Palladium Virus
Paradii
02-08-2011, 02:12 AM
Somehow my work laptop got infected with this Palladium virus. I searched the interwebs and attempted to clear it up myself, and I believe I got the virus dealt with. However, my virus scanner is constantly alerting me/quarantining 4 files, which I am assuming were part of the virus. Unfortunately, I can't find the files in the folders that they are claimed to be in.
I've adjusted the hidden files/folders options to "see all", and no luck.
Tips? Suggestions?
I used Malwarebytes' anti-virus tool, btw.
Mogonis
02-08-2011, 02:58 AM
Boot into Safe Mode and scan/fix issues. Then search the registry for items that websites may list as being associated.
When you think you've done all you can, boot normally and run HijackThis!, save a log, paste log at http://www.hijackthis.de.
Recommended apps:
Microsoft Security Essentials
Spywareblaster
Sandboxie (for running questionable apps if needed)
phantasm
02-08-2011, 10:18 AM
Google search a local computer shop with good reputation.
Most places should be able to clean this and other malware off your machine for a single flat price.
Take it to them and be done.
Ryvicke
02-08-2011, 10:26 AM
Google search a local computer shop with good reputation.
Most places should be able to clean this and other malware off your machine for a single flat price.
Take it to them and be done.
Such age 33-37 advice.
You should try to delete the files from the actual program's quarantine. Trying to manually delete things an anti-virus program has intentionally locked and hidden can cause these types of baffling inconsistencies. If you can't find the files listed in quarantine from the actual program, check the log to see if Malwarebytes deleted the files on start-up. You can also check your registry by searching regedit for the file name to see if there is an auto-launch that references the file names; although most virus programs today dynamically name the infected files with a random character generator, it's worth a shot.
Btw, I just looked up "Palladium", which looks like your general extortionware. This likely isn't the only virus on your computer. Generally extortionware starts showing up once a backdoor program or trojan has successfully installed itself and downloaded the extortionware. You probably have Bloodhound or whatever fotm exploit downloading this shit to your computer.
http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_security&pvid=endpt_prot_1
Might be worth a shot. Symantec is very good at finding trojans and backdoors.
Kuyuk
02-08-2011, 11:37 AM
Such age 33-37 advice.
lol
Paradii
02-08-2011, 11:38 AM
So here is where I stand. I've run a few virus programs (Symantec, Trojan Killer, Malwarebytes), located infected files and removed them, and removed troubled registry files. Now Symantec pops up an alert every 5 minutes saying that a trojan named:
ctba[1].exe and another .exe with a random set of 6 characters are located in my Temporary Internet Files folder and a Roaming folder, respectively. The latter one is easily removed, but the first one is nonexistent.
Unfortunately, the Temporary Internet Files folder is empty, and Symantec is not able to clean this file.
Rage.
Rinualdo
02-08-2011, 11:40 AM
Google search...
The Department of Redundancy Department called and would like to have a word with you.
So here is where I stand. I've run a few virus programs (Symantec, Trojan Killer, Malwarebytes), located infected files and removed them, and removed troubled registry files. Now Symantec pops up an alert every 5 minutes saying that a trojan named:
ctba[1].exe and another .exe with a random set of 6 characters are located in my Temporary Internet Files folder and a Roaming folder, respectively. The latter one is easily removed, but the first one is nonexistent.
Unfortunately, the Temporary Internet Files folder is empty, and Symantec is not able to clean this file.
Rage.
That could be a false positive. Open Symantec, click "Quarantine", select each file individually and delete it. If you can't access the files from quarantine, check your log for no-action-taken items and attempt to delete them from there. Obviously look at what you're deleting first and make sure you're not deleting anything important. If you could post a copy/paste of what you have in your Symantec log files, it would be helpful in figuring out what virus you have.
Suppa Hobbit Mage
02-08-2011, 11:49 AM
Back up critical files, format, reinstall apps, scan backup files individually, and cut your losses.
Back up critical files, format, reinstall apps, scan backup files individually, and cut your losses.
That works too. To be quite honest, if I find a system at work that has had an ongoing problem like this and I can't fix it in 2-3 hours, I just blow it away. It's just not worth the time trying to jump through all the hoops to get a heavily infected system back online unless the required software is extremely expensive and hard to re-install. If you could re-install Windows without spending much money, it's a very valid course of action.
Back up critical files, format, reinstall apps, scan backup files individually, and cut your losses.
I came here to say this.
BigWorm
02-08-2011, 02:17 PM
Back up critical files, format, reinstall apps, scan backup files individually, and cut your losses.
This is the only real solution
If you are willing to read logs and look into what is infecting your system, the majority of the time it's faster to fix the problem than to reformat, but in rare cases it can actually save time. Of the hundreds of these I have removed, I have only seen 2 or 3 cases of extortionware that actually did serious damage to the underlying system, usually by shredding the registry. Most of them just burrow into system restore files and basically consist of a few DLLs and a PNG file that provides the picture for the annoying shit on your screen. If you're willing to read up on it, it's very possible to remove these things without reformatting 90% of the time. It's just a decision between which will take longer imo.
BigWorm
02-08-2011, 03:14 PM
If you are willing to read logs and look into what is infecting your system, the majority of the time it's faster to fix the problem than to reformat, but in rare cases it can actually save time. Of the hundreds of these I have removed, I have only seen 2 or 3 cases of extortionware that actually did serious damage to the underlying system, usually by shredding the registry. Most of them just burrow into system restore files and basically consist of a few DLLs and a PNG file that provides the picture for the annoying shit on your screen. If you're willing to read up on it, it's very possible to remove these things without reformatting 90% of the time. It's just a decision between which will take longer imo.
How can you ever be sure you got it all though?
It's a computer virus, not cancer.
1. Run RKill.
Read the log and look at what was stopped.
2. Turn off System Restore.
3. Make sure you are not on a proxy server.
4. Update and then run your antivirus suite.
Look through all logs. Delete/clean files; cross-reference these logs with RKill and look for the trojan or backdoor that introduced the virus.
5. Update and run Malwarebytes.
6. Look for the file names from the RKill logs/antivirus logs/Malwarebytes logs in regedit.
7. Read up on all the viruses on Symantec's website and follow the instructions they provide for removal.
8. Reboot.
9. Turn System Restore back on sometime later.
This works for me pretty much every time. I know a few tricks on the side, but really I very rarely need to do anything beyond these steps to get rid of a computer virus, and I do desktop support for over 50 people; I get one or two of these per week. I generally can get rid of extortionware in under an hour.
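As an added example (not code from any poster in this thread), the PowerShell script below automates steps 3 and 6 of BigWorm's list and the regedit search and hidden-file hunt that Ryvicke and Paradii discuss: it reports whether a user proxy is configured, scans the common autorun registry locations for the file names taken from your AV logs, and searches the user profile (where Temporary Internet Files and Roaming live) with hidden and system files included. It assumes Windows PowerShell 3.0 or later run from an elevated prompt. The $SuspectNames parameter, the function names Test-UserProxy, Find-AutorunReference and Find-SuspectFile, and the sample name abcdef.exe are constructed for the example; ctba[1].exe is the name from Paradii's post.

```powershell
<#
Added example, not code from the thread. Triage helper for steps 3 and 6
(proxy check, then registry autorun search) plus the on-disk search Ryvicke
and Paradii discuss. Assumes Windows PowerShell 3.0 or later, run as an
administrator. $SuspectNames is a constructed sample list standing in for the
file names you copied out of the RKill / antivirus / Malwarebytes logs.
#>
param(
    [string[]]$SuspectNames = @('ctba[1].exe', 'abcdef.exe')  # constructed placeholders
)

# Step 3: report whether a WinINet (Internet Explorer) proxy is configured for this user.
function Test-UserProxy {
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) {
        Write-Warning "User proxy is enabled: $($inet.ProxyServer)"
        return $true
    }
    Write-Host 'No user proxy configured.'
    return $false
}

# Step 6: look for the suspect file names in the common autorun registry locations.
# IndexOf is used instead of -like/-match because a name such as ctba[1].exe contains
# characters that wildcard and regex syntax would otherwise interpret as a character class.
function Find-AutorunReference {
    param([string[]]$Names)
    $autorunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit values
    )
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            $value = [string]$p.Value
            foreach ($n in $Names) {
                if ($value.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $value; Matched = $n }
                }
            }
        }
    }
}

# The files Symantec keeps flagging live under the user profile. -Force includes hidden
# and system files, which the Explorer "show hidden files" option alone does not always reveal.
function Find-SuspectFile {
    param([string[]]$Names)
    $roots = @($env:LOCALAPPDATA, $env:APPDATA)
    Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |      # -contains is case-insensitive
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Test-UserProxy | Out-Null
$hits = @(Find-AutorunReference -Names $SuspectNames)
if ($hits.Count -eq 0) { Write-Host 'No autorun entries reference the suspect names.' }
else { $hits | Format-Table -AutoSize }
Find-SuspectFile -Names $SuspectNames | Format-Table -AutoSize
```

Run it as `.\triage.ps1 -SuspectNames 'ctba[1].exe','xyz123.exe'` with the names from your own logs. A registry hit tells you which autorun entry to remove in regedit (step 6); an empty on-disk result for a name the scanner keeps reporting points at Ryvicke's explanation, a quarantined or already-deleted file that the scanner is still logging, rather than a live copy.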
Ryvicke
02-08-2011, 05:30 PM
Guys, watch what I'm about to do here:
1. Buy a Mac.
Mogonis
02-08-2011, 05:33 PM
Because Macs never get viruses!
Paradii
02-08-2011, 08:20 PM
Well, I think I got it under control, without having to reformat. Thanks for the help gang.
Powered by vBulletin® Version 4.2.5 Copyright © 2025 vBulletin Solutions Inc. All rights reserved.