Comments on: I FOUND THE BOT!

By: Yom

Yom — Tue, 14 Jul 2009 13:12:13 +0000

I gave up on trying to detect the so called bot on my PC (no bot found after numerous scans with numerous AV-apps) and uninstalled this nice piece of BETA-rubbish. By TrendMicro, have anice life.

PS: the popups occur on Vista only; on my XP it seems to be ok

By: Facebook User

Facebook User — Tue, 09 Dec 2008 15:07:01 +0000

@Buck, Thanks for adding your comments Buck! The more information we get, the more we are able to hunt this thing down!

By: Buck

Buck — Mon, 08 Dec 2008 19:18:54 +0000

Just thought I’d chime in here since it seems no one else is doing the level of analysis on this that you are. I’m a non-technical user and have been seeing these same ‘your pc is being remote controlled’-type pop-ups from RUBotted. When checking the RUBotted logs, and status – nothing. It happens when I’m on sites that have a lot of ads and/or flash video. I’ve been ignoring them because the logs say nothing is there and nothing has popped up in Avast AV. I have repeatedly clicked the “run housecall now” button but Housecall won’t run on my machine for some reason (in IE or FF3). Don’t know what else to do about this. Hoping you come up with a solution since TrendMicro seems to be ignoring it under the “it’s a beta” banner.

By: Facebook User

Facebook User — Mon, 24 Nov 2008 15:04:48 +0000

@JorgenG, We can’t fix a problem we don’t understand. We need to find out what is creating the pop-up. What action on the websites or ads are creating this? And why is it slowing down now? Someone knows something and isn’t talking. But I’m working on it! Still.

By: The RUBotted Saga Continues | Technical Tidbits

The RUBotted Saga Continues | Technical Tidbits — Mon, 24 Nov 2008 14:57:32 +0000

[...] Most Read PostsWhat Ad Server is Dishing Up Malware and Bots? (144)I FOUND THE BOT! (87)Friday’s Quickies (59)RUBotted Notices are Slowing Down (48)Why is Microsoft REALLY Investing [...]

By: JorgenG

JorgenG — Mon, 24 Nov 2008 14:17:19 +0000

I ran Wireshark as well and it came up with some more sinister news: seems that the bot establishes a KVM connection to the 150.70.89.33 address. The next action is coming from a bnet game port – but that could be a coincidense?

Anyway, I (kind of) panic´d and installed a permanent route (using “route add -p”) so that the communication from the bot just hits dev NULL or rather a non-existing host on my network. Should take care of the imminent threat.

BUT, it doesn´t remove the little bugger. Has anyone any ideas or have seen a fix – however crude?

By: Ddraig

Ddraig — Sun, 23 Nov 2008 17:05:10 +0000

I’m not exactly sure but if you close RUBotted then the IP that you have disappears from your netstat. I believe it is nothing more than RUBotted connection back to the servers, which is why it is SSL Encrypted. I don’t think that is the “virus” website or whatever Trend is claiming it to be.

This only seems to pop up when I load up Firefox though… I don’t really notice it popping up when I open IE.

By: andy penn

andy penn — Sun, 23 Nov 2008 10:26:05 +0000

Thanks for posting these details. There’s no support from TrendMicro for RUbotted, so I’ve not been able to find out why RUbotted gives out these alerts yet when you do a check for bots it says all clear. TrendMicro have got some explaining to do – has anyone tried to contact them about this?

By: Xonnel

Xonnel — Sun, 23 Nov 2008 07:21:38 +0000

So…me too. Same issue, same tail chasing. I have spent the last couple of days trying to figure this out too. Thanks for sharing what you found. I noticed that the database for my RUBotted was updated a couple days ago. Wondering if that has something to do with the timing of all the actvity.

If you park your browswer on a page with no ads…no bots messages. Must be some change they made recently.

Thanks again. You made me feel a little less crazy.

By: Facebook User

Facebook User — Sat, 22 Nov 2008 23:21:05 +0000

@Ray, I should have checked that box before this. I wasted a lot of time researching what I didn’t need to research! Sigh. Oh well, now the answer remains, why? What is going with this??