Spybot Search & Destroy does not find this.
HiJackThis does not find this.
You will find C:\WINDOWS\System32\drivers has a file called core.cache.dsk. ComboFix finds it and knows it is bad but has trouble getting rid of it. It always comes back.
It turns out a file with a .sys extension is causing all the popups. It will have a recent date/time (the date and time of the infection) and the name of a valid .sys file, except with the last character of the name duplicated. In my case the offending file was scisportt.sys (note the extra 't').
To cure this one, reboot into single-user mode, and delete both files (core.cache.dsk and filexx.sys) with Explorer. One of the easier ones to get rid of.
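A report-only way to look for both files, as an added example that is not part of the original post: it lists a drivers directory, notes whether core.cache.dsk is present, and flags .sys files whose name ends in a doubled character when they are also recently modified or sit next to the same name without the extra character. The 30-day "recent" window, the function name and the "twin" check are assumptions made for this sketch.

```python
import time
from pathlib import Path

MARKER = "core.cache.dsk"   # companion file named in the post
RECENT_DAYS = 30            # assumption: what counts as a "recent" date

def scan_drivers(drivers_dir, now=None, recent_days=RECENT_DAYS):
    """Report-only triage of a drivers directory.

    Returns (marker_present, suspects). A suspect is a .sys file whose
    name ends in a doubled character AND that is either recently
    modified or sits next to the same name without the extra character.
    """
    now = time.time() if now is None else now
    files = [p for p in Path(drivers_dir).iterdir() if p.is_file()]
    names = {p.name.lower() for p in files}
    suspects = []
    for p in files:
        stem = p.stem.lower()
        if p.suffix.lower() != ".sys" or len(stem) < 2 or stem[-1] != stem[-2]:
            continue
        age_days = (now - p.stat().st_mtime) / 86400
        recent = age_days <= recent_days
        twin = stem[:-1] + ".sys"          # name minus the duplicated char
        has_twin = twin in names
        # Legitimate drivers such as null.sys also end in a doubled letter,
        # so the doubled character alone is not enough to flag a file.
        if recent or has_twin:
            suspects.append({"name": p.name, "age_days": round(age_days, 1),
                             "recent": recent, "twin": twin if has_twin else None})
    # Files that are both recent and have a twin sort first.
    suspects.sort(key=lambda s: (not (s["recent"] and s["twin"]), s["age_days"]))
    return MARKER in names, suspects

if __name__ == "__main__":
    import sys
    # Default path is the directory named in the post; pass another to override.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\System32\drivers"
    marker, hits = scan_drivers(target)
    print(f"{MARKER} present: {marker}")
    for h in hits:
        print(f"  {h['name']}  age={h['age_days']}d  recent={h['recent']}  twin={h['twin']}")
```

The script only lists candidates; file timestamps can be altered, so treat the output as a starting point for a manual check of each flagged name.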