IRC logs of #boinc for Wednesday, 2017-03-01

00:00 *** Atratus__ has quit IRC

00:17 *** nicolas17 has quit IRC

00:23 *** yoyo[RKN] has joined #boinc

00:32 *** yoyo[RKN] has quit IRC

01:24 *** Syconaut has quit IRC

01:25 *** Syconaut has joined #boinc

02:26 *** Atratus___ has joined #boinc

02:28 *** Atratus has quit IRC

02:39 *** AquaL1te has joined #boinc

02:48 *** Atratus____ has joined #boinc

02:48 *** Atratus____ is now known as Atratus

02:51 *** Atratus___ has quit IRC

02:51 *** Caterpillar has joined #boinc

03:03 *** redblade7 has joined #boinc

03:58 *** huppdiwupp has quit IRC

03:58 *** huppdiwupp has joined #boinc

06:08 *** redblade7 has quit IRC

06:17 *** Caterpillar has quit IRC

06:27 *** Caterpillar has joined #boinc

07:44 *** Atratus has quit IRC

07:45 *** Atratus has joined #boinc

08:09 *** Atratus has quit IRC

08:10 *** Atratus has joined #boinc

09:12 *** nicolas17 has joined #boinc

10:56 *** Nycti has joined #boinc

11:18 *** efc has quit IRC

11:32 *** AquaL1te has quit IRC

13:23 *** pppingme has left #boinc

13:27 *** huppdiwupp has quit IRC

13:46 *** huppdiwupp has joined #boinc

14:47 *** yoyo[RKN] has joined #boinc

15:46 *** kier_ has joined #boinc

15:47 *** kier has quit IRC

15:57 *** yoyo[RKN] has quit IRC

15:59 *** whatisthis has joined #boinc

15:59 <whatisthis> Hi. I found BOINC installed on my computer. I am CERTAIN that I have not installed it. What is this?

16:00 <whatisthis> it got installed 28.02.2017.

16:00 <nicolas17> someone installed it to get his fake points using your electricity

16:01 <whatisthis> That's awful. Is there any way I check configs etc for where the research is going?

16:02 <nicolas17> open boinc manager and see what projects it's attached to

16:02 <whatisthis> I've been into BOINC myself, but it's quite a lot of years since I've peeked into it. I'll do that... Shit I got scared..

16:03 <whatisthis> mm.. I cannot find the manager?

16:03 <nicolas17> how do you know boinc is installed then?

16:03 <nicolas17> what OS?

16:03 <Romulus> hmm... what OS is running on that 386, nicolas17

16:03 <nicolas17> shutup Romulus

16:04 <nicolas17> forget what OS

16:04 <Romulus> Got it.

16:04 <whatisthis> Windows 10. Really high CPU usage from BOINC processes.

16:04 <whatisthis> Located in program files / BOINC

16:04 <nicolas17> does C:\Program Files\BOINC exist?

16:04 <nicolas17> is boincmgr.exe in there?

16:05 <whatisthis> Nope

16:05 <whatisthis> https://paste.ubuntu.com/24092497/

16:05 <Romulus> Title: Ubuntu Pastebin (at paste.ubuntu.com)

16:06 <nicolas17> shady...

16:06 <nicolas17> I don't remember where data files are by default

16:06 <nicolas17> C:\ProgramData\BOINC?

16:06 <nicolas17> or something like that

16:07 <whatisthis> The files don't seem to be tampered with. I take computer security seriously so I'm sorta freaked out. Lemme check.

16:07 <nicolas17> stdoutdae.txt would show its log

16:07 * nicolas17 has 77 minutes left of Internet...

16:08 <whatisthis> Oh dear!

16:08 <whatisthis> 01-Mar-2017 18:28:31 [---] Contacting account manager at https://bam.boincstats.com/ 01-Mar-2017 18:28:34 [---] Account manager: BAM! User: 204272, kikipope 01-Mar-2017 18:28:34 [---] Account manager: BAM! Host: 695330

16:08 <whatisthis> Is that it?

16:08 <nicolas17> does that 'kikipope' username sound familiar?

16:09 <whatisthis> Not at all for me..

16:10 <whatisthis> Multiple projects..

16:11 <whatisthis> fffff... I'll likely image my HDD and reinstall the whole PC! I'm not done here. This isn't okay :)

16:12 <nicolas17> he has so many computers attached that my browser hung loading the list

16:12 <whatisthis> Let's get to the bottom of this :)

16:12 <nicolas17> 2600 computers or so

16:12 <whatisthis> wth!

16:12 <nicolas17> on the VGTU@Home project

16:13 <whatisthis> https://boincstats.com/en/stats/-1/user/detail/2731022/projectList

16:14 <whatisthis> --> Gridcoin.

16:14 <whatisthis> ffs

16:15 <whatisthis> BOINC botnets... new thing?

