
EliteXI Bot Virus Warning!

posted Mar 10, 2011, 7:44 AM by RZN FFEvo   [ updated Mar 10, 2011, 8:40 AM ]
Posted at: http://ffevo.com/topic/2480-elitexi-bot-virus-warning/
The site may not load, it is still under heavy attack.

EliteXI Bot, aka wizbot, is installing a full trojan suite capable of installing other infections on command. One of these infections is responsible for some of the attacks on www.ffevo.com and www.elitemmonetwork.com. It has also been reported by a number of sources that wiz, aka c0d3r, has the ability to control your FFXI account, including but not limited to sending text to the game. A number of his own users have reported wiz using this feature to shout things in an attempt to get the user banned after they asked questions about the infections. Update: It seems wiz (C0d3r) is selectively infecting users; this means that even if you are not currently infected, you could be at any time.

If you are using or have ever used EliteXI, wizbot or anything he has released, scan your computer now using more than one AV scanner. You can get Avast and AVG for free, along with a few others. I also have discounts on the full versions that I will post as soon as I remember where I put them. I would also suggest running Spybot and Malwarebytes; again, these are both free. Malwarebytes has a paid version, but you only need the free scan. Remember to update your programs before scanning. These two tools will find almost all infections, but because this is a custom virus you must still run a full virus scan using Avast, AVG or the like. Spybot and Malwarebytes can only find known infections, whereas a full AV scanner like Avast or AVG can find new infections not yet defined in their databases.

The details
Three files have been reported to be downloaded and run after logging in.
"conhost.exe" MD5: 234d145eca32e47ec6c36e0ced3a29c1 Version: "3.03.0007" Original File Name: "lbenyzv.exe"
"Shell.exe" MD5: 43e1ea0ba913ee2f6f4f5b0addce2e1c Version: "3.26.0025" Original File Name: "mcexrqi.exe"
"svhost.exe" MD5: 77ec84da798431d08315f38c23d94a38 Version: "1.00" Original File Name: "Paper.exe"

Under Windows Vista / 7 the files have been reported to be saved and run under the /user name/roaming/ folder. The virus also hid this folder from the user.
Under XP, svhost.exe was reported to be saved and run from c:\.
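As an added example that is not part of the original post, the following Python script checks the locations named above for the three reported files, matching on MD5 first and on file name only as a secondary hint. The file names and hashes are the ones quoted in this post; the directory choices (%APPDATA%, which is the Roaming folder on Vista/7, and the root of C:\ on XP), the hidden-attribute check and the constructed demo files are assumptions of the example. Keep in mind that conhost.exe is also the name of a legitimate Windows binary in System32, so a name-only hit is a prompt to inspect the file, while a hash match against the listed values is conclusive.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Indicators quoted from the post: reported MD5 -> file name as dropped.
INDICATORS = {
    "234d145eca32e47ec6c36e0ced3a29c1": "conhost.exe",
    "43e1ea0ba913ee2f6f4f5b0addce2e1c": "Shell.exe",
    "77ec84da798431d08315f38c23d94a38": "svhost.exe",
}
SUSPECT_NAMES = {name.lower() for name in INDICATORS.values()}


def md5_of_file(path, chunk=1 << 20):
    """Stream a file through MD5 (the only digest the post provides)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def is_hidden(path):
    """Windows-only: True when the Hidden attribute is set (the post reports
    the Roaming folder being hidden). Always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_paths(roots, indicators=INDICATORS, names=SUSPECT_NAMES, recurse=True):
    """Return findings as dicts {path, md5, verdict}; verdict is
    'hash-match' (MD5 listed in the post) or 'name-only' (suspect name,
    different content)."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.exists():
            continue
        entries = root.rglob("*") if recurse else root.iterdir()
        for p in entries:
            try:
                if not p.is_file():
                    continue
                name_hit = p.name.lower() in names
                # Hash suspect names and any executable; skip other files.
                if not (name_hit or p.suffix.lower() == ".exe"):
                    continue
                digest = md5_of_file(p)
            except OSError:
                continue  # locked or unreadable file; keep going
            if digest in indicators:
                verdict = "hash-match"
            elif name_hit:
                verdict = "name-only"
            else:
                continue
            findings.append({"path": p, "md5": digest, "verdict": verdict})
    return findings


def run_constructed_demo():
    """Exercise the scanner offline on harmless constructed files (not real
    malware) with a constructed indicator set, since the real hashes cannot
    be reproduced here. Returns {file name: verdict}."""
    d = Path(tempfile.mkdtemp(prefix="iocdemo-"))
    hit = d / "svhost.exe"
    hit.write_bytes(b"constructed sample A")          # will hash-match
    (d / "conhost.exe").write_bytes(b"constructed sample B")  # name-only
    (d / "readme.txt").write_bytes(b"unrelated file")         # ignored
    constructed = {md5_of_file(hit): "svhost.exe"}
    results = scan_paths([d], indicators=constructed)
    return {r["path"].name: r["verdict"] for r in results}


if __name__ == "__main__":
    # Real scan: Roaming folder recursively, C:\ root only (per the post).
    roaming = os.environ.get("APPDATA")
    if roaming:
        if is_hidden(roaming):
            print("WARNING: Roaming folder is marked hidden:", roaming)
        for f in scan_paths([roaming]):
            print(f["verdict"], f["md5"], f["path"])
    if os.name == "nt":
        for f in scan_paths(["C:\\"], recurse=False):
            print(f["verdict"], f["md5"], f["path"])
    print("demo:", run_constructed_demo())
```

Run it from the affected user's account so %APPDATA% resolves to that user's Roaming folder; a hash-match line reproduces the MD5 you should quote when reporting the infection to your AV vendor or ic3.gov.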

There is recourse if you have been infected.
Start by making sure you have removed the infection. In more than one case Safe Mode was required to remove the "conhost.exe" virus. You can enter Safe Mode by pressing F8 before the Windows screen appears during boot up.
Second, report the infection. The FBI has an easy-to-use reporting tool at www.ic3.gov; please report it even if you do not live in the US, as you will be helping to prevent others from getting infected. Also report the infection to your anti-virus vendor's web site; most have this feature built in.
Third, get your money back. PayPal is very good about issuing refunds in cases like this. However, you are going to have to escalate it to a claim.
If it has been more than 45 days since the purchase, simply contact PayPal and they will be more than helpful in getting your money back.
Fourth, and most important, tell your friends: not all users check these forums and may not be aware of the infection on their computer.

For those who want the functions of the program without the infection, and without a third party accessing your personal account information: there are a large number of FREE tools that do the same things, that actually work, and most do far more with far greater support, FOR FREE. Just spend a little time with your favorite search engine.

If you are infected and need help removing the infection please feel free to contact me support(at)ffevo(dot)com.

Useful links
Avast free anti virus
AVG free anti virus
Spybot Search & Destroy
Malwarebytes anti malware
www.ic3.gov Internet crime report