Cymbol has been very patient, and let me remote into her system to have a look around to attempt to find what installed this. It's looking like a FAKE Curse Client - i.e. if you searched for Curse Client via major search sites, you might have clicked an ad instead of the actual Curse Client page.
I got a copy of it, which Blizzard & their Warden team have. Submitted to Malwarebytes, Avast, MSE, Kaspersky, McAfee, Avast, SuperAntiSpyware, TrendMicro.
Lots of antiviruses are now scanning for it: https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/1388714816/
And Cymbol's system has been cleaned!
- Download AutoRuns:
Find Disker & Disker64 in the list. Uncheck the boxes on the left for each line, then right click each, and select "Delete".
- Download ProcessExplorer:
Under explorer.exe, you should see a rundll32.exe under it. There may be several, so find the one that when you hover over it, the popup text says "Disker" and/or "Disker64". Right-click the rundll32.exe, and select "Kill Process", and click OK.
- Download SuperAntiSpyware: Reboot normally and it should be gone.
Uncheck both options in the bottom left, and click Express.
After it installs, close it.
Navigate to the
folder, where "name" is your username.
Right click w_win.dll, and select "SUPERDelete File Removal". It'll bring you to a screen asking if you REALLY want to delete the file, and to type YES. Type YES.
Do the same for w_64.dll.
Uninstall SuperAntiSpyware, and delete processexplorer & autoruns.
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
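
A read-only check for leftovers after the cleanup steps in the post above, as an added example that is not part of the original post. The names Disker, Disker64, w_win.dll and w_64.dll and the SHA-256 come from the post; searching the whole user profile and looking in the two standard Run keys are assumptions, since the post does not give the folder or say where the autorun entries live.

```powershell
# Added example: reports leftovers only, deletes nothing.
$dllNames   = 'w_win.dll', 'w_64.dll'   # file names from the post
$entryNames = 'Disker', 'Disker64'      # autorun entry names from the post
# SHA-256 from the VirusTotal link in the post; which file it belongs to is not stated.
$knownHash  = '850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344'
$pattern    = (($dllNames + $entryNames) | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. rundll32.exe processes whose command line mentions the DLLs or entry names
$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object { $_.CommandLine -match $pattern } |
    Select-Object ProcessId, ParentProcessId, CommandLine

# 2. The DLLs anywhere under the current user's profile (assumed search root)
$files = Get-ChildItem -Path $env:USERPROFILE -Include $dllNames -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            Path        = $_.FullName
            SHA256      = $hash
            MatchesPost = ($hash -eq $knownHash)   # -eq ignores case for strings
        }
    }

# 3. Run-key values that reference the same names (assumed autorun location)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($name -match $pattern -or $value -match $pattern) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
        }
    }
}

if ($procs -or $files -or $autoruns) {
    'Leftovers found:'
    $procs    | Format-List
    $files    | Format-List
    $autoruns | Format-List
} else {
    'No Disker / w_win.dll / w_64.dll leftovers found in the checked locations.'
}
```

Run it from a normal PowerShell prompt as the affected user; an empty result only covers the three locations checked here, so Autoruns remains the fuller view of startup entries.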