A linkshell on Caitsith
HomePortalGalleryFAQSearchRegisterLog in

Share | 

 To make sure you don't have the virus

Go down 


Number of posts : 536
Age : 33
Registration date : 2008-01-24

PostSubject: To make sure you don't have the virus   Fri Jan 25, 2008 4:48 pm

Aight guys, listen up. I am going to do my best to walk everyone through how to protect your computer and get this spyware/keyloggers off before anymore people get hacked.

If I can think to add anymore, I'll mention the update here.
12/11/07 Posted, and I hope it helps.
-Added some programs, and recommendations on password security/saving. Thanks guys!
-Changed title, cause I want to make sure people know this is specifically for the hackings.
-Topic title changed cause of the QQ'ers. (<3 lol Thanks. Smile
-Added info on Registry Findings on the Search Strings.

First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them(LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks<3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)
1) Ad-Aware Free Version
2) Spy-Bot Search&Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition Get both, they are 2 seperate downloads. I have caught so many problems with this that Norton never picked up. <3
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kapersky Anti-Virus -- Proved to show that it can prevent this Trojan from Auto-Downloading.

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:


4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:


6) If you find anything with those listed delete them immediately. Note: you may find something with a really long name when you look for "in3.dll" it's not it, it's actually a plugin3.dll :p

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.
Ashokan wrote:
Zosi's right.

It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys

That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.

7) Restart your computer, research to make sure it's all gone. You should be clean.

Cool If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.


Back story that I posted to my LS website a day or so ago:

As of 12/11/07 (updated this part)

No one really knows how or why the recent hackings (listed on Blue Gartr) have been happening, but everyone is helping out and trying to narrow it down.

We think we've got it narrowed down to a keylogger coming from IE. Doing a search on specific files has lead me to google it and this is what I came up with:

Here's the details from a WoW player who was hacked:

A couple of days ago my account was hacked by a keylogger. Normally I'm a very secure person but I found out the issue and where it occurred. I have a few computer systems and one of my systems was using Trend Micro and it failed to notice the keylogger trojan injection. Here is the following information folks should be concerned about regarding this:

Trojan Type:

Agent.GDA type



Registry Key:

The file rsbo.exe automatically creates the .sys and .dll files each time you login. They are stored in the windows\system32 directory. They inject themselves into the windows processes and remain hidden from "most" antivirus protection. Norton, McAfee, and Trend Micro did not find this trojan. The only software that found it was AVG Pro.

The method of injection occurred through Internet Explorer, even though I had all windows updates on that particular machine.

Again, this was not my main system but a secondary system that was affected. My main character Drabin (level 70 mage) was stripped of all gold, many items, and the incident reported. I'm waiting for (hopefully) reimbursement to come.

I am posting this as a helpful post so that others do not have this occur to them. Originally I had thought I retrieved the keylogger from WAU (Wow Ace Updater) but was sorely mistaken. Even though it is a third party software, the method of injection was not from this app.

Now, I'd like you all to PLEASE PLEASE follow this:

Recommendations for other players so they don't get a keylogger:

# Don't use Internet Explorer (use Mozilla Firefox as it is a much safer and secure browser)
Use a solid Anti-virus package (do not use multiple)
Implement a Firewall
Use Hijackthis to check issues on your system
Use Spywareblaster to block and protect your browsers from known spyware/malware
Use Rootkit Unhooker (to find rootkit injections in your processes)
Use RegistryBooster or similar (to clean your registry of unwanted or susceptible rootkit hacks)[/QUOTE]

Lastly, I'd like ALL PC users, especially those who use IE to do the following:

Do a search on your computer for those three files. Run Virus Checks, Any AntiSpyware you have/can find, and POST the results here IF you have any of the above.

To check your registry do this:

Start > Run > Regedit > go to top of list and click mycomputer > Edit > find > in3.dll/kb1ss1p.dll/rsbo.exe > find

Any and all information can help, also, post which FF/Gaming sites you go to such as Atlas, FFAH, FF LS Community, even Generic ones, AND which browser you are using.

Thanks guys, and I bring this to your attention because I would really hate to see any of your accounts getting hacked.

Also, if you don't take this seriously, that's fine, your choice, but be warned, if your account gets hacked SE is doing NOTHING about it, and are telling the people they have to take it to their local law enforcements and to get a subpoena before they(SE) can do anything at all to help you.

<3 you guys. GL.



Last edited by on Wed Jan 30, 2008 7:28 am; edited 1 time in total
Back to top Go down
View user profile http://sealie.sosblog.com/The-first-blog-b1.htm


Number of posts : 279
Age : 32
Registration date : 2008-01-24

PostSubject: Re: To make sure you don't have the virus   Fri Jan 25, 2008 8:40 pm

I've done about three scans, and have always used firefox. So far, nothing has thankfully come up.

Until the heat goes down, I'm straying away from using any of the informal sites.

Has it hit ffxiah?
Back to top Go down
View user profile


Number of posts : 536
Age : 33
Registration date : 2008-01-24

PostSubject: Re: To make sure you don't have the virus   Mon Jan 28, 2008 12:03 am

In addition to the programs listed above, you should also look into installing the following programs to your firefox.



Also take the following steps in your firefox

2.0 Firefox Internet Options

Tools -> Options -> Security. Check the box for “Warn me when sites try to install add-ons.”

Tools -> Options -> Content. Check the box for “Block pop-up windows.” This should help prevent additional ads in the form of pop ups.

You could also do the following to keep your password secure:

Avaliable with Windows is a soft keyboard, also known as a On-Screen Keyboard. Programs -> Accessories -> Acessibility -> On-Screen Keyboard. Simply open it when you’re logging into POL and click your password in instead of typing. This will prevent your password from being picked up by a key logger in chance that you get one.
Back to top Go down
View user profile http://sealie.sosblog.com/The-first-blog-b1.htm
Sponsored content

PostSubject: Re: To make sure you don't have the virus   

Back to top Go down
To make sure you don't have the virus
Back to top 
Page 1 of 1
 Similar topics
» How to make yourself look like a smurf.
» How do you make a mmv ?
» How do you make your fantage character, your avatar?
» Make money with Swagbucks and Bing and others?
» How to Make a Simple Blend in Photoshop (any version): Lasso Feather Blend Technique

Permissions in this forum:You cannot reply to topics in this forum
FallenTogether :: General :: General Chat-
Jump to: