3 Replies Latest reply on Feb 25, 2010 11:28 AM by OldEEng

    Paladin Antivirus and Antivirus Vista 2010 Infection

      I have been running McAfee Total Protection on all my PCs on my home network since last May. Yesterday, I received a McAfee pop-up message on a laptop running Vista Home Premium that said "Restart Required ... to finish installing these programs: 3-User McAfee Total Protection". At the end of the day, I went ahead and closed all of my programs and restarted the computer but did not log in again until this morning. When I did log in, I had a new icon in the program tray and a popup for "AntivirusVista 2010". There were also three icons on my desktop for porn sites. I started McAfee SecurityCenter right away and started a scan. I then started getting popup windows for "Paladin Antivirus" with "click here to scan" and "click here to install" buttons. They interfered with the McAfee scan, paused it and then froze it up. I turned off the machine and am now running scans on my other machines (which are all XP Professional machines) and so far none of them seem to be infected. I did a search on Google and found any number of sites that tell me how to remove "Antivirus Vista 2010" and "Paladin Antivirus" but I am not familiar with any of them. Can anyone direct me to a good removal site? I tried searching this forum but didn't find any discussion of these viruses.

        • 1. Re: Paladin Antivirus and Antivirus Vista 2010 Infection
          techrumy

          You can search bleepingcomputer.com for removal instructions. They have removal instructions for both viruses. Here you go:

          http://www.bleepingcomputer.com/virus-removal/remove-paladin-antivirus

          http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

          Slightly different but also good Paladin and Antivirus Vista 2010 removal instructions can be found here:

          How to remove Paladin Antivirus and How to remove Vista Antispyware 2010

          Also note that Paladin Antivirus comes with the TDSS rootkit/trojan that blocks Malwarebytes, so you will have to remove it first. Search for the TDSSKiller tool.

          Good luck!
          • 2. Re: Paladin Antivirus and Antivirus Vista 2010 Infection

            techrumy,

            Thank you for the help, I really appreciate you taking the time to direct me to the links on bleepingcomputer.com. It took me a long time but I finally got the mess cleaned up. Prior to your message, I searched around and found some additional information on the Paladin virus removal by making some changes to the Windows registry, which were detailed on the site. I made those manual changes and I DO NOT recommend anyone else doing them because they triggered something from the viruses that kept me from being able to run any programs at all. Every time I tried to run anything (by icon or by 'Start, Run') I got a message that said "this file does not have a program associated with it for performing this action". This applied to both .exe files and to .com files, even though it seems to be most common with .exe files.
            I was also unable to run regedit in Safe Mode or any other way.
            I had downloaded Malwarebytes' Anti-Malware but I couldn't get it to run, even following the instructions to put it on the desktop and rename it iexplore.com. Your Paladin cleanup link:

            http://www.bleepingcomputer.com/virus-removal/remove-paladin-antivirus

            said to use rkill.com and I successfully ran it once, but after that the computer automatically rebooted and I couldn't get it to run again.

            What ultimately saved me was being able to run FixExe.reg from your other link:

            http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

            and then running Kaspersky Lab's TDSSKiller.exe. TDSSKiller definitely found a rootkit virus and cleaned it up. I can't find a link to the site that told me to run TDSSKiller but that seemed to turn the tide. McAfee had been flashing up that it had found a trojan called Vundo.H but it wasn't able to clean it, so I searched the web for info on that virus.

            From the following link:

            http://forums.malwarebytes.org/index.php?showtopic=27430

            I found that I needed to run ComboFix, with information at:

            http://www.bleepingcomputer.com/combofix/how-to-use-combofix

            This cleaned me up enough to allow me to install and run Malwarebytes' Anti-Malware, which found the following:

            Files Infected:
            C:\Windows\System32\jorojura.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
            C:\Windows\System32\zilafaba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
            C:\Windows\System32\zuzahovo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

            I am currently working with Malwarebytes support because I still can't update Anti-Malware, but I think I am just about clean.

            I am not sure why I got infected in the first place, but in looking at the McAfee firewall, it defaults to having protection disabled during Windows startup. I have obviously changed that but still can't see how my notebook got infected sitting there waiting for my login, since it was inside my NAT router firewall.

            Anyway, thanks again for getting me started in the right direction.

            • 3. Re: Paladin Antivirus and Antivirus Vista 2010 Infection

              Update:

              After much effort, I was finally able to get Malwarebytes' Anti-Malware to update and then ran a new scan. The new scan found an additional 7 infections:

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{27657d47-efce-4f67-8800-a874585d1a4b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.215,93.188.166.19 -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{27657d47-efce-4f67-8800-a874585d1a4b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.215,93.188.166.19 -> Quarantined and deleted successfully.

              Folders Infected:
              C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

              Files Infected:
              C:\$RECYCLE.BIN\S-1-5-21-4033314815-3682911532-637652802-1003\$R2T86PX\jobapoja.dll.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
              C:\$RECYCLE.BIN\S-1-5-21-4033314815-3682911532-637652802-1003\$RQR95VU\kejepuha.dll.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
              C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus Support.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
              C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
              C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Uninstall Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

              I am currently working with a support person from Malwarebytes to ensure that everything is okay now. I think he is probably interested in which virus was hanging on to block Anti-Malware from updating the virus definitions.

              In case you missed it in my last post, I would like to emphasise that McAfee defaults to a firewall security setting that has protection disabled during Windows startup.
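The Malwarebytes log in the update above shows two of the persistence points this infection used: rewritten per-interface DNS server entries under Tcpip\Parameters\Interfaces (Trojan.DNSChanger), and, earlier in the thread, hijacked .exe/.com open handlers that produced the "no program associated" error and that FixExe.reg repaired. The PowerShell script below is an added example for checking both on a Windows host; it is not code from this thread or from McAfee, Malwarebytes or BleepingComputer. The `$ExpectedDns` list is a placeholder assumption that you must replace with the DNS servers your own network legitimately hands out; the two addresses in `$ReportedBad` are the ones quoted in the log above.

```powershell
# Added example, not code from the thread or from any vendor mentioned in it.
# Audits the two persistence points described in the posts above:
#  1. per-interface DNS servers under Tcpip\Parameters\Interfaces (Trojan.DNSChanger)
#  2. the exefile/comfile open handlers whose hijack causes the
#     "no program associated" symptom, and which FixExe.reg restores.
# Run from an elevated PowerShell prompt.

# ASSUMPTION: replace with the DNS servers your network is supposed to hand out.
$ExpectedDns = @('192.168.1.1')
# Addresses quoted in the Malwarebytes log earlier in this thread.
$ReportedBad = @('93.188.163.215', '93.188.166.19')

$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $props = Get-ItemProperty -Path $iface.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $value = $props.$name
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # The value is a comma- or space-separated list of addresses.
        foreach ($server in ($value -split '[,\s]+' | Where-Object { $_ })) {
            if ($ReportedBad -contains $server) {
                Write-Warning "$($iface.PSChildName) $name = $server (matches address quoted in this thread)"
            } elseif ($ExpectedDns -notcontains $server) {
                Write-Output "REVIEW  $($iface.PSChildName) $name = $server (not in expected list)"
            } else {
                Write-Output "OK      $($iface.PSChildName) $name = $server"
            }
        }
    }
}

# On a clean system both handlers are  "%1" %*  in the machine hive, and the
# per-user Classes hive normally carries no override for them at all.
$expectedCmd = '"%1" %*'
foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    foreach ($cls in 'exefile', 'comfile') {
        $key = "$hive\$cls\shell\open\command"
        if (-not (Test-Path -Path $key)) {
            if ($hive -like 'HKCU*') { Write-Output "OK      no per-user override for $cls" }
            else                     { Write-Warning "$key is missing" }
            continue
        }
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        if ($cmd -eq $expectedCmd) {
            Write-Output "OK      $key = $cmd"
        } else {
            Write-Warning "$key = '$cmd' (expected '$expectedCmd')"
        }
    }
}
```

Lines marked REVIEW are not necessarily malicious (a laptop that roams between networks will have stale DhcpNameServer values for old interfaces), but any server that is neither your router nor a resolver you chose deserves a look, and a per-user exefile override that points anywhere other than `"%1" %*` is the pattern the thread describes.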