
Remove Palladium Pro Malware

By Steve Espino – PC Tools Malware Research Team

Palladium Pro is a fake antivirus program that displays fake malware alerts on PCs in order to make unsuspecting users think that their computer has been infected by malware. Palladium Pro is part of a massive number of fake antivirus clones with names like CoreGuardAntivirus2009, Security Essentials 2010, and XP Smart Security 2010, to name a few.

Like most other fake antivirus programs, Palladium Pro may be distributed through fake online "scans" of the visitor's computer, and may also be downloaded and installed by other malware already present on the affected computer.

Installation

Upon execution, Palladium Pro masquerades as Microsoft Security Essentials in an attempt to legitimize its scare tactics.

The malicious program then asks the user to reboot the affected machine in order to evade anti-malware scanners.

Upon reboot, Palladium Pro displays a list of fake detections and fake warnings, offering cleanup only if the user buys the fake antivirus software.

Those seeking to fix the problems detected on their computer are lured into entering their credit card details onto a malicious website.

PC Tools advises against entering any credit card information on these forms.  Victims who have fallen for the ruse are strongly advised to immediately contact their credit card companies to dispute the anomalous transactions and ensure that there will be no future unauthorized charges.

Unless the unsuspecting user falls for Palladium Pro's scare tactics and pays for the fake product, Palladium Pro attempts to render the affected machine virtually unusable.

Manual Removal Guide

Palladium Pro drops the following files:

%appdata%\completescan_pal

%appdata%\install_pal

%appdata%\palladium.exe

%appdata%\startup.js

%appdata%\temp.js

%appdata%\yaho.exe

%desktop%\Palladium for Windows.lnk

%startmenu%\Programs\Palladium for Windows.lnk

%startmenu%\Programs\Startup\Startup.js

%windows%\Tasks\At[random number].job

Notes:

Typical paths for equivalent system variables are as follows:

%appdata% – C:\Documents and Settings\[UserName]\Application Data

%desktop% – C:\Documents and Settings\[UserName]\Desktop

%startmenu% – C:\Documents and Settings\[UserName]\Start Menu

%windows% – C:\Windows

Palladium Pro creates these registry keys and entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Value: Startup; data: "%appdata%\temp.js"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Value: Startup; data: "%appdata%\Startup.js"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: Shell; data: "%appdata%\palladium.exe"

How To Remove Palladium Pro

Important Notice:  Before attempting to manually remove Palladium Pro, be aware that you might need to modify browser settings, modify/remove registry settings, and delete files and folders, which can result in your system becoming unstable. PC Tools recommends that the following procedures be performed by experienced users.

For additional information on using the Windows Registry, please read the following Microsoft article:

http://support.microsoft.com/kb/256986/EN-US/

1.  Restarting in Safe Mode

In order to properly remove Palladium Pro, the infected machine must be restarted in Safe Mode.

For information on how to restart your computer in Safe Mode, please refer to the Microsoft instructions for the version of Windows you are using:

Windows XP:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true

Windows Vista:

http://windows.microsoft.com/en-US/windows-vista/Start-your-computer-in-safe-mode

Windows 7:

http://windows.microsoft.com/en-US/windows7/Start-your-computer-in-safe-mode

2.  Cleaning Dropped Files/Folders

Once the affected machine has been restarted in Safe Mode, open Windows Explorer. To delete the Palladium Pro files and folders, click the Start button and then select Find or Search, depending on the version of Windows you are running.

Search for each of the following entries and delete them:

Important Notice: Please take extreme caution, as most rogue antivirus software uses random characters in its file names.

%appdata%\completescan_pal

%appdata%\install_pal

%appdata%\palladium.exe

%appdata%\startup.js

%appdata%\temp.js

%appdata%\yaho.exe

%desktop%\Palladium for Windows.lnk

%startmenu%\Programs\Palladium for Windows.lnk

%startmenu%\Programs\Startup\Startup.js

%windows%\Tasks\At[random number].job

Notes:

Typical paths for equivalent system variables are as follows:

%appdata% – C:\Documents and Settings\[UserName]\Application Data

%desktop% – C:\Documents and Settings\[UserName]\Desktop

%startmenu% – C:\Documents and Settings\[UserName]\Start Menu

%windows% – C:\Windows

3.  Cleaning the Windows Registry

Run the Windows Registry Editor: click the Start button, select Run, type regedit and click OK.

Navigate through the Windows Registry and delete the relevant registry values under each specified registry subkey:

Important Notice: Please take extreme caution, as most rogue antivirus software uses random characters in its value names and data.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Value: Startup; data: "%appdata%\temp.js"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Value: Startup; data: "%appdata%\Startup.js"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: Shell; data: "%appdata%\palladium.exe"

Another option for cleaning the registry entries created by Palladium Pro is the PC Tools Startup Explorer.

Download and install PC Tools Startup Explorer here. Run PC Tools Startup Explorer and locate the Palladium Pro startup entries listed above. For each entry, select Disable and then Delete.

4.  Scan the Computer using PC Tools Spyware Doctor

Scan the affected computer using your PC Tools Spyware Doctor to automatically remove all traces of infection including malicious running processes, dropped files and created folders, registry keys and registry entries.  Spyware Doctor will also clean the Windows Hosts file.
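As an added example that is not part of the PC Tools article, the following PowerShell script checks a machine for the dropped files and registry values listed in steps 2 and 3 and reports what it finds; it only deletes them when run with the -Remove switch. It assumes the currently logged-on user's profile is the infected one and resolves the %appdata%, %desktop%, %startmenu% and %windows% placeholders through .NET rather than the literal XP paths above.

```powershell
# Added example, not from the PC Tools article. Reports (and with -Remove,
# deletes) the Palladium Pro artifacts listed in this guide.
param([switch]$Remove)

# Resolve the placeholders used in the article for the current user.
$appdata   = [Environment]::GetFolderPath('ApplicationData')
$desktop   = [Environment]::GetFolderPath('Desktop')
$startmenu = [Environment]::GetFolderPath('StartMenu')
$windows   = [Environment]::GetFolderPath('Windows')

$files = @(
    "$appdata\completescan_pal", "$appdata\install_pal", "$appdata\palladium.exe",
    "$appdata\startup.js", "$appdata\temp.js", "$appdata\yaho.exe",
    "$desktop\Palladium for Windows.lnk",
    "$startmenu\Programs\Palladium for Windows.lnk",
    "$startmenu\Programs\Startup\Startup.js"
)

# Registry values from the article; the Data pattern guards against deleting a
# legitimate Shell or Startup value that does not point at the dropped files.
$regValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Startup' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Startup' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'Shell' }
)
$dataPattern = 'palladium\.exe|temp\.js|startup\.js'

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "Found file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# The task name carries a random number, so match by pattern. Legitimate at.exe
# jobs use the same naming scheme, so these are reported for review, not deleted.
Get-ChildItem -Path "$windows\Tasks" -Filter 'At*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Review scheduled task file: $($_.FullName)" }

foreach ($rv in $regValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = $item.($rv.Name)
    Write-Host "Found registry value: $($rv.Key)\$($rv.Name) = $data"
    if ($Remove -and $data -match $dataPattern) {
        Remove-ItemProperty -Path $rv.Key -Name $rv.Name
    }
}
```

Run it first without -Remove to review the findings, since a Winlogon Shell value that does not reference palladium.exe is left in place on purpose.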
