Curiosity Intrigues Me...



StickToTheScript
05-03-2013, 04:22 AM
Hello,

I was getting a few popups today from AVG on my CPU today claiming that I have a Backdoor on my computer in my temp files.

I took a look through it and was tempted to see if I could dig into the .exe, but I uninstalled that program a while ago. So, I sat there and attempted to figure out where I got it from. I noticed the name, which was "rsbot". I do use powerbot, but I have never noticed this before. Maybe someone here has gotten it before??

Then, I started thinking about my RS related downloads that I have downloaded. This led me to here only. But I know that there is a 99% chance that it didn't come from here.

I thought about powerbot and if it could have come from adding a script from the SDN to your account and then running it. So, now I am seeing if I can figure out where it came from.

Wish me luck!

If anyone is interested in helping, please feel free to let me know! I am not worried, mainly because I got no money on my accounts... :P

But, seriously. If interested, let me know!

Thanks!


StickToTheScript

Neznam
05-03-2013, 05:05 AM
Hmm. I too am interested in what you come up with. Especially after thinking of buying iDung.

Brandon
05-03-2013, 06:34 AM
Download a hex editor.. find the virus, see if there is an email in it using something like HexWorkshop and looking for "gmail", "hotmail", "live", "powerbot", "villavu", etc.. If that doesn't work, might as well delete it because it'd be pretty hard to trace without tracing outgoing connections.. And to allow outgoing connections from a virus is bad news unless you know what you're doing..

Good luck.
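The string search Brandon describes, as an added example that is not from the thread or from any tool named in it: a small Python script that pulls printable ASCII and UTF-16LE strings out of a binary (what a hex editor's text search or the `strings` utility would show) and flags e-mail addresses and the keywords suggested above. It only reads the file, never runs it, so it is safe to point at a copy of a quarantined sample. The sample bytes and the address in them are constructed; `rsbot` is added to the keyword list because it is the file name the thread mentions.

```python
import re
import sys
from typing import Dict, List

# Keywords from the advice above, plus the file name the thread is about.
# Note that "live" is a substring of ordinary words ("deliver", "olive"),
# so expect noise from that one and read its hits with care.
KEYWORDS = ("gmail", "hotmail", "live", "powerbot", "villavu", "rsbot")

# Loose e-mail pattern: good enough for triage, not for validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes (0x20-0x7e)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return UTF-16LE runs (printable byte followed by 0x00), which is how
    Windows binaries store most paths, registry keys and URLs; a plain ASCII
    search misses these entirely."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_indicators(data: bytes, keywords=KEYWORDS, min_len: int = 4) -> Dict[str, object]:
    """Extract strings from raw bytes and report e-mail addresses and keyword hits."""
    strings = extract_ascii_strings(data, min_len) + extract_utf16le_strings(data, min_len)
    emails = sorted({e for s in strings for e in EMAIL_RE.findall(s)})
    hits: Dict[str, List[str]] = {}
    for kw in keywords:
        matched = sorted({s for s in strings if kw in s.lower()})
        if matched:
            hits[kw] = matched
    return {"string_count": len(strings), "emails": emails, "keyword_hits": hits}


def scan_file(path: str) -> Dict[str, object]:
    """Read a file as bytes (never execute it) and run the indicator search."""
    with open(path, "rb") as fh:
        return find_indicators(fh.read())


# Constructed stand-in for a suspicious executable: a fake DOS header, a few
# ASCII strings (including a constructed, non-routable e-mail address) and one
# UTF-16LE path that an ASCII-only search would miss.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n\x00\x00"
    + b"smtp.gmail.com\x00"
    + b"report@example.invalid\x00"
    + b"\x01\x02\x03\x04"
    + "C:\\Users\\victim\\AppData\\Local\\Temp\\rsbot.exe".encode("utf-16-le")
    + b"\x00\x00\x7f\x80\x90"
)


if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_indicators(SAMPLE_BINARY)
    print(f"strings found: {result['string_count']}")
    print("e-mail addresses:", result["emails"])
    for kw, matched in result["keyword_hits"].items():
        for s in matched:
            print(f"  [{kw}] {s}")
```

Finding an address or a domain this way is a lead, not proof: strings can be decoys or leftovers from a packer, and a packed or encrypted payload may show nothing readable at all, which is itself worth noting when the file's size does not match the amount of text it contains.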

StickToTheScript
05-03-2013, 11:18 AM
Download a hex editor.. find the virus, see if there is an email in it using something like HexWorkshop and looking for "gmail", "hotmail", "live", "powerbot", "villavu", etc.. If that doesn't work, might as well delete it because it'd be pretty hard to trace without tracing outgoing connections.. And to allow outgoing connections from a virus is bad news unless you know what you're doing..

Good luck.

Thanks! I used hex editor before, but that was the one I uninstalled. But, so far it has not shown up again. I will be waiting tho...


EDIT: Came across an issue. I was not able to view the .exe because it was locked. I have never encountered that. Any ideas?

Raiden702
05-10-2013, 08:39 PM
I would like to know exactly what folders you went into to check this out. Maybe this could be a bigger problem?

StickToTheScript
05-10-2013, 09:16 PM
I would like to know exactly what folders you went into to check this out. Maybe this could be a bigger problem?

Temp Folder in my Local Appdata.

I am able to get rid of it for a while, but sometimes it just comes back after a few days. Luckily, AVG is able to stop it from doing anything retarded. But I try to view the .exe and I cannot get into it because it is locked. Never experienced that....

Raiden702
05-12-2013, 07:00 AM
Temp Folder in my Local Appdata.

I am able to get rid of it for a while, but sometimes it just comes back after a few days. Luckily, AVG is able to stop it from doing anything retarded. But I try to view the .exe and I cannot get into it because it is locked. Never experienced that....

Have you defragged?

King
05-12-2013, 04:16 PM
Locked how? Like obfuscated?

StickToTheScript
05-12-2013, 05:39 PM
Locked how? Like obfuscated?

IDK. I do not plan on opening it, but when I use PE Explorer to open the file, I can't... A pop up says it is locked....

Sawyer
05-21-2013, 03:02 AM
IDK. I do not plan on opening it, but when I use PE Explorer to open the file, I can't... A pop up says it is locked....

This may be a little late (about a week) but not gravedigging. I do know that scripts off the SDN are stored in your AppData... so search your computer in the windows explorer thing for it. If that doesn't work, you could always restore the computer :p try putting it in safe mode.

StickToTheScript
05-21-2013, 01:04 PM
This may be a little late (about a week) but not gravedigging. I do know that scripts off the SDN are stored in your AppData... so search your computer in the windows explorer thing for it. If that doesn't work, you could always restore the computer :p try putting it in safe mode.

I have a ton of stuff on it, but I am going to search for it.