Curse

Braxton619 · Jun 24, 2010, 03:00 AM // 03:00

Hey guys I was downloaded TexMod from some foreign website on Google. Then I installed it. Well it told me to reboot and I did. Now I cannot run GW anymore. When I click Guild Wars on my desktop, this appears:

http://img441.imageshack.us/img441/9...eenshot150.png

If I click Enter Access Key this appears:

http://img19.imageshack.us/img19/681...enshot151n.png

If I click Enter Account Information this appears:

http://img208.imageshack.us/img208/3...eenshot152.png

If I click Authorize this appears:

http://img149.imageshack.us/img149/9...enshot153i.png

Now I looked at the target and its in its default location.
C:\Program Files\Guild Wars\Gw.exe
This is what shows up if I try to change it somewhere else:

http://img80.imageshack.us/img80/823/screenshot155.png

If I try to delete or replace Gw.exe, this shows up:

http://img692.imageshack.us/img692/8...enshot156y.png

Now I thought of uninstalling. I know this would remove it for sure. However if I try to start the uninstaller, this shows up:

http://img88.imageshack.us/img88/3364/screenshot154.png

Theres gotta be something in the processes that is causing this. However I checked the process list and its not in there. I googled every file and made sure I was sure what it was.

Two hours searching in the Windows folder, I found this one file Gw.dll in C:\WINDOWS\System32\

http://img707.imageshack.us/img707/4...enshot149n.png

It won't let me delete it either.

UPDATE #1: Tried going in Safe Mode and deleting the Gw.exe file then. It will let me but when rebooting, I receive a BSOD of Gw.dll. So I entered it again and deleted Gw.dll. Got a BSOD again of Gw.dll. I re-added Gw.exe and Gw.dll again and rebooted. Worked now.

Still getting this crap. I should of never even installed a bad copy of TM on a foreign website. I don't know what I was thinking.

UPDATE #2: Scanned my computer with NOD32 Antivirus and MalwareBytes. No malware showed up. Any suggestions to do now?

Frenzy.CL · Jun 24, 2010, 03:59 AM // 03:59

99.99% sure you downloaded a virus, that is now trying very hard to get every last drop of your account info.

End · Jun 24, 2010, 04:12 AM // 04:12

I lol at your misfortune..and say....yeah if you gave them all of that...your eternally RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOed...you just gave them everything they need to not only hack your account...but prove that it's theirs...

The second screen shot alone should have told you that it was fake...as they can tell what campaign and where it's from simply by you typing in the access key...always...email support if something like that comes up...they will be able to tell you if your account is in danger or if you've just downloaded somethin nasty...

Although...I kinda like their way of doing it...I never thought about asking for access keys and then emailing support saying your account was stolen...anet would basically be letting you change all the info

and probs be suspicious of the second person who filed a complaint...

Anyways..I would get to emailing support ASAP... maybe just maybe you can save yourself...

As for what to do...

have fun reformatting...

I Pwn Brownies · Jun 24, 2010, 04:45 AM // 04:45

[R e m o v e d]

End · Jun 24, 2010, 05:04 AM // 05:04

Quote:

Originally Posted by I Pwn Brownies

Oh, and "End": you seriously use the double&triple-dot way too much. Wtb new punctuation? lol.

It's comes from being insecure about what type of punctuation actually belongs there :P

btw...you may complain about nod32...but I complain about cnet giving a norton product 5 stars...

Although I will admit...from what I hear...norton has been doing better...still though...its norton...

oo...and...cnet disagrees with you about Malwarebytes

Braxton619 · Jun 24, 2010, 05:21 AM // 05:21

Tested on another computer. Account works fine. Do I HAVE to re-format?

End · Jun 24, 2010, 05:25 AM // 05:25

Quote:

Originally Posted by Braxton619

Tested on another computer. Account works fine. Do I HAVE to re-format?

Umm...you could wait until the smrter people get here...(quaker, elder snog...the list goes on...)but...my guess is...that you will have to...but again wait for someone else sooo that I don't feel like shit when you do and someone else comes up with a better option xD

btw...did you actually put in the access keys?

also btw...was reading about this ages ago on another site...seems other people have picked up on it too now...xD not totally applicable to whats going on with you...well...it could I suppose :\

http://www.theregister.co.uk/2010/05...tch_av_bypass/

Braxton619 · Jun 24, 2010, 05:26 AM // 05:26

Quote:

Originally Posted by End

Umm...you could wait until the smrter people get here...(quaker, elder snog...the list goes on...)but...my guess is...that you will have to...but again wait for someone else sooo that I don't feel like shit when you do and someone else comes up with a better option xD

btw...did you actually put in the access keys?

