FallenTogether

A linkshell on Caitsith

To make sure you don't have the virus
Seali
Number of posts : 536
Age : 38
Registration date : 2008-01-24

Post subject: To make sure you don't have the virus (Fri Jan 25, 2008 4:48 pm)

Aight guys, listen up. I am going to do my best to walk everyone through how to protect your computer and get this spyware/keyloggers off before any more people get hacked.

If I can think of any more to add, I'll mention the update here.
12/11/07 Posted, and I hope it helps.
-Added some programs, and recommendations on password security/saving. Thanks guys!
-Changed title, cause I want to make sure people know this is specifically for the hackings.
12/12/07
-Topic title changed cause of the QQ'ers. (<3 lol Thanks.)
-Added info on Registry Findings on the Search Strings.


First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them (LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks <3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)
1) Ad-Aware Free Version
2) Spy-Bot Search&Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition. Get both, they are 2 separate downloads. I have caught so many problems with this that Norton never picked up. <3
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kaspersky Anti-Virus -- Proved to show that it can prevent this Trojan from auto-downloading.

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

6) If you find anything with those listed, delete it immediately. Note: you may find something with a really long name when you look for "in3.dll"; it's not it, it's actually plugin3.dll :p

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.
Ashokan wrote:
Zosi's right.

It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:

Code:
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys

That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.



7) Restart your computer, re-search to make sure it's all gone. You should be clean.

8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.


____________________________________________

Back story that I posted to my LS website a day or so ago:

As of 12/11/07 (updated this part)

No one really knows how or why the recent hackings (listed on Blue Gartr) have been happening, but everyone is helping out and trying to narrow it down.

We think we've got it narrowed down to a keylogger coming from IE. Doing a search on specific files has led me to google it, and this is what I came up with:

Here's the details from a WoW player who was hacked:

Quote:
A couple of days ago my account was hacked by a keylogger. Normally I'm a very secure person but I found out the issue and where it occurred. I have a few computer systems and one of my systems was using Trend Micro and it failed to notice the keylogger trojan injection. Here is the following information folks should be concerned about regarding this:

Trojan Type:

Agent.GDA type

Files:

C:\Windows\System32\rsbo.exe
C:\Windows\System32\kb1ss1p.dll
C:\Windows\System32\kb1ss1p.sys

Registry Key:
{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}

The file rsbo.exe automatically creates the .sys and .dll files each time you login. They are stored in the windows\system32 directory. They inject themselves into the windows processes and remain hidden from "most" antivirus protection. Norton, McAfee, and Trend Micro did not find this trojan. The only software that found it was AVG Pro.

The method of injection occurred through Internet Explorer, even though I had all windows updates on that particular machine.

Again, this was not my main system but a secondary system that was affected. My main character Drabin (level 70 mage) was stripped of all gold, many items, and the incident reported. I'm waiting for (hopefully) reimbursement to come.

I am posting this as a helpful post so that others do not have this occur to them. Originally I had thought I retrieved the keylogger from WAU (Wow Ace Updater) but was sorely mistaken. Even though it is a third party software, the method of injection was not from this app.

Now, I'd like you all to PLEASE PLEASE follow this:

Quote:
Recommendations for other players so they don't get a keylogger:

Don't use Internet Explorer (use Mozilla Firefox as it is a much safer and secure browser)
Use a solid Anti-virus package (do not use multiple)
Implement a Firewall
Use Hijackthis to check issues on your system
Use Spywareblaster to block and protect your browsers from known spyware/malware
Use Rootkit Unhooker (to find rootkit injections in your processes)
Use RegistryBooster or similar (to clean your registry of unwanted or susceptible rootkit hacks)


Lastly, I'd like ALL PC users, especially those who use IE, to do the following:

Do a search on your computer for those three files. Run Virus Checks, Any AntiSpyware you have/can find, and POST the results here IF you have any of the above.

To check your registry do this:

Start > Run > Regedit > go to top of list and click mycomputer > Edit > find > in3.dll/kb1ss1p.dll/rsbo.exe > find

Any and all information can help, also, post which FF/Gaming sites you go to such as Atlas, FFAH, FF LS Community, even Generic ones, AND which browser you are using.

Thanks guys, and I bring this to your attention because I would really hate to see any of your accounts getting hacked.

Also, if you don't take this seriously, that's fine, your choice, but be warned: if your account gets hacked SE is doing NOTHING about it, and are telling people they have to take it to their local law enforcement and get a subpoena before they (SE) can do anything at all to help you.

<3 you guys. GL.


THIS IS A DIRECT COPY PASTE FROM:

http://bluegartrls.com/forum/viewtopic.php?f=2&t=27226


Last edited by on Wed Jan 30, 2008 7:28 am; edited 1 time in total
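As an added example (not part of the original post or the linked BG thread), here is a PowerShell script that automates steps 3 to 6 above on a modern Windows box: it looks for the four named files under System32 and scans HKLM and HKCU for value names, data or key names that reference them, skipping the Search Assistant ACMru history key that Ashokan's quote explains is benign, and matching whole file names so plugin3.dll is not reported for in3.dll. The indicator names and the System32 location are taken from the thread; the script itself is my own construction, not a tool the post recommends.

```powershell
# Added example (not from the original post): automate the file and registry
# checks from steps 3 to 6. Indicator names are the ones listed in the thread.
$indicators = @('rsbo.exe', 'kb1ss1p.dll', 'kb1ss1p.sys', 'in3.dll')

# Whole-name match: the name must be at the start or preceded by a backslash,
# slash, quote or whitespace, so "plugin3.dll" is not a hit for "in3.dll".
$patterns = $indicators | ForEach-Object {
    '(^|[\\/"\s])' + [regex]::Escape($_) + '($|[\s"])'
}

# 1. File check: the quoted WoW report places the files in %WINDIR%\System32.
$sys32 = Join-Path $env:WINDIR 'System32'
foreach ($name in $indicators) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        Write-Output "FILE PRESENT: $path"
    }
}

# 2. Registry check, equivalent to Edit > Find in regedit, but skipping the
# Search Assistant history key, which only records what you typed into
# Start > Search (the benign hit discussed above).
$acmru = 'HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru'
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            if ($key.Name.StartsWith($acmru, [System.StringComparison]::OrdinalIgnoreCase)) { return }
            # A subkey named after one of the files is itself suspicious.
            if ($patterns | Where-Object { $key.PSChildName -match $_ }) {
                Write-Output "REGISTRY KEY: $($key.Name)"
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                foreach ($pattern in $patterns) {
                    if ($valueName -match $pattern -or $data -match $pattern) {
                        Write-Output "REGISTRY HIT: $($key.Name) [$valueName] = $data"
                        break
                    }
                }
            }
        }
}
```

Run it from an elevated PowerShell prompt so the HKLM subtree is readable; a full HKLM walk can take several minutes.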
RetroRobot
Number of posts : 279
Age : 38
Location : STUPENDOUS SPACE
Registration date : 2008-01-24

Post subject: Re: To make sure you don't have the virus (Fri Jan 25, 2008 8:40 pm)

I've done about three scans, and have always used Firefox. So far, nothing has thankfully come up.

Until the heat goes down, I'm straying away from using any of the informal sites.

Has it hit ffxiah?
Seali
Number of posts : 536
Age : 38
Registration date : 2008-01-24

Post subject: Re: To make sure you don't have the virus (Mon Jan 28, 2008 12:03 am)

In addition to the programs listed above, you should also look into installing the following add-ons to your Firefox.

http://noscript.net/getit

http://adblockplus.org/en/

Also take the following steps in your Firefox:

2.0 Firefox Internet Options

Tools -> Options -> Security. Check the box for “Warn me when sites try to install add-ons.”

Tools -> Options -> Content. Check the box for “Block pop-up windows.” This should help prevent additional ads in the form of pop ups.

You could also do the following to keep your password secure:

Available with Windows is a soft keyboard, also known as an On-Screen Keyboard: Programs -> Accessories -> Accessibility -> On-Screen Keyboard. Simply open it when you're logging into POL and click your password in instead of typing. This will prevent your password from being picked up by a keylogger in case you get one.