
Thread: Curiosity Intrigues Me...

  1. #1
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,164
    Mentioned
    26 Post(s)
    Quoted
    433 Post(s)

    Curiosity Intrigues Me...

    Hello,

    I was getting a few pop-ups today from AVG on my CPU claiming that I have a Backdoor on my computer in my temp files.

    I took a look through it and was tempted to see if I could dig into the .exe, but I uninstalled that program a while ago. So, I sat there and attempted to figure out where I got it from. I noticed the name, which was "rsbot". I do use powerbot, but I have never noticed this before. Maybe someone here has gotten it before?

    Then, I started thinking about my RS-related downloads. This led me to here only. But I know that there is a 99% chance that it didn't come from here.

    I thought about powerbot and if it could have come from adding a script from the SDN to your account and then running it. So, now I am seeing if I can figure out where it came from.

    Wish me luck!

    If anyone is interested in helping, please feel free to let me know! I am not worried, mainly because I have no money on my accounts... :P

    But, seriously. If interested, let me know!

    Thanks!


    StickToTheScript

  2. #2
    Join Date
    Apr 2012
    Location
    Canada, Bc
    Posts
    1,593
    Mentioned
    6 Post(s)
    Quoted
    356 Post(s)


    Hmm. I too am interested in what you come up with. Especially after thinking of buying iDung.

  3. #3
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    Download a hex editor, find the virus, and see if there is an email in it, using something like Hex Workshop and looking for "gmail", "hotmail", "live", "powerbot", "villavu", etc. If that doesn't work, you might as well delete it, because it would be pretty hard to trace without tracing outgoing connections. And allowing outgoing connections from a virus is bad news unless you know what you're doing.

    Good luck.
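The string search Brandon describes (open the binary, look for mailbox names and the "gmail"/"hotmail"/"powerbot"/"villavu" keywords) is easy to script so it runs the same way every time and also catches the UTF-16 strings a hex editor shows with 0x00 gaps between the letters. The following is an added example written for this thread, not code from the original poster, from powerbot, or from any tool mentioned above. The keyword list is taken from the post, the `.example` mailbox and URL are constructed sample data planted into a fake MZ/PE header skeleton so the script runs offline, and `scan_file` is a hypothetical helper name.

```python
"""
Triage helper: pull printable strings out of a suspicious .exe and flag the
ones that look like e-mail addresses, URLs, or the keywords suggested above.
Added example for this thread; the sample binary is constructed in memory and
is NOT real malware.
"""
import re
import struct

MIN_LEN = 6

# Keywords from the post. Short ones like "live" will also hit words such as
# "deliver", so treat keyword matches as leads, not proof.
KEYWORDS = ("gmail", "hotmail", "live", "powerbot", "villavu")

# Runs of printable ASCII, and runs of printable UTF-16LE (char, 0x00 pairs).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_strings(data: bytes) -> list:
    """Return ASCII and UTF-16LE strings of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    # Heuristic: an ASCII byte immediately followed by 0x00 can glue onto the
    # start of a UTF-16 string, so a leading stray character is possible.
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_indicators(data: bytes) -> dict:
    """Classify extracted strings into e-mails, URLs and keyword hits."""
    hits = {"emails": [], "urls": [], "keywords": []}
    for s in extract_strings(data):
        hits["emails"] += EMAIL_RE.findall(s)
        hits["urls"] += URL_RE.findall(s)
        low = s.lower()
        for kw in KEYWORDS:
            if kw in low:
                hits["keywords"].append((kw, s))
    return hits


def scan_file(path: str) -> dict:
    """Hypothetical helper: read a file read-only and report on it.

    A file held open exclusively by a running process (the "locked" .exe
    from this thread) may raise PermissionError here; copy it or scan from
    safe mode instead of killing the process blind.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    return {"pe": is_pe(data), **find_indicators(data)}


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious .exe (header skeleton + strings)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    body = (
        b"\x00\x01\x02"
        + b"SMTP user: collector@hotmail.example\x00"
        + b"\x90" * 7
        + b"powerbot script loader\x00\x00"
        + "http://villavu.example/upload.php".encode("utf-16-le") + b"\x00\x00"
        + bytes(range(64))                     # noise, includes a printable run
    )
    return bytes(hdr) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = scan_file(sys.argv[1])
    else:
        sample = build_sample()
        report = {"pe": is_pe(sample), **find_indicators(sample)}
    for key, value in report.items():
        print(key, value)
```

Run it with a path to scan a real file, or with no arguments to scan the constructed sample. A hit only tells you what the binary contains (a mailbox it reports to, a URL it fetches), not where it came from, and a packed or obfuscated sample will show almost no readable strings at all; that is the point at which watching its outgoing connections becomes the next step, and, as the post says, that belongs in an isolated VM, never on the infected machine with network access.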

  4. #4
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,164
    Mentioned
    26 Post(s)
    Quoted
    433 Post(s)


    Quote Originally Posted by Brandon
    Download a hex editor, find the virus, and see if there is an email in it, using something like Hex Workshop and looking for "gmail", "hotmail", "live", "powerbot", "villavu", etc. If that doesn't work, you might as well delete it, because it would be pretty hard to trace without tracing outgoing connections. And allowing outgoing connections from a virus is bad news unless you know what you're doing.

    Good luck.
    Thanks! I used a hex editor before, but that was the one I uninstalled. But, so far it has not shown up again. I will be waiting though...


    EDIT: Came across an issue. I was not able to view the .exe because it was locked. I have never encountered that. Any ideas?

  5. #5
    Join Date
    Mar 2012
    Posts
    126
    Mentioned
    4 Post(s)
    Quoted
    20 Post(s)


    I would like to know exactly what folders you went into to check this out. Maybe this could be a bigger problem?

  6. #6
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,164
    Mentioned
    26 Post(s)
    Quoted
    433 Post(s)


    Quote Originally Posted by Raiden702
    I would like to know exactly what folders you went into to check this out. Maybe this could be a bigger problem?
    Temp Folder in my Local AppData.

    I am able to get rid of it for a while, but sometimes it just comes back after a few days. Luckily, AVG is able to stop it from doing anything retarded. But when I try to view the .exe, I cannot get into it because it is locked. Never experienced that....

  7. #7
    Join Date
    Mar 2012
    Posts
    126
    Mentioned
    4 Post(s)
    Quoted
    20 Post(s)


    Quote Originally Posted by StickToTheScript
    Temp Folder in my Local AppData.

    I am able to get rid of it for a while, but sometimes it just comes back after a few days. Luckily, AVG is able to stop it from doing anything retarded. But when I try to view the .exe, I cannot get into it because it is locked. Never experienced that....
    Have you defragged?

  8. #8
    Join Date
    Jun 2012
    Location
    Howell, Michigan
    Posts
    1,585
    Mentioned
    34 Post(s)
    Quoted
    553 Post(s)


    Locked how? Like obfuscated?

  9. #9
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,164
    Mentioned
    26 Post(s)
    Quoted
    433 Post(s)


    Quote Originally Posted by King
    Locked how? Like obfuscated?
    IDK. I do not plan on opening it, but when I use PE Explorer to open the file, I can't... A pop-up says it is locked....

  10. #10
    Join Date
    Dec 2011
    Location
    U.S.A.
    Posts
    635
    Mentioned
    5 Post(s)
    Quoted
    249 Post(s)


    Quote Originally Posted by StickToTheScript
    IDK. I do not plan on opening it, but when I use PE Explorer to open the file, I can't... A pop-up says it is locked....
    This may be a little late (about a week), but it's not gravedigging. I do know that scripts off the SDN are stored in your AppData, so search your computer in Windows Explorer for it. If that doesn't work, you could always restore the computer or try putting it in safe mode.

  11. #11
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,164
    Mentioned
    26 Post(s)
    Quoted
    433 Post(s)


    Quote Originally Posted by Sawyer
    This may be a little late (about a week), but it's not gravedigging. I do know that scripts off the SDN are stored in your AppData, so search your computer in Windows Explorer for it. If that doesn't work, you could always restore the computer or try putting it in safe mode.
    I have a ton of stuff on it, but I am going to search for it.
