ok, so testing the program as I type this... will edit every chance I get...
So the second you run the malicious program that was recently spread through MediaFire (the one I got was supposedly a WoW hack loader),
it starts writing a registry key to start up. Here is the registry key:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1E3CB49E-FFFA-025E-0604-040407030402}
(the last part of that will be different; it's random numbers and letters)
It is injecting into c:\windows\explorer.exe, which restarts iexplore.exe (normal Internet Explorer, but infected) and which writes all the registry entries...
It starts iexplore.exe, which is what the trojan is using to connect to the internet... which tries to connect to the IP address that is the IP address of the hacker... just FYI.
So following the registry entry... it uses
c:\windows\system32\win32.exe << that is the stub, aka the main part of the trojan...
I have researched it; it is NOT a system file, and is safe to delete...
So restart your computer, keep pressing F8 while booting and boot into safe mode, go and delete c:\windows\system32\win32.exe, and then go delete the above registry key by going to "Start\Run", typing "regedit" and hitting Enter... then just follow the registry keys down and delete the key... then close the Registry Editor and reboot the computer and you should be good...
The registry key it uses is random, and if you delete it when not in safe mode, it re-writes itself to a different key.
So what you want to do is look through the registry, go to
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
and search for any entry pointing to win32.exe and delete that, in safe mode... and then delete the win32.exe.
EDIT-------------
OK, so it injects into explorer.exe; that's why it keeps re-writing the entries... so, if you are NOT in safe mode and think you can remove it that way... end explorer.exe, then delete the registry entry and the win32.exe... that will end the problem... then you can safely restart explorer.exe and you're good to go...
I hope this helped someone!
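The manual cleanup the post describes can be scripted. The following PowerShell script is an added example, not something from the original post or its author. It walks the Active Setup "Installed Components" key, matching on what each entry launches rather than on the subkey name (the post notes the {GUID} is random), reports anything that points at win32.exe, and, only when run with -Remove, does the post's non-safe-mode procedure: stop explorer.exe first so it cannot rewrite the key, delete the matching keys and the stub file, then restart explorer.exe. Assumptions: it must run from an elevated (Administrator) PowerShell; StubPath is the value name Active Setup uses for the program an entry runs; the file name win32.exe and its System32 location are taken from the post; the Wow6432Node path is checked as well because 64-bit Windows keeps a second copy of the key there.

```powershell
# Added example (not from the original post): find Active Setup entries that launch
# win32.exe and, with -Remove, clean them up the way the post describes.
# Assumption: run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Both locations exist on 64-bit Windows; the second is absent on 32-bit.
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
) | Where-Object { Test-Path $_ }

# Path of the stub named in the post.
$stubFile = Join-Path $env:SystemRoot 'System32\win32.exe'

# Each component is a subkey named by a {GUID}; the program it runs is in StubPath.
# Match on the StubPath value, not the GUID, because the GUID is randomised.
$hits = foreach ($root in $activeSetupKeys) {
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.StubPath -and ($props.StubPath -like '*win32.exe*')) {
            [pscustomobject]@{ Key = $_.PSPath; StubPath = $props.StubPath }
        }
    }
}

if (-not $hits) {
    Write-Host "No Active Setup entry points at win32.exe."
} else {
    Write-Host "Active Setup entries launching win32.exe:"
    $hits | Format-Table -AutoSize
}

if (Test-Path $stubFile) {
    Write-Host "Stub file present: $stubFile"
} else {
    Write-Host "Stub file not found at $stubFile"
}

if ($Remove) {
    # Stop explorer.exe first: the post says the injected explorer.exe rewrites the
    # key under a new random GUID if it is deleted while explorer is still running.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2

    foreach ($h in $hits) {
        Remove-Item -Path $h.Key -Recurse -Force
        Write-Host "Deleted registry key $($h.Key)"
    }

    if (Test-Path $stubFile) {
        Remove-Item -Path $stubFile -Force
        Write-Host "Deleted $stubFile"
    }

    # Restart the shell once the persistence entry and the stub are gone.
    Start-Process explorer.exe
}
```

Run it once without -Remove to see what it would touch, then with -Remove from the same elevated prompt. Because explorer.exe is stopped before the key is deleted, the order matches the post's edit: shell first, then the registry entry, then the file, then restart the shell.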