Monday, April 19, 2010

Personal Security - Virus Removal Steps

HowTo: Uninstall the Personal Security virus along with tips to avoid future infections.



This article has been retired.  See this up-to-date Keyliner article:
Keyliner - Virus Cleanup Steps


>Historical:

Contents:
  • Virus Symptoms
  • How you got infected
  • How to stop future infections
  • Removal Steps - Long and Tedious
My neighbor's laptop was infected with the "Personal Security Virus"
This is a legitimate-looking program that is professional in design and layout, but under the hood, it is a virus.


While my neighbors were surfing, a prompt appeared: "You are infected with such-and-such virus. Do you want to clean it?" Regardless whether they answered "Yes" or "No," the virus virus installs itself. Even if you click the Red-X, the virus can install (there is debate on this point).
Here is where Windows 7 / Vista's UAC nag comes into play: The desktop will turn gray and a UAC prompt will ask for permission, saying "Personal Security" wants to install - do you approve?. 96% of you will click OK, defeating the purpose of the nag. Another 20% of you disabled the prompt entirely, and because of that, you will get the virus installed without even a hint. XP users will be in similar trouble.

My neighbor should have asked himself this question when the prompt appeared: "Don't I already have a virus scanner installed? ... Why do I need to install another one?" This is your hint to click Cancel. This is especially true if you did not initiate the update process yourself.

Symptoms:
  • Numerous windows warning of infections (scareware)
  • Unable to open, can't open Add-Remove Programs
  • Unable to launch Virus utilities, such as MalwareBytes
  • Various Windows functions report "Windows cannot access the specified device path or file"
  • Unable to launch Internet Explorer or other browsers
  • Unable to open Task Manager; cannot end tasks
  • Add-Remove (Personal Security) shows a registration screen, which attempts to gather personal information

(Add-Remove Phishing Screen)
"Personal Security" *is* the virus.

The "vendor's" screen reports this is an unregistered version and for $89.00, they can clean the virus. My neighbor was completely convinced this was a legitimate virus-cleaning program and was on the verge of paying when he called me.
Do not give your credit-card to a company (Personal Security) when you have never heard of them and did not buy their product in the first place. If you paid the $90, it will disable the virus but it will undoubtedly leave it installed and after a few months, it will re-enable itself, asking for more money. Plus, they would have your credit-card number; very risky.

The program starts out with subtle nags that get more aggressive. If you don't pay right away, it will install several dozen other viruses. Ultimately the PC becomes slow and unusable. In the end, the only working program will be the Virus registration screen. My neighbor put up with this for several weeks before he called.

Scareware: The program will bug you with other prompts, such as "Privacy Violation alert!", "System Files Modification Alert!", "Internal Conflict Alert". It will also display a screen, showing you are infected with 47 different viruses. This is all hooey and can be ignored. While infected with this virus, I wouldn't even bother closing these screens.

In the Future -- What to Do

While surfing, assume *all* unexpected and unsolicited popups to be a virus. The key is this: If a surprise window opens while surfing, it is invariably a virus or spyware. This includes virus warnings, offers for free screen savers or wallpapers or for free games. Legitimate websites do not use popups.

When you see a Popup, you could click the red-x in the upper right corner, but there is debate about whether this is effective or not; some say the virus will still install and I am unsure on this point. Here is the safest way to handle them.
  • On these popups: Do not answer either Yes or No.
  • Instead, press Ctrl-Alt-Delete, open Task Manager
  • Click the "Applications" tab
  • End-task on the Browser Session
  • Alternately, and more brutally, power-off the computer

See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials


Personal Security Uninstall Steps

Here are the procedures I followed to clean the virus and it will take several hours to complete. Similar steps were used in this popular Keyliner article: Removing Win32/Cry-ptor Virus but this virus required slightly different steps.

1.  Do this first:  System Sweeper

Important update: 2014.03.01:
Microsoft has a new bootable Virus scanner that I now recommend.
See this Keyliner article: Microsoft Standalone System Sweeper

Follow the steps in that article before doing the remaining steps here. 

I now consider the remaining steps in this article as obsolete and are left for documentation.

2. Pre-Download files.
Out of an abundance of caution, on a non-infected computer, download the following programs and burn them to a CD (steps on how to burn are not detailed here; ask a knowledgeable friend to help, if needed). Ideally, burn the downloaded files to a read-only CD -- not a pen drive.

If the download is Zipped, de-compress the Zip file before burning to the CD.
For ease-of-use, place each downloaded program in a separate subdirectory.

