First things first:
Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.
2) No forums? LS Message, broadcast on FFXI, send them (LS), friends, people you know to BG to read it. (Publicizing BG and preventing hacks <3)
3) Run Anti-Spyware.
4) As for your PW method? You're on your own.
Programs you should be getting: (A BG rep can check these links, there is no maliciousness hidden within.)
1) Ad-Aware Free Version
2) Spy-Bot Search & Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition. Get both, they are 2 separate downloads. I have caught so many problems with this that Norton never picked up.
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kaspersky Anti-Virus -- Proved to show that it can prevent this Trojan from Auto-Downloading.
Step-by-Step Walkthrough:
1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe
Repeat said steps for ALL these files:
rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll
4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.
5) Search the Registry by doing this:
Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe
Repeat said steps for ALL these files:
rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll
6) If you find anything with those names listed, delete it immediately. Note: you may find something with a really long name when you look for "in3.dll". That's not it; it's actually a plugin3.dll.
Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.
Ashokan wrote:
Zosi's right.
It is okay if what you found is in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/ACMru/5603, probably looks something like:
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
(Default) REG_SZ Value not set
000 REG_SZ in3.dll
001 REG_SZ rsbo.exe
002 REG_SZ kb1ss1p.dll
003 REG_SZ kb1ss1p.sys
That's just the stuff you searched for in start button -> search. You can test it. Type in something completely random, refresh that regedit 5603 folder and it will be there.
7) Restart your computer, then search again to make sure it's all gone. You should be clean.
8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.
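Steps 3 to 6 above as a script. This is an added example, not part of the original post, and it assumes Windows PowerShell 3.0 or later run from an elevated prompt; the variable names are made up for the example. It searches the fixed drives and the HKLM/HKCU hives for the four file names the post lists, matches whole names only so plugin3.dll is not reported, and labels hits under the Search Assistant ACMru key as search history.

```powershell
# Added example, not from the original post. The four names are the ones the post lists.
$names = 'rsbo.exe', 'kb1ss1p.dll', 'kb1ss1p.sys', 'in3.dll'

# One regex that matches a listed name only as a whole file name,
# so "plugin3.dll" is not reported as a hit for "in3.dll".
$alternatives = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = "(?<![A-Za-z0-9_])($alternatives)(?![A-Za-z0-9_])"

# Steps 3-4: search every fixed drive, hidden and system files included (-Force).
$fileHits = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object {
        Get-ChildItem -Path $_.RootDirectory.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $names -contains $_.Name }
    } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'File'; Location = $_.FullName; Note = 'review and remove' }
    }

# Steps 5-6: walk HKLM and HKCU, testing key paths, value names and value data.
$regHits = Get-ChildItem -Path 'HKLM:\', 'HKCU:\' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        $entries = @($key.Name)
        try {
            $entries += @($key.GetValueNames() | ForEach-Object { "$_ = $($key.GetValue($_))" })
        } catch { }   # unreadable key: keep only its path

        # The ACMru key only records what was typed into Start > Search.
        $isSearchHistory = $key.Name -like '*\Search Assistant\ACMru\*'
        foreach ($entry in $entries) {
            if ($entry -match $pattern) {
                [pscustomobject]@{
                    Kind     = 'Registry'
                    Location = $key.Name
                    Note     = $(if ($isSearchHistory) { 'search history only' } else { "review: $entry" })
                }
            }
        }
    }

# Report only; nothing is deleted by this script.
@($fileHits) + @($regHits) | Format-Table -AutoSize -Wrap
```

A full registry walk is slow, so expect this to run for several minutes; rerun it after the restart in step 7 to confirm nothing comes back.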