Paladin Antivirus
Monday, 08 February 2010 07:39
Paladin Antivirus is reported to be a rogue application. There are several ways a fake/rogue application may enter your computer. {slide=Ok Tell me more about it! }
1) You may have downloaded it knowingly, or unknowingly, mistaking it for something else.

Recently I have noticed that the malware authors also keep track of the removal instructions published on the internet. As soon as they think that the malware is exposed, they change the file/folder names and the locations where they are saved on the hard disk. Keep this in mind: you will need the latest information about the malware in order to be able to remove it. You can see the ThreatExpert report on this link, and a sandbox analyzer report published on the Malwarebytes forum. If you happen to have the rogue installer, you can submit it to the ThreatExpert site and get it analyzed; that will give you precise information about the virus.

When this rogue application runs on your computer it will display several fake security alerts. Pay attention to those alerts, because they are fake warnings.

Files Associated
These are the identifiable file names used by this malware: pav.exe, Paladin Antivirus.exe

The Installer
There are several installers of this malware. The initial installer is about 143 kb, and it downloads further installers. Some of them were located on [Paladin Antivirus.com] {/slide}{slide=Can I get rid of it by just doing a system restore ?}
Trying system restore
If you know how long your computer has been infected, you can try to restore your computer to a prior date; that will work like a miracle in removing the infection.
Most of the malware/rogue removal sites recommend using Malwarebytes Anti-Malware. Any antivirus program, whether installed on your computer or run as an online scan, could be equally helpful. I have listed them here for your convenience: special tools to remove a single virus or a family of viruses, free online virus scanners, and fully functioning freeware antivirus/antispyware programs.
These are the steps to take if you want to remove the infected files manually. You may not find all the files mentioned here on an infected computer. Don't be worried; do as much as you can.

Boot in safe mode
Sometimes you will not be able to delete a file even if you find it. In that case you should boot in safe mode and then try to delete it/them.
Remove Processes from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for pav.exe or Paladin Antivirus.exe. Select it and press the End Process button, confirm to terminate the process, and close Task Manager. Alternatively you can use Windows Defender to see the path of a currently running program/process and its publisher, so as to differentiate malware processes from processes belonging to legitimate publishers. You may find such processes listed under Unknown Publisher in Windows Defender.
Removing entry from windows startup
The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box / Start menu search box (in XP, click Start > Run). Windows startup changes are reversible, so you can check/uncheck any entry in the startup list any number of times. After the System Configuration window is open, click on the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck "Paladin Antivirus", pav.exe, Paladin Antivirus.exe (and look for any other suspicious names). Press Apply, press Close/OK, and select "do not restart" at the next prompt.

Starting the Security Center
This rogue application stops the service wscsvc (Security Center). While in the System Configuration utility, click on the Services tab and locate the above-mentioned service. See whether it is checked or not; if you find it unchecked, check it. Press Apply, press Close/OK, and select "restart" at the next prompt.

View Hidden Files
Before you can delete Paladin Antivirus and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders.
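The Task Manager, startup-list and Services-tab checks above are done by eye. The following Python script is an added example, not part of the original article, that applies the same checks to records typed out of those windows: does the name match one of the indicators the article lists (pav.exe, Paladin Antivirus.exe, the "Paladin Antivirus" startup entry), is the publisher unknown, does the program run from somewhere other than the Windows or Program Files folders, and is the wscsvc service still checked. The records and service states it uses are constructed sample data; the trusted-location list is an assumption for illustration.

```python
"""Triage of process and startup records against the indicators named in this article.

Added example, not part of the original article. SAMPLE_RECORDS and SAMPLE_SERVICES
are constructed; TRUSTED_ROOTS is an assumed list of locations legitimate programs
normally run from.
"""
from dataclasses import dataclass

# File/entry names the article lists for this rogue (compared case-insensitively).
KNOWN_ROGUE_NAMES = {"pav.exe", "paladin antivirus.exe", "paladin antivirus"}

# Assumed: locations legitimate programs normally run from (lower-case, trailing backslash).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Services the article says this rogue stops and which must be re-checked in msconfig.
REQUIRED_SERVICES = {"wscsvc"}


@dataclass
class Record:
    source: str     # "process" (Task Manager) or "startup" (msconfig Startup tab)
    name: str       # process name or startup entry name
    path: str       # full path shown in the widened column / Windows Defender
    publisher: str  # "" when Windows Defender lists it under Unknown Publisher


def triage(record):
    """Return the list of reasons this record deserves attention ([] if none)."""
    reasons = []
    name = record.name.lower()
    path = record.path.lower()
    if name in KNOWN_ROGUE_NAMES or any(k in path for k in KNOWN_ROGUE_NAMES):
        reasons.append("matches a Paladin Antivirus indicator")
    if not record.publisher:
        reasons.append("unknown publisher")
    if not path.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Windows/Program Files")
    return reasons


def suspicious(records):
    """(source, name, reasons) for every record with at least one reason."""
    out = []
    for r in records:
        reasons = triage(r)
        if reasons:
            out.append((r.source, r.name, reasons))
    return out


def unchecked_required_services(services):
    """Names of required services that are missing or unchecked on the Services tab.
    `services` maps service name -> True if its box is checked."""
    return sorted(n for n in REQUIRED_SERVICES if not services.get(n, False))


# Constructed sample data, in the shape you would copy out of Task Manager/msconfig.
SAMPLE_RECORDS = [
    Record("process", "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "Microsoft Windows"),
    Record("process", "pav.exe", r"C:\Program Files\Paladin Antivirus\pav.exe", ""),
    Record("startup", "Paladin Antivirus",
           r"C:\Program Files\Paladin Antivirus\Paladin Antivirus.exe", ""),
    Record("startup", "updater.exe",
           r"C:\Documents and Settings\User\Local Settings\Temp\updater.exe", ""),
]
SAMPLE_SERVICES = {"wscsvc": False, "wuauserv": True}


if __name__ == "__main__":
    for source, name, reasons in suspicious(SAMPLE_RECORDS):
        print(f"[{source}] {name}: " + "; ".join(reasons))
    for svc in unchecked_required_services(SAMPLE_SERVICES):
        print(f"service {svc} is unchecked: check it on the Services tab and restart")
```

A record is reported for any one of the reasons, so an entry with a known publisher that nevertheless carries one of the listed names is still flagged, and an unknown-publisher program in a Temp folder is flagged even though its name is not on the list.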
Deleting files
After restarting the computer, use the Windows search utility to search for "Paladin Antivirus", and also search for the names that you found and removed in Task Manager or in the startup list. This search should find all its folders on the hard disk; delete those folders. These are some folders that were found on an infected computer:
C:\Documents and Settings\All Users\Start Menu\Programs\Paladin Antivirus
These are some files that are generally found on an infected computer:
C:\Program Files\Paladin Antivirus\help.ico

Modified Files
This rogue application is capable of modifying files on the infected computer. This is a list of files that this rogue can alter/modify. If you suspect that these files on your computer have been modified, then formatting the hard disk and reinstalling Windows is the only way to disinfect your computer. You can back up all your files/images/videos etc. before formatting the hard disk, because the user files are not infected by this.
[pathname with a string SHARE]\msinfo32.exe
Registry Modifications
Most of the registry keys created by this rogue application can be eliminated automatically by deleting the files/folders of the rogue application and then running the Registry section of the CCleaner program.

Run CCleaner
After deleting Paladin Antivirus and its associated files there will be leftover entries in the Windows registry. CCleaner is a free temp files/registry cleaner that will automatically clean the registry as well as remove the temp files. Click here to read more.

Edit Registry
If you are comfortable using the regedit command, you can find the registry modifications in any of the ThreatExpert analysis reports. One such link is provided in the paragraph above.
If you are unable to open Task Manager, Registry Editor, System Restore, Folder Options etc. because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here: Tools for Windows XP, Tools for Windows Vista.

Use the system file checker
Use it if you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have been.
Unable to access security related sites
This can happen if your Hosts file has been altered. To repair/edit the hosts file: log in as administrator and open the following file in Notepad: C:\WINDOWS\system32\drivers\etc\hosts. Remove anything other than 127.0.0.1 localhost, then save and close the file.

Using Firewall
Check your firewall for any suspicious communication from your computer to the internet and block it using the firewall. {/slide}{slide=Nothing seems to work for me, what should I do! } Sometimes the virus infects your computer so badly that it becomes practically impossible to clean the computer. In that case you should reinstall Windows on your computer. There is no better alternative. You need to copy or back up whatever is of any importance to you, using a CD/DVD writer, an external hard disk, or a pen drive. If your computer is not responding at all, you can take out the hard disk, connect it as an external hard disk or as a slave disk to another computer, and copy the data from there. Of course you will need help from someone to do all that if you can't do it yourself, but I am explaining all the options you have. It is better to copy all the data from the hard disk, delete all the partitions and then repartition the hard disk, so that there is no chance of any trace of the virus remaining. {/slide}{slide=Is there anything I can do so that I don't get into this situation again! }
1) You need to have a functioning antivirus, antispyware and a firewall, free or commercial. Please see the link elsewhere in this article for the list of freeware applications.
2) Use the Firefox browser. It is safer than other browsers. You will need to install some browser plugins for better safety; some of them are WOT, a site advisor plugin from mywot.com, and NoScript, a browser plugin that blocks the JavaScript of sites and allows it only upon your selection.
3) Use CCleaner, a freeware temp files and registry cleaner.
Set it so that it runs every time you start Windows. That will save you the effort of running it manually. It is your choice: you can either run it at the end of your browsing session, or before shutting down the computer. {/slide} {slide=My computer is infected, is there anything I should be worried about! } Reprinted with permission from ThreatExpert.com {/slide}
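For the hosts-file check in the "Unable to access security related sites" section above, here is an added Python example (not part of the original article) that audits a hosts file the way the article tells you to do by hand in Notepad: every entry that is not a loopback address mapped to localhost is reported, with a reason that says whether it blocks a name (loopback) or sends it to another address, and a cleaned copy of the file is produced. It is slightly more general than the article, which keeps only "127.0.0.1 localhost": it also accepts "::1 localhost". The hosts content below is constructed sample data using documentation names and addresses; the file path is the one the article gives.

```python
"""Audit a Windows hosts file for entries that block or redirect name lookups,
which is how a rogue can stop you reaching security-related sites.

Added example, not from the original article. Legitimate lines are loopback
addresses (127.0.0.1 or ::1) mapped to "localhost"; everything else is flagged.
SAMPLE_HOSTS is constructed (.test names, a TEST-NET-2 address).
"""
import ipaddress

# Path named in the article; only used when you run this against a real machine.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Names a loopback entry is allowed to carry.
LOOPBACK_NAMES = {"localhost"}

# Constructed sample: the usual header, the legitimate entries, and two entries of
# the kind an infection leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example-av.test    # blocks a vendor update site
198.51.100.23   www.example-av.test       # sends a vendor site elsewhere
::1             localhost
"""


def audit_hosts(text):
    """Return (flagged, cleaned).

    flagged: list of (line_number, line, reason) for every entry that is not a
             loopback -> localhost mapping.
    cleaned: the file content with those entries removed; comments and blank
             lines are kept so the file still looks like the original."""
    flagged = []
    kept = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not code:
            kept.append(raw)                  # comment or blank line
            continue
        parts = code.split()
        addr, names = parts[0], [n.lower() for n in parts[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((lineno, raw, "first field is not an IP address"))
            continue
        if not names:
            flagged.append((lineno, raw, "address without a host name"))
        elif ip.is_loopback and all(n in LOOPBACK_NAMES for n in names):
            kept.append(raw)                  # the only entries a clean file needs
        elif ip.is_loopback:
            flagged.append((lineno, raw, "loopback entry blocks " + ", ".join(names)))
        else:
            flagged.append((lineno, raw, addr + " redirects " + ", ".join(names)))
    return flagged, "\n".join(kept) + "\n"


def audit_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Audit a hosts file on disk (run as administrator on Windows)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    flagged, cleaned = audit_hosts(SAMPLE_HOSTS)
    for lineno, line, reason in flagged:
        print(f"line {lineno}: {reason}\n    {line}")
    print("--- cleaned file ---")
    print(cleaned, end="")
```

Review the flagged lines before writing the cleaned content back: a loopback entry for a name you added yourself to block an advertising host is harmless, whereas a loopback or foreign-address entry for a security vendor's update or download site is exactly the symptom the article describes.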
