
Paladin Antivirus

Posted on 13 February 2010 under Rogue Programs

1. What is Paladin Antivirus?

Paladin Antivirus belongs to a family of rogue security software and, judging by the similarity between the two programs, is related to Malware Defense. The program uses scareware methods: it attempts to frighten the victim into believing that the computer is infected and so persuade them to purchase the rogue program, which is supposed to remove the infections. This is done by the bogus Paladin Antivirus scanner, which reports legitimate Windows files as threats, along with files that the program itself has dropped (e.g. cookie files). Various false messages are also used to warn the user about supposed dangers (Network attack detected, Keylogger detected, etc.).

Paladin Antivirus is accompanied by a fake Windows Security Center, which displays alerts about detected threats and asks the user whether to block them. These messages imitate genuine Windows messages, so to a less experienced computer user they may look like legitimate warnings, which encourages the purchase of a rogue license. Some examples of the Security Center alerts:
  • Backdoor.Win32.Agent.ich | This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 48640 bytes in size. It is packed using UPX. The unpacked file is approximately 360KB in size.
  • Rootkit.Win32.Agent.pp | This Trojan masks its presence in the system from users and from other programs. It is a Windows PE SYS file. It is 40960 bytes in size. It is not packed in any way. It is written in C.
  • Backdoor.Win32.Kbot.al | This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 12787 bytes in size.
  • Net-Worm.Win32.DipNet.d | DipNet.d infects computers running under Windows. The worm itself is a Windows PE EXE file approximately 91KB in size, packed using UPX. The unpacked file is approximately 264KB in size. The worm propagates by exploiting a vulnerability in Microsoft Windows LSASS (MS04-011).
  • Net-Worm.Win32.Mytob.t | This network worm infects computers running Windows. The worm itself is a Windows PE EXE file, written in Visual C++. The file may be packed with one of a range of packers, and the size of the infected file may therefore vary. The packed file is approximately 47KB or greater in size, and the unpacked file is approximately 150KB to 260KB in size.
Paladin Antivirus also displays a warning that falsely alerts the user that some process is trying to steal facebook.com, paypal.com, gmail.com and ***bank***.com passwords. Another fake warning states that PDM.Keylogger is trying to redirect keyboard input. All of these warnings prompt the user to click the button below them in order to block and remove the threats. Pressing the button pops up a notice window asking the user to upgrade to the fully functional Paladin Antivirus version. Finally, Paladin Antivirus Safebrowser is launched, suggesting that the user fill in an Order Form and make a secure purchase. Do not enter credit card details or any other confidential information, and do not try to buy the program: Paladin Antivirus is a rogue program and will not remove any real threats.

2. Paladin Antivirus screen shot:

Paladin Antivirus

3. How to remove Paladin Antivirus:

  1. Paladin Antivirus may disable the Internet connection or block the Internet browser, so it might not be possible to download any files to the infected computer. In that case, download all files required for Paladin Antivirus removal on another computer and transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove Paladin Antivirus, download Spyware Doctor and install the program (for the installation guide click here). Before installation, make sure all other programs and windows are closed.
  3. After the installation, a computer scan should start automatically. If so, move to the next step. If not, click "Status" in the left-hand menu and press the "Scan Now" button to run the scanner, as shown in the picture below:

  4. After the scan has completed and the results have been generated, press the "Fix Checked" button to remove Paladin Antivirus.

  5. Restart the computer to complete the Paladin Antivirus removal procedure.

4. Paladin Antivirus files:

C:\Program Files\Paladin Antivirus\pav.exe

5. Hijackthis entries:

O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe
O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan (User '?')
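The O4 entries above are the registry Run values that restart the rogue at logon. As an added example (not code from the original page or from HijackThis), the following Python parses HijackThis O4 lines and flags the ones that match the file names and locations listed on this page; the sample log is constructed from the page's entries plus one benign entry for contrast.

```python
import re
# Constructed sample: the first three O4 lines are the ones listed on this page,
# plus one benign HKLM entry (ctfmon.exe from system32) added for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe
O4 - HKCU\..\Run: [Paladin Antivirus] "C:\Program Files\Paladin Antivirus\pav.exe" -noscan
O4 - HKUS\S-1-5-21-789336058-1935655697-1957994488-1003\..\Run: [msdtctr.exe] C:\DOCUME~1\user\LOCALS~1\Temp\msdtctr.exe (User '?')
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 line layout: "O4 - <hive>[\<SID>]\..\Run: [<value name>] <command> [(User '<x>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

PAGE_INDICATORS = {"pav.exe", "msdtctr.exe"}  # file names the page attributes to the rogue

def executable_path(cmd):
    """Return the program path of a Run value, handling quoted paths followed by arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def parse_o4_lines(log):
    """Parse every O4 line into hive, SID, value name, command, user and executable path."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(dict(m.groupdict(), exe=executable_path(m["cmd"])))
    return entries

def assess(entry):
    """List the reasons an autorun entry matches this page's indicators (empty = clean)."""
    low = entry["exe"].lower()
    reasons = []
    if low.rsplit("\\", 1)[-1] in PAGE_INDICATORS:
        reasons.append("known Paladin Antivirus file name")
    if "\\paladin antivirus\\" in low:
        reasons.append("runs from the Paladin Antivirus install directory")
    if "\\temp\\" in low:
        reasons.append("autorun program launched from a Temp directory")
    return reasons

def flag_entries(log):
    """Return only the suspicious entries, each carrying its list of reasons."""
    return [dict(e, reasons=assess(e)) for e in parse_o4_lines(log) if assess(e)]
```

Entries flagged under the HKUS hive belong to another user's profile (HijackThis marks them with the `(User '?')` suffix), so both the HKCU and the HKUS copies must be removed for the cleanup to stick.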