The viruses are sneaky and will stop you from running known cleanup utilities. Because of this, each file must be renamed to a random name, as described below; use my recommended name or any other name you see fit, including "Winlogon.exe".

Files:

Download Process Explorer: technet.Microsoft.com
On the page, search/Ctrl-F for "Process Explorer"
Rename ProcExp.exe to "WinLogon.exe"

Download RootRepeal: http://rootrepeal.googlepages.com/
The download can be found about in the middle of the page, under "static links".
  • Click (download) the Zip version; select "Open file."
  • Highlighting "RootRepeal.exe" in the opened Zip folder
  • Other-mouse-click, select "Copy"
  • Paste to your temporary directory
  • Rename the pasted file to xxRootRepeal.exe (or other random name)
Download ComboFix: ComboFix Download
Rename to xxComboFix.exe

DownLoad SuperAntiSpyware: superAntiSpyware
Choose the Free Edition; this is a legitimate program, despite its flaky name.
Rename to xxSuperAntiSpyware.exe

Download MalwareBytes: Malwarebytes

Choose the Free Version; this is a legitimate program.
Rename to xxMBam.exe
Later, you will have to rename the installed EXE.

Burn these files to a CD.

3. Disconnect the infected computer from the Internet.

Unplug the Cat-5 network cable or press your laptop's function key/other key to disable wireless.

The virus causes too many problems while connected to the net, so unplugging was the easiest solution. Of course, the downloaded programs will not be able to download their latest updates; although this would be nice, the updates will have to wait.

4. Boot computer in "Safe Mode"

With the infected computer I worked on, control panels, task managers, start menus and other Windows features were disabled and performance on everything else was horrible. For these reasons, start the computer in Safe-Mode. Safe-mode is a special diagnostic mode for Windows. The steps to open it are weird and may take some practice:

- Cold boot the machine (power off/on).
- Just after the BIOS splash screen, repeatedly tap on the f8 key (press insistently but not frantically).
- Choose Safe-mode, when prompted
- If you miss and Windows loads normally, reboot gracefully and try again.


5. Run Process Explorer

This is a Microsoft program. Once launched, look for suspicious programs in the Explorer.exe section -- although admittedly, this step has not produced results on the most recent versions of this virus, it is worth a try.

a. From the CD, run D:\ProcessExplorer\WinLogon.exe (the renamed file)

b. Scroll to the Explorer.exe section; watch for changes

c. If you see a program that is likely a virus, highlight it and "End Task." Program names may have unusual names, such as 12348483.exe or other gobblede-gook. Note: It is normal to have multiple "SVcHosts."


6. Install RootRepeal

Before running this step, close all windows and programs on the computer -- including this browser page. You may need to write down these steps.
Note: RootRepeal only works on x86 (32-bit) versions of Windows. If you are running x64 Windows Vista or Windows 7, skip this entire step and rely on the next program.
a. Copy xxRootRepeal.exe to a temporary directory (any) on the C: drive (this cannot run from the CD).

b. Launch the program by "other mouse clicking/right-click" and choosing "Run as Administrator".

c. When the program loads, select the bottom-tab "Files"

d. Select "Scan" and choose [x] the C:\ drive

The scan will take considerable time with *inconsistent* hour-glassing.
Wait for the status-bar message "Found xxx hidden/locked file(s)!"

e. Scroll down the list, looking for the "C:\Windows\System32" or "C:\Windows\System32\Drivers" section. The list will contain a mixture of legitimate and illegitimate programs.
Programs marked as "Hidden from the Windows API" (in the "C:\Windows\System32" or "C:\Windows\System32\Drivers" sections) will be the virus. As of this writing, Personal Security is called "Gather~1.xsl" -- be aware it can change to other names. You may have seen this name in the ProcessExplorer step.

Other viruses use other random names, such as TDSSspax.sys, UACd.sys, MSIVXwfjwbppivasavbfjmtkibegxvnftiqxt.sys ... and will have no rhyme or reason.

f. Highlight the offending file, other mouse-click and choose "Wipe File".
--Unfortunately, there is no indication this step succeeds; trust that it did.

g. Important: Immediately select Start, Shutdown and reboot the computer; do not close any programs. Reboot back into Safe Mode, as described above.


