Lord Mog

Due to the extremely recent account hackings of Final Fantasy XI members, I've decided to spread the word and help keep OnRPG (and potentially anyone else) from experiencing this tedium.

According to The Order of the BlueGartr, popular Final Fantasy XI information database sites such as Somepage, FFXIAH, Allakhazam, and many more have been infected with virus dropping packets that download secretly onto your computer and keylog your Final Fantasy XI account.

DO NOT GET CURIOUS AND LOOK AT THESE WEBSITES!

Instead, please read these step-by-step instructions posted by Airenn on the BluGartrLS forums:

First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them(LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks<3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)
1) Ad-Aware Free Version
2) Spy-Bot Search&Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition Get both, they are 2 seperate downloads. I have caught so many problems with this that Norton never picked up. <3
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kapersky Anti-Virus -- Proved to show that it can prevent this Trojan from Auto-Downloading.

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

6) If you find anything with those listed delete them immediately. Note: you may find something with a really long name when you look for "in3.dll" it's not it, it's actually a plugin3.dll

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.
Ashokan wrote:
Zosi's right.

It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:

Code:
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys

That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.

7) Restart your computer, research to make sure it's all gone. You should be clean.

8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.

For more information please look at the official thread.

And remember: SPREAD THE WORD! The more people who know about this, the safer we all are.

Happy Gaming.

- Lord Mog

__________________

Seiyuuki

Cheers for that, I was on Alakazam (or wehatever its called), since reading some of the topics I've been very careful about what I click on an making sure I let my antivirus finish its scans now >.<

Looked and I'm clean so far as I know, though I did have susspicions when I tried to log on and it said I had no content ID when it was in the middle of my free month :S

Besides, theres nothing of value on my character at this lvl, so I'd imagine it would just be a waste of their time.

__________________

Liberty Spikes

Thanks Lord Mog, can be really useful for some of us, and I think it helps for World of Warcraft players also (Allakhazam).

Lord Mog

Oh, indeed. I was searching on Somepage and FFXIAH for two hours before I knew they were both infected, and I freaked out because of it.

Indeed. If you look closely at the BlueGartr post, you'll find also that some WoW players have been hacked like this as well.

__________________

lothia

NOOO I USE THOSE WEBSITES EVERYDAY. I will do a virus scan right now, im scared, I really am. (not joking)

__________________

Cingal

So, it's a key logger?

My sign in is automatic, I don't type anything been that way for a year, so, is it worth checking or "Better to be safe than sorry"?

__________________

Lord Mog

I also have an automatic sign in, but it's defiantly better safe than sorry. Two years of playing FFXI + losing an account = absolute fail.

I've also read that this "keylogger" also decrypts your saved account info, as well.

__________________

Darksin

I never go to these sites xD So i'm probably safe

__________________