Perfect World elementclient.exe issue

Old 01/25/2008, 19:51   #1
Junior Member
 
Join Date: Jan 2008
Posts: 2
Received Thanks: 0
Perfect World elementclient.exe issue


Hi, I've started patching PW, and my antivirus detects a trojan in the elementclient.exe file. Here is the log:

Malicious code found in file D:\Perfect World\element\elementclient.exe.
Infection: Trojan.Win32.Delf.avb
Action: The file was deleted.

Now I can't even get the file back on the computer... it deletes it right away.
My laptop is imaged where I can't edit any settings with the AntiVirus (F-Secure).

Can anyone help me get PW running?

__________________

xBadBoi is offline  
Old 01/25/2008, 22:29   #2
Junior Member
 
Join Date: Jan 2008
Posts: 19
Received Thanks: 2
Yeah, this happened to me today also... with Kaspersky 7. You could use the hacked .exe posted in the thread that is stickied to launch. But for future updates I do not know if the updater will work normally. I myself was about to post a topic regarding this, and I was going to ask if anybody could upload the original elementclient.exe for updating purposes when the time comes.
Peitha is offline  
Old 01/25/2008, 23:43   #3
Member
 
Join Date: Nov 2006
Posts: 39
Received Thanks: 0
Yeah coz all databases of antivirus have just been updated with this trojan/worm

I found it in the first client (without update)

When the worm executes, it creates the following files:

%System%\kavo.exe
%System%\kavo0.dll


The file kavo0.dll is then injected into all running processes.

It also creates the following file, which is a copy of Hacktool.Rootkit:
%Temp%\[RANDOM FILE NAME].dll

The worm then copies itself to all drives from C through Z as the following file:
[DRIVE LETTER]:\ntdelect.com

It also creates the following file so that it executes whenever the drive is accessed:
[DRIVE LETTER]:\autorun.inf

Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"

It then modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer\"NoDriveTypeAutoRun" = "0x91"


The worm checks if it has been injected into any of the following processes:

zhengtu.dat
elementclient.exe
dekaron.exe
hyo.exe
wsm.exe and ybclient.exe
fairlyclient.exe
so3d.exe
maplestory.exe
r2client.exe
InphaseNXD.EXE


It then attempts to steal information for the following online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
Kermi is offline  
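
A read-only way to check a machine for the files and registry values listed in the post above (an added example, not part of the thread; the helper name `Get-RegValue` is this example's own). The `Hidden` and `ShowSuperHidden` values are left out because the data quoted for them also occurs on clean systems.

```powershell
# Added example: reports indicators from the post above; nothing is changed or deleted.
$findings = @()

# Files the post says are created in %System%
$sys = [Environment]::GetFolderPath('System')
foreach ($name in 'kavo.exe', 'kavo0.dll') {
    $p = Join-Path $sys $name
    # -Force: the registry changes in the post hide such files from Explorer
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $findings += "file present: $p"
    }
}

# Copy at the root of each drive, and an autorun.inf that refers to it
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $copy = Join-Path $drive.Root 'ntdelect.com'
    $inf  = Join-Path $drive.Root 'autorun.inf'
    if (Get-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue) {
        $findings += "file present: $copy"
    }
    $hits = (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) -match 'ntdelect\.com'
    if ($hits) { $findings += "autorun.inf references ntdelect.com: $inf" }
}

function Get-RegValue($key, $name) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
}

# Value = $null means the mere presence of the value is reported
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'kava'; Value = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = 0 },
    # Key name spelled as it appears in the post
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = $null }
)
foreach ($c in $checks) {
    $v = Get-RegValue $c.Key $c.Name
    if ($null -eq $v) { continue }
    if ($null -eq $c.Value -or $v -eq $c.Value) {
        $findings += "registry: $($c.Key)\$($c.Name) = $v"
    }
}

if ($findings.Count) { $findings } else { 'No indicators from the post were found.' }
```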
Old 01/25/2008, 23:49   #4
Junior Member
 
Join Date: Jan 2008
Posts: 2
Received Thanks: 0
Is this thing harmful in any way?

Bleh.. I just used a program to delete F-Secure, then installed Avast.
xBadBoi is offline  
Old 01/25/2008, 23:55   #5
Member
 
Join Date: Nov 2006
Posts: 39
Received Thanks: 0
No, PW probably steals information to know what game you r playing.
You have had the worm since the beginning ^^
Kermi is offline  
Old 01/26/2008, 03:21   #6
Junior Member
 
Join Date: Jan 2008
Posts: 19
Received Thanks: 2
That worm scares me lol... but I don't play any of those games so

Does anybody know if my client will update with the hacked .exe stickied in this forum? Since my AntiVirus deleted it >_>
Peitha is offline  
Old 01/26/2008, 08:50   #7
Member
 
Join Date: Mar 2007
Posts: 29
Received Thanks: 8
my anti virus detected dis::



kaptenkapal is offline  
Old 01/26/2008, 11:01   #8
usually on stack
 
Join Date: Jul 2006
Posts: 38
Received Thanks: 84
yes, I think it will still update when you run the launcher cuz the version is stored in that one version file, and the server reads the version number in that file and just overwrites the files... also the elementclient.exe

when does that trojan/worm thing happen? when you run the launcher or when the game itself (the elementclient) exe runs? if it is the 2nd then it might be the pwprotector.exe which gets loaded
arschkeks is offline  


All times are GMT +2. The time now is 16:22.

