SETI Virus/Trojan - wupdmgr1.exe

How do I get rid of "setiathome_4.18_windows_intelx86.exe"?
Every time it runs it basically sucks up my RAM.
How do I remove this or find out how to control its workings, let alone find out what the heck it does!
Thanks for your time.

Lanik (Lab-nik), join: 2001-06-25, San Francisco, CA
2006-Jan-30 3:26 am
Re: setiathome_4.18_windows_intelx86.exe
Seti@Home is a Distributed Computing club. They have a forum on this site: » Team Starfire. I'll ask someone to move this thread there; they can tell you how to remove it.

uniquecp (Where'D It Go), Premium Member, join: 2001-08-07, Scottsdale, AZ
to ReDSpideR
It is supposed to suck up your CPU, but it gives way to anything else running when you use the computer. As you can see, I have an HT running 2 processes at 50% each, but with WMP running I do not quite get that. That is the Seti client; I believe in Boinc you can limit its run time, the amount of disk space it uses and, I believe, the amount of memory. The process, however, uses 100% of CPU when it runs. If you are running Boinc, that is what you will see. When you are heavily using other programs it should reduce demand automatically. I have no knowledge of it actually tying up RAM; that does not mean it cannot happen. Someone with more Boinc experience will come along. Why not tell what makes you think this is causing your problem?

uniquecp
to ReDSpideR
In considering your post, it probably is not doing it for you either. Do you have something on the machine called BOINC? It will be a blue circle with a yellow B in the systray.
If so, open it, click on the Projects tab and see who the user is.
Did you just buy the machine? Kids on it, dad, mom, someone who is running it?

Well, as far as I know, or see, I don't have anything with that described icon. Also, what is the PURPOSE of this program, and can it be removed? Because I don't know what it does, and if I don't know, it means I don't need it. Thanks for all your posts.

John Keck (Official Boinc-Er), join: 2003-01-20, Vicksburg, MS
to ReDSpideR
The purpose is to search for radio signals that may indicate extraterrestrial life.
To remove it, go to the Add/Remove section of Windows and remove BOINC.

Actually, if Boinc was installed without your permission, I would suggest you first find out whose account it is crunching for.
Browse to c:\program files\Boinc and run boincmgr.exe.
Once the program is open, click the "Projects" tab and look at the name under "Account".
Please post back.

uniquecp (Where'D It Go), Premium Member, join: 2001-08-07, Scottsdale, AZ
to ReDSpideR
If you do not see BOINC anywhere on your machine, that may mean someone is running the client hidden. That might be a little harder to find. Post back if you do not find BOINC.

Hey all, thanks again for the quick responses! I see nothing in "c:\program files\Boinc"; it doesn't exist. No uninstall located in 'Add/Remove Programs'. I'm the only user on this PC. Any ideas?

Xaak (You'll find me at T S W B.org), Premium Member, join: 2002-06-19
2006-Jan-30 5:21 pm
Two places to look.
First, see if there's a Boinc entry in Services: Control Panel > Administrative Tools > Services. If it's there, you can disable it.
Second, search all your hard drives for the file client_state.xml. That would be in the Boinc main directory.
Sounds like someone did a stealth install on your machine.

Weird...
I don't see it in Services, nor could I find "client_state.xml" in any directory.
Oh, might I also add:
Do the adware programs Spyware Doctor or a-squared contain or work together with the Boinc stuff?
Just thought I'd add that since those were the most recent installs I've done.

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
said by ReDSpideR:
Hey all, thanks again for the quick responses! I see nothing in "c:\program files\Boinc"; it doesn't exist. No uninstall located in 'Add/Remove Programs'. I'm the only user on this PC. Any ideas?
Do you have a D: partition or any other partitions? It may be located there. Go into Windows Explorer and do a search for "Boinc" in "Local Hard Drives". Once you find the folder, right-click and delete it. You will have to stop "setiathome_4.18_windows_intelx86.exe" in the Task Manager before it can be deleted. Then run something like RegSeeker to clean out anything left over in the registry.
>Fred

Thanks for the reply, but I did a search on all my drives, which is just my C: drive and a D: recovery drive which I can't access.
Still no find of anything Boinc.
Oh well, next time I see it run I'll post back. Till then, thanks a lot, all, for your suggestions/information.
~ SpideR.

to ReDSpideR
You could always search C: for "setiathome_4.18_windows_intelx86.exe" to find the working directory.

Sysadmin, Premium Member, join: 2000-07-07, Elk Grove, CA
to ReDSpideR
Download and extract Process Explorer » www.sysinternals.com/Uti ··· rer.html (link to download is at the bottom of the page). It will help you find the path and the name of the program that is running it. It sounds to me like someone went to great lengths to hide this on your computer. Did someone work on it for you recently?
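The hunt described in Xaak's post (a Boinc entry in Services, client_state.xml on any drive) and in Sysadmin's post above (the real path of the running process) can be scripted. The following is an added example written for this page, not code from the thread or from the BOINC project. It assumes a current Windows with PowerShell 3 or later (the CIM cmdlets it uses did not exist on the XP-era machine in the thread, where Process Explorer is the practical option), and it assumes the indicator list: the names mentioned in the thread plus a guessed pattern for BOINC account files. wupdmgr.exe without the digit is a stock Windows binary, so only the wupdmgr1 spelling is matched. Run it from an elevated prompt; hidden files are included because the install here was deliberately concealed.

```powershell
# Added example, not from the thread: a triage pass for a hidden BOINC/SETI client.
# Run from an elevated PowerShell (3+) prompt on the affected machine.
# $Indicators holds the names the thread mentions plus an assumed pattern for BOINC
# account files; wupdmgr.exe (no digit) is a stock Windows binary, so only the "1"
# variant is matched. Extend the list as needed.
$Indicators = 'boinc', 'setiathome', 'wupdmgr1', 'client_state\.xml', 'account_.*\.xml'
$Pattern    = $Indicators -join '|'   # one regex; -match is case-insensitive by default

Write-Host '== Running processes matching the indicators =='
Get-CimInstance Win32_Process |
    Where-Object { "$($_.Name) $($_.ExecutablePath) $($_.CommandLine)" -match $Pattern } |
    ForEach-Object {
        # The parent tells you what launched it (a service host, Explorer, a scheduled task...).
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentText = '<exited>'
        if ($parent) { $parentText = "$($parent.Name) ($($parent.ProcessId))" }
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath   # where the binary really lives, whatever it is named
            Parent      = $parentText
            CommandLine = $_.CommandLine
        }
    } | Format-List

Write-Host '== Services whose name or binary path matches =='
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

Write-Host '== Autostart entries in the Run/RunOnce keys =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not registry values
        if ("$($entry.Name) $($entry.Value)" -match $Pattern) {
            '{0} : {1} = {2}' -f $key, $entry.Name, $entry.Value
        }
    }
}

Write-Host '== File search across fixed drives (hidden files included; this is slow) =='
# DriveType 3 = local fixed disk, which covers the C: and D: partitions discussed in the thread.
$roots = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID | ForEach-Object { "$_\" }
Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } |
    Select-Object FullName, Length, LastWriteTime
```

The process section is the one that exposes a renamed binary: it reports the image path and the parent regardless of what the file calls itself, which is exactly what Process Explorer shows in its GUI. The directory that holds client_state.xml is the BOINC data directory, so a hit on that file name also gives you the root that the projects\ and slots\ folders hang off.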

My computer is only used by me. The only other way I can possibly think of as to why it is sometimes running but not found is... possibly through my brother's computer on the router network... maybe it's coming from his CPU.
I dunno. Anyway, I searched for the exe; I couldn't find it. I think it's gone... for now... I hope... lol.

ReDSpideR
Sorry for the double post, but I have it running again, and apparently it looks like my Windows Update program or something. Check it out:
Its path: C:\WINDOWS\system32\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe
Current directory: C:\WINDOWS\system32\slots\0\

Sounds like someone has renamed Boinc to wupdmgr1.exe and installed it to your Windows\System32 directory in an attempt to hide it from you. Run that file and see if Boinc opens. If so, then click the Projects tab and look for the account name.

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
Looks like it's been installed in that folder, Projects. Take a screenshot of that folder so we can see what is in it. It looks as if someone installed it, backed it up, uninstalled it and then copied it back into that folder. That way it wouldn't show up in Add and Remove Programs. Sneaky! ;)

OK, here are the screenies of where these files are located:

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
OK, that's part of the program. Do a search for "client_state.xml" and see if you get a location. Man, someone did a good job at hiding it. Looking at it more, it seems they installed it in the system32 folder so all the files are mixed in with the folder. We'll know if you find "client_state.xml" listed in the system32 folder. Then we need to find the name they used for boincmgr.exe. Probably you will have to look in msconfig for some startup names.

uniquecp (Where'D It Go), Premium Member, join: 2001-08-07, Scottsdale, AZ
to ReDSpideR
Look for this file:
account_setiathome.berkeley.edu; it might be in the system32 folder.
It will open in Explorer as XML.
It contains the user id for that account; could you post it, please?
So you know, Seti and our Team do not support, condone or approve of people putting the software on others' machines without their knowledge. Not the way we do things at all.
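Reading that file by hand leaves the question of which lines identify the account and which must not be posted. The following is an added example for this page, not code from the thread or from BOINC. It parses either the per-project account file (BOINC names it account_setiathome.berkeley.edu.xml for this project, which is why it opens as XML) or client_state.xml, prints the identifying fields it finds, and reports only the presence of the authenticator element, because that value is the account key: whoever holds it can log in to the account that is collecting credit from the machine. Element names other than master_url, authenticator and project_name are my assumptions about the format, the sample file is constructed, and the function name is mine.

```powershell
# Added example, not from the thread: summarise who a BOINC data file identifies, with the
# account key redacted so the output is safe to post. Works on account_<project>.xml (the
# file the thread points at) and on client_state.xml. Element names other than
# <master_url>, <authenticator> and <project_name> are assumptions; absent ones are skipped.

function Get-BoincIdentity {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    $fields = 'master_url', 'project_name', 'user_name', 'userid', 'team_name', 'teamid', 'hostid'

    # account_*.xml has a single <account> root; client_state.xml lists one <project> per project.
    foreach ($node in $doc.SelectNodes('//account | //project')) {
        $summary = [ordered]@{ File = (Split-Path -Leaf $Path) }
        foreach ($name in $fields) {
            $child = $node.SelectSingleNode($name)
            if ($child) { $summary[$name] = $child.InnerText.Trim() }
        }
        # <authenticator> is the account key: anyone holding it can log in to the account that
        # is collecting credit from this machine. Report its presence, never its value.
        $auth = $node.SelectSingleNode('authenticator')
        if ($auth) {
            $summary['authenticator'] = "present, redacted ($($auth.InnerText.Trim().Length) chars)"
        } else {
            $summary['authenticator'] = 'absent'
        }
        [pscustomobject]$summary
    }
}

# Constructed sample, standing in for C:\WINDOWS\system32\account_setiathome.berkeley.edu.xml
# on the thread's machine; every value below is made up for the example.
$sample = Join-Path $env:TEMP 'account_example.xml'
@'
<account>
    <master_url>http://setiathome.berkeley.edu/</master_url>
    <authenticator>0123456789abcdef0123456789abcdef</authenticator>
    <project_name>SETI@home</project_name>
    <user_name>example user</user_name>
    <userid>12345</userid>
    <team_name>example team</team_name>
</account>
'@ | Set-Content -Path $sample

Get-BoincIdentity -Path $sample | Format-List
Remove-Item -Path $sample

# On a real machine, point it at the files that are actually there, for example:
# Get-ChildItem "$env:SystemRoot\System32" -Filter 'account_*.xml' -Force |
#     ForEach-Object { Get-BoincIdentity -Path $_.FullName }
```

If the account file turns out not to carry a numeric user id, client_state.xml in the same data directory is the other place to run this against; the function handles both layouts, and in either case the authenticator stays out of whatever is posted to a public forum.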

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
wupdmgr1.exe is definitely a bogus file name. After we find out who the account belongs to, we will be able to get it out of your system. It may be listed in Add and Remove Programs. Anyway, we're getting there. ;)

Hey, I found the account_setiathome.berkeley.edu file. I opened it up; what line am I looking for? Is the id a set of numbers? [edit] Check this out. Is any of this useful? » setiathome.berkeley.edu/ ··· id=95866
Your team
View information about your team: ESC-Consult » setiathome.berkeley.edu/ ··· d=122736

wapu (Broadband Ranger), Premium Member, join: 2001-09-05, Albion, NY
to ReDSpideR
» setiathome.berkeley.edu/ ··· id=95866 This is the guy that put it on there. Have you used this consulting company?

wapu
to ReDSpideR
» setiathome.berkeley.edu/ ··· eams.php He is currently ranked 10th in the world all by himself as a team. I think someone here might want to contact Berk about it. Looks fishy to me.

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
Interesting. Recent average credit 127,096.41, and he has his computers hidden. I think I'll make a post on the Boinc forum.

uniquecp (Where'D It Go), Premium Member, join: 2001-08-07, Scottsdale, AZ
to ReDSpideR
That's him. Where did you get the computer from?
I believe a couple of experts here can help you remove this. I am wondering if that is replacing your Windows Update program, which means you also are not getting the Windows security updates. Has it asked you to update lately?

72245156 (banned), TSWB.org, join: 2000-07-11, Winnipeg, MB
to wapu
Wow! Looks like someone figured out how to do a BOINC virus. Let's find out the SETI forums' response before we go direct to Berkeley.

Sat_Man (Monotonous Isn't It), Premium Member, join: 2001-09-14, Gray Court, SC
to ReDSpideR
If you don't mind holding off on removing it, we may need to get some more info to determine how he has it installed and hidden. This way we will have the info and can help others if it comes up again. I have a feeling that it will, with that kind of RAC he is returning. Any info on where you got your computer or anyone that may have worked on it would be helpful in trying to put a stop to this.
>Fred