Guild Wars Forums - GW Guru
 
 

Jun 24, 2010, 03:00 AM   #1
Braxton619, Desert Nomad (Join Date: Jul 2008, Profession: A/W)

Bad copy of TexMod installed - GW problem

Hey guys, I downloaded TexMod from some foreign website I found on Google. Then I installed it. Well, it told me to reboot and I did. Now I cannot run GW anymore. When I click Guild Wars on my desktop, this appears:

http://img441.imageshack.us/img441/9...eenshot150.png

If I click Enter Access Key this appears:

http://img19.imageshack.us/img19/681...enshot151n.png

If I click Enter Account Information this appears:

http://img208.imageshack.us/img208/3...eenshot152.png

If I click Authorize this appears:

http://img149.imageshack.us/img149/9...enshot153i.png

Now I looked at the target and it's in its default location:
C:\Program Files\Guild Wars\Gw.exe
This is what shows up if I try to change it somewhere else:

http://img80.imageshack.us/img80/823/screenshot155.png

If I try to delete or replace Gw.exe, this shows up:

http://img692.imageshack.us/img692/8...enshot156y.png

Now I thought of uninstalling. I know this would remove it for sure. However if I try to start the uninstaller, this shows up:

http://img88.imageshack.us/img88/3364/screenshot154.png

There's gotta be something in the processes that is causing this. However, I checked the process list and it's not in there. I googled every file and made sure I knew what it was.

After two hours of searching in the Windows folder, I found this one file, Gw.dll, in C:\WINDOWS\System32\

http://img707.imageshack.us/img707/4...enshot149n.png

It won't let me delete it either.

UPDATE #1: Tried going into Safe Mode and deleting the Gw.exe file there. It let me, but when rebooting I received a BSOD referencing Gw.dll. So I went in again and deleted Gw.dll too. Got a BSOD referencing Gw.dll again. I re-added Gw.exe and Gw.dll and rebooted. It worked then.

Still getting this crap. I should never have even installed a bad copy of TM from a foreign website. I don't know what I was thinking.

UPDATE #2: Scanned my computer with NOD32 Antivirus and MalwareBytes. No malware showed up. Any suggestions on what to do now?
Jun 24, 2010, 03:59 AM   #2
Frenzy.CL, Ascalonian Squire (Join Date: Jun 2010, Location: The Internet, Profession: E/)

99.99% sure you downloaded a virus, that is now trying very hard to get every last drop of your account info.

Last edited by Frenzy.CL; Jun 24, 2010 at 04:02 AM.
Jun 24, 2010, 04:12 AM   #3
End, Forge Runner (Join Date: Jan 2008, Location: Rubbing Potassium on water fountains., Guild: LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember), Profession: N/A)

I lol at your misfortune..and say....yeah if you gave them all of that...you're eternally RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOed...you just gave them everything they need to not only hack your account...but prove that it's theirs...

The second screen shot alone should have told you that it was fake...as they can tell what campaign and where it's from simply by you typing in the access key...always...email support if something like that comes up...they will be able to tell you if your account is in danger or if you've just downloaded somethin nasty...

Although...I kinda like their way of doing it...I never thought about asking for access keys and then emailing support saying your account was stolen...anet would basically be letting you change all the info and probs be suspicious of the second person who filed a complaint...

Anyways..I would get to emailing support ASAP... maybe just maybe you can save yourself...

As for what to do...

have fun reformatting...

Last edited by End; Jun 24, 2010 at 04:29 AM. Reason: bolded the if...to show I give braxton more credit than that...
Jun 24, 2010, 04:45 AM   #4
I Pwn Brownies, Academy Page (Join Date: Aug 2006, Location: *Insert where I live here*, Guild: None., Profession: Me/)

[R e m o v e d]

Last edited by I Pwn Brownies; Dec 07, 2011 at 07:31 AM.
Jun 24, 2010, 05:04 AM   #5
End, Forge Runner (Join Date: Jan 2008, Location: Rubbing Potassium on water fountains., Guild: LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember), Profession: N/A)

Quote (Originally Posted by I Pwn Brownies):
Oh, and "End": you seriously use the double&triple-dot way too much. Wtb new punctuation? lol.

It comes from being insecure about what type of punctuation actually belongs there :P

btw...you may complain about nod32...but I complain about cnet giving a norton product 5 stars...

Although I will admit...from what I hear...norton has been doing better...still though...its norton...

oo...and...cnet disagrees with you about Malwarebytes

Last edited by End; Jun 24, 2010 at 05:12 AM.
Jun 24, 2010, 05:21 AM   #6
Braxton619, Desert Nomad (Join Date: Jul 2008, Profession: A/W)

Tested on another computer. Account works fine. Do I HAVE to re-format?
Jun 24, 2010, 05:25 AM   #7
End, Forge Runner (Join Date: Jan 2008, Location: Rubbing Potassium on water fountains., Guild: LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember), Profession: N/A)

Quote (Originally Posted by Braxton619):
Tested on another computer. Account works fine. Do I HAVE to re-format?

Umm...you could wait until the smarter people get here...(quaker, elder snog...the list goes on...)but...my guess is...that you will have to...but again wait for someone else sooo that I don't feel like shit when you do and someone else comes up with a better option xD

btw...did you actually put in the access keys?

also btw...was reading about this ages ago on another site...seems other people have picked up on it too now...xD not totally applicable to what's going on with you...well...it could be I suppose :\

http://www.theregister.co.uk/2010/05...tch_av_bypass/

Last edited by End; Jun 24, 2010 at 05:32 AM.
Jun 24, 2010, 05:26 AM   #8
Braxton619, Desert Nomad (Join Date: Jul 2008, Profession: A/W)

Quote (Originally Posted by End):
Umm...you could wait until the smarter people get here...(quaker, elder snog...the list goes on...)but...my guess is...that you will have to...but again wait for someone else sooo that I don't feel like shit when you do and someone else comes up with a better option xD

btw...did you actually put in the access keys?

I'll wait for them then. Thanks!
Jun 24, 2010, 07:06 AM   #9
Bristlebane, Desert Nomad (Join Date: Jan 2008, Profession: Mo/)

If your account still works, then email support ASAP and tell them about this situation; maybe the hacker hasn't attempted to steal your account yet, but they certainly will.
Jun 24, 2010, 07:15 AM   #10
Terrible Surgeon, Krytan Explorer (Join Date: Oct 2009, Guild: hopper, Profession: A/)

change pword right away if you have access to your account via different machine.
Jun 24, 2010, 07:22 AM   #11
godis, Frost Gate Guardian (Join Date: Sep 2009, Guild: LOVE, Profession: N/Me)

Change your password quickly!!!
And I hope you still have your plastic card with the access key on it so you can prove that the key is really yours (or if it's printed on the box).
Most likely they will get access to your account anyway since they got your access key. So be prepared to lose anything of value.
Maybe you should contact support now and tell them what has happened before they give your account away!

Last edited by godis; Jun 24, 2010 at 07:35 AM.
Jun 24, 2010, 07:33 AM   #12
Spiritz, Forge Runner (Join Date: Apr 2007, Guild: DMFC)

If I were you - on the other computer make sure you change your login details for GW via the ANet site. Just because the account was still accessible when you checked, the virus may have already sent your details and the "owners" may not have gone thru its data yet.
There is a program called HijackThis that can be used to remove from startup any reference to the bad files, but you do need a bit of know-how to use it - and upon reboot you can usually delete the dll file as it's not being called for use.
Another Guru member who is more savvy with HijackThis! may be able to talk you thru the procedure better than I can.

In fact later today when I have time I'll contact you on PM with a HijackThis! link and I'll try and talk you thru using it - it won't harm your system but is useful for finding out which things often load without you knowing.

Last edited by Spiritz; Jun 24, 2010 at 07:37 AM.
Jun 24, 2010, 08:15 AM   #13
Archress Shayleigh, Wilds Pathfinder (Join Date: Feb 2009, Location: Guild Hall, Profession: R/)

Change your password asap...
You should probably reformat.. And also, did you put in your info?
Jun 24, 2010, 10:42 AM   #14
moriz, über těk-nĭsh'ən (Join Date: Jan 2006, Location: Canada, Profession: R/)

let's hope he didn't. otherwise, none of this matters and the OP should just kiss his account goodbye.

what he downloaded isn't a virus, but a program hijacker. such things are very difficult to pick up, because they always appear to be legitimate. in this case, this one doesn't cause any harm to your system or compromise it in any way; it just coerces the user into handing over account info voluntarily.

i'm not a security expert, but here's something you can try: go into the registry editor (regedit.exe) and search it for any traces of guild wars, arenanet, gw, verisign, and delete them. then, delete whatever you've installed and reboot. see if that gets rid of it.
Jun 24, 2010, 12:54 PM   #15
Bristlebane, Desert Nomad (Join Date: Jan 2008, Profession: Mo/)

Geez, so what's next? Soon these hijackers will replace gw.exe with a genuine-looking GW login so you provide your login/pass/char name without even knowing it :O

I really REALLY hope GW2 will have some anti-phishing techniques lacking in GW1; these hijackers are just getting more sophisticated.
Jun 24, 2010, 12:57 PM   #16
majoho, Forge Runner (Join Date: Jul 2006, Location: Denmark)

^ Well you could also just NOT download and install stuff from some weird site.
Jun 24, 2010, 04:27 PM   #17
Braxton619, Desert Nomad (Join Date: Jul 2008, Profession: A/W)

I didn't put my info on there. I changed my email and pass as well. I guess I'll have to format...
Jun 24, 2010, 05:35 PM   #18
Camel Sausage, Academy Page (Join Date: Jan 2006, Location: Underworld, Guild: The Order of Kume, Profession: R/Mo)

It may be worth including the URL you downloaded TexMod from in your message to ANet, who I'd expect to pass it on to the applicable AV companies if they feel it's a bona fide hijack tool.

Enjoy your formatting
-- Camel Sausage
Jun 24, 2010, 07:21 PM   #19
Benderama, Krytan Explorer (Join Date: Jul 2008, Location: UK, Guild: [Rage], Profession: Rt/)

Quote:
If I try to delete or replace Gw.exe, this shows up:

http://img692.imageshack.us/img692/8...enshot156y.png

sorry if this sounds dumb, but have you tried ending all processes that aren't essential for windows (including system processes) then deleting the files? also delete from the recycle bin too.

Quote:
I really REALLY hope GW2 will have some anti-phishing techniques lacking in GW1; these hijackers are just getting more sophisticated.

XD sorry if i sound mean, but most people would know that by having Anet's logo rather than GW's one, asking for all this info and even after filling it in getting an error that something's wrong. but yeah hope stuff works. have you tried doing an uninstall rather than deleting stuff?
i'm pretty sure that somewhere in the control panel or scheduled tasks you can stop certain processes from running at startup. you tried that?
Jun 25, 2010, 08:51 PM   #20
Braxton619, Desert Nomad (Join Date: Jul 2008, Profession: A/W)

I disabled all the processes that Windows doesn't use. Now I can delete Gw.exe and replace it!

The process was i386.exe. Now I think my system is clean. However, Gw.dll keeps coming back. I also located i386.exe in system32, but it keeps coming back. What should I do?
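An added triage script written for this thread, not code any poster ran: it lists the usual Windows autostart locations, services, scheduled tasks and running processes and flags entries that reference the files the thread identifies (Gw.dll and i386.exe in System32, or a Gw.exe outside the default install path), then prints the hash and Authenticode status of those files for comparison with a clean install. It assumes PowerShell 4 or later in an elevated session and only reports; nothing is deleted.

```powershell
# Added example for this thread (not something any poster ran): report-only triage for the
# kind of hijack described above. Assumes PowerShell 4+ in an elevated session.
$suspectNames = @('gw.dll', 'i386.exe')                  # file names named in the thread
$realGw       = 'C:\Program Files\Guild Wars\Gw.exe'      # default install path from the thread
# Autostart locations a hijacker commonly uses to come back after a reboot.
$autostartKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell / Userinit values
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs value
)

# True when a command line or path mentions a suspect file, or a Gw.exe outside the real install.
function Test-Suspect([string]$text) {
  if (-not $text) { return $false }
  $lower = $text.ToLower()
  foreach ($n in $suspectNames) { if ($lower.Contains($n)) { return $true } }
  return ($lower.Contains('gw.exe') -and -not $lower.Contains($realGw.ToLower()))
}

"== Registry autostart values referencing suspect files =="
foreach ($key in $autostartKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }                # skip the provider's own metadata
    if (Test-Suspect ([string]$p.Value)) { "{0}\{1} = {2}" -f $key, $p.Name, $p.Value }
  }
}

"== Services and running processes referencing suspect files =="
Get-CimInstance Win32_Service | Where-Object { Test-Suspect $_.PathName } |
  Select-Object Name, State, PathName | Format-Table -AutoSize
Get-CimInstance Win32_Process | Where-Object { Test-Suspect $_.ExecutablePath } |
  Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize

"== Scheduled tasks whose action references suspect files =="
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
  Get-ScheduledTask | Where-Object {
    Test-Suspect (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ')
  } | Select-Object TaskPath, TaskName | Format-Table -AutoSize
}

"== Files on disk: hash and Authenticode status (compare against a clean install) =="
foreach ($f in @("$env:windir\System32\Gw.dll", "$env:windir\System32\i386.exe", $realGw)) {
  if (-not (Test-Path $f)) { continue }
  $sig = Get-AuthenticodeSignature $f
  "{0}  sha256={1}  signature={2}" -f $f, (Get-FileHash $f -Algorithm SHA256).Hash, $sig.Status
}
```

Anything the script flags in the autostart or scheduled-task sections is the entry that re-creates the files after a reboot; that is what a HijackThis-style cleanup would remove, and the hash lines show whether the Gw.exe in the install folder still matches a clean copy.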