I-Worm/Ganda Remover Comparison: Free Tools vs. Paid Solutions

Diagnose and Remove I-Worm/Ganda — Fast Cleanup Tutorial

Overview

I‑Worm/Ganda (also called Win32/Ganda or Email‑Worm.Win32.Ganda) is an email‑propagating Windows worm from the early 2000s that spreads via malicious attachments, copies itself into the Windows folder (commonly as SCANDISK.exe, tmpworm.exe or a random 8‑letter .EXE), and adds autorun registry entries so it runs at startup. It can infect other PE executables and may try to disable or evade some antivirus products.

Follow these steps to quickly diagnose infection, clean the machine, and prevent reinfection.

1) Immediate containment (do this first)

  1. Disconnect the PC from the network — unplug Ethernet and disable Wi‑Fi to stop further spreading.
  2. Disconnect external storage (USB drives, external disks) to avoid cross‑infection.
  3. Work from a clean device when downloading tools or reading instructions.

2) Signs the PC may be infected

  • Unexpected outgoing emails with strange or blank subjects or attachments.
  • Files named SCANDISK.exe, tmpworm.exe, or random eight‑letter .EXE in the Windows folder.
  • New registry autorun entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanDisk.
  • Slow performance, crashes, or unfamiliar executable files.
  • Antivirus alerts or missing/disabled antivirus processes (more common on older Windows 9x systems).

3) Tools you’ll need

  • A modern, up‑to‑date antivirus/anti‑malware scanner (Windows Defender, Malwarebytes, Kaspersky, etc.).
  • A second clean computer or device to download tools if the infected machine cannot access the internet safely.
  • A USB drive (only if you must transfer tools — clean it after use).

4) Step‑by‑step removal

  1. Boot Windows normally (Safe Mode is not strictly required for Ganda) and keep the network disconnected.
  2. Open Task Manager and note suspicious processes (look for names matching items above). End only clearly malicious processes if you are confident; otherwise proceed to scanning.
  3. Run a full system scan with your primary up‑to‑date antivirus (Windows Defender is acceptable). Quarantine or remove detected items.
  4. Run a second scan with a different malware tool (e.g., Malwarebytes) to catch residues and infected PE loaders. Remove/quarantine anything found.
  5. Manually check and remove known traces (only if comfortable editing system files/registry):
    • Delete SCANDISK.exe, tmpworm.exe, and suspicious eight‑letter .EXE files from the Windows folder.
    • Inspect and remove the autorun registry entry if present:
      • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanDisk
        Use regedit or an AV tool to remove the ScanDisk entry. It is a value under the Run key; do not delete the Run key itself.
    • Search for additional copies in Program Files, user folders and Temp.
  6. Reboot the system and run another full scan to verify nothing remains.
  7. If infected PE files remain or system instability continues, restore from a known‑clean backup or perform an OS reinstall (see Recovery below).
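
A read-only check for the traces listed in step 5, as an added example that is not part of the original tutorial: it lists matching files in the Windows folder with their signature status and hash, and reports the ScanDisk autorun value. The WOW6432Node registry path is an assumption added for 64-bit systems and is not named in the tutorial.

```powershell
# Added example: read-only triage for the Ganda traces named in this tutorial.
# It reports candidates for review and deletes nothing.
$knownNames  = 'SCANDISK.exe', 'tmpworm.exe'   # names listed in the tutorial
$eightLetter = '^[a-z]{8}\.exe$'               # "random eight-letter .EXE" (match is case-insensitive)

# Legitimate files such as explorer.exe also match the eight-letter pattern,
# so signature status and hash are included to help tell them apart.
$files = @(
    Get-ChildItem -LiteralPath $env:windir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $knownNames -contains $_.Name -or $_.Name -match $eightLetter } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
)

# Autorun value from the tutorial. The WOW6432Node path is an assumption added
# here: it is where a 32-bit program's HKLM\Software writes land on 64-bit Windows.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$autoruns = @(
    foreach ($key in $runKeys) {
        $value = Get-ItemProperty -LiteralPath $key -Name 'ScanDisk' -ErrorAction SilentlyContinue
        if ($value) {
            [pscustomobject]@{ Key = $key; Name = 'ScanDisk'; Command = $value.ScanDisk }
        }
    }
)

'Candidate files in {0}: {1}' -f $env:windir, $files.Count
$files | Format-List
'ScanDisk autorun values found: {0}' -f $autoruns.Count
$autoruns | Format-List
```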

5) Recovery and verification

  • After cleaning, reconnect to the network and run cloud‑based/online scanners like Microsoft Safety Scanner for additional assurance.
  • Check email sent items and notify contacts if the worm sent messages from your account. Change email passwords from a clean device.
  • Verify system integrity: run SFC and DISM on modern Windows versions:

    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth

6) When to consider full reinstall

  • If scans cannot remove infections, system files or executables remain infected, or you notice persistent instability: back up personal files (scan them on a clean machine), wipe the drive, and reinstall Windows. Reinstall only from trusted installation media.

7) Prevent reinfection

  • Keep Windows and all software up to date (patch known vulnerabilities such as historical MS01‑020 class issues).
  • Use reliable, real‑time antivirus and enable automatic updates.
  • Do not open unexpected attachments — especially .EXE, .SCR, .PIF, .ZIP from unknown senders.
  • Enable a firewall and disable automatic previewing of emails in older Outlook/Outlook Express clients.
  • Regularly back up important files offline or to a versioned cloud service.

8) Quick checklist (summary)

  • Disconnect network & external drives
  • Scan with updated AV and a second anti‑malware tool
  • Remove SCANDISK.exe / tmpworm.exe / suspicious EXEs
  • Delete autorun registry entry (ScanDisk)
  • Reboot and re‑scan; run SFC/DISM if on modern Windows
  • Change passwords from a clean device
  • Restore from backup or reinstall if remediation fails
  • Apply updates and improve email hygiene