I'll wait for them then. Thanks!

Bristlebane · Jun 24, 2010, 07:06 AM // 07:06

If your account still works then email support ASAP and tell them about this situation, maybe the hacker haven't attempted to steal your account yet, but they certainly will.

Terrible Surgeon · Jun 24, 2010, 07:15 AM // 07:15

change pword right away if you have access to your account via different machine.

godis · Jun 24, 2010, 07:22 AM // 07:22

Change your password quickly !!!
And I hope you still got your plastic card with the accesskey on so you can prove that the key is really yours ( or if its printed on the box )
Must likely they will get access to your account anyway since they got your access key. So be prepared to loose anything of value.
Maybe you should take contact with support now and tell them what has happened before they give your account away !

Spiritz · Jun 24, 2010, 07:33 AM // 07:33

If i were you - on the other computer make sure you change your login details for gw via anet site.Just because the account when you checked was still accessable the virus may have already sent your details and the "owners" may not have gone thru its data yet.
There is a program called hijack this and that can be used to remove from startup any reference to the bad files but you do need a bit of know how to use it - and open reboot u can usually delete the dll file as its not being called for use.
Another guru member who is more savvy with hijack this! may be able to talk you thru the procedure better than i can.

In fact later today when i have time i`ll contact you on pm with hijack this! link and i`ll try and talk you thru using it - it wont harm your system but is usefull for finding out which things often load without you knowing.

Archress Shayleigh · Jun 24, 2010, 08:15 AM // 08:15

Change your password asap...
You should probably reformat.. And also, did you put in your info?

moriz · Jun 24, 2010, 10:42 AM // 10:42

let's hope he didn't. otherwise, none of this matters and the OP should just kiss his account goodbye.

what he downloaded isn't a virus; but a program hijacker. such things are very difficult to pick up, because they always appear to be legitimate. in this case, this one doesn't cause any harm to your system or compromise it in any way; it just coerces the user into handing over account info voluntarily.

i'm not a security expert, but here's something you can try: go into the registry editor (regedit.exe) and search it for any traces of guild wars, arenanet, gw, verisign, and delete them. then, delete whatever you've installed and reboot. see if that gets rid of it.

Bristlebane · Jun 24, 2010, 12:54 PM // 12:54

Geez, so what's next? Soon theese hijackers replace gw.exe with a genuine looking GW login so you provide your login/pass/char name without even knowing it :O

I really REALLY hope GW2 will have some anti-phishing techniques lacking in GW1, theese hijackers are just getting more sophisticated.

majoho · Jun 24, 2010, 12:57 PM // 12:57

^ Well you could also just NOT download and install stuff from some weird site.

Braxton619 · Jun 24, 2010, 04:27 PM // 16:27

I didn't put my info on there. I changed my email and pass as well. I guess I'll have to format...

Camel Sausage · Jun 24, 2010, 05:35 PM // 17:35

It may be worth including the URL you downloaded TexMod from to ANet; who i'd expect to pass it onto the applicable AV companies if they feel it's a bona fide hijack tool.

Enjoy your formatting

Benderama · Jun 24, 2010, 07:21 PM // 19:21

Quote:

If I try to delete or replace Gw.exe, this shows up:

http://img692.imageshack.us/img692/8...enshot156y.png

sorry if this sounds dumb, but have you tried ending all processes that aren't essential for windows (including system processes) then deleteing the files? also delete from the recycle bin too.

Quote:

I really REALLY hope GW2 will have some anti-phishing techniques lacking in GW1, theese hijackers are just getting more sophisticated.

XD sorry if i sound mean, but most people would know that by having Anet's logo rather than GW's one, asking for all this info and even after filling it in getting an error that something's wrong. but yeah hope stuff works

have you tried doing an uninstall rather than deleting stuff?
i'm pretty sure that somewhere in the control panel or scheduled tasks you can stop certains processes from running at startup. you tried that?

Braxton619 · Jun 25, 2010, 08:51 PM // 20:51

I disabled all the processes that Windows doesn't use. Now I can delete Gw.exe and replace it!

The process was i386.exe. Now I think my system is clean. However Gw.dll keeps coming back. I also located i386.exe in system32 but keeps coming back. What should I do?