“Troj/FakeAV-CNJ” is the detection name given by the Sophos antivirus protection service for a specific fake anti-spyware Trojan application. This particular malware is classified as both a virus and as spyware.
Troj/FakeAV-CNJ operates by way of an executable file named “palladium” that copies itself to a Windows user’s hidden Application Data folder. This Trojan also creates processes in the Windows “System32” folder, and creates and modifies settings in the system’s registry.
Computers infected with Troj/FakeAV-CNJ display a bogus security alert indicating that a virus has been found on the computer and that the owner should take immediate action to eliminate the threat. If this sham security alert does appear, the computer has in fact been compromised by a virus, but not by the virus the fake alert would have you believe. The security alert itself is part of the virus.
Troj/FakeAV-CNJ hijacks the current user’s desktop, blocking normal use of the computer until the user purchases the sham Palladium Pro antivirus software. You should not under any circumstances yield to this hijacker’s ransom demand by purchasing this software.
To clean up and repair the Troj/FakeAV-CNJ using your computer’s real antivirus software, reboot the computer in Windows Safe Mode (but not the phony Safe Mode presented on the Palladium antivirus start screen). Booting the computer in Safe Mode prevents the processes associated with the palladium.exe file from loading. Once in Windows Safe Mode, run your computer’s antivirus software.
To manually delete the palladium.exe file associated with the Troj/FakeAV-CNJ malware, you must first disable the Trojan application’s active processes. To do this, you must have access to the Windows Task Manager to end the “palladium.exe” process. However, the Troj/FakeAV-CNJ malware will likely deny you access to the Windows Task Manager.
To get around this, try rebooting the computer in Windows Safe Mode. Only essential Windows processes load during a boot up in Safe Mode. Alternatively, you can reboot the computer and then press “Ctrl” plus “Shift” plus “Delete” at the phony Palladium antivirus start screen. Go to the “Processes” tab and end the “palladium.exe” process. To load the current user's desktop, open the “File” menu, select “New Task (Run...),” type “explorer.exe” and click “OK.” With the palladium.exe process disabled, you should have no trouble deleting the “palladium.exe” executable file from the “Application Data” folder.
Even with the main Trojan executable file deleted, the computer will likely still be affected by other files related to the Troj/FakeAV-CNJ malware, including modifications made to the current user’s Winlogon registry shell value at:
You must fix this registry shell value before the next Windows boot up, or the current user’s desktop will not be displayed.
Other registry keys created by the Troj/FakeAV-CNJ malware include:
The virus might also have made modifications to the “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPost” registry key.
You can use the Windows System Restore tool to reset the computer’s registry settings to a time prior to the Troj/FakeAV-CNJ malware infection. Once the registry settings have been repaired, the currently saved restore points should be deleted in order to prevent the system from reverting to the corrupt settings.
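As a read-only way to confirm that the cleanup steps above took effect, the following PowerShell check looks for the traces this article names. It is an added example, not a Sophos or vendor tool; the function name is hypothetical, and the Winlogon path is the standard per-user Windows location, assumed here because the article's own path is not shown.

```powershell
# Added example: read-only check for the traces named in the article.
# Nothing is deleted or modified; findings are only listed for review.
function Get-PalladiumTrace {   # hypothetical name
    $findings = @()

    # 1. The "palladium.exe" process the article says to end in Task Manager.
    Get-Process -Name 'palladium' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Running process: palladium.exe (PID $($_.Id))"
    }

    # 2. The executable copied to the hidden Application Data folder.
    #    Assumption: both per-user app data roots are searched, because the
    #    article does not give the exact subfolder. -Force includes hidden items.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'palladium.exe' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File on disk: $($_.FullName)" }
    }

    # 3. The current user's Winlogon Shell value.
    #    Assumption: standard Windows path; a default install has no per-user
    #    Shell value, so anything other than explorer.exe needs review.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "HKCU Winlogon Shell is '$shell' (expected: absent or explorer.exe)"
    }

    # 4. The WarnOnPost value the article says may have been modified.
    #    It is reported for comparison with a known-good machine, not judged.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $warn = (Get-ItemProperty -Path $inet -Name 'WarnOnPost' -ErrorAction SilentlyContinue).WarnOnPost
    if ($null -ne $warn) {
        $findings += "WarnOnPost is set: $($warn -join ' ')"
    }

    $findings
}

$result = @(Get-PalladiumTrace)
if ($result.Count -eq 0) { 'No traces found for the current user.' } else { $result }
```

Run it as the affected user, since every registry location it reads is under HKCU.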
The Troj/FakeAV-CNJ malware is not just a nuisance infection. Its presence on your computer compromises your security. You should take every measure to ensure that you completely eradicate the threat.