
Thread: How the #@!* did this program install without my consent??

  1. #1

    How the #@!* did this program install without my consent??

    Hi. Today I noticed a program running in the taskbar called df or something like that so I was curious since it wasn't familiar.

    So I did a search and found the directory in "C:\Program Files\df", then I went into dos prompt and removed the hidden attributes on the files.

    Next I checked through the batch files and noted that they were to copy a link to the windows startup folder and also to hide the folder and its contents.

    This is when I checked the files for viruses, nothing.

    So I thought I should go through the text and configuration files before executing the apps.

    Nothing more than variables.. So I opened up a file called "toph19_eef1.inp" and on the first line was : "TOPOLOGY FILE FOR PROTEINS USING EXPLICIT HYDROGEN ATOMS: VERSION".

    This is where my suspicions of it being a virus stopped and the question was raised on how this program installed itself, especially since it was around 9Mb in total :/.

    So I ran the "foldit.bat" batch file and it started up this program which had a URL.

    Needless to say I fired it up and I thought I'd do a quick check on the forum to see if anything like this has happened before.

    ..A few minutes later and here I am writing this thread and I still don't have a clue on how it downloaded and installed itself

    ps. I wrote it this way so you could see how annoyed I am atm

  2. #2
    lemonsqzz
    look in the file handle.txt
    That should point to the user that
    is trying to run this on your system and
    if they have created a virus from it they
    should be dealt with...

  3. #3
    "2oqoafm2" <--- This is what is in handle.txt


    I only suspected it was a virus at first because of the adding of a link for automatic startup and a batch for hiding the folder

  4. #4
    Is this a computer at work or a computer that a lot of people would have access to? I would strongly suspect that someone decided to try to boost their "Stats" by installing the Distributed Folding Client on your computer without getting permission. This is behavior absolutely not endorsed by The Distributed Folding Project, and I would expect that one of the administrators for the project will probably take action against the individual responsible by banning their handle so they don't get the benefit of illicitly installing the software on your computer. A brief summary of what the software does can be found here.
    A member of TSF http://teamstirfry.net/

  5. #5
    lemonsqzz
    That would be the handle of the user that
    is getting credit for any data you are
    processing when you run the program.
    I am pretty new to this, but I think if you
    click the contact us link below and email Iron Bits I'm sure he could help track that user down and possibly have them removed. Sign up and get your own handle if you want to continue running the program and join a team!!

    You should try to think about what you have downloaded and installed recently.

  6. #6
    He should not contact Iron Bits, but he should contact Howard at this email address trades@mshri.on.ca so he can take action against the individual with this handle. Explaining the situation and giving Howard the exact handle should do the trick. Sending the info to Ironbits just complicates the situation since Ironbits can't take any action against the perpetrator.
    Last edited by Aegion; 09-22-2002 at 02:58 AM.

  7. #7
    hahahahahahahahahahaha...

    I'm sorry... but people like this explain why I hate society as a whole.


  8. #8
    pointwood
    Aegion is correct, you should mail Howard (his nickname here in the forum is "Brian the Fist") and tell him this. I could imagine he would actually read this thread soon as he checks this forum quite often.

    Of course, there is the problem that if the person that is behind that handle says he has permission to install it, Howard has no way of knowing whether it is you or he that is telling the truth.

    Just to be clear: This program is not a virus, trojan or anything and it does no harm. It is using the idle cycles from your computer to do some good stuff which you can read about in the link Aegion posted.

    It has *NOT* installed itself on your computer, someone has installed it on your computer, without you knowing it. As Aegion asks - is this your work computer? If so, maybe it is the admin that has installed it (and he could have permission to do so without you knowing it). Of course, if it is your own computer, then the person that has installed the client should clearly have asked you first.
    Pointwood
    Jabber ID: pointwood@jabber.shd.dk
    irc.arstechnica.com, #distributed

  9. #9
    Thanks, I've emailed Howard.
    Also NO-ONE has access to this pc except me (I live by myself).

  10. #10
    pointwood
    Someone has clearly had access to your computer, whether locally or remote (hacked?).

  11. #11
    While anything is possible, I find it highly unlikely that the virus was distributed and installed as a virus.

    So, either it is a hoax or something else is up.

    What kind of net connection do you have and do you log internet traffic in any way?

    If you have good logging (say through a firewall or something, I am no network expert) you might be able to track down the time at which the program was downloaded (though the file properties in Windows should give you a rough guess of the install date to help out) since it is a large file, approx. 9 megs as you mentioned earlier.

    What I would really like to see is what happens when Howard takes the provided handle and takes some look at whatever history he has for the account. If it has been downloaded, say via a trojan, then there would probably be some sort of pattern.

    I know that handles are not made public by the project and I think that the username and organization fields are tied to the handle by the DF server database. Thus, I don't think that we can find the username and organization (and thus find the person's stats, assuming they have a unique username and organization) using the handle. I know that it isn't supposed to be allowed in the opposite direction for privacy reasons.

    /me is curious to see what the stats and records regarding the given handle are.

  12. #12
    atm I'm on a 56k connection and using WinXP minus SP1, I'm using the basic
    firewall that's with XP tho I don't know if XP logs traffic

    anyway u ppl know more bout this program than me, so I took a pic of the folder - HERE

    look familiar?

    I guess it's possible it was installed remotely 'cause I don't know anyone from
    the team Howard says he's from
    also, whoever he is he's ranked 3rd on the team

  13. #13
    alpha
    I noticed from your screenshot, the rather suspicious-looking, iconless 'runh.exe', which according to thethin.net is "RUNH.EXE (Run Hidden V1.0) This utility written by Steve Seguis (founder of Script Horizon), runs a batch file or executable in the background, hidden from the user."

    It absolutely sounds like someone didn't want you to know it was running. It might be worth going through whatever the procedures are these days to check if you're infected with Sub7 or something.

  14. #14
    Darky: You say you live alone, but you must have friends and they must come over to visit every now and then. It might be possible that a friend of yours while visiting went on your computer and installed something when you were busy with something else, in the bathroom, etc... Most people on teams use aliases so you might not recognize their name.

    Look at when the directory those files are in was created. The files raj.bat and start are not part of the regular distribution and may give you more clues. They seem to have a timestamp of this Saturday around 7pm which is the night before you found it. Did you have anyone over that night at your house?

    As a punishment, the person who is in 3rd place on the team who installed this on your machine without permission should have all their points taken away from them? Who knows how many other machines they "illegally" installed it on.

    Jeff.
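
The manual checks described in the posts above (a link in the Startup folder, a hidden program folder, and the folder's creation time) collected into one read-only PowerShell script. This is an added example, not something posted in the thread; it assumes PowerShell 3.0 or later on a current Windows system rather than the XP machine discussed, and the variable names are its own.

```powershell
# Added example (not from the thread). Read-only: it lists, it never modifies.
# Assumption: PowerShell 3.0+ on a current Windows install.

# 1) Everything in the per-user and all-users Startup folders,
#    with shortcut (.lnk) targets resolved.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$startupItems = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        $target = $null
        if ($_.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        [pscustomobject]@{
            Entry   = $_.FullName
            Target  = $target
            Created = $_.CreationTime
        }
    }
}

# 2) Hidden folders directly under Program Files (-Force is needed to see them).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$hiddenDirs = Get-ChildItem -LiteralPath $roots -Directory -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

# 3) Per hidden folder: when it was created, which scripts/executables it holds,
#    and whether any Startup entry launches something from inside it.
$report = foreach ($d in $hiddenDirs) {
    $prefix = $d.FullName.TrimEnd('\') + '\'
    $launchers = @($startupItems | Where-Object {
        $_.Target -and
        $_.Target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
    })
    $runnable = @(Get-ChildItem -LiteralPath $d.FullName -Recurse -Force -File `
                      -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.exe' })
    [pscustomobject]@{
        Folder        = $d.FullName
        FolderCreated = $d.CreationTime
        NewestWrite   = ($runnable | Sort-Object LastWriteTime |
                            Select-Object -Last 1).LastWriteTime
        Runnable      = $runnable.Name -join ', '
        StartupEntry  = $launchers.Entry -join ', '
    }
}

$startupItems | Sort-Object Created | Format-Table -AutoSize
$report | Sort-Object FolderCreated | Format-List
```

Some hidden folders under Program Files are legitimate, so the rows worth a closer look are those where `StartupEntry` is non-empty or `FolderCreated` falls at a time nobody should have been using the machine.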

  15. #15
    This matter is presently under investigation and we certainly do not condone such behaviour. Once the facts are exposed, the guilty party will be sentenced to a minimum of 50 lashes with a fresh haddock
    Seriously though, we will proceed to resolve this matter in private so please return to your happy, protein folding lives. If anything, I am more likely to simply disable the account rather than remove the stats, which may be viewed as unfair to the team. But hopefully this won't be necessary.
    Howard Feldman

  16. #16
    Get a firewall dude. Zonealarm is quite good, and it's free

    70% of home PC's are so insecure it's scary

  17. #17
    Originally posted by Brian the Fist
    This matter is presently under investigation and we certainly do not condone such behaviour. Once the facts are exposed, the guilty party will be sentenced to a minimum of 50 lashes with a fresh haddock
    Seriously though, we will proceed to resolve this matter in private so please return to your happy, protein folding lives. If anything, I am more likely to simply disable the account rather than remove the stats, which may be viewed as unfair to the team. But hopefully this won't be necessary.
    To be bluntly honest about this :-

    Before doing DF darky's machine probably spent time warming up the globe in the pursuits of :-

    1) Downloading porn
    2) Ripping off mp3s.
    3) Playing mindlessly violent first person shooters.

    Now it is :-

    1) Downloading porn
    2) Ripping off mp3s.
    3) Playing mindlessly violent first person shooters.
    4) DOING SOMETHING USEFUL


    OK, Darky, stop whinging and get your friends on board

    Regards

    Andy

  18. #18
    Unless you leave your dial-up unattended for long periods of time, it seems unlikely someone would even bother to remotely install this to your system. It being XP, it seems even more unlikely...although you might want to check your file and printing sharing. If you are sharing any folders, you might make sure you require login with passwords on them.

    A virus might be a possibility... perhaps attached to something you downloaded. Have you noticed any abnormal slowdown in your dial-up use?

    That someone visiting you installed without your permission on your system is a possibility. If they burned it to a CD-ROM, it wouldn't take very long to install, and in fact they could just simply copy it to your hard drive. Throw in a batch file to copy and set it up, and it's even easier and faster.

    TTFN,

    RS½
    The SETI TechDesk
    http://egroups.com/group/SETI_techdesk
    ~Your source for astronomy news and resources~

  19. #19
    Richard Clyne
    /me orders in extra beer and Scooby snacks. Nothing like a good "fresh haddock lashing" to brighten up the day.

    On a more serious side. Are we not jumping to assumptions the person's handle that is being used belongs to the person installing the software illegally on other computers.

    If the guilty person is found then I do not feel freezing the account is a sufficient punishment to fit the crime. If you are willing to risk being caught illegally borging machines, you should be willing to risk losing all.


    zakelwee:
    Do not jump to assumptions what other people do or not do with their computers. We all do not sit there downloading porn, mp3s etc. Darky has a right to determine what is installed on his computer. Even if the computer is only used for porn, mp3s and playing shoot-em-up games.
    Last edited by Richard Clyne; 09-23-2002 at 02:32 PM.

  20. #20
    TheOtherZaphod
    whoever he is he's ranked 3rd on the team

    ...I'm third on my team, and it wasn't me...




    Oddly enough IronBits is third on his team, maybe it's him.

    Or maybe it's Ody

    Or Spongebob

    Or ...

    Inquiring minds need to know.
    Don't Panic

  21. #21
    TheOtherZaphod
    By the way, I totally believe that the install was done the old fashioned way... By a human, sitting at the keyboard.

    In possible defense (again, not of myself), just last weekend I had a machine that was given to me to "fix"; it was suffering from frequent lockups and abends. As part of the diagnostics I installed DF as a way of testing stability (ok, and generating a few thousand extra units). The box wouldn't even finish a thousand without throwing an error. When I was done fixing it, it ran smoothly for an overnight.

    Of course I didn't leave the client installed and running, but maybe the last tech to touch his machine suffered from temporary insanity and left something that he shouldn't have.

    This really shouldn't be that big a deal. We should help the guy get rid of the client, Howard should put him in touch with the owner of the handle, and we should all agree that ethics should be emphasized more strongly in public education.

  22. #22
    This is a matter that Howard and the project obviously want to look into and are already doing so.

    If Howard resolves things to darky's satisfaction, that should be the end of it. If that doesn't result in the account being banned, then that is fine. If it DOES result in the account being banned, that is also acceptable. Why?

    Because Howard is the person whose work and whose program is being used in a fashion that isn't appropriate. He is in no way responsible for this mis-use of the DF program, but it is obviously in his best interest to discourage this sort of behavior and to make it clear that the project doesn't endorse, support or look kindly upon these types of activities.

    Anyways, I have faith that things will be resolved efficiently and I agree that the results should remain private, but I do think that a lot of us have a strong interest in finding out (after the problem is resolved) whether the program was installed by a person physically at the computer....or whether we need to be on the look-out for a new virus, exploit, or other sort of dangerous activities.

    Anyways, give it time and it will all work out.

    If not, we can always bomb Iraq.

  23. #23
    The matter has been resolved and I'm happy with the outcome (justice prevails!):

  24. #24
    Scoofy12
    heh heh heh... guess the search is now on for a #3 of a team that no longer has any new structures or has been removed

    Now.... now that we have your attention, how bout joining the project of your own free will?
    It really is for a great cause, doesn't cost you anything, and has the best staff of any distributed computing project I've ever heard of.

    Also, may I suggest Free-DC (the hosters of this forum) as the best most coolest friendliest team around (<-- biased opinion)

  25. #25
    I will second Scoofy's appraisal of Free-DC as a class act and a great team.

    As long as you don't drop by while IB is getting fitted for his dress, I think you would enjoy your stay.

  26. #26
    KWSN_Millennium2001Guy
    Why do people think that the account belongs to someone in third place on their team? I see nothing in the previous posts by any reliable sources that lead me to suspect that this is true.

    Ni! ?

  27. #27
    pointwood
    I recommend re-reading darky's posts
    I guess it's possible it was installed remotely 'cause I don't know anyone from the team Howard says he's from also, whoever he is he's ranked 3rd on the team

  28. #28
    pointwood
    Originally posted by Scoofy12
    Also, may I suggest Free-DC (the hosters of this forum) as the best most coolest friendliest team around (<-- biased opinion)
    Little error there - it should read "...as the SECOND best most coolest friendliest team around"

  29. #29
    Originally posted by Richard Clyne
    zakelwee:
    Do not jump to assumptions what other people do or not do with their computers. We all do not sit there downloading porn, mp3s etc. Darky has a right to determine what is installed on his computer. Even if the computer is only used for porn, mp3s and playing shoot-em-up games.
    I almost thought you were being serious there for a moment ..

    heh heh

    dude.



    Regards

    Andy

  30. #30
    TheOtherZaphod
    You guys can fight over which team is friendliest (unless, of course, you feel that there is something somewhat ironic and self-defeating about doing so); I am unilaterally (a word whose importance in the American vernacular is on the upswing) declaring the OCN Hellspawn to be the coolest team in DF.

  31. #31

    bullshit!

    KWSN ...without a doubt...!
    After all..where are all u yanks originally from!

  32. #32

    Question

    So the perpetraitor (?) has been caught. But how did the client get installed in the first place? Was it done by somebody who actually sat behind this computer or by another way?

    I'd like to know that....
    Proud member of the Dutch Power Cows

  33. #33
    TheOtherZaphod
    Hmmmm....

    So oddly enough the third place member of the kniggits has merged scores with another member.....

    Spongebob, were you the culprit?

  34. #34
    Coincidence.

    Nah, me thinks SBSP's hijacking of my fine name is something much more nefarious. SBSP is acting weird(er) than usual. We are being investigated by the British Dental Association. The Picard team has borged our dead rat-dog. We are still fearing reprisals from the Gnome Liberation Front. And the amount of Dutch Power Cows kicking around our board is on the increase. Just a typical week with the Knights...



    Sincerely,



    KWSN_robegeor (maybe)
