VIRUS IN THE PROJECTS

Author	Message
pabla Send message Joined: 8 Jul 12 Posts: 2 Credit: 0 RAC: 0	Message 1258132 - Posted: 9 Jul 2012, 18:20:59 UTC
BilBG, I must apologize, I forgot to mention: I am using Avira free Antivirus.
ID: 1258132 ·

Ageless Send message Joined: 9 Jun 99 Posts: 11761 Credit: 2,076,495 RAC: 2,433	Message 1258194 - Posted: 9 Jul 2012, 21:06:20 UTC - in response to Message 1258132.
So do I, but mine doesn't find anything in the file. I downloaded it specifically, since I'm using optimized applications. Avira Version information: BUILD.DAT : 12.0.0.1125 AVSCAN.EXE : 12.3.0.15 VBASE031.VDF : 7.11.35.128 64000 Bytes 8-7-2012 21:27:58 Configuration settings for the scan: Jobname.............................: ShlExt Configuration file..................: C:\Users\Ageless\AppData\Local\Temp\3a632566.avp Logging.............................: default Primary action......................: Interactive Secondary action....................: Ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: P:, Process scan........................: off Scan registry.......................: off Search for rootkits.................: off Integrity checking of system files..: off Scan all files......................: Intelligent file selection Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: extended Skipped files.......................: D:\BOINC613\, D:\Crytek\Crysis 2\bin32\Crysis2.exe, D:\Crytek\Crysis 2\bin32\Crysis2Launcher.exe, E:\Crytek\, k:\., P:\ProgramData\, Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR, Start of the scan: maandag 9 juli 2012 22:53 Starting the file scan: Begin scan in 'P:\ProgramData\ap_graphics_6.01_windows_intelx86.exe' End of the scan: maandag 9 juli 2012 22:53 Used time: 00:00 Minute(s) The scan has been done completely. 0 Scanned directories 2 Files were scanned 0 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 Files were deleted 0 Viruses and unwanted programs were repaired 0 Files were moved to quarantine 0 Files were renamed 0 Files cannot be scanned 2 Files not concerned 0 Archives were scanned 0 Warnings 0 Notes Our advice is always to exclude the BOINC Data directory from being scanned by your anti-virus and other anti-malware scanners and only to scan these by hand, after you exited BOINC (or suspended it), to avoid loss of work. As you can see, I have my data directory excluded from being scanned. If you want to do so as well, open Avira, click Realtime Protection, Configuration, Scan, Exceptions, with the ... box search on "File objects to be scanned" (Second option) for your BOINC Data directory (default at C:\Programdata\BOINC\ under Windows Vista and Windows 7), select the BOINC main directory and click Add, click Apply, click OK. ____________ Jord - BOINC FAQ Service - BOINC User Wiki Real is just a matter of perception.*
ID: 1258194 ·

BilBg Send message Joined: 27 May 07 Posts: 2093 Credit: 3,272,842 RAC: 8,238	Message 1258474 - Posted: 10 Jul 2012, 8:02:06 UTC - in response to Message 1258132.
Two more Antivirus scan results (nothing found): http://r.virscan.org/report/364572dc4292f30b165afe592eb2a626.html http://virusscan.jotti.org/en/scanresult/f8165a9bc2bcc55cde281bc4089a2af4d6cc348f (Despite using the same Antivirus programs the sites (virustotal.com, virscan.org, virusscan.jotti.org) sometimes give different results probably because they use different settings (e.g. heuristics sensitivity level)) ____________ - ALF - "Find out what you don't do well ..... then don't do it!" :)
ID: 1258474 ·

coffee Send message Joined: 18 Feb 12 Posts: 4 Credit: 8,146 RAC: 16	Message 1258516 - Posted: 10 Jul 2012, 11:22:56 UTC - in response to Message 1253988.
Hello there, it seems so. Since several days I got the same message, that there's an update of BOINCE available. Still... when I want to go on reading on my Firefox, the browser says "Sorry, you can't trust this site. It seems to be a faked site!" I didn't download the new version of BOINC. And my e-mail-account, on which I communicate with BOINC, has been attacked the last days! My question now is: is there a new version of BOINC? Here's the link to the site, my Firefox browser says NO to: https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download Can anybody do something with this? I suggested you, NOT to follow this link! Kind greetings, coffee
ID: 1258516 ·

