Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do I remove the Fake SCANDISK virus 2

Status
Not open for further replies.
gezster

gezster

Technical User
Jul 12, 2010
12
GB
Hi,
One of my users "got a message says they needed to upgrade their antivirus, so clicked on the the Popup". DOH,.. and how has the the Fake scandisk Virus.
I maged to get rid of most of it, but after a reboot,the files appear again.
These files ar c:\windows\system32\xloadg66.dll,c:\users\USERNAME\AppData\Roaming\xloadg66.dll, c:\users\USERNAME\Appdata\Roaming\Windows\Startup\Scandiskg66.dll,c:\users\USERNAME\Appdata\Roaming\Windows\Startup\scandisk.lnk.
In MSCONFIG, there are startup reg values that, when I disable them, reactivate themselfs.
When I run regedit and manually delete the keys under RUN, they re-appear straight away.
Run32dll.exe is running (with xloadg66.dll) and I'm unable to stop it (even as admin).
From another PC, I can connect to the the pc's c$ and delete the files, but as soon as the the user logs in again, the files appeer.
SO,... the obvously a rouge service, exe, batch files that I can find running on start up that keeps re-infecting this PC.
AVG is run and "removes files on reboot", but they come back.
Same thing happens using malwarebytes and spybot.

PLEASE....does anyone know what I missing, or a free prog to delete the re-infecting element ?

If more info is needed, LEt me know and I will supply.

Cheers
 
Sort by date Sort by votes
There is a service running whose sole purpose is to reinstall those programs when you delete them.

You might try killing system restore, then reboot to safe mode and run microsoft's anti-malware.

These for starters.



Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
Upvote 0 Downvote
1. MalwareByte's Anti-Malware if the above doesn't work
2. Combofix if nothing else works.

Keep system restore until after removing malware. Then turn off system restore, reboot, turn on again.

Better safe than sorry with S.R. If you whack them before malware removal and there's a big problem, you can't use them. I know there's a philosophical difference about whether to remove them ahead of malware removal or after. I always do it after.
 
Upvote 0 Downvote
goombawaho - BRILLANT. Thank you. Virus eradicated and "tale Tale" signs of it being back (ie Xload etc) are not visable.

Thank you edfair for your advise and quick response, goombawaho's was easier to do remotely.
 
Upvote 0 Downvote
I would definitely say NOT brilliant - that's my standard answer when anyone even whispers the word malware. But, glad you got it fixed and thanks for the star. I be lovin' them stars.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
241
Oorde
Oorde
shivajiboss
  • Locked
  • Question
I am getting a problem while opening up my windows
Replies
1
Views
224
2ffat
2ffat
Mike Lewis
  • Locked
  • Question
MsMpEng.EXE in MSE: necessary? desirable?
Replies
3
Views
216
Mike Lewis
Mike Lewis
2ffat
  • Locked
  • News
Audacity is Spyware?
Replies
2
Views
197
2ffat
2ffat
ChrisOfOz
  • Locked
  • Question
Lenovo startup problem please any ideas? 2
Replies
10
Views
628
Yoko Littner
Yoko Littner

Part and Inventory Search

Sponsor

Back
Top