7. Run ComboFix.exe (xxComboFix)

ComboFix is also a root-kit cleaning program for a different vendor. I also like to run it because they sometimes see programs that RootRepeal misses. This program works in x86 and x64 systems.

a. Close all programs, including this browser. You should be in Safe-Mode
b. Other-mouse-click the exe and select "Run as Administrator".
While it runs, it may need to install Microsoft's Recovery Console (especially if Windows XP); allow this to happen. Do this by plugging in your network cable / turn on wireless; wait about 1 minute for the connection to establish; then click OK.
The scan process takes 10 to 20 minutes, depending. You may notice various black screens. Be patient. It will reboot.
Reboot in normal (not Safe-mode). For its next step, it generates a log file and this will take about 10 minutes. Your firewall may spring to life, prompting for pev.cfxxe -- this is a ComboFix program and allow it access to the Internet.

After the program runs, they recommend uploading your log-files for further review (see C:\Combofix.txt). You can do this if you like but I recommend continuing with the next steps. The displayed Log file will not be that interesting.


8. Run SuperAntiSpyware

Despite its flaky-sounding name, this is a great program. To run, follow these steps:

a. If needed, reboot the computer; you cannot be in Safe Mode when running this program.

b. Locate the Renamed program; other-mouse-click; "Run as Administrator"

c. Accept the legal agreements, etc. Install in a different folder than recommended. I recommend choosing C:\Program Files\Util\SuperAntiSpyware

d. Accept various installation options, as you see fit; optionally allow it to send a diagnostic report.

e. Run a *Full/Complete* scan. Allow it to reboot if it finds anything.


9. Install and run the renamed MalwareBytes program.

Despite its scary name, this is a legitimate program. For now, *do not* allow it to check for updates.

a. Install the program by double-clicking the renamed exe file.

b. When prompted, choose a different install directory. I recommend C:\Program Files\Util\MBam

c. Once installed, use Windows Explorer to locate the installed files: See "C:\Program Files\Util\MBam". -- Rename MBam.exe to xxMBam.exe

d. Launch the program; allowing it to run. Under "Scanner", choose Full-Scan (do not bother with a quick scan). Allow the scan to run. It will be time consuming.

e. Reboot gracefully once the scan completes.


The virus should be removed.
Continue with these recommended steps:

A. If you still suspect a virus

Plug in the network cable/wireless and re-establish a connection to the internet. Allow MalwareBytes and SuperAntiSpyware to update to their latest versions. Once it updates, you will have to re-re-name mbmam.exe to a new name, such as 123Mbam.exe. Re-run those steps as "administrator."
B. Download and install a new Virus Scanner, if neededIf you have an existing virus scanner (that is still active), re-enable the program and run a full-system scan.

If your existing scanner's paid subscription has expired, and you have no intention on paying for the upgrade, go into the Control Panel's add-remove/Programs and features, and uninstall. Un-install their Updater programs, if found.

If you do not have a virus scanner, download and install Microsoft's free scanner. I do not recommend commercial vendors for reasons I've written about in the past.

Microsoft Security Essentials (Review and comments here)
(Shift-click the link(s) to open the download page in a new window. Choose and install only one of the above)


C. Uninstall likely Viruses

Using Windows Control Panel, "Add-Remove Programs" or Windows 7 "Programs and Features", un-install p2p programs such as uTorrent, Bittorrent, LimeWire, Morpheus and others. These are typical sources for spyware. Take the time to delete other programs and toolbars you no longer need.


D. Delete all old Restore Points (they may be infected)
  • Launch Windows Explorer, other-mouse-click the C: drive.
  • In the [General] Tab, click "Disk Cleanup"; click "Cleanup System Files" (Windows 7), click top-tab "[More Options].
  • Click "Clean up" on the System Restore and Shadow Copies. Allow it to delete all but the most recent restore point.
  • Consider making an image backup of your newly-cleaned hard drive for safe-keeping. See this article: Using Acronis.

F. Why not give the folks at SuperAntiSpyware and MalwareBytes a financial reward for their hard work. They deserve it. Donate on their website.


Your comments on how well these steps worked are welcome.
See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

1 comment:

  1. Mr. Richardson, Blogger does not allow me to edit the posts and because of this, I can't correct your previous message. I'll delete both. Please re-post your comments.

    When you do, keep in mind that a program called "Antispyware.com" *is* a virus and it is often confused with SuperAntispyware.

    In this article I warn people about this similar and deceitful name: http://keyliner.blogspot.com/2009/05/removing-win32cryptor-virus.html. I stand by my comments that SuperAntiSpyware is a legitimate and useful program.

    Please repost. thanks.

    ReplyDelete

Comments are moderated and published upon review.