Volunteer tester Send message Joined: 9 Apr 02 Posts: 12012 Credit: 19,605,368 RAC: 43,334	Message 1258538 - Posted: 10 Jul 2012, 13:31:40 UTC - in response to Message 1258516.
Hello there, it seems so. Since several days I got the same message, that there's an update of BOINCE available. Still... when I want to go on reading on my Firefox, the browser says "Sorry, you can't trust this site. It seems to be a faked site!" I didn't download the new version of BOINC. And my e-mail-account, on which I communicate with BOINC, has been attacked the last days! My question now is: is there a new version of BOINC? Here's the link to the site, my Firefox browser says NO to: https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download Can anybody do something with this? I suggested you, NOT to follow this link! Kind greetings, coffee https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download is the correct URL to get BOINC updates. You can tell it is not fake because it belongs directly to the Berkeley.edu domain. Fake sites would try to fool you with something like Berkeley.edu.net or Berkeley.edu.nl or something like that. When I visit https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download on Firefox, it does NOT say that it is a fake, it simply says that the site's security certificate cannot be verified through a third party (such as VeriSign), so Firefox says that the secure connection cannot be trusted. The problem is that Berkeley doesn't use a third-party signed certificate - they use a self-signed certificate. The problem stems from the fact that web browsers have no way to verify the authenticity of a self-signed certificate, and many companies and educational facilities do not trust using third-party certificates, so web browsers tell the user that the sites is "untrusted". In this case, it is OK to select "I understand the Risks" and continue on to the BOINC download page.
ID: 1258538 ·

Ageless Send message Joined: 9 Jun 99 Posts: 11761 Credit: 2,076,495 RAC: 2,433	Message 1258571 - Posted: 10 Jul 2012, 15:56:22 UTC - in response to Message 1258516.
https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download Addendum to what (the invisible name guy) said, if you do not want to use the secure connection, you can also use the unsecure download link, at http://boinc.berkeley.edu/download.php, which does the same, really. ____________ Jord - BOINC FAQ Service - BOINC User Wiki Real is just a matter of perception.
ID: 1258571 ·

coffee Send message Joined: 18 Feb 12 Posts: 4 Credit: 8,146 RAC: 16	Message 1258908 - Posted: 11 Jul 2012, 13:58:26 UTC - in response to Message 1258538.
Hello, many thanks for your replys! I became unsure, because I got the messages, that there's a new version of BOINC six times (normally a message has only been sent once!). And then Firefox told me, that it might be a faked page, all my bells inside were ringing... ;-) I'm glad, that I can trust in your software... at least! ;-) Especially cause my e-mail-account has been hacked, as I said. The hacker sent mails from my account which I didn't know about... Anyway... can I download the new version while it's still working on wu's? Another question... the last time I downloaded a wu of seti, I received a wu from astropulse. Is astropulse working together with seti? Greetings, coffee
ID: 1258908 ·

Volunteer tester Send message Joined: 9 Apr 02 Posts: 12012 Credit: 19,605,368 RAC: 43,334	Message 1258922 - Posted: 11 Jul 2012, 14:47:17 UTC - in response to Message 1258908.
Yes, you can update BOINC while you have work in progress. AstroPulse is another form of SETI@Home. Or put another way, SETI@Home has two types of applications: MultiBeam (narrowband) and AstroPulse (broadband).
ID: 1258922 ·

coffee Send message Joined: 18 Feb 12 Posts: 4 Credit: 8,146 RAC: 16	Message 1259341 - Posted: 12 Jul 2012, 12:50:24 UTC - in response to Message 1258922.
Thanks for your reply! Better, one time asked too much than one time too less... ;-) Kind regards, coffee
ID: 1259341 ·

