• Palladium – it’s not a security suite!


    Hi there

    My mom-in-law called yesterday to tell me that Palladium had taken over her machine... could not get past the flash screen that wants her to pay for the “Pro” version... told her to turn off, and I would check it out last night.

    What I found out is that Palladium is a Trojan – and it's nasty! It takes over, making your machine unusable. It tells you that you have a whole host of spyware and viruses (in actual fact only one – Palladium!).

    I went into safe mode – same result! But by using Task Manager I managed to stop Palladium.exe from running. Next I tried to find where the file was located, but could not get explorer.exe to run – it's been deleted!

    I had a look at some of the AV vendors sites, and it seems that this one is a really nasty one – so watch out!

    I will be re-installing the old laptop – XP SP3 here we come!

    Be aware that I had Sophos Antivirus running on this machine all the time. The problem is that the machine is turned on only once or maybe twice a week, so the virus definitions were not up to date enough to catch this bug! Be aware……..

    • #1265764

      Manual removal may need to be effected via the command prompt in safe mode or a bootable DOS disk. One may also need to do a post-eradication repair install of the operating system, since “sfc /scannow” may be unreliable for post-clean-up repairs.

      Since this scamware has the potential for other uninvited pests, like potential rootkits, the safest course of action would be a total reformat & clean install.

      Delete Palladium Antivirus files:
      %appdata%\palladium.exe
      %appdata%\z.exe
      %programs%\palladium.lnk
      %desktop%\palladium.lnk

      Delete Palladium Antivirus registry entries:
      HKCR\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000}

      Palladium Pro manual removal guide:
      Delete Palladium Pro files:
      %appdata%\asdfasfas.bat
      %appdata%\completescan_pal
      %appdata%\install_pal
      %appdata%\palladium.exe
      %appdata%\start_pal
      %appdata%\uid_pal
      %desktop%\palladium for windows.lnk
      %tempdir%\perflib_perfdata_550.dat
      %programs%\palladium for windows.lnk
      %windir%\tasks\at1.job
      %windir%\tasks\at2.job
      %windir%\tasks\at3.job
      %windir%\tasks\at4.job
      %windir%\tasks\at5.job
      %windir%\tasks\at6.job
      %windir%\tasks\at7.job
      %windir%\tasks\at8.job
      %windir%\tasks\at9.job
      %windir%\tasks\at10.job
      %windir%\tasks\at11.job
      %windir%\tasks\at12.job
      %windir%\tasks\at13.job
      %windir%\tasks\at14.job
      %windir%\tasks\at15.job
      %windir%\tasks\at16.job
      %windir%\tasks\at17.job
      %windir%\tasks\at18.job
      %windir%\tasks\at19.job
      %windir%\tasks\at20.job
      %windir%\tasks\at21.job
      %windir%\tasks\at22.job
      %windir%\tasks\at23.job

      Delete Palladium Pro registry entries:
      HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="%appdata%\palladium.exe"
      HKU\S-1-5-21-121440339-1343024091-1060284298-1004\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="%appdata%\palladium.exe"

    • #1265765

      Clint... Thanks for the tips...

      I think I will have to opt for the total re-install, because Windows is damaged beyond repair – there is no file called explorer.exe... The trojan knocked that out somehow!

      I will obviously be very careful when trying to recover information and data. I don't want to re-infect the machine with bad data!

      I thought it would be a good thing to warn others that this is a really nasty one – be careful and certainly don't make any payments to these scammers...!

    • #1266905

      http://www.bleepingcomputer.com/virus-removal/remove-palladium-pro
      Exact instructions for its removal without doing a complete reinstall. This one came out, I believe, Jan 1 of this year, and Bleeping Computer had the fix up pretty quick. It's a bad bug, but you don't have to reinstall.

      Actually, when you terminated Palladium, you needed to restart your Explorer and fix the Shell. Then you would not have had to reinstall. Hope this helps.

        1. When the Task Manager starts, click on the Processes tab.
        2. You will now be at the Processes tab as shown in the image below. When you are at the above screen, scroll down through the list of running processes and left-click once on the palladium.exe process.
        3. Once the palladium.exe process is highlighted, click on the End Process button. When you press this button, Windows will ask if you are sure you want to terminate the process. You should press the Yes button to terminate it.
        4. Palladium Pro will now be terminated and you will be at a blank screen with Task Manager running. Now click on the File menu and select New Task (Run…) from the menu.
        5. When the Create New Task prompt appears, type explorer.exe into the Open: field and press the OK button. After a minute or so you should be back at your Windows desktop.
        6. Now that we have the Windows desktop back, the first thing we have to do is fix your Windows Registry Shell value. If we do not fix this entry and palladium.exe is deleted, then your Windows desktop will not be displayed the next time you reboot.

        To fix the Shell entry, simply download the following file to your desktop. If you are having trouble downloading the file, try right-clicking on it and selecting Save as.

        Shell.reg Download Link

      I did a little searching and Microsoft also has a link for that shell file too. I know it's late for you, but hoping that if someone else gets the bug, they can fix it the easy way.
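      An added example, not code from this thread or from the Bleeping Computer guide: a PowerShell script that does the "fix the Shell value" step from the post above in an auditable way, and also reports the file artifacts listed in Clint's removal guide earlier in the thread. It checks the Winlogon Shell value under HKCU, every loaded user hive under HKU, and HKLM; anything other than the Windows default of explorer.exe is flagged, and with -Repair it is reset to explorer.exe. The artifact names are taken from the posts; the script only reports them, it does not delete anything. Run it from an elevated PowerShell prompt.

      ```powershell
      # Added example (not from the thread): audit the Winlogon "Shell" value that this
      # rogue AV hijacks and, with -Repair, restore it to the default "explorer.exe".
      # Also lists the artifacts named in the thread. Run as administrator.
      # Assumption: the only legitimate Shell value on this machine is "explorer.exe".
      param([switch]$Repair)

      $winlogonPaths = @('HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon')

      # Walk every loaded per-user hive so other profiles on the box are covered too
      # (the thread shows the value planted under a specific HKU\S-1-5-21-... SID).
      Get-ChildItem 'Registry::HKEY_USERS' |
          Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
          ForEach-Object {
              $winlogonPaths += "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
          }

      # Machine-wide value; this is the one Windows uses when no per-user value exists.
      $winlogonPaths += 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

      foreach ($path in $winlogonPaths) {
          if (-not (Test-Path $path)) { continue }
          $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
          if ($null -eq $shell) { continue }   # no per-user override: nothing to check

          if ($shell -ieq 'explorer.exe') {
              Write-Host "[ok]   $path  Shell = $shell"
          } else {
              Write-Host "[WARN] $path  Shell = $shell"
              if ($Repair) {
                  Set-ItemProperty -Path $path -Name Shell -Value 'explorer.exe'
                  Write-Host "       restored Shell to explorer.exe"
              }
          }
      }

      # File artifacts named in the thread (constructed from the removal guide above).
      $artifacts = @(
          (Join-Path $env:APPDATA 'palladium.exe'),
          (Join-Path $env:APPDATA 'z.exe'),
          (Join-Path $env:APPDATA 'asdfasfas.bat'),
          (Join-Path $env:APPDATA 'completescan_pal'),
          (Join-Path $env:APPDATA 'install_pal'),
          (Join-Path $env:APPDATA 'start_pal'),
          (Join-Path $env:APPDATA 'uid_pal')
      )
      foreach ($a in $artifacts) {
          if (Test-Path $a) { Write-Host "[WARN] artifact present: $a" }
      }

      # The at1.job .. at23.job entries from the guide are legacy AT scheduled tasks.
      $taskDir = Join-Path $env:WINDIR 'Tasks'
      if (Test-Path $taskDir) {
          Get-ChildItem -Path $taskDir -Filter 'at*.job' -ErrorAction SilentlyContinue |
              ForEach-Object { Write-Host "[WARN] scheduled task job: $($_.FullName)" }
      }
      ```

      Run it once without -Repair to see what it finds; a Shell value pointing into %appdata% is exactly the hijack the post describes. Restoring the value is safe even if palladium.exe has already been killed, and it is the step that stops the blank desktop on the next reboot.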

    • #1266910

      That's pretty much the repair solution suggested by most sites that I looked at. The problem is that somehow Palladium managed to remove explorer.exe... I used an Ubuntu Live CD to view the files on the drive, and explorer.exe was gone...

      No alternative but to re-install... so a day or so later, the machine was back up and running, with all the data intact! (I scanned all the data first with Sophos before putting it back!) It's all back to normal again!

      Thanks for the support!
