Hey man!
I would just like to say thanks for advertising my EE bot. In return I would like to give you the newest version of my bot. Nobody has it yet, and I would like you to test it! You can download it at -snip-
Thanks again!
-Krock
First, I am not advertising his bot, I don't even have the site.
This is the third program made for me to aim at stealing my account.
Last edited by Persona (Jun 28 2012 1:00:50 pm)
Alright, taking a look. Okay, I suggest you take down the post so he doesn't see what I'm up to.
Last edited by ?tilla (Jun 28 2012 12:58:51 pm)
*u stinky*
Offline
Some more tips:
-Krock does not host his bots on a mediafire.
-He hosts them on his site.
-He would tell me directly, not just in a PM.
-Krock's EE username is Krock
-Krock's F EE username is Krock.
-Why would the bot not be given to other people..? Is there like some new feature?
I did not hear about one, which I would expect.
The file in that link is not made in C#, it is made in C++ 7.0.
The entrypoint: 00042B4F, file offset 00041F4F, linker info: 7.10
EP section: .text
first bytes: 6A,60,68,88
subsystem: Win32 GUI
EDIT: scanned it for cryptology, found 1 crypto signature.
CRC32B [poly] :: 00050379 :: 0040F79
Whoever did this isn't as stupid as the rest.
Fake user made in this forum: http://eeforumify.com/profile.php?id=7331
I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3
Last edited by ?tilla (Jun 28 2012 1:09:08 pm)
*u stinky*
Offline
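Added example (not from any poster in this thread): a Python sketch of how an identifier tool derives the fields quoted in the post above (entry point, file offset, linker version, EP section, first bytes, subsystem) from a PE32 header. The sample bytes are constructed to reproduce those values, and the section layout (.text at RVA 0x1000, raw data at file offset 0x400) is an assumption.

```python
import struct

SUBSYSTEMS = {1: "Native", 2: "Win32 GUI", 3: "Win32 console"}

def pe_triage(data: bytes) -> dict:
    """Static header triage of a PE32 file; nothing is executed."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24                                           # optional header
    magic, link_major, link_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    (ep_rva,) = struct.unpack_from("<I", data, opt + 16)        # AddressOfEntryPoint
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    for i in range(n_sections):                                 # 40-byte section headers
        name, _vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        delta = ep_rva - vaddr
        if 0 <= delta < rsize:                                  # EP is backed by file data
            off = rptr + delta                                  # RVA -> file offset
            return {
                "entry_point": ep_rva,
                "file_offset": off,
                "linker": f"{link_major}.{link_minor}",
                "ep_section": name.rstrip(b"\0").decode("ascii", "replace"),
                "first_bytes": ",".join(f"{b:02X}" for b in data[off:off + 4]),
                "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            }
    raise ValueError("entry point is not inside any section's raw data")

def build_sample() -> bytes:
    """Constructed PE32 skeleton, NOT the file from the thread."""
    buf = bytearray(0x42000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)                # i386, one section
    struct.pack_into("<H", buf, 0x94, 0xE0)                     # SizeOfOptionalHeader
    struct.pack_into("<HBB", buf, 0x98, 0x10B, 7, 10)           # PE32, linker 7.10
    struct.pack_into("<I", buf, 0x98 + 16, 0x42B4F)             # entry point RVA
    struct.pack_into("<H", buf, 0x98 + 68, 2)                   # Win32 GUI
    struct.pack_into("<8sIIII", buf, 0x178, b".text", 0x42000, 0x1000, 0x41C00, 0x400)
    buf[0x41F4F:0x41F53] = bytes.fromhex("6a606888")            # bytes at the EP
    return bytes(buf)

if __name__ == "__main__":
    print(pe_triage(build_sample()))
```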
So do we know that this is not safe? Not that I have any intent to use it?
The file in that link is not made in C#, it is made in C++ 7.0.
The entrypoint: 00042B4F, file offset 00041F4F, linker info: 7.10
EP section: .text
first bytes: 6A,60,68,88
subsystem: Win32 GUI
EDIT: scanned it for cryptology, found 1 crypto signature.
CRC32B [poly] :: 00050379 :: 0040F79
Whoever did this isn't as stupid as the rest.
Fake user made in this forum: http://eeforumify.com/profile.php?id=7331
I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3
Give me the file in pm.
Offline
Someone really wants you dead.
*waiting to hear from a player that got scammed..*
It is unsafe, obviously. It was made in C++ and within the DLL references there is no use of the playerioclient.dll included.
@Persona: Have you opened the file?
Last edited by ?tilla (Jun 28 2012 1:21:15 pm)
*u stinky*
Offline
The IP is a proxy and nobody else has used this proxy on these forums before.
"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto
Offline
The IP is a proxy and nobody else has used this proxy on these forums before.
Cyclone should definitely add a page that redirects idiots to a flash file, having the flash file collect their real IP address.
Not too sure about the legality of that.. however..
I'm sure it could be subsided as a testing subject.
alright. It seems like the file is a download tool from what capasha has told me.
We'll see how it goes from there.
Last edited by ?tilla (Jun 28 2012 1:30:02 pm)
*u stinky*
Offline
I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3
The IP is a proxy and nobody else has used this proxy on these forums before.
Actually, it is a TOR exit node. I doubt anyone using TOR for the usual purposes would want anything to do with the EE forums (especially with the slow speeds), so it's not unusual that it's not been used here.
I hate tall signatures.
Offline
Alright, success. The link to the downloader tool was found, so now we have the ability to decompile.
Here's some more facts about the downloader tool:
Write to foreign memory areas: This executable tampers with the execution of another process.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.
The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt
Last edited by ?tilla (Jun 28 2012 1:39:00 pm)
*u stinky*
Offline
You may find more information about said security issues here: http://anubis.iseclab.org/?action=resul … ormat=html
Offline
It is a legitimate and non-harmful bot that it downloads, but however that may be, the downloader tool messes with your registry and seems to be a keylogger as well.
The DNS queries point to a dropbox, already got that file and to
showpath.com.nu 78.46.103.47
So, showpath is either being framed or is a part of this.
*u stinky*
Offline
No, I didn't even download the file.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.
The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt
That Url..!
I can confirm who is doing this now.
(Maker of Helpbot.)
Last edited by Persona (Jun 28 2012 2:02:51 pm)
Alright, success. The link to the downloader tool was found, so now we have the ability to decompile.
Here's some more facts about the downloader tool:
Write to foreign memory areas: This executable tampers with the execution of another process.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.
The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt
That is the version for EE. That krock is downloading. I have the same for one of my bots.
Offline
I know, I realize that. Just digging up information.
*u stinky*
Offline
Wow, I've been ghosting the forums, watching all this bot virus stuff play out. And yeah, someone hates Persona's "non violent bot support movement". I'm hoping it gets figured out. Good luck digging up information...
Edit: starting to believe that bots are bad, maybe Persona should stop playing with all these bots...
Last edited by planecool (Jun 28 2012 2:23:23 pm)
Offline
Back when the project started, a user by the name of dav(numbers) gave a bot to SmileyGod. When I saw his level, the bot was named EX Shift Bot. SmileyGod did not have the faintest idea what it did. So when I asked for him to send it to me, what-the-hell, I could probably fix the crashing, it was dubbed "HelpBot". Without any precautions, I tried it, and it crashed, numerous times. About a week had passed, and I was watching a couple of videos. When I was done watching one, I switched to a new one, and a firefox 64x popup said it liked the old one better. Curious, I opened up Task Manager, and another popup came up saying "You won't find me in task manager -.-". After I tried rebooting my computer, and when it started, another popup came up: "We can talk about this in your tinychat". I "faked" as my dad telling him an investigation would begin (okay, I was desperate). His username in the tc was "Undefined". It did scare the hacker. A few days passed, and I noticed I could not log into EE. Tried email, 2 of my emails were hacked.
So, after a long day of stress, using google's investigation tool, I was able to get my account back. In one of them, I kept getting logged out, so I just deleted the email. The only thing on it was a few sites, and I had them switched before I deleted the email anyways. I noticed a few of my other accounts were hacked, after a long day in the Cold Storm, I did learn (or he was trolling) that ThuggishPrune did do all of it. He even admitted it himself. (Call me gullible if you want) A user named dav(numbers) said the real hacker is in your tinychat.
I noticed my tinychat was indeed hacked, and after a few seconds with the hacker, ThuggishPrune (An OP of my tinychat??) banned me.
After me rebooting my computer, and backing up my D drive onto a separate drive, all while my ethernet was unplugged, I reentered the tinychat, and there undefined was.
After telling me helpbot was what he used, and assuming that is how he spied on me, and got what I was doing, I knew who he was. He was distributing it, and smileygod even confirmed it.
It was dav(numbers).
I told him I knew who he was, and he told me that was not him, he used a shared account (Cherry) to distribute it. First, I have to ask how did he know the hacker was in the tinychat. Big coincidence.
After a day, I get a noreply email from the everybody edits team stating about an account verifier. I did open the program, but I did not use it.
You, the community, helped me out immensely. I learned a lot about safety just in that one topic. I thank you for that. Anyways, it pointed to the same url.
Then today, Krok bot.
If anyone knows someone with dav(and about 4 numbers), he did this.
Someone really wants you dead.
Sadly that's true. Once we figure out who did this, can we ban him? Also, can Chris IP ban people...
Last edited by planecool (Jun 28 2012 2:30:54 pm)
Offline
Alright. Well, I do know that Dav112 (you are referencing to him, Persona) is a friend of Showpath.
And I'm assuming that thuggishprune has gotten into the scene, so thus all-in-all the people who are included in this
scenario are:
Showpath
Dav112
ThuggishPrune
If activity like that was happening on your computer then the downloader tool was packed with a virus.
The downloader tool does have weird activity following it, so that explains it all.
However, you said that the downloader tool was after all of that had happened, and the files that I looked at the source (helperbot etc) doesn't include RAT components,
so there must be a different tool that you have run that has done this.
Last edited by ?tilla (Jun 28 2012 2:34:15 pm)
*u stinky*
Offline
Lol, that's a scary virus!
But what can really be done about this? Is your computer de-virused? Who is still attacking you?
BF2012 sure caused a bit of.... this.
I'm glad I don't do bots.
Last edited by Fdoou (Jun 28 2012 2:36:54 pm)
I don't get it??? Maybe it's cause I hate reading
Well, it's simple: someone sent Persona a bot with a virus. If she/he had downloaded it, bam, she downloads a different virus too. The mods and big guns are trying to figure out who did it, and last but not least, I want an avatar like Persona's... Does that explain it? I think I said it all right...
Offline