PDA

View Full Version : Hacked Accounts RMT - Check your computers! IMPORTANT



eternalshiva
12-26-2007, 08:16 PM
RMT are resorting to hacking random accounts through real-player weakness in code and also through trojans auto-downloading on your computers by visiting Gil-buying sites or even popular reference sites, llike Somepage.com.

I thought I would share this, since it affects mostly PC users:

Order of the Blue Gartr • View topic - FFXI: JavaScript exploit on the loose(Repairs inside) (http://www.bluegartrls.com/forum/viewtopic.php?f=2&t=27256)


This was posted in the other hacked players thread, but a separate thread needs to be made so it can be brought to the attention of the masses.

Do not visit somepage.com, or you risk being infected.

http://euphidime.com/img/iframe.png

A malicious iframe (inline frame) has been placed on the front page of somepage.com. It is not known whether it was placed there by the administrators, or an unknown third party that gained access to the website. The iframe loads a page containing a harmful JavaScript exploit that attempts to install a Trojan on the victim's computer. It is unknown what vulnerability the page exploits, but current speculation points here. It is strongly advised that you do not go to somepage.com until the issues is resolved. If you believe you have been infected, removal instructions are on the front page of the other thread.

They say it's fixed but I went on Somepage earlier yesterday and got flooded with AVG Virus warnings. stuff was trying to download on my computer so don't go there until it's really fixed ;o

How to check for the specific malware / programs:
Order of the Blue Gartr • View topic - Recent Hackings and Steps to Ensure Account Safety. (http://bluegartrls.com/forum/viewtopic.php?f=2&t=27226)


First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them(LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks<3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)

1) Ad-Aware Free Version (http://www.lavasoftusa.com/products/ad_aware_free.php)
2) Spy-Bot Search&amp;Destroy (http://www.safer-networking.org/en/download/index.html)
3) AVG Free Spyware Edition AND AVG Free Virus Edition (http://free.grisoft.com/)
3) AVG Free Spyware Edition AND AVG Free Virus Edition (http://free.grisoft.com/) Get both, they are 2 seperate downloads. I have caught so many problems with this that Norton never picked up.
4) Firefox (http://www.mozilla.com/en-US/firefox/)
5) ProcessGuard (http://www.diamondcs.com.au/processguard/download.php)
6) CCleaner (http://www.ccleaner.com/download)
7) Kapersky Anti-Virus -- Proved to show that it can prevent this Trojan from Auto-Downloading. (http://usa.kaspersky.com/downloads/)

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:

Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

6) If you find anything with those listed delete them immediately. Note: you may find something with a really long name when you look for "in3.dll" it's not it, it's actually a plugin3.dll :p

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.


Ashokan wrote:
Zosi's right.

It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:



[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys

That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.

7) Restart your computer, research to make sure it's all gone. You should be clean.

8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.

Keep your hardwork safe! I don;t want to see 4 years go to a RMT :P

Markus. D
12-29-2007, 03:43 AM
Psssh, They will fall soon, nothing but a past hazzard.

eternalshiva
01-01-2008, 04:20 PM
going on 2500 accounts hacked this past 2 months through these methods since the release of WoTG, SE is staying quiet on the subject and isn't being very helpful. I'm just trying to protect our hard work by posting this ;/

Markus. D
01-01-2008, 06:35 PM
Oh gosh! wow! that bad X_X!

that's almost a whole small server's worth!


I at least hope SE is doing more than keeping quiet... Maliscious hacking can only get worse if nothing revolutionary is done.