it. I'll do that... Shit I got scared..
16:03 <whatisthis> mm.. I cannot find the manager?
16:03 <nicolas17> how do you know boinc is installed then?
16:03 <nicolas17> what OS?
16:03 <Romulus> hmm... what OS is running on that 386, nicolas17
16:03 <nicolas17> shutup Romulus
16:04 <nicolas17> forget what OS
16:04 <Romulus> Got it.
16:04 <whatisthis> Windows 10. Really high CPU usage from BOINC processes.
16:04 <whatisthis> Located in program files / BOINC
16:04 <nicolas17> does C:\Program Files\BOINC exist?
16:04 <nicolas17> is boincmgr.exe in there?
16:05 <whatisthis> Nope
16:05 <Romulus> Title: Ubuntu Pastebin (at paste.ubuntu.com)
16:06 <nicolas17> shady...
16:06 <nicolas17> I don't remember where data files are by default
16:06 <nicolas17> C:\ProgramData\BOINC?
16:06 <nicolas17> or something like that
16:07 <whatisthis> The files don't seem to be tampered with. I take computer security seriously so I'm sorta freaked out. Lemme check.
16:07 <nicolas17> stdoutdae.txt would show its log
16:07 * nicolas17 has 77 minutes left of Internet...
16:08 <whatisthis> Oh dear!
16:08 <whatisthis> 01-Mar-2017 18:28:31 [---] Contacting account manager at https://bam.boincstats.com/ 01-Mar-2017 18:28:34 [---] Account manager: BAM! User: 204272, kikipope 01-Mar-2017 18:28:34 [---] Account manager: BAM! Host: 695330
16:08 <whatisthis> Is that it?
16:08 <nicolas17> does that 'kikipope' username sound familiar?
16:09 <whatisthis> Not at all for me..
16:10 <whatisthis> Multiple projects..
16:11 <whatisthis> fffff... I'll likely image my HDD and reinstall the whole PC! I'm not done here. This isn't okay :)
16:12 <nicolas17> he has so many computers attached that my browser hung loading the list
16:12 <whatisthis> Let's get to the bottom of this :)
16:12 <nicolas17> 2600 computers or so
16:12 <whatisthis> wth!
16:12 <nicolas17> on the VGTU@Home project
16:14 <whatisthis> --> Gridcoin.
16:14 <whatisthis> ffs
16:15 <whatisthis> BOINC botnets... new thing?
16:15 <nicolas17> old thing
16:15 <whatisthis> (most likely not, yeah?)
16:15 <nicolas17> but nowadays malware just installs bitcoin miners instead of BOINC :P
16:16 <whatisthis> I'm still struggling figuring out what the... installed BOINC.
16:23 <nicolas17> whatisthis: any chance there was unwanted physical access to your machine?
16:25 <whatisthis> Thanks for your assistance nicolas17. I can provide you with more logs if wanted.
16:28 <Romulus> Title: Ubuntu Pastebin (at paste.ubuntu.com)
16:32 <whatisthis> **** found it.
16:33 <whatisthis> Rogue installer exe file
16:33 <whatisthis> how the hell ..
16:33 <whatisthis> nicolas17: Still here?
16:34 <whatisthis> Give me some minutes, I'll pack up all the files. I extracted the InnoSetup executable
16:40 <nicolas17> back
16:51 <whatisthis> I got some... err.. pretty solid evidence.. uploading now
16:57 <whatisthis> heh yeah.. it removes the mgr and copies account login + prefs
16:57 <whatisthis> messes up powercfg..
16:57 <whatisthis> adds adware
16:57 <whatisthis> to IE and Firefox
16:57 <nicolas17> ><
16:59 <whatisthis> This is pretty bad... I can't say anything more than that I got said install exe from a trusted source (=> work). I removed the other files from the installer for obv. reasons.
16:59 <nicolas17> ugh it deleted the uninstall entries
17:00 <whatisthis> It's pretty nasty. Can BOINC admins potentially blacklist the user?
17:01 <nicolas17> each project is independent
17:01 <nicolas17> but in theory yeah
17:01 <nicolas17> I don't feel like contacting every project myself... :P
17:02 <whatisthis> I hear you, thank you for your help here. I really appreciate it :)
17:05 <nicolas17> you may be able to uninstall BOINC by running the installer .exe again (can't do it from add/remove programs because the malware deleted BOINC from there)
17:05 <nicolas17> I'd download the pristine file just in case :P http://boinc.berkeley.edu/dl/boinc_7.6.22_windows_x86_64.exe
17:06 <whatisthis> I managed to manually remove the files, but I think I will reinstall Windows as well.. I got pre-infection cold backups, LUCKILY
17:06 <nicolas17> good :)
17:06 <nicolas17> okay my UPS is about to die
17:06 <whatisthis> Would you care uploading the files to the forums + the log?
17:07 <nicolas17> I saved it, will upload when I'm back
17:07 <whatisthis> Thanks :) Before you vanish, please see IRC PM (1 min)
17:08 <nicolas17> I didn't get it, I think I had "unregistered users can't PM" user mode set
17:08 <nicolas17> send again
17:08 <whatisthis> k :)
17:11 <whatisthis> I'll try to follow the tail.. It adds a rogue search site to IE and Firefox..
17:13 <whatisthis> REGISTRANT CONTACT Name:Contact Privacy Inc. D:
17:14 <whatisthis> GridCoin is a new peer-to-peer internet based cryptocurrency that aims to provide real benefits to humanity by compensating the coin miners for participating in BOINC projects that may lead to advances in medicine, biology, mathematics, science, climatology, and astrophysics by concentrating a large percentage of the computational power towards BOINC research - instead of generating unnecessary heat and wasted power for the proof of
17:15 <whatisthis> Interesting.
17:15 *** nicolas17 has quit IRC
17:19 *** whatisthis is now known as bendikz
17:19 *** bendikz has joined #boinc
17:42 *** whynot has joined #boinc
18:23 *** Caterpillar has quit IRC
19:51 *** whynot has quit IRC
19:54 *** yoyo[RKN] has joined #boinc
20:18 *** Atratus has quit IRC
20:22 *** Atratus has joined #boinc
20:29 *** wdsmia has quit IRC
20:30 *** wdsmia has joined #boinc
21:45 *** desti has joined #boinc
21:48 *** desti_T2 has quit IRC
22:08 *** efc has joined #boinc
22:25 *** redblade7 has joined #boinc
22:46 *** Atratus_ has joined #boinc
22:49 *** Atratus has quit IRC
23:17 *** redblade7 has quit IRC