01-01-2008, 07:55 AM   #1
Lord Mog
Recent Account Hackings and How To Keep Your Account Safe (PLEASE READ!)

Due to the extremely recent account hackings of Final Fantasy XI members, I've decided to spread the word and help keep OnRPG (and potentially anyone else) from experiencing this tedium.

According to The Order of the BlueGartr, popular Final Fantasy XI information database sites such as Somepage, FFXIAH, Allakhazam, and many more have been infected with virus-dropping packets that download secretly onto your computer and keylog your Final Fantasy XI account.

DO NOT GET CURIOUS AND LOOK AT THESE WEBSITES!

Instead, please read these step-by-step instructions posted by Airenn on the BlueGartrLS forums:

First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them (LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks <3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)
1) Ad-Aware Free Version
2) Spy-Bot Search&Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition. Get both, they are 2 separate downloads. I have caught so many problems with this that Norton never picked up. <3
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kaspersky Anti-Virus -- Proved to show that it can prevent this Trojan from Auto-Downloading.

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

6) If you find anything with those listed, delete them immediately. Note: you may find something with a really long name when you look for "in3.dll". It's not it, it's actually a plugin3.dll.

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.

Ashokan wrote:
Zosi's right.

It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:

Code:
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys

That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.

7) Restart your computer, re-search to make sure it's all gone. You should be clean.

8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.


For more information please look at the official thread.

And remember: SPREAD THE WORD! The more people who know about this, the safer we all are.

Happy Gaming.

- Lord Mog
__________________
Lord Mogsworth Kupopo ~ The overly polite Moogle from the depths of Great Brittania. (Or whatever you want to call it. ♥)

No longer a slave to General.

Last edited by Lord Mog; 01-01-2008 at 05:47 PM.
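The file and registry checks in steps 3 to 6 can be scripted so that the two false positives the post mentions (plugin3.dll, and the Search Assistant ACMru history) are filtered out automatically. This is an added example, not part of the original post or the BlueGartr instructions; the function names are hypothetical, and registry finds are assumed to be passed in as key path and value strings copied from regedit.

```python
import os
import tempfile

# File names listed in the post (the only indicators used here).
INDICATORS = {"rsbo.exe", "kb1ss1p.dll", "kb1ss1p.sys", "in3.dll"}
# Registry branch the post identifies as Start > Search history, not an infection.
SEARCH_HISTORY = r"software\microsoft\search assistant\acmru"


def find_indicator_files(root):
    """Return sorted paths under root whose whole file name equals an indicator.

    The comparison is exact and case-insensitive, so plugin3.dll does not
    match in3.dll the way a substring search does.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDICATORS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def classify_registry_hit(key_path, value_data):
    """Label one registry find: 'no-match', 'search-history' or 'investigate'."""
    # Compare only the last path component of the value, stripped of quotes.
    leaf = value_data.replace("/", "\\").rsplit("\\", 1)[-1].strip('" ').lower()
    if leaf not in INDICATORS:
        return "no-match"
    if SEARCH_HISTORY in key_path.lower():
        return "search-history"
    return "investigate"


def demo():
    """Scan a constructed directory tree (sample data, not real findings)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.mkdir(sub)
        for name in ("RSBO.EXE", "plugin3.dll", "notepad.exe"):
            open(os.path.join(sub, name), "w").close()
        return [os.path.basename(p) for p in find_indicator_files(root)]


if __name__ == "__main__":
    print(demo())
```
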