wmtknox5 Send message Joined: 2 Aug 12 Posts: 1 Credit: 0 RAC: 0	Message 1266705 - Posted: 2 Aug 2012, 13:22:47 UTC
Uh, I got a virus warning off the SETI@home project. My Vipre Anti-virus said libfftw3f-3-1-1a_upx.dll contained a known trojan and didn't allow the file to open. To be safe, I uninstalled BOINC & deleted all the files. Any guidance would be much appreciated. Here's the warning. Apologize for this being in XML, but I figure some of you are good enough to read it without too much trouble. <?xml version="1.0" encoding="UTF-16"?> <APEvent SchemaVersion="4.0.0" DefaultConfig="false" EventTypeEnum="2" TimeoutInSeconds="0" MonitorID="2003" MsgID="{055C2E9A-1159-4EE7-8EB6-CA66D7723633}" MonitorTypeEnum="2" RecommendScan="true" SDKVersion="5.2.5162" ThreatDefVersion="12462" APEventID="{D2C90A69-782E-422D-A212-C372A1BC9319}" IsAllowOk="true" IsAllowAlwaysOk="true" IsBlockOk="true" IsBlockAlwaysOk="true" IsQuarantineOk="true" EventActorEnum="2" EventDateTime="2012-08-02T08:59:35" TransactionID=""> <ParentProcess FilePath="C:\Program Files\BOINC\boinc.exe" PID="5128" FileSize="930992" MD5="" CRC8="0B1B05BFA8040000" CobraPackHash="0000000000000000" KnownAsEnum="1" ThreatID="0" AddedToUserKnown="false" Company="Space Sciences Laboratory" FileVersion="7.0.28" ProductName="BOINC client" ProductVersion="7.0.28" Description="BOINC client" Copyright="© 2003-2012 University of California"/> <FileMonitor FilePath="C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\libfftw3f-3-1-1a_upx.dll" MD5="e3d0548010ae1efa62545ac739da4c1d" CRC8="3E3FB975D92A0000" CobraPackHash="0000000000000000" KnownAsEnum="2" ThreatID="4752972" Company="" FileVersion="" ProductName="" ProductVersion="" Description="" Copyright=""/> <FinalDispositionInfo DispositionEnum="2" AuthorityEnum="2" QuarantineStatusCode="1" QID="" UserName="\\FRUGAL\Marketing" ErrorEnum="0"/> </APEvent>
ID: 1266705 ·

Volunteer tester Send message Joined: 9 Apr 02 Posts: 12012 Credit: 19,605,368 RAC: 43,334	Message 1266706 - Posted: 2 Aug 2012, 13:32:38 UTC - in response to Message 1266705.
Have you tried scanning that file with any of the other online scanners mentioned in this thread? If you had, I'm confident that you'd find the warning to be a false positive. "libfftw3f-3-1-1a_upx.dll" is an open source file and is required to process Fast Fourier Transform functions for SETI@Home.
ID: 1266706 ·

Author

Message

pabla
Send message
Joined: 8 Jul 12
Posts: 2
Credit: 0
RAC: 0

BilBG, I must apologize, I forgot to mention: I am using Avira free Antivirus.

ID: 1258132 ·

Ageless

Send message
Joined: 9 Jun 99
Posts: 11761
Credit: 2,076,495
RAC: 2,433

So do I, but mine doesn't find anything in the file. I downloaded it specifically, since I'm using optimized applications.

Avira Version information:
BUILD.DAT : 12.0.0.1125
AVSCAN.EXE : 12.3.0.15
VBASE031.VDF : 7.11.35.128 64000 Bytes 8-7-2012 21:27:58

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: C:\Users\Ageless\AppData\Local\Temp\3a632566.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: P:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended
Skipped files.......................: D:\BOINC613\*, D:\Crytek\Crysis 2\bin32\Crysis2.exe, D:\Crytek\Crysis 2\bin32\Crysis2Launcher.exe, E:\Crytek\*, k:\*.*, P:\ProgramData\*,
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: maandag 9 juli 2012 22:53

Starting the file scan:

Begin scan in 'P:\ProgramData\ap_graphics_6.01_windows_intelx86.exe'

End of the scan: maandag 9 juli 2012 22:53
Used time: 00:00 Minute(s)

The scan has been done completely.