16:15 <nicolas17> old thing

16:15 <whatisthis> (most likely not, yeah?)

16:15 <nicolas17> but nowadays malware just installs bitcoin miners instead of BOINC :P

16:16 <whatisthis> I'm still struggling figuring out what the... installed BOINC.

16:23 <nicolas17> whatisthis: any chance there was unwanted physical access to your machine?

16:23 <nicolas17> whatisthis: https://boincstats.com/en/forum/18/11438,1

16:25 <whatisthis> Thanks for your assistance nicolas17. I can provide you with more logs if wanted.

16:28 <whatisthis> https://paste.ubuntu.com/24092596/

16:28 <Romulus> Title: Ubuntu Pastebin (at paste.ubuntu.com)

16:32 <whatisthis> **** found it.

16:33 <whatisthis> Rogue installer exe file

16:33 <whatisthis> how the hell \..¨

16:33 <whatisthis> nicolas17: Still here?

16:34 <whatisthis> Give me some minutes, I'll pack up all the files. I extracted the InnoSetup executable

16:40 <nicolas17> back

16:51 <whatisthis> I got some... err.. pretty solid evidence.. uploading now

16:53 <whatisthis> https://mega.nz/#!hJBQFAxY!x-Sl2hcLmuXKb-WumSbZlC96VP4AeDJay-Qm8IhL1Vk

16:57 <whatisthis> heh yeah.. it removes the mgr and copies account login + prefs

16:57 <whatisthis> messes up powercfg..

16:57 <whatisthis> adds adware

16:57 <whatisthis> to IE and Firefox

16:57 <nicolas17> ><

16:59 <whatisthis> This is pretty bad... I can't say anything more than that I got said install exe from a trusted source (=> work). I removed the other files from the installer for obv. reasons.

16:59 <nicolas17> ugh it deleted the uninstall entries

17:00 <whatisthis> It's pretty nasty. Can BOINC admins potentially blacklist the user?

17:01 <nicolas17> each project is independent

17:01 <nicolas17> but in theory yeah

17:01 <nicolas17> I don't feel like contacting every project myself... :P

17:02 <whatisthis> I hear you, thank you for your help here. I really appreciate it :)

17:05 <nicolas17> you may be able to uninstall BOINC by running the installer .exe again (can't do it from add/remove programs because the malware deleted BOINC from there)

17:05 <nicolas17> I'd download the pristine file just in case :P http://boinc.berkeley.edu/dl/boinc_7.6.22_windows_x86_64.exe

17:06 <whatisthis> I managed to manually remove the files, but I think I will reinstall Windows as well.. I got pre-infection cold backups, LUCKILY

17:06 <nicolas17> good :)

17:06 <nicolas17> okay my UPS is about to die

17:06 <whatisthis> Would you care uploading the files to the forums + the log?

17:07 <nicolas17> I saved it, will upload when I'm back

17:07 <whatisthis> Thanks :) Before you vanish, please see Irc pm (1 min)

17:08 <nicolas17> I didn't get it, I think I had "unregistered users can't PM" user mode set

17:08 <nicolas17> send again

17:08 <whatisthis> k :)

17:11 <whatisthis> I'll try to follow the tail.. It adds a rogue search site to IE and Firefox..

17:13 <whatisthis> REGISTRANT CONTACT Name:Contact Privacy Inc. D:

17:14 <whatisthis> GridCoin is a new peer-to-peer internet based cryptocurrency that aims to provide real benefits to humanity by compensating the coin miners for participating in BOINC projects that may lead to advances in medicine, biology, mathematics, science, climatology, and astrophysics by concentrating a large percentage of the computational power towards BOINC research - instead of generating unnecessary heat and wasted power for the proof of

17:15 <whatisthis> Interesting.

17:15 *** nicolas17 has quit IRC

17:19 *** whatisthis is now known as bendikz

17:19 *** bendikz has joined #boinc

17:19 *** bendikz has joined #boinc

17:42 *** whynot has joined #boinc

18:23 *** Caterpillar has quit IRC

19:51 *** whynot has quit IRC

19:54 *** yoyo[RKN] has joined #boinc

20:18 *** Atratus has quit IRC

20:22 *** Atratus has joined #boinc

20:28 <desti_T2> https://www.youtube.com/watch?v=lOZbK3tP7EU

20:29 *** wdsmia has quit IRC

20:30 *** wdsmia has joined #boinc

21:45 *** desti has joined #boinc

21:48 *** desti_T2 has quit IRC

22:08 *** efc has joined #boinc

22:25 *** redblade7 has joined #boinc

22:46 *** Atratus_ has joined #boinc

22:49 *** Atratus has quit IRC

23:17 *** redblade7 has quit IRC

Generated by irclog2html.py 2.4 by Marius Gedminas - find it at mg.pov.lt!