
Perfect World elementclient.exe issue

 
Old   #1
 
elite*gold: 0
Join Date: Jan 2008
Posts: 2
Received Thanks: 0
Perfect World elementclient.exe issue

Hi, I've started patching PW, and my antivirus detects a trojan in the elementclient.exe file. Here is the log:

Malicious code found in file D:\Perfect World\element\elementclient.exe.
Infection: Trojan.Win32.Delf.avb
Action: The file was deleted.

Now I can't even get the file back on the computer... it deletes it right away.
My laptop is imaged where I can't edit any settings with the AntiVirus (F-Secure).

Can anyone help me get PW running?
xBadBoi is offline  
Old 01/25/2008, 22:29   #2
 
elite*gold: 0
Join Date: Jan 2008
Posts: 19
Received Thanks: 2
Yeah, this happened to me today also... with Kaspersky 7. You could use the hacked .exe posted in the thread that is stickied to launch. But for future updates I do not know if the updater will work normally. I myself was about to post a topic regarding this, and I was going to ask if anybody could upload the original elementclient.exe for updating purposes when the time comes.
Peitha is offline  
Old 01/25/2008, 23:43   #3
 
elite*gold: 0
Join Date: Nov 2006
Posts: 39
Received Thanks: 0
Yeah coz all databases of antivirus have just been updated with this trojan/worm

I found it in the first client (without update)

When the worm executes, it creates the following files:

%System%\kavo.exe
%System%\kavo0.dll


The file kavo0.dll is then injected into all running processes.

It also creates the following file, which is a copy of Hacktool.Rootkit:
%Temp%\[RANDOM FILE NAME].dll

The worm then copies itself to all drives from C through Z as the following file:
[DRIVE LETTER]:\ntdelect.com

It also creates the following file so that it executes whenever the drive is accessed:
[DRIVE LETTER]:\autorun.inf

Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"

It then modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer\"NoDriveTypeAutoRun" = "0x91"


The worm checks if it has been injected into any of the following processes:

zhengtu.dat
elementclient.exe
dekaron.exe
hyo.exe
wsm.exe and ybclient.exe
fairlyclient.exe
so3d.exe
maplestory.exe
r2client.exe
InphaseNXD.EXE


It then attempts to steal information for the following online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
Kermi is offline  
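
A triage check built from the indicators listed in post #3, added here as an example and not part of the original thread: it parses a `.reg`-style export plus a file listing and reports which of the described artifacts are present. The function names, the strong/weak labels and the sample data are assumptions made for illustration; the registry and file names (including the "Pocilies" spelling) are as given in the post.

```python
import re
# Indicators from the post: (key suffix, value name, expected, strength).
# "weak" marks values that can also be ordinary Explorer settings.
REG_IOCS = [
    (r"\currentversion\run", "kava", r"\kavo.exe", "strong"),
    (r"\advanced\folder\hidden\showall", "checkedvalue", 0, "strong"),
    (r"\currentversion\pocilies\explorer", "nodrivetypeautorun", 0x91, "strong"),
    (r"\explorer\advanced", "hidden", 2, "weak"),
    (r"\explorer\advanced", "showsuperhidden", 0, "weak"),
]
# Constructed sample data, not taken from a real host.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''
SAMPLE_PATHS = [r"C:\WINDOWS\system32\kavo0.dll", r"E:\ntdelect.com",
                r"E:\autorun.inf", r"D:\Perfect World\element\elementclient.exe"]

def parse_reg(text):
    """Parse .reg-export text into {(key, value name): value}, lower-cased."""
    out, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"(.+?)"=(.*)$', line)):
            raw = m.group(2)
            out[key, m.group(1).lower()] = (int(raw[6:], 16) if raw.startswith("dword:")
                else raw.strip('"').replace("\\\\", "\\").lower())
    return out

def triage(reg_text, paths):
    """Return sorted (strength, indicator) findings for a registry export and file list."""
    hits, low = set(), [p.lower() for p in paths]
    for (key, name), value in parse_reg(reg_text).items():
        for suffix, ioc, want, strength in REG_IOCS:
            ok = str(value).endswith(want) if isinstance(want, str) else value == want
            if ok and key.endswith(suffix) and name == ioc:
                hits.add((strength, "reg:" + name))
    for p in low:
        if p.endswith(("\\kavo.exe", "\\kavo0.dll")):
            hits.add(("strong", "file:" + p.rsplit("\\", 1)[1]))
        if re.fullmatch(r"[a-z]:\\ntdelect\.com", p):
            paired = p[:3] + "autorun.inf" in low  # autorun.inf beside the copy
            hits.add(("strong", f"drive:{p[0]}:ntdelect.com" + "+autorun.inf" * paired))
    return sorted(hits)
```
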
Old 01/25/2008, 23:49   #4
 
elite*gold: 0
Join Date: Jan 2008
Posts: 2
Received Thanks: 0
Is this thing harmful in any way?

Bleh.. I just used a program to delete F-Secure, then installed Avast.
xBadBoi is offline  
Old 01/25/2008, 23:55   #5
 
elite*gold: 0
Join Date: Nov 2006
Posts: 39
Received Thanks: 0
No, PW probably steals information to know what game you are playing.
You have the worm since the beginning ^^
Kermi is offline  
Old 01/26/2008, 03:21   #6
 
elite*gold: 0
Join Date: Jan 2008
Posts: 19
Received Thanks: 2
That worm scares me lol... but I don't play any of those games so

Does anybody know if my client will update with the hacked .exe stickied in this forum? Since my AntiVirus deleted it >_>
Peitha is offline  
Old 01/26/2008, 08:50   #7
 
elite*gold: 0
Join Date: Mar 2007
Posts: 29
Received Thanks: 8
My antivirus detected this:



kaptenkapal is offline  
Old 01/26/2008, 11:01   #8
 
elite*gold: 0
Join Date: Jul 2006
Posts: 38
Received Thanks: 84
Yes, I think it will still update when you run the launcher, cuz the version is stored in that one version file, and the server reads the version number in that file and just overwrites the files... also the elementclient.exe.

When does that trojan/worm thing happen? When you run the launcher, or when the game itself (the elementclient) exe runs? If it is the 2nd, then it might be the pwprotector.exe which gets loaded.
arschkeks is offline  