
Compiled Info for PC Security and Removing Trojans

#1 Dec 12 2007 at 8:38 AM Rating: Decent
This is reposted from the BG thread here.

Threads of interest:
Website infected with trojan
Prevent Yourself From Being Hacked Part I
Prevent Yourself From Being Hacked Part II
Protect Your PC - A Guide
General Tips To Avoid Account Theft

Thanks very much to Airenn for this information.

Quote:
Aight guys, listen up. I am going to do my best to walk everyone through how to protect your computer and get this spyware/keyloggers off before any more people get hacked.

If I think of anything more to add, I'll mention the update here.
12/11/07 Posted, and I hope it helps.
-Added some programs, and recommendations on password security/saving. Thanks guys!
-Changed title, because I want to make sure people know this is specifically for the hackings.

First things first:

Actions that need to be taken immediately:
1) Take this post to your LS Forums. Post it.

2) No forums? LS Message, broadcast on FFXI, send them (LS), friends, people you know, to BG to read it. (Publicizing BG and preventing hacks <3)

3) Run Anti-Spyware.

4) As for your PW method? You're on your own.

Programs you should be getting:
1) Ad-Aware Free Version
2) Spy-Bot Search&Destroy
3) AVG Free Spyware Edition AND AVG Free Virus Edition. Get both, they are two separate downloads. I have caught so many problems with this that Norton never picked up. <3
4) Firefox
5) ProcessGuard
6) CCleaner
7) Kaspersky Anti-Virus -- Proven to prevent this Trojan from auto-downloading.

Step-by-Step Walkthrough:

1) Get those programs and open them. Update them first, once they are installed.
2) Run them, fix any problems, delete any bad files, etc, etc.
3) Once all that is done, do this:
Start Menu > Search > All Files and Folders > Click Advanced Options > Search System Folders, Hidden Folders, Search Subfolders > Type in the Search Field: rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

4) If you find the files, delete them asap. If you cannot delete them, post here, we'll try to figure out how to do it.

5) Search the Registry by doing this:

Start Menu > Run > type in "regedit" and click OK > Highlight My Computer in the newly opened Regedit box > Click on Edit > Click on Find > type in rsbo.exe

Repeat said steps for ALL these files:

rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
in3.dll

6) If you find anything with those listed, delete them immediately. Note: you may find something with a really long name when you look for "in3.dll"; it's not it, it's actually plugin3.dll :p

Secondary note: You will find strings related to your previous Start Menu > Search functions. It is just indicating that you recently did a search on this. Just to clear that up, I know it scared a lot of people.

7) Restart your computer, research to make sure it's all gone. You should be clean.

8) If you are all clean, now is the time to change your password in case RMT have gotten it. Do so. If you want 100% extra security, call SE, have them change it.


Edited, Dec 12th 2007 11:40am by ImperialNinja

Edited, Dec 12th 2007 11:43am by ImperialNinja

Edited, Dec 12th 2007 6:39pm by ImperialNinja

Edited, Dec 12th 2007 6:40pm by ImperialNinja

Edited, Dec 29th 2007 8:46pm by ImperialNinja

Edited, Apr 10th 2008 10:12pm by Exodus
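The search steps in the post above (Start Menu > Search for the four file names, then regedit > Edit > Find for the same strings), as an added example that is not part of the original post or of Airenn's write-up: a Python script that does both searches offline with whole-name matching, so "in3.dll" does not flag "plugin3.dll" (the false positive the post warns about), and that decodes hex-encoded registry values that regedit's plain Find cannot search. It assumes the registry was exported with regedit > File > Export to a .reg file and that the Search Assistant\ACMru key is where XP keeps the strings typed into Start Menu > Search (the "recent search" hits the post mentions); that key name is an assumption, and the sample .reg text, key paths and file names it runs against are constructed here. It reports and never deletes: a hit that cannot be deleted ("access denied") is usually a file loaded by a running process, which is why the thread's advice to work from safe mode applies.

```python
"""Offline IOC hunt for the file names named in the thread (added example).

Replaces the manual Start Menu > Search and regedit > Find steps with
whole-name matching (in3.dll must not match plugin3.dll) and with decoding
of hex-encoded REG_EXPAND_SZ / REG_MULTI_SZ / REG_BINARY values.  Nothing is
deleted; every hit is for review.  Assumed: the registry was exported with
regedit > File > Export; Search Assistant\\ACMru is XP's search-history key.
"""
import os
import re
import tempfile

IOC_NAMES = ("rsbo.exe", "kb1ss1p.dll", "kb1ss1p.sys", "in3.dll")

# Whole-token match: no file-name character directly before or after the IOC,
# so "plugin3.dll" does not match "in3.dll".  Case-insensitive, as NTFS is.
_IOC_RE = re.compile(
    r"(?<![A-Za-z0-9_.\-])(?:" + "|".join(map(re.escape, IOC_NAMES)) + r")(?![A-Za-z0-9_.\-])",
    re.IGNORECASE,
)
_HEX_RE = re.compile(r"^hex(?:\([0-9a-f]+\))?:", re.IGNORECASE)
BENIGN_KEY_HINTS = ("\\search assistant\\acmru",)  # assumed XP search-history key


def find_ioc_files(root):
    """Walk *root*; return paths whose file name exactly equals an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in IOC_NAMES]
    return sorted(hits)


def _searchable(data):
    """Return the string forms of one .reg value's data worth searching."""
    m = _HEX_RE.match(data)
    if not m:
        return [data]                       # "quoted string" or dword:xxxxxxxx
    raw = bytes.fromhex(data[m.end():].replace(",", ""))
    # regedit exports REG_EXPAND_SZ/REG_MULTI_SZ as UTF-16LE bytes; also try latin-1
    return [raw.decode("utf-16-le", errors="ignore"), raw.decode("latin-1")]


def _is_benign(key):
    return any(h in key.lower() for h in BENIGN_KEY_HINTS)


def scan_reg_export(text):
    """Return (key, value_name, benign) for every key or value naming an IOC."""
    hits, key, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):             # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if _IOC_RE.search(key):
                hits.append((key, None, _is_benign(key)))
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            if any(_IOC_RE.search(s) for s in [name] + _searchable(data)):
                hits.append((key, name.strip('"'), _is_benign(key)))
    return hits


def _hex2(s, width=20):
    """Encode *s* as regedit does for REG_EXPAND_SZ: hex(2): UTF-16LE, wrapped with '\\'."""
    pairs = [f"{x:02x}" for x in s.encode("utf-16-le") + b"\x00\x00"]
    chunks = [",".join(pairs[i:i + width]) for i in range(0, len(pairs), width)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed .reg text, not a real export; key paths are illustrative.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"rsbo"="C:\\WINDOWS\\system32\\rsbo.exe"',
    r'"Example"="C:\\Program Files\\Example\\plugin3.dll"',  # must NOT match in3.dll
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kb1ss1p]",
    '"ImagePath"=' + _hex2(r"system32\drivers\kb1ss1p.sys"),
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]",
    r'"000"="rsbo.exe"',                   # your own Start Menu > Search history
])


def demo():
    """Run both searches against constructed input; return what a responder reviews."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sysdir)
        for name in ("rsbo.exe", "KB1SS1P.DLL", "plugin3.dll", "kernel32.dll"):
            open(os.path.join(sysdir, name), "wb").close()
        files = [os.path.basename(p) for p in find_ioc_files(root)]
    return {"files": files, "registry": scan_reg_export(SAMPLE_REG)}


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section, hits)
```

On a real machine, point `find_ioc_files` at the drive root and `scan_reg_export` at the text of the exported .reg file (regedit writes it as UTF-16; open it with `encoding="utf-16"`). Hits marked benign are the search-history entries; every other hit is something to look at before touching it.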
#2 Dec 12 2007 at 8:39 AM Rating: Good
Also, until this whole thing passes, certain websites will be automatically filtered to enhance security.

Thanks for your understanding.
#3 Dec 12 2007 at 8:43 AM Rating: Good
*Resists urge to make a condom joke*

Thanks for the info, much needed in these keylogger days.
#4 Dec 12 2007 at 8:44 AM Rating: Decent
Thanks for posting here. With all this going on, I'm too paranoid to click any links away from this forum, especially at work =/


edit: -1 for spelling

Edited, Dec 12th 2007 11:44am by DominatrixOfPandy
#5 Dec 12 2007 at 8:44 AM Rating: Excellent
ThePwnisher wrote:
*Resists urge to make a condom joke*


:lol: :lol: :lol: :lol:
#6 Dec 12 2007 at 11:14 AM Rating: Decent
I have a "stupid" question: how do I change my password safely in POL?

Do I log in to the first screen where you type in the password, then change the password below the name there?
#7 Dec 12 2007 at 12:02 PM Rating: Decent
It was mentioned on the BG thread that this trojan is undetectable by some spyware/virus scanners. I actually wonder whether anyone has submitted the Somepage situation to those software developers so they can take a closer look.

And... who really owns Somepage now?
#8 Dec 12 2007 at 4:38 PM Rating: Decent
Ruddiplayer wrote:
I have a "stupid" question: how do I change my password safely in POL?

Do I log in to the first screen where you type in the password, then change the password below the name there?


The safest way is to use a PC (or PS2 or 360?) that you know for sure isn't infected with anything.

Otherwise, clean out your PC with some of the scanners suggested in some of those posts, scan with a virus scanner and use the soft keyboard to change it.

OR you can phone POL and say you forgot your password and get them to change it for you.

Hopefully this blows over soon, all this stuff is making my brain sore. ; ;

Edited, Dec 12th 2007 10:51pm by BJordan
#9 Dec 13 2007 at 3:38 AM Rating: Decent
OK, never mind, found the answer to my question.

To change your password, select "Membership" from the Service & Support page. Select "PlayOnline ID," then select "Change Password." Mail passwords can also be changed by selecting "Mail Account" from the Membership page.
#10 REDACTED, Dec 13 2007 at 8:25 AM Rating: Sub-Default
OMG!!!! Too late... they got me. I can't even get into my game to see what's left. What do I do now? I had so much. Is it the end for me...???
#11 Dec 13 2007 at 10:40 AM Rating: Decent
aquafinaVa wrote:
OMG!!!! Too late... they got me. I can't even get into my game to see what's left. What do I do now? I had so much. Is it the end for me...???


I think you are the culprit. >:o

Side note: I think anyone with worries of a trojan/virus or anything malicious on their PC should run any program in safe mode.
#12 Dec 13 2007 at 11:00 AM Rating: Good
An LS member also said to look out for the following file in your registry/hard drive:

Trojan-PSW.Win32.OnLineGames.a

The following threads are all 2nd page or higher right now, but may get lost in the shuffle, they all had bits of valuable info I used to make sure I am clean:


http://ffxi.allakhazam.com/forum.html?forum=10;mid=1197526047226032992;num=5;page=1

http://ffxi.allakhazam.com/forum.html?forum=10;mid=1197561287321264432;num=7;page=1

http://ffxi.allakhazam.com/forum.html?forum=10;mid=119751186813322503;num=0;page=1

http://ffxi.allakhazam.com/forum.html?forum=10;mid=1197481549319547581;num=15;page=1

http://ffxi.allakhazam.com/forum.html?forum=10;mid=1197494401201167647;num=12;page=1
#13 REDACTED, Dec 13 2007 at 2:35 PM Rating: Sub-Default
Pfft, I didn't do this. I've been playing a long time; why the hell would I want this crap? I lost my account to a damn RMT. Four years of playing gone forever, and the game people said "Oh well." So if this happens to you, then what? You did it? Well, I didn't. And for all the people who don't blame me: watch out. It's too late for me, my account is gone. This crap is real, and the game people won't help you. Good luck out there. Sorry if I seem pissed. I AM.
#14 Dec 13 2007 at 3:21 PM Rating: Default
Do you need directions to a site that teaches proper grammar, sentence structure, etc.?
#15 Dec 13 2007 at 3:45 PM Rating: Default
kb1ss1p.dll
I tried to delete this; it won't let me, it says access denied. I got rid of the rest. What next? Please help.
#16 Dec 13 2007 at 4:57 PM Rating: Good
Hello all,

I figure that this is the right place to ask a few basic questions. I have 3 terminals on one router, 2 wired (A and B) and 1 on wi-fi (C).

A and B will be re-formatted and installed with FFXI, Firefox with add-ons, etc.

C is just a 'surfing' computer.

A and B will not contain any shared folders with the router. C will be exclusively used for surfing. If I do not surf any websites at all on A and B, will they be at high risk for attack?

B will probably be used for some occasional light web surfing. With Mozilla and the proper add-ons, and after re-formatting, will I still be at high risk of attack?

Thanks for the input,

R
#17 Dec 13 2007 at 7:01 PM Rating: Decent
I was wondering if there is risk, and/or what is hackable on your PC if you only use PS2 for POL/FFXI but may use PC to log into Friends List Plus?
#18 Dec 14 2007 at 11:41 AM Rating: Good
Thanks for the info! I'll try this before I log on again. I hope Squeenix is looking into this.

And give Aqua a break, guys...can't spare any sympathy just 'cause a guy types in lowercase?

Edit: Oh, and those filtered websites you mentioned... is there a list I can take a peek at so as to avoid them?

Edit edit: May have helped if I checked the links...

Edited, Dec 14th 2007 2:46pm by TheCabbage

Edited, Dec 14th 2007 3:54pm by TheCabbage
#19 Dec 14 2007 at 2:35 PM Rating: Good
Kreacher wrote:
I was wondering if there is risk, and/or what is hackable on your PC if you only use PS2 for POL/FFXI but may use PC to log into Friends List Plus?


Friendlist Plus got hacked before (due to it being tied to the POL client); if you only use PS2/PS3/360 you can still be hacked.
#20 Dec 16 2007 at 9:14 PM Rating: Good
Well, I'm going on a business trip this week, and would like to use FriendsListPlus to talk to people when I have down time in the evening, but I need to know that it's not going to blow up in my face. Anybody know if it's secure now?
#21 Dec 19 2007 at 2:31 AM Rating: Good
Buried in the config tools for NoScript is an option to, quote, "Forbid IFRAME". The s0mepage trojan was delivered using a hijacked IFRAME. So, assuming hackers will be using the same method in other sites they manage to break into, I've set the option on.

Right-click the NoScript icon in the bottom right of Firefox, select Options, go to Plugins, tick Forbid <IFRAME>, and tick Apply these restrictions to Trusted Sites too.

What I would LIKE to do is block all traffic from a top-level domain which has no web content I am interested in: .cn.
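The hijacked-IFRAME delivery described in the post above, as an added example that is not part of the original post or of NoScript: a Python check for the invisible-iframe pattern in a page's own HTML (zero or 1x1 size, display:none / visibility:hidden, or pushed off-screen, loading a URL from a host the page is not served from), for anyone running a linkshell site who wants to see whether their pages carry such a frame. It fetches nothing and looks only at each iframe's own attributes, so a frame inside a hidden parent element is not caught. The sample page, the host names and the 198.51.100.7 address are constructed for the example; it does not reproduce the real s0mepage injection.

```python
"""Flag invisible IFRAMEs in an HTML page (added example, not from the thread).

An injected iframe is one the visitor never sees: zero or 1x1 size, hidden by
CSS, or positioned far off-screen.  Visible off-site frames (video embeds,
ads) are normal and are not reported.  Sample page and hosts are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# display:none, visibility:hidden, or a left/top offset of -100px or more
_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


def _px(value):
    """'0', '0px', ' 1 ' -> int; anything else (None, '100%', 'auto') -> None."""
    m = re.match(r"^\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                     # HTMLParser lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes the visitor cannot see.

    page_host is the host the page is served from; an invisible frame whose
    src points elsewhere gets an extra "off-site:<host>" reason.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        reasons = []
        sizes = [_px(a.get("width")), _px(a.get("height"))]
        if any(s is not None and s <= 1 for s in sizes):
            reasons.append("tiny-or-zero-size")
        if _HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden-by-css")
        if not reasons:
            continue                            # a visible frame is not the pattern
        host = urlparse(a.get("src", "")).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-site:" + host)
        findings.append((a.get("src", ""), reasons))
    return findings


# Constructed page: one legitimate video embed, three frames a visitor cannot see.
SAMPLE_HTML = """<html><body>
<h1>Linkshell news</h1>
<iframe src="http://video.example.org/embed/123" width="425" height="350"></iframe>
<iframe src="http://198.51.100.7/x.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="/calendar.html" style="display:none"></iframe>
<iframe src="http://example.net/c.php" width=1 height=1></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "ls.example.com"):
        print(src, why)
```

Run it over the HTML of each page you serve (the file on disk, or what your own browser received); a hidden frame pointing at a host you do not recognise is the thing to pull and investigate, together with how it got into the page.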
#22 Dec 19 2007 at 8:52 AM Rating: Good
I am wondering if anyone has figured out how to run FFXI on a Mac with a virtual machine. I believe that using a virtual machine build that ONLY supports FFXI might give you a large amount of security, since a lot of system functions in Win XP are totally pointless for FFXI. Just a thought, though.
#23 Dec 19 2007 at 3:35 PM Rating: Decent
Thanks for compiling all the info IN. I made sure to post it on my LS's web-site to make sure more people have the info.
#24 Dec 19 2007 at 5:38 PM Rating: Decent
I deleted the first three, which were on my computer; now Veoh TV (streaming video system) doesn't work.
#25 Codyy, Dec 24 2007 at 10:01 AM Rating: Sub-Default
I has one too.
#26 Dec 29 2007 at 11:05 AM Rating: Default
I went to the Start Menu, went to Run and did all that. When I typed in kb1ss1p.dll some stuff came up, so I deleted it, but there was one I could not delete: it was called (Default), type REG_SZ, and for data it said "not set". I could not delete this, and I don't know if I need it, and I do not know what to do.