0 Scanned directories
2 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
2 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes

Our advice is always to exclude the BOINC Data directory from being scanned by your anti-virus and other anti-malware scanners and only to scan these by hand, after you exited BOINC (or suspended it), to avoid loss of work.

As you can see, I have my data directory excluded from being scanned.
If you want to do so as well, open Avira, click Realtime Protection, Configuration, Scan, Exceptions, with the ... box search on "File objects to be scanned" (Second option) for your BOINC Data directory (default at C:\Programdata\BOINC\ under Windows Vista and Windows 7), select the BOINC main directory and click Add, click Apply, click OK.
____________
Jord

- BOINC FAQ Service
- BOINC User Wiki

Real is just a matter of perception.

ID: 1258194 ·

BilBg

Send message
Joined: 27 May 07
Posts: 2093
Credit: 3,272,842
RAC: 8,238

Two more Antivirus scan results (nothing found):

http://r.virscan.org/report/364572dc4292f30b165afe592eb2a626.html

http://virusscan.jotti.org/en/scanresult/f8165a9bc2bcc55cde281bc4089a2af4d6cc348f

(Despite using the same Antivirus programs the sites (virustotal.com, virscan.org, virusscan.jotti.org) sometimes give different results probably because they use different settings (e.g. heuristics sensitivity level))

____________

- ALF - "Find out what you don't do well ..... then don't do it!" :)

ID: 1258474 ·

coffee
Send message
Joined: 18 Feb 12
Posts: 4
Credit: 8,146
RAC: 16

Hello there,
it seems so. Since several days I got the same message, that there's an update of BOINCE available.
Still... when I want to go on reading on my Firefox, the browser says "Sorry, you can't trust this site. It seems to be a faked site!"
I didn't download the new version of BOINC.
And my e-mail-account, on which I communicate with BOINC, has been attacked the last days!
My question now is: is there a new version of BOINC?
Here's the link to the site, my Firefox browser says NO to:

https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download

Can anybody do something with this?
I suggested you, NOT to follow this link!
Kind greetings,
coffee

ID: 1258516 ·

Volunteer tester
Send message
Joined: 9 Apr 02
Posts: 12012
Credit: 19,605,368
RAC: 43,334

Hello there,
it seems so. Since several days I got the same message, that there's an update of BOINCE available.
Still... when I want to go on reading on my Firefox, the browser says "Sorry, you can't trust this site. It seems to be a faked site!"
I didn't download the new version of BOINC.
And my e-mail-account, on which I communicate with BOINC, has been attacked the last days!
My question now is: is there a new version of BOINC?
Here's the link to the site, my Firefox browser says NO to:

https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download

Can anybody do something with this?
I suggested you, NOT to follow this link!
Kind greetings,
coffee

https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download is the correct URL to get BOINC updates. You can tell it is not fake because it belongs directly to the Berkeley.edu domain. Fake sites would try to fool you with something like Berkeley.edu.net or Berkeley.edu.nl or something like that.

When I visit https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download on Firefox, it does NOT say that it is a fake, it simply says that the site's security certificate cannot be verified through a third party (such as VeriSign), so Firefox says that the secure connection cannot be trusted.

The problem is that Berkeley doesn't use a third-party signed certificate - they use a self-signed certificate. The problem stems from the fact that web browsers have no way to verify the authenticity of a self-signed certificate, and many companies and educational facilities do not trust using third-party certificates, so web browsers tell the user that the sites is "untrusted".

In this case, it is OK to select "I understand the Risks" and continue on to the BOINC download page.

ID: 1258538 ·

Ageless

Send message
Joined: 9 Jun 99
Posts: 11761
Credit: 2,076,495
RAC: 2,433

https://boinc.berkeley.edu/manager_links.php?target=notice&controlid=download

Addendum to what (the invisible name guy) said, if you do not want to use the secure connection, you can also use the unsecure download link, at http://boinc.berkeley.edu/download.php, which does the same, really.
____________
Jord

- BOINC FAQ Service
- BOINC User Wiki

Real is just a matter of perception.

