Wednesday, March 16, 2011

Cleaning up after the Palladium Virus & Cohorts

A computer recently was infected by the Palladium virus twice.  The first time, Malwarebytes Anti-Malware and Windows Defender claimed to have fixed it.  However, after checking the log files I looked in C:\documents and settings\networkservice\application data and discovered a lot of leftover files that carried the infection.  The virus creates randomly named copies of itself so it can reinfect the computer.  You need to remove these files manually.

First, look for the batch files: they are a 3 or 4 digit number followed by '.bat'.  I renamed one to '.txt' so I could safely look at it, and sure enough it reinstalls the virus.  Next, get the JavaScript files: they are random letters followed by '.js'.  Again, they reinstall the virus.  Then there was a '.dat' file bearing the same creation date; I do not know whether it needs to be deleted or not.  Also delete any files named with random letters followed by '.exe'.  The anti-virus program should have removed them, but there may be some left behind.  The big giveaway is the random letters and the creation date all matching the date of the computer's infection.
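Added here as a worked example, not code from the post: a small Python triage script that applies the tells described above (dropper-shaped file names plus a creation date equal to the infection date) to a folder such as the Application Data path, and renames the executable hits to '.txt' so they can be read but not run. The 3 to 12 letter length for random names and the sample folder contents are assumptions.

```python
"""Triage leftover Palladium dropper files in a profile's Application Data folder.

Added example (not from the post). Assumed: random-name droppers are 3-12 letters;
dates are compared on creation time (st_birthtime where available, else st_ctime,
which is the creation time on Windows).
"""
import re
import tempfile
from datetime import date, datetime
from pathlib import Path

# File shapes the post describes: NNN(N).bat, letters.js, letters.exe, plus a .dat
SUSPECT = [re.compile(p, re.I) for p in (
    r"^\d{3,4}\.bat$", r"^[a-z]{3,12}\.js$", r"^[a-z]{3,12}\.exe$", r"^[a-z0-9]{3,12}\.dat$")]
EXECUTABLE = {".bat", ".js", ".exe"}

def created_on(path: Path) -> date:
    st = path.stat()
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime)).date()

def find_leftovers(folder, infection_date: date):
    """Files matching a dropper shape AND created on the infection date, sorted by name."""
    return [p for p in sorted(Path(folder).iterdir())
            if p.is_file() and any(rx.match(p.name) for rx in SUSPECT)
            and created_on(p) == infection_date]

def neutralize(paths):
    """Rename executables to .txt (the post's trick) so they can be inspected but not run;
    .dat files are only listed, since the post is unsure whether they must go."""
    renamed = []
    for p in paths:
        if p.suffix.lower() in EXECUTABLE:
            target = p.with_name(p.name + ".txt")
            p.rename(target)
            renamed.append(target)
    return renamed

def make_sample_folder():
    """Constructed stand-in for C:\\Documents and Settings\\NetworkService\\Application Data."""
    folder = Path(tempfile.mkdtemp(prefix="appdata_"))
    for name in ("1234.bat", "qwertz.js", "abc.exe", "kj3x.dat", "Readme.txt", "my_app.exe"):
        (folder / name).write_text("placeholder content\n")
    return folder, date.today()  # files were created today, standing in for the infection date

if __name__ == "__main__":
    folder, infected = make_sample_folder()
    hits = find_leftovers(folder, infected)
    print("suspect leftovers:", [p.name for p in hits])
    print("renamed:", [p.name for p in neutralize(hits)])
```

Point `find_leftovers` at the real folder with the date the machine was infected; files that match only the name pattern but carry a different creation date are deliberately left alone.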

In the picture I put a box around the files left over after the infection.

