Jul 11, 2009, 09:56 PM // 21:56
#1
Desert Nomad
Join Date: Jul 2008
Profession: A/W
Trojan preventing GW from being played
Hello, there is a problem my cousin is having trouble with. He recently got some type of trojan that is preventing Guild Wars from being played. It pops up a lot of weird windows and my cousin took screenshots of them.
First of all here is the shortcut:
http://i32.tinypic.com/2vj98ue.jpg
When you click it, this pops up:
http://i30.tinypic.com/24e9o45.jpg
When you click "Unlock my Account", this pops up:
http://i28.tinypic.com/2d8nuz9.jpg
When you click shopping cart, it goes to this link:
https://secure.ncsoft.com/cgi-bin/St...ory= 4#group4
Since my cousin is a tech guy, he knew the shortcut must be leading to some other file. Well this is where it leads to:
C:\Program Files\Guild Wars\ArenaNet Manager.exe
He tried to replace it with Gw.exe, and it comes up with this error:
http://i27.tinypic.com/f1krw3.jpg
He told me he is trying a lot of antivirus programs to remove the trojan, but they will not detect it.
Will he have to format or is there a way to save this?
UPDATE
-------------------
It will also not let him delete Gw.exe or Gw.dat. It comes up with a wacky error like "cannot be deleted" or something.
UPDATE #2
-------------------
It will not even let WinPatrol delete it on startup. I am working on my cousin's PC at the moment and it comes up with:
CANNOT EXECUTE %DELETE% IN PSOS KERNEL
Windows cannot execute the command Del on %BOOT%
Basically it's like the file is locked into the kernel or something.
BTW this is my cousin's computer so it's not my account or my computer. Atm, I'm trying everything to remove it.
UPDATE #3
------------------
We decided to format. If his account is hacked, we will contact ANET about this.
UPDATE #4
------------------
We just formatted his computer and reinstalled XP. He installed GW on the clean computer and it works fine! To save the trouble, I transferred my Dat file to his. Also, we checked his account. He did not get hacked. He changed his password as well.
Last edited by Braxton619; Jul 12, 2009 at 01:10 AM // 01:10.
Jul 11, 2009, 10:04 PM // 22:04
#2
Lion's Arch Merchant
Join Date: Feb 2008
Guild: Looking For TA Guild!
Profession: W/
Delete the whole GW folder you have now and just download the client from guildwars.com.
It won't have any effect on your account since that info is not stored on your computer.
Jul 11, 2009, 10:06 PM // 22:06
#3
Desert Nomad
Join Date: Jul 2008
Profession: A/W
Quote:
Originally Posted by The Air Revenger
Delete all the gw folder you have now and just download the client from guildwars.com.
Yes, he tried to do that. Whenever you try to delete ArenaNet Manager.exe it comes up with something like "This file cannot be deleted."
Also, if you try to delete the shortcut, it comes up with the same error.
Jul 11, 2009, 10:35 PM // 22:35
#4
Krytan Explorer
Join Date: Jun 2005
Location: Texas
Guild: We Wear Sombreros [文文文], Ugly Ducklings [ugly]
contact support
Jul 11, 2009, 10:43 PM // 22:43
#5
Lion's Arch Merchant
Join Date: Feb 2008
Guild: Looking For TA Guild!
Profession: W/
Have you run an anti-virus/spyware scan yet? And has it picked up anything?
Jul 11, 2009, 10:43 PM // 22:43
#6
Site Contributor
Wow, that's an interesting one, Leet Tankur. Haven't seen this one before. Good luck with it, and if it does get resolved please let us know how you did it.
Jul 11, 2009, 10:45 PM // 22:45
#7
Supastar~ ★
Join Date: May 2006
Location: USA [GMT -7]
Guild: Sierraas Asian Harem [love]
Profession: Me/
Winpatrol = amazing. Install it, pull it up and under active tasks find the ArenaNet Manager.exe and right click "Delete on Reboot". Winpatrol is good about asking you about programs that want to run after you install them too.
Last edited by Sierraa; Jul 11, 2009 at 10:47 PM // 22:47.
Jul 11, 2009, 10:48 PM // 22:48
#8
Frost Gate Guardian
Join Date: Feb 2005
Profession: Mo/
Scan the system with an up-to-date virus checker (which I guess has been done?). If it doesn't work, one can try other free online scanners.
Otherwise, it's probably not really a virus, but a malicious program, which you probably just need to delete.
Check this for deleting the file(s):
http://technet.microsoft.com/en-us/s.../bb897556.aspx
Use this to check out your processes/system in general:
http://technet.microsoft.com/en-us/s.../bb896653.aspx
I recommend it over the standard Task Manager.
While you are/he's at it, might as well use autoruns, to make sure there's nothing running at startup that will re-create the file/problem.
http://technet.microsoft.com/en-us/s.../bb963902.aspx
Lastly, I assume you/he knows that one should never type any valid numbers into that input. If you did, you'll need to contact arenanet immediately to ensure your account isn't hijacked.
It's possibly a keylogger, but I'd say it's unlikely because it can't get your game password if you can't run the game :P (and even if you could (or if it was for some other logging), the person would be suspicious). Regardless, you want to check process explorer to ensure nothing out of the ordinary is loaded into the system.
Last edited by Xapti; Jul 11, 2009 at 10:55 PM // 22:55.
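The post above recommends Process Explorer and Autoruns to see what is running and what re-launches at startup. As an added example (not part of Xapti's post and not one of the Sysinternals tools he links), the PowerShell script below builds a quick inventory of the most common Windows autostart locations and running processes, and flags any entry whose command references a file name of interest. The default names in `$Suspect` are an assumption taken from this thread; the script only reads registry keys and WMI classes, it deletes nothing, and on XP it needs PowerShell 2.0 installed.

```powershell
# Added example, not from the thread: inventory autostart locations and running
# processes, then flag entries that reference a suspect file name.
# $Suspect defaults are an assumption based on the thread; adjust for your case.
param(
    [string[]]$Suspect = @('ArenaNet Manager.exe', 'Gw.exe')
)

$entries = @()

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSChildName/etc.; those are not registry values
        if ($p.Name -like 'PS*') { continue }
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = [string]$p.Value
        }
    }
}

# 2. Winlogon Shell and Userinit, a classic persistence location
$wlKey   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wlProps = Get-ItemProperty -Path $wlKey
foreach ($name in 'Shell', 'Userinit') {
    $entries += New-Object PSObject -Property @{
        Source = $wlKey; Name = $name; Command = [string]$wlProps.$name
    }
}

# 3. Services and the binaries they launch (WMI is available on XP with PowerShell 2.0)
Get-WmiObject Win32_Service | ForEach-Object {
    $entries += New-Object PSObject -Property @{
        Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName
    }
}

# 4. Startup-folder items and other autostart entries WMI reports
Get-WmiObject Win32_StartupCommand | ForEach-Object {
    $entries += New-Object PSObject -Property @{
        Source = $_.Location; Name = $_.Name; Command = [string]$_.Command
    }
}

# 5. Processes currently running
Get-WmiObject Win32_Process | ForEach-Object {
    $entries += New-Object PSObject -Property @{
        Source = 'Process'; Name = $_.Name; Command = [string]$_.ExecutablePath
    }
}

# Anything referencing a suspect name is reported first; review the rest by hand
$flagged = $entries | Where-Object {
    $cmd = $_.Command
    @($Suspect | Where-Object { $cmd -like "*$_*" }).Count -gt 0
}

"=== Entries referencing a suspect file name ==="
$flagged | Format-Table Source, Name, Command -AutoSize

"=== Full autostart inventory (save this and compare against a clean machine) ==="
$entries | Where-Object { $_.Source -ne 'Process' } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Command -AutoSize
```

Run it from an elevated PowerShell prompt so HKLM and all service entries are readable. It covers only a handful of the locations Autoruns checks, so treat it as a first pass for spotting an obviously foreign entry and for saving a baseline; the Sysinternals tools in the post remain the thorough option.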
Jul 11, 2009, 11:05 PM // 23:05
#10
Desert Nomad
Join Date: Jul 2008
Profession: A/W
Quote:
Originally Posted by Alexander Burn Victim
Winpatrol = amazing. Install it, pull it up and under active tasks find the ArenaNet Manager.exe and right click "Delete on Reboot". Winpatrol is good about asking you about programs that want to run after you install them too.
At the moment, I am working on my cousin's PC to resolve this problem. I tried "Delete on Reboot" and it came up with a fatal error. Something like this:
CANNOT EXECUTE %DELETE% IN PSOS KERNEL
Windows cannot execute the command Del on %BOOT%
The only problem is he does not have a backup and he does not want to format.
Jul 11, 2009, 11:10 PM // 23:10
#11
Jungle Guide
If it has disabled deletion at kernel level then you may have more problems than just a keylogger.
You may just have to bite the bullet.
Try giving us a HijackThis log.
Jul 11, 2009, 11:13 PM // 23:13
#12
Lion's Arch Merchant
Join Date: Feb 2008
Guild: Looking For TA Guild!
Profession: W/
It's not a keylogger, since it's not asking for your password. It wants you to buy another copy of Guild Wars and enter the key; the key will be sent to the person who started this trojan and they can use it for themselves, and you still won't be able to access your account, probably.
Jul 11, 2009, 11:15 PM // 23:15
#13
Jungle Guide
Yes, entering the key, and sending that to someone else is the very definition of a keylogger...
Jul 11, 2009, 11:17 PM // 23:17
#14
Desert Nomad
Join Date: Jul 2008
Profession: A/W
OK, I tried to uninstall Guild Wars, and it's not letting me. It's coming up with something like "System files are missing. You cannot uninstall this product."
Wow, I know it's fake, but I wonder how these error messages keep popping up when executing an action. I asked my cousin if he downloaded anything recently and he said no. I don't know if he did or what.
Basically it seems it has taken control of the kernel and is not letting any files that are related to GW be deleted.
Jul 11, 2009, 11:35 PM // 23:35
#15
Lion's Arch Merchant
Join Date: Feb 2008
Guild: Looking For TA Guild!
Profession: W/
Quote:
Originally Posted by Kumu Honua
Yes, entering the key, and sending that to someone else is the very definition of a keylogger...
A keylogger is hidden and records keystrokes, so when you type your log-in info it secretly records them.
This is different because it's not trying to steal your password; it's trying to get you to buy GW for them.
When did this happen? Can you just restore to a previous date, to when GW wasn't like this?
Jul 11, 2009, 11:38 PM // 23:38
#16
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Please download my Anti-Malware Toolkit and get the package that matches your Operating System. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.
From the sounds of it he just had a rootkit.
Jul 12, 2009, 01:09 AM // 01:09
#17
Desert Nomad
Join Date: Jul 2008
Profession: A/W
UPDATE:
We just formatted his computer and reinstalled XP. He installed GW on the clean computer and it works fine! To save the trouble, I transferred my Dat file to his. Also, we checked his account. He did not get hacked. He changed his password as well.
All times are GMT.