ID: 1258571 ·

coffee
Send message
Joined: 18 Feb 12
Posts: 4
Credit: 8,146
RAC: 16

Hello,
many thanks for your replys!
I became unsure, because I got the messages, that there's a new version of BOINC six times (normally a message has only been sent once!).
And then Firefox told me, that it might be a faked page, all my bells inside were ringing... ;-)
I'm glad, that I can trust in your software... at least! ;-)
Especially cause my e-mail-account has been hacked, as I said. The hacker sent mails from my account which I didn't know about...
Anyway... can I download the new version while it's still working on wu's?
Another question... the last time I downloaded a wu of seti, I received a wu from astropulse. Is astropulse working together with seti?
Greetings,
coffee

ID: 1258908 ·

Volunteer tester
Send message
Joined: 9 Apr 02
Posts: 12012
Credit: 19,605,368
RAC: 43,334

Yes, you can update BOINC while you have work in progress.

AstroPulse is another form of SETI@Home. Or put another way, SETI@Home has two types of applications: MultiBeam (narrowband) and AstroPulse (broadband).

ID: 1258922 ·

coffee
Send message
Joined: 18 Feb 12
Posts: 4
Credit: 8,146
RAC: 16

Thanks for your reply!
Better, one time asked too much than one time too less... ;-)
Kind regards,
coffee

ID: 1259341 ·

wmtknox5
Send message
Joined: 2 Aug 12
Posts: 1
Credit: 0
RAC: 0

Uh, I got a virus warning off the SETI@home project. My Vipre Anti-virus said libfftw3f-3-1-1a_upx.dll contained a known trojan and didn't allow the file to open. To be safe, I uninstalled BOINC & deleted all the files.

Any guidance would be much appreciated.

Here's the warning. Apologize for this being in XML, but I figure some of you are good enough to read it without too much trouble.

<?xml version="1.0" encoding="UTF-16"?>
<APEvent SchemaVersion="4.0.0" DefaultConfig="false" EventTypeEnum="2" TimeoutInSeconds="0" MonitorID="2003" MsgID="{055C2E9A-1159-4EE7-8EB6-CA66D7723633}" MonitorTypeEnum="2" RecommendScan="true" SDKVersion="5.2.5162" ThreatDefVersion="12462" APEventID="{D2C90A69-782E-422D-A212-C372A1BC9319}" IsAllowOk="true" IsAllowAlwaysOk="true" IsBlockOk="true" IsBlockAlwaysOk="true" IsQuarantineOk="true" EventActorEnum="2" EventDateTime="2012-08-02T08:59:35" TransactionID="">
<ParentProcess FilePath="C:\Program Files\BOINC\boinc.exe" PID="5128" FileSize="930992" MD5="" CRC8="0B1B05BFA8040000" CobraPackHash="0000000000000000" KnownAsEnum="1" ThreatID="0" AddedToUserKnown="false" Company="Space Sciences Laboratory" FileVersion="7.0.28" ProductName="BOINC client" ProductVersion="7.0.28" Description="BOINC client" Copyright="© 2003-2012 University of California"/>
<FileMonitor FilePath="C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\libfftw3f-3-1-1a_upx.dll" MD5="e3d0548010ae1efa62545ac739da4c1d" CRC8="3E3FB975D92A0000" CobraPackHash="0000000000000000" KnownAsEnum="2" ThreatID="4752972" Company="" FileVersion="" ProductName="" ProductVersion="" Description="" Copyright=""/>
<FinalDispositionInfo DispositionEnum="2" AuthorityEnum="2" QuarantineStatusCode="1" QID="" UserName="\\FRUGAL\Marketing" ErrorEnum="0"/>
</APEvent>

ID: 1266705 ·

Volunteer tester
Send message
Joined: 9 Apr 02
Posts: 12012
Credit: 19,605,368
RAC: 43,334

Have you tried scanning that file with any of the other online scanners mentioned in this thread?

If you had, I'm confident that you'd find the warning to be a false positive. "libfftw3f-3-1-1a_upx.dll" is an open source file and is required to process Fast Fourier Transform functions for SETI@Home.

ID: 1266706 ·