Trojan preventing GW from being played
Braxton619
Hello, there is a problem my cousin is having trouble with. He recently got some type of trojan that is preventing Guild Wars from being played. It pops up a lot of weird windows and my cousin took screenshots of them.
First of all here is the shortcut:
http://i32.tinypic.com/2vj98ue.jpg
When you click it, this pops up:
http://i30.tinypic.com/24e9o45.jpg
When you click "Unlock my Account", this pops up:
http://i28.tinypic.com/2d8nuz9.jpg
When you click shopping cart, it goes to this link:
https://secure.ncsoft.com/cgi-bin/St...ory= 4#group4
Since my cousin is a tech guy, he knew the shortcut must be leading to some other file. Well this is where it leads to:
C:\Program Files\Guild Wars\ArenaNet Manager.exe
He tried to replace it with Gw.exe, and it comes up with this error:
http://i27.tinypic.com/f1krw3.jpg
He told me he is trying a lot of antivirus programs to remove the trojan but they will not detect it.
Will he have to format or is there a way to save this?
UPDATE
-------------------
It will also not let him delete Gw.exe or Gw.dat. It comes up a wacky error like cannot be deleted or something.
UPDATE #2
-------------------
It will not even let WinPatrol delete it on startup. I am working on my cousin's PC at the moment and it comes up with:
CANNOT EXECUTE %DELETE% IN PSOS KERNEL
Windows cannot execute the command Del on %BOOT%
Basically it's like the file is locked into the kernel or something.
BTW this is my cousin's computer so it's not my account or my computer. Atm, I'm trying everything to remove it.
UPDATE #3
------------------
We decided to format. If his account is hacked, we will contact ANET about this.
UPDATE #4
------------------
We just formatted his computer and reinstalled XP. He installed GW on the clean computer and it works fine! To save the trouble, I transferred my Dat file to his. Also we checked his account. He did not get hacked. He changed his password as well.
The Air Revenger
Delete the whole gw folder you have now and just download the client from guildwars.com
It won't have any effect on your account since that info is not stored on your computer
Braxton619
Quote:
Delete all the gw folder you have now and just download the client from guildwars.com.
Also if you try to del the shortcut, it comes up with the same error.
FireFox
contact support
The Air Revenger
have you run an anti-virus/spyware scan yet? and has it picked up anything?
Inde
Wow, that's an interesting one Leet Tankur. Haven't seen this one before. Good luck with it and if it does get resolved please let us know how you did it.
Sierraa
Winpatrol = amazing. Install it, pull it up and under active tasks find the ArenaNet Manager.exe and right click "Delete on Reboot". Winpatrol is good about asking you about programs that want to run after you install them too.
Xapti
Scan the system with an up to date virus checker (which I guess has been done?). If it doesn't work, one can try other free online scanners.
Otherwise it's probably not really a virus, but a malicious program, which you probably just need to delete.
Check this for deleting the file(s):
http://technet.microsoft.com/en-us/s.../bb897556.aspx
Use this to check out your processes/system in general:
http://technet.microsoft.com/en-us/s.../bb896653.aspx
I recommend it over the standard Task Manager.
While you are/he's at it, might as well use autoruns, to make sure there's nothing running at startup that will re-create the file/problem.
http://technet.microsoft.com/en-us/s.../bb963902.aspx
Lastly, I assume you/he knows that one should never type any valid numbers into that input. If you did, you'll need to contact arenanet immediately to ensure your account isn't hijacked.
It's possibly a keylogger, but I'd say it's unlikely because it can't get your game password if you can't run the game :P (and even if you could (or if it was for some other logging), the person would be suspicious). Regardless, you want to check process explorer to ensure nothing out of the ordinary is loaded into the system.
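Sierraa's "Delete on Reboot" and Xapti's Autoruns suggestions both come down to two places in the registry that can be inspected directly. The following PowerShell script is an added example written for this thread, not a tool from the thread or from any vendor named in it: it lists the standard Run/RunOnce autostart entries (one of the first places Autoruns looks for something that could recreate the file after a delete) and decodes the PendingFileRenameOperations value, which is where a "delete on reboot" request (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) is queued, so you can confirm whether WinPatrol's request actually got recorded. The folder path is the one from the thread and is only a default for the flagging check; nothing else here is specific to the case.

```powershell
# Added example for this thread (not WinPatrol's or Autoruns' own code).
# Lists Run/RunOnce autostart entries and the pending delete-on-reboot queue,
# flagging any autostart command that points into the suspect folder.
param(
    # Assumption: the Guild Wars folder from the thread; adjust as needed.
    [string]$SuspectFolder = 'C:\Program Files\Guild Wars'
)

# Standard autostart keys (HKCU entries only run for the current user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                # True when the command line references the suspect folder.
                Flagged = $cmd -like "*$SuspectFolder*"
            }
        }
    }
}

# "Delete on reboot" queues work in this REG_MULTI_SZ value as source/destination
# pairs (paths are prefixed with \??\); an empty destination means delete.
function Get-PendingFileOperations {
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { return @() }
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $dest = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $pending[$i]
            Destination = $dest
            Action      = if ($dest -eq '') { 'delete' } else { 'rename' }
        }
    }
}

Write-Host '== Autostart entries (Run / RunOnce) =='
Get-AutostartEntries | Format-Table -AutoSize

Write-Host '== Queued file operations for next reboot =='
$ops = Get-PendingFileOperations
if ($ops.Count -eq 0) { Write-Host '(none queued)' } else { $ops | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt, since reading the Session Manager key and the HKLM Run keys needs administrator rights. If a delete was requested but the queue shows nothing, the request never reached the registry, which matches the thread's symptom that the deletion is being blocked below the tool rather than failing at reboot. Either way, the autostart list is what to review before reinstalling the game, so that nothing recreates the replaced shortcut.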
Kumu Honua
Be prepared to have to fight to get your account back. Looks like a keylogger got ya. I would expect that once you clear it, you will find out your account is no longer in your possession.
Since Antivirus cannot take care of the problem, I would actually suggest you reformat. Trying to self diagnose all the files you need to delete can leave it behind to reinstall itself.
However if you don't want to go that far and you just want to delete the files in question you can try:
1. Boot in safe mode and try to delete the files.
2. If safe mode did not work you can try Pocket Killbox or Unlocker (Both links from MajorGeek)
That's all I can suggest. Maybe someone else has more ideas.
Braxton619
Quote:
Winpatrol = amazing. Install it, pull it up and under active tasks find the ArenaNet Manager.exe and right click "Delete on Reboot". Winpatrol is good about asking you about programs that want to run after you install them too.
CANNOT EXECUTE %DELETE% IN PSOS KERNEL
Windows cannot execute the command Del on %BOOT%
Only problem is he does not have a backup and he does not want to format.
Kumu Honua
If it has disabled deletion at kernel level then you may have more problems than just a keylogger.
You may just have to bite the bullet.
Try giving us a hijackthis log.
The Air Revenger
It's not a keylogger since it's not asking for your password; it wants you to buy another copy of Guild Wars and enter the key. The key will be sent to the person who started this trojan and they can use it for themselves, and you still won't be able to access your account, probably.
Kumu Honua
Yes, entering the key, and sending that to someone else is the very definition of a keylogger...
Braxton619
Ok I tried to uninstall Guild Wars, and it's not letting me. It's coming up like "System files are missing. You cannot uninstall this product."
Wow, I know it's fake but I wonder how these error messages keep popping up when executing an action. I asked my cousin if he downloaded anything recently and he said no. I don't know if he did or what.
Basically it seems it has taken control of the kernel and is not letting any files that are related to GW be deleted.
The Air Revenger
Quote:
Yes, entering the key, and sending that to someone else is the very definition of a keylogger...
This is different because it's not trying to steal your password, it's trying to get you to buy GW for them.
When did this happen? Can you just restore to a previous date, to when GW wasn't like this?
Tarun
Please download my Anti-Malware Toolkit and get the package that matches your Operating System. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.
From the sounds of it he just had a rootkit.
Braxton619
UPDATE:
We just formatted his computer and reinstalled XP. He installed GW on the clean computer and it works fine! To save the trouble, I transferred my Dat file to his. Also we checked his account. He did not get hacked. He changed his password as well.