Perfect World elementclient.exe issue

01/25/2008 19:51 xBadBoi#1
Hi, I've started patching PW, and my antivirus detects a trojan in the elementclient.exe file. Here is the log:

Malicious code found in file D:\Perfect World\element\elementclient.exe.
Infection: Trojan.Win32.Delf.avb
Action: The file was deleted.

Now I can't even get the file back on the computer... it deletes it right away.
My laptop is imaged, so I can't edit any settings in the antivirus (F-Secure).

Can anyone help me get PW running? :(
01/25/2008 22:29 Peitha#2
Yeah, this happened to me today also... with Kaspersky 7. You could use the hacked .exe posted in the stickied thread to launch. But for future updates I don't know if the updater will work normally :( I myself was about to post a topic regarding this, and I was going to ask if anybody could upload the original elementclient.exe for updating purposes when the time comes :D
01/25/2008 23:43 Kermi#3
Yeah, because all antivirus databases have just been updated with this trojan/worm.

I found it in the first client (without update)

When the worm executes, it creates the following files:

%System%\kavo.exe
%System%\kavo0.dll


The file kavo0.dll is then injected into all running processes.

It also creates the following file, which is a copy of Hacktool.Rootkit:
%Temp%\[RANDOM FILE NAME].dll

The worm then copies itself to all drives from C through Z as the following file:
[DRIVE LETTER]:\ntdelect.com

It also creates the following file so that it executes whenever the drive is accessed:
[DRIVE LETTER]:\autorun.inf

Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"

It then modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0x91"


The worm checks if it has been injected into any of the following processes:

zhengtu.dat
elementclient.exe
dekaron.exe
hyo.exe
wsm.exe and ybclient.exe
fairlyclient.exe
so3d.exe
maplestory.exe
r2client.exe
InphaseNXD.EXE


It then attempts to steal information for the following online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
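A read-only triage script for the indicators listed in the write-up above, added here as an example and not something posted in the thread; it assumes %System% is the System32 directory and reports findings without deleting or changing anything.

```powershell
# Added example: check this host for the files and registry values named in the write-up.
# Run from an elevated PowerShell prompt; nothing is modified, only reported.
$findings = @()

# 1. Dropped files in %System% (assumed to be the System32 directory).
$system = [Environment]::GetFolderPath('System')
foreach ($name in 'kavo.exe', 'kavo0.dll') {
    $p = Join-Path $system $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Per-drive copy and the autorun.inf that launches it when the drive is opened.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'ntdelect.com', 'autorun.inf') {
        $p = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $p) {
            $findings += "Per-drive file present: $p"
            if ($name -eq 'autorun.inf') {
                $lines = Get-Content -LiteralPath $p -ErrorAction SilentlyContinue
                if ($lines -match 'ntdelect') { $findings += "  autorun.inf on $($d.Root) references ntdelect.com" }
            }
        }
    }
}

# 3. Run-key persistence: the strongest registry signal, since 'kava' is not a normal value name.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['kava']) { $findings += "Run value 'kava' = $($run.kava)" }

# 4. Explorer settings the worm changes to keep its files out of sight. Note that Hidden=2 and
#    ShowSuperHidden=0 are also the Windows defaults, so these only corroborate findings above.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Bad = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Bad = 2 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Bad = 0x91 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $findings += "$($c.Path)\$($c.Name) = $v (matches the worm's setting)" }
}

if ($findings.Count -eq 0) { 'No indicators from the write-up found.' } else { $findings }
```

A hit in sections 1 to 3 means the machine should be treated as infected and cleaned with an up-to-date scanner, since the injected kavo0.dll will keep re-creating the files while it is running.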
01/25/2008 23:49 xBadBoi#4
Is this thing harmful in anyway?

Bleh.. i just used program to delete F-Secure, then installed Avast.
01/25/2008 23:55 Kermi#5
No, PW probably steals information to know what game you're playing.
You've had the worm since the beginning ^^
01/26/2008 03:21 Peitha#6
That worm scares me lol... but I don't play any of those games so :D

Does anybody know if my client will update with the hacked .exe stickied in this forum? Since my antivirus deleted it >_>
01/26/2008 08:50 kaptenkapal#7
My antivirus detected this:
01/26/2008 11:01 arschkeks#8
Yes, I think it will still update when you run the launcher, because the version is stored in that one version file, and the server reads the version number in that file and just overwrites the files... also the elementclient.exe.

When does that trojan/worm thing happen? When you run the launcher, or when the game itself (the elementclient.exe) runs? If it is the second, then it might be the pwprotector.exe which gets loaded.