IRC logs of #boinc for Wednesday, 2017-03-01

15:59 <whatisthis> Hi. I found BOINC installed on my computer. I am CERTAIN that I have not installed it. What is this?

16:00 <whatisthis> it got installed 28.02.2017.

16:00 <nicolas17> someone installed it to get his fake points using your electricity

16:01 <whatisthis> That's awful. Is there any way I can check configs etc for where the research is going?

16:02 <nicolas17> open boinc manager and see what projects it's attached to

16:02 <whatisthis> I've been into BOINC myself, but it's quite a lot of years since I've peeked into it. I'll do that... Shit I got scared..

16:03 <whatisthis> mm.. I cannot find the manager?

16:03 <nicolas17> how do you know boinc is installed then?

16:03 <nicolas17> what OS?

16:03 <Romulus> hmm... what OS is running on that 386, nicolas17

16:03 <nicolas17> shutup Romulus

16:04 <nicolas17> forget what OS

16:04 <Romulus> Got it.

16:04 <whatisthis> Windows 10. Really high CPU usage from BOINC processes.

16:04 <whatisthis> Located in program files / BOINC

16:04 <nicolas17> does C:\Program Files\BOINC exist?

16:04 <nicolas17> is boincmgr.exe in there?

16:05 <whatisthis> Nope

16:05 <whatisthis>

16:05 <Romulus> Title: Ubuntu Pastebin (at

16:06 <nicolas17> shady...

16:06 <nicolas17> I don't remember where data files are by default

16:06 <nicolas17> C:\ProgramData\BOINC?

16:06 <nicolas17> or something like that

16:07 <whatisthis> The files don't seem to be tampered with. I take computer security seriously so I'm sorta freaked out. Lemme check.

16:07 <nicolas17> stdoutdae.txt would show its log

16:07 * nicolas17 has 77 minutes left of Internet...

16:08 <whatisthis> Oh dear!

16:08 <whatisthis> 01-Mar-2017 18:28:31 [---] Contacting account manager at 01-Mar-2017 18:28:34 [---] Account manager: BAM! User: 204272, kikipope 01-Mar-2017 18:28:34 [---] Account manager: BAM! Host: 695330

16:08 <whatisthis> Is that it?

16:08 <nicolas17> does that 'kikipope' username sound familiar?

16:09 <whatisthis> Not at all for me..

16:10 <whatisthis> Multiple projects..

16:11 <whatisthis> fffff... I'll likely image my HDD and reinstall the whole PC! I'm not done here. This isn't okay :)

16:12 <nicolas17> he has so many computers attached that my browser hung loading the list

16:12 <whatisthis> Let's get to the bottom of this :)

16:12 <nicolas17> 2600 computers or so

16:12 <whatisthis> wth!

16:12 <nicolas17> on the VGTU@Home project

16:13 <whatisthis>

16:14 <whatisthis> --> Gridcoin.

16:14 <whatisthis> ffs

16:15 <whatisthis> BOINC botnets... new thing?

16:15 <nicolas17> old thing

16:15 <whatisthis> (most likely not, yeah?)

16:15 <nicolas17> but nowadays malware just installs bitcoin miners instead of BOINC :P

16:16 <whatisthis> I'm still struggling figuring out what the... installed BOINC.

16:23 <nicolas17> whatisthis: any chance there was unwanted physical access to your machine?

16:23 <nicolas17> whatisthis:,1

16:25 <whatisthis> Thanks for your assistance nicolas17. I can provide you with more logs if wanted.

16:28 <whatisthis>

16:28 <Romulus> Title: Ubuntu Pastebin (at

16:32 <whatisthis> **** found it.

16:33 <whatisthis> Rogue installer exe file

16:33 <whatisthis> how the hell \..

16:33 <whatisthis> nicolas17: Still here?

16:34 <whatisthis> Give me some minutes, I'll pack up all the files. I extracted the InnoSetup executable

16:40 <nicolas17> back

16:51 <whatisthis> I got some... err.. pretty solid evidence.. uploading now

16:53 <whatisthis>!hJBQFAxY!x-Sl2hcLmuXKb-WumSbZlC96VP4AeDJay-Qm8IhL1Vk

16:57 <whatisthis> heh yeah.. it removes the mgr and copies account login + prefs

16:57 <whatisthis> messes up powercfg..

16:57 <whatisthis> adds adware

16:57 <whatisthis> to IE and Firefox

16:57 <nicolas17> ><

16:59 <whatisthis> This is pretty bad... I can't say anything more than that I got said install exe from a trusted source (=> work). I removed the other files from the installer for obv. reasons.

16:59 <nicolas17> ugh it deleted the uninstall entries

17:00 <whatisthis> It's pretty nasty. Can BOINC admins potentially blacklist the user?

17:01 <nicolas17> each project is independent

17:01 <nicolas17> but in theory yeah

17:01 <nicolas17> I don't feel like contacting every project myself... :P

17:02 <whatisthis> I hear you, thank you for your help here. I really appreciate it :)

17:05 <nicolas17> you may be able to uninstall BOINC by running the installer .exe again (can't do it from add/remove programs because the malware deleted BOINC from there)

17:05 <nicolas17> I'd download the pristine file just in case :P

17:06 <whatisthis> I managed to manually remove the files, but I think I will reinstall Windows as well.. I got pre-infection cold backups, LUCKILY

17:06 <nicolas17> good :)

17:06 <nicolas17> okay my UPS is about to die

17:06 <whatisthis> Would you care to upload the files to the forums + the log?

17:07 <nicolas17> I saved it, will upload when I'm back

17:07 <whatisthis> Thanks :) Before you vanish, please see Irc pm (1 min)

17:08 <nicolas17> I didn't get it, I think I had "unregistered users can't PM" user mode set

17:08 <nicolas17> send again

17:08 <whatisthis> k :)

17:11 <whatisthis> I'll try to follow the tail.. It adds a rogue search site to IE and Firefox..

17:13 <whatisthis> REGISTRANT CONTACT Name:Contact Privacy Inc. D:

17:14 <whatisthis> GridCoin is a new peer-to-peer internet based cryptocurrency that aims to provide real benefits to humanity by compensating the coin miners for participating in BOINC projects that may lead to advances in medicine, biology, mathematics, science, climatology, and astrophysics by concentrating a large percentage of the computational power towards BOINC research - instead of generating unnecessary heat and wasted power for the proof of

17:15 <whatisthis> Interesting.

17:15 *** nicolas17 has quit IRC

17:19 *** whatisthis is now known as bendikz

17:19 *** bendikz has joined #boinc


20:28 <desti_T2>

