Wednesday, February 9, 2011

Palladium Fake anti-virus

I just had the 'Palladium fake anti-virus' attack a computer. To fix it I first restarted in safe mode and then installed Malwarebytes' Anti-Malware (MBAM), ran a full system scan, and it removed all but 7 files. They were all located at "C:\Documents and Settings\NetworkService\Application Data" and all of them had today's date as their creation date. I manually deleted them, emptied the recycle bin and restarted the computer. I also ran CCleaner and it deleted all of the temporary files.

I also had to reinstall MS Office, as MS Outlook was trashed and would not run even in safe mode.

MBAM Log file:
Malwarebytes' Anti-Malware
Database version: 5721
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
2/9/2011 12:59:34 PM
mbam-log-2011-02-09 (12-59-34).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 221304
Time elapsed: 28 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Rogue.Palladium) -> Value: Shell -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\application data\guwr76D.exe (Trojan.Downloader) ->
Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\r9zgp6ak4.exe (Trojan.Downloader) ->
Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\683C8M6Q\cbta[1].exe (Trojan.Downloader) ->
Quarantined and deleted successfully.
c:\documents and settings\Sue\application data\palladium.exe (Rogue.Palladium) ->
Quarantined and deleted successfully.
c:\documents and settings\Sue\local settings\Temp\_check32.bat (Malware.Trace) ->
Quarantined and deleted successfully.
c:\WINDOWS\ws386.ini (Malware.Trace) ->
Quarantined and deleted successfully.
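The log above shows the two places this rogue lived: a per-user Winlogon "Shell" value (a registry entry that normally exists only under HKLM, set to explorer.exe, so a copy under HKCU means something is being launched in place of or alongside the desktop shell at logon) and freshly created executables in the NetworkService profile's Application Data folder. The following PowerShell script is an added example, not part of the original post or of any Malwarebytes tooling; it audits both spots on a Windows XP-style profile layout. It assumes it is run with administrator rights and that the folder path is the one quoted in the post.

```powershell
# Added example (not from the original post): re-check the two persistence
# locations that the MBAM log flagged, so a cleanup can be confirmed.
# Assumption: run as an administrator on the affected machine.

# 1. Per-user Winlogon Shell override.
#    The legitimate Shell value lives under HKLM and is "explorer.exe".
#    A Shell value under HKCU overrides it for that user and is the hook
#    the log attributed to Rogue.Palladium.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

$userShell = (Get-ItemProperty -Path "HKCU:\$winlogon" -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) {
    Write-Warning "Per-user Winlogon Shell override present: '$userShell'"
} else {
    Write-Output 'No per-user Winlogon Shell override (expected after cleanup).'
}

$machineShell = (Get-ItemProperty -Path "HKLM:\$winlogon" -Name Shell).Shell
if ($machineShell -ne 'explorer.exe') {
    Write-Warning "Machine-wide Winlogon Shell is '$machineShell' instead of 'explorer.exe'"
} else {
    Write-Output 'Machine-wide Winlogon Shell is explorer.exe (expected).'
}

# 2. Executable files created today in the NetworkService profile's
#    Application Data folder, where the post found the leftover droppers.
#    Path is the Windows XP layout quoted in the post; adjust for newer
#    Windows versions (C:\Windows\ServiceProfiles\NetworkService\...).
$dropDir = 'C:\Documents and Settings\NetworkService\Application Data'
$today   = (Get-Date).Date

$recent = Get-ChildItem -Path $dropDir -Include *.exe, *.bat, *.dll -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $today }

if ($recent) {
    Write-Warning "Executables created today under $dropDir :"
    $recent | Select-Object FullName, CreationTime, Length | Format-Table -AutoSize
} else {
    Write-Output "No executables created today under $dropDir (expected after cleanup)."
}
```

The Shell check is the more useful of the two for confirming a cleanup: the malware's files can be renamed or regenerated, but anything that wants to run at every logon has to leave a hook somewhere, and a stray HKCU Shell value is an unambiguous one. A service account profile such as NetworkService accumulating new .exe files is likewise worth a warning on its own, whatever the file names.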