ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

SETI Virus/Trojan - wupdmgr1.exe

How do I get rid of "setiathome_4.18_windows_intelx86.exe"?

Every time it runs it basically sucks up my RAM.

How do I remove this or find out how to control its workings, let alone find out what the heck it does!

Thanks for your time.

Lanik
Lab-nik

join:2001-06-25
San Francisco, CA


Re: setiathome_4.18_windows_intelx86.exe

Seti@Home is a distributed computing club.
They have a forum on this site: »Team Starfire. I'll ask someone to move this thread there; they can tell you how to remove it.

uniquecp
Where'D It Go
Premium Member
join:2001-08-07
Scottsdale, AZ

to ReDSpideR
It is supposed to suck up your CPU, but it gives way to anything else running when you use the computer. As you can see I have a HT running 2 processes at 50% each, but with WMP running I do not quite get that.

That is the Seti client. I believe in Boinc you can limit its run time and the amount of disk space it uses, and the amount of memory, I believe. The process however uses 100% of CPU when it runs.

If you are running Boinc that is what you will see. When you are heavily using other programs it should reduce demand automatically.

I have no knowledge of it actually tying up RAM; that does not mean it cannot happen. Someone with more Boinc experience will come along.
Why not tell us what makes you think this is causing your problem?
uniquecp to ReDSpideR

In considering your post, it probably is not doing it for you either. Do you have something on the machine called BOINC? It will be a blue circle with a yellow B in the systray.

If so, open it, click on the Projects tab and see who the user is.

Did you just buy the machine? Kids on it, dad, mom, someone who is running it?
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

Well,

as far as I know, or see, I don't have anything with that described icon.

Also..

What is the PURPOSE of this program, and can it be removed? Because I don't know what it does, and if I don't know, it means I don't need it.

Thanks for all your posts.
John Keck
Official Boinc-Er
join:2003-01-20
Vicksburg, MS

Member

to ReDSpideR
The purpose is to search for radio signals that may indicate extraterrestrial life.

To remove it go to the add/remove section of windows and remove BOINC.

Camelot One
MVM
join:2001-11-21
Bloomington, IN


Actually, if Boinc was installed without your permission, I would suggest you first find out whose account it is crunching for.

Browse to c:\program files\Boinc and run boincmgr.exe

Once the program is open, click the "Projects" tab and look at the name under "Account".

Please post back.

uniquecp
Where'D It Go
Premium Member
join:2001-08-07
Scottsdale, AZ

to ReDSpideR
If you do not see BOINC anywhere on your machine that may mean someone is running the client hidden. That might be a little harder to find. Post back if you do not find BOINC.
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

Hey all, thanks again for the quick responses!

I see nothing in "c:\program files\Boinc";
it doesn't exist.

No uninstall located in 'add/remove programs'.
I'm the only user on this PC.

Any ideas?

Xaak
You'll find me at T S W B.org
Premium Member
join:2002-06-19


Two places to look.

First, see if there's a Boinc entry in Services: Control Panel > Administrative Tools > Services. If it's there, you can disable it.

Second, search all your hard drives for the file client_state.xml. That would be in the boinc main directory.

Sounds like someone did a stealth install on your machine.
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

Weird...

Don't see it in Services,
nor could I find "client_state.xml" in any dir.

Oh, might I also add:

do the adware programs Spyware Doctor or a-squared contain, or are they in workings with, the Boinc stuff?

Just thought I'd add that since those were the most recent installs I've done.

Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
said by ReDSpideR:

Hey all, thanks again for the quick responses!

I see nothing in "c:\program files\Boinc";
it doesn't exist.

No uninstall located in 'add/remove programs'.
I'm the only user on this PC.

Any ideas?
Do you have a D: partition or any other partitions? It may be located there. Go into Windows Explorer and do a search for "Boinc" in "Local Hard Drives". Once you find the folder, right click and delete it. You will have to stop "setiathome_4.18_windows_intelx86.exe" in the Task Manager before it can be deleted. Then run something like RegSeeker to clean out anything left over in the registry.

>Fred
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

Thanks for the reply, but I did a search on all my drives,
which is just my C: drive and a D: recovery drive which I can't access.

Still no sign of anything Boinc.

Oh well, next time I see it run I'll post back; till then, thanks a lot all for your suggestions/information.

~ SpideR.

Camelot One
MVM
join:2001-11-21
Bloomington, IN

to ReDSpideR
You could always search C: for "setiathome_4.18_windows_intelx86.exe" to find the working directory.

Sysadmin
Premium Member
join:2000-07-07
Elk Grove, CA

to ReDSpideR
Download and extract Process Explorer »www.sysinternals.com/Uti ··· rer.html (link to download is at the bottom of the page). It will help you find the path and what the name of the program is that is running it.

It sounds to me like someone went to great lengths to hide this on your computer. Did someone work on it for you recently?
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

My computer is only used by me. The only other way I can possibly think of as to why it is sometimes run, but not found, is.. possibly through my brother's computer on the router network.. maybe it's coming from his CPU.

I dunno. Anyways, I searched for the exe; I couldn't find it. I think it's gone.. for now.. I hope.. lol.
ReDSpideR

Member

Sorry for the double post, but I have it running again, and apparently it looks like my Windows Update program or something..

Check it out:


its path:
C:\WINDOWS\system32\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe

current directory:
C:\WINDOWS\system32\slots\0\

Camelot One
MVM
join:2001-11-21
Bloomington, IN


Sounds like someone has renamed Boinc to wupdmgr1.exe and installed it to your Windows/System32 directory in an attempt to hide it from you. Run that file and see if Boinc opens. If so, then click the projects tab and look for the account name.

Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
Looks like it's been installed in that folder, Projects. Take a screen shot of that folder so we can see what is in it. It looks as if someone installed it, backed it up, uninstalled it and then copied it back into that folder. That way it wouldn't show up in Add and Remove Programs. Sneaky! ;)
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

OK, here are the screenies of where these files are located:



Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
OK, that's part of the program. Do a search for "client_state.xml" and see if you get a location. Man, someone did a good job at hiding it. Looking at it more, it seems they installed it in the system32 folder so all the files are mixed in the folder. We'll know if you find the "client_state.xml" listed in the system32 folder. Then we need to find the name they used for boincmgr.exe. Probably you will have to look in msconfig for some startup names.

uniquecp
Where'D It Go
Premium Member
join:2001-08-07
Scottsdale, AZ

to ReDSpideR
Look for this file:

account_setiathome.berkeley.edu
It might be in the system32 folder.

It will open in Explorer as XML.

It contains the user ID for that account; could you post it please?

So you know, Seti and our team do not support, condone or approve of people putting the software on others' machines without their knowledge. Not the way we do things at all.
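As an added example (not code from the thread or from the BOINC project), a Python script that sweeps a directory tree for the artefacts the posts above tell the original poster to look for (client_state.xml, the account_* file, the projects/ and slots/ directories and the setiathome_* executable), flags any that sit under a Windows system directory, and reads the account identity out of the account file. The sample tree is constructed to mirror the hidden install under C:\WINDOWS\system32 reported in the thread; the XML tag names inside the account file (user_name, userid, team_name, teamid) are an assumption, and the renamed manager exe (wupdmgr1.exe) is deliberately not matched by name.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Names the thread identifies as BOINC/SETI artefacts (the manager exe was renamed to wupdmgr1.exe).
BOINC_FILES = {"client_state.xml", "boincmgr.exe"}
ACCOUNT_RE = re.compile(r"^account_.+", re.IGNORECASE)  # e.g. account_setiathome.berkeley.edu.xml
BOINC_DIRS = {"projects", "slots"}
SYSTEM_DIRS = {"system32", "syswow64"}                   # a BOINC tree here is out of place

def find_boinc_artifacts(root):
    """Return sorted root-relative paths that look like BOINC files or directories."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        name = p.name.lower()
        if p.is_dir() and name in BOINC_DIRS:
            hits.append(p.relative_to(root).as_posix())
        elif p.is_file() and (name in BOINC_FILES or ACCOUNT_RE.match(name)
                              or name.startswith("setiathome_")):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def in_system_dir(rel_path):
    """True if the hit lives under a Windows system directory (the stealth pattern in the thread)."""
    return any(part.lower() in SYSTEM_DIRS for part in Path(rel_path).parts)

def account_identity(path):
    """Read identifying fields from an account file. Tag names are assumed, not from the thread."""
    root = ET.parse(path).getroot()
    fields = {}
    for tag in ("user_name", "userid", "team_name", "teamid"):
        el = root.find(f".//{tag}")
        if el is not None and el.text:
            fields[tag] = el.text.strip()
    return fields

def build_sample_tree():
    """Constructed sample tree mirroring the thread's hidden install under WINDOWS\\system32."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "WINDOWS" / "system32"
    proj = sys32 / "projects" / "setiathome.berkeley.edu"
    proj.mkdir(parents=True); (sys32 / "slots" / "0").mkdir(parents=True)
    (proj / "setiathome_4.18_windows_intelx86.exe").touch()
    (sys32 / "wupdmgr1.exe").touch()                # renamed boincmgr.exe: no name-based match
    (sys32 / "client_state.xml").write_text("<client_state/>")
    (sys32 / "account_setiathome.berkeley.edu.xml").write_text(  # ids from the thread's links
        "<account><user_name>EXAMPLE_USER</user_name><userid>95866</userid>"
        "<team_name>ESC-Consult</team_name><teamid>122736</teamid></account>")
    return root
```

Run against a real C:\ root the same sweep reports every hit under system32 as suspicious, which is exactly the layout the poster's screenshots showed.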

Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
wupdmgr1.exe is definitely a bogus file name. After we find out who the account belongs to we will be able to get it out of your system. It may be listed in Add and Remove Programs. Anyway, we're getting there. ;)
ReDSpideR
join:2002-08-16
Woodbridge, ON

Member

Hey, I found the account_setiathome.berkeley.edu file.

I opened it up; what line am I looking for?

Is the ID a set of numbers?

[edit]
Check this out:

any of this useful?

»setiathome.berkeley.edu/ ··· id=95866

Your team
View information about your team: ESC-Consult
»setiathome.berkeley.edu/ ··· d=122736

wapu
Broadband Ranger
Premium Member
join:2001-09-05
Albion, NY

to ReDSpideR
»setiathome.berkeley.edu/ ··· id=95866

This is the guy that put it on there. Have you used this consulting company?
wapu to ReDSpideR

»setiathome.berkeley.edu/ ··· eams.php

Is currently ranked 10th in the world all by himself as a team. I think someone here might want to contact Berkeley about it. Looks fishy to me.

Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
Interesting. Recent average credit 127,096.41 and he has his computers hidden. I think I'll make a post on the Boinc forum.

uniquecp
Where'D It Go
Premium Member
join:2001-08-07
Scottsdale, AZ

to ReDSpideR
That's him. Where did you get the computer from?

I believe a couple of experts here can help you remove this. I am wondering if that is replacing your Windows Update program, which means you also are not getting the Windows security updates. Has it asked you to update lately?
72245156 (banned)
TSWB.org
join:2000-07-11
Winnipeg, MB

Member

to wapu
said by wapu:

»setiathome.berkeley.edu/ ··· eams.php

Is currently ranked 10th in the world all by himself as a team. I think someone here might want to contact Berkeley about it. Looks fishy to me.
Wow! Looks like someone figured out how to do a BOINC virus. Let's find out the SETI forums response before we go direct to Berkeley.

Sat_Man
Monotonous Isn't It
Premium Member
join:2001-09-14
Gray Court, SC

to ReDSpideR
If you don't mind holding off on removing it we may need to get some more info to determine how he has it installed and hidden. This way we will have the info and help others if it comes up again. I have a feeling that it will with that kind of RAC he is returning. Any info on where you got your computer or anyone that may have worked on it would be helpful in trying to put a stop to this.

>Fred