Personal Security Analysis and Removal

December 4, 2009 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

On being redirected to a compromised website, the user is shown this scareware's message: "Warning!!! Your personal computer needs to install antivirus software! Personal Security can perform fast and free virus and malicious software scan of your computer"

The fake scan is simulated with JavaScript and animated GIF images, and it runs irrespective of whether the OK or Cancel button is pressed.



Personal Security Scare Messages

The website uses JavaScript to display many warning messages. Some of them are:

  • Harmfull spyware or adware software. Such vulnerabilities can destroy or steal your private info and mail. On-lines scan should install Personal Security utilities to fix your pc. Please click OK to download and install Personal Security tool.
  • Computer scan completed successfully. 31 Malware programms was found!
  • This computer is in danger with malware!’ ‘They can seriously harm your private data or files, and should be healed immediately.”Return to Personal Security and download it secure to your PC
  • Computer might be affected by spyware or other types of viruses! Your mail, passwords and private documents might be in danger, protect your PC immediately ‘Return to Personal Security and download it secure to your PC
  • All information on your PC could be stolen by attackers

Once the trojan downloader is executed, the installer for Personal Security is displayed. The user needs to agree to download and install the scareware. The Personal Security scareware also installs the infamous Fake Windows Security Center as a means to goad the user into purchasing a subscription.


The rogue security software then proceeds to run a fake scan and identifies non-existent files as high and medium risk malware infections. The user is also warned that they may lose their personal data and infect their other network computers. This scan is run at every restart.

Rogue security software such as Personal Security belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

The trojan dropper in this instance is named Inst_102.exe and is 195584 bytes in size. It is detected by 9/40 (22.5%) of the virus engines available at VirusTotal. It is detected under various names such as Trojan.Win32.FakeAV!IK, Win32.Packed.Katusha.e.9, Trojan.Win32.FakeAV, Trojan-Downloader.Win32.FraudLoad.gbi, Trojan:Win32/FakeXPA and Win32.Malware!Drop.

The main executable of the scareware is psecurity.exe and is about 1279488 bytes in size. It is detected by 3/41 (7.32%) of the virus engines available at VirusTotal.

Personal Security Associated Files and Folders

  • C:\Program Files\PSecurity\psecurity.exe
  • C:\Program Files\Common Files\PSecurityUninstall\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Computer Scan.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Help.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Personal Security.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Registration.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Security Center.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Settings.lnk
  • C:\Documents and Settings\All Users\Start Menu\PSecurity\Update.lnk
  • C:\Documents and Settings\malware_help\Desktop\Personal Security.lnk
  • C:\Documents and Settings\malware_help\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk
  • C:\WINDOWS\system32\UpdateCheck.dll
  • C:\WINDOWS\system32\win32extension.dll
  • C:\WINDOWS\Prefetch\PSECURITY.EXE-2DBDA1BB.pf
  • C:\Program Files\PSecurity
  • C:\Documents and Settings\All Users\Start Menu\PSecurity
  • C:\Program Files\Common Files\PSecurityUninstall

Some of the file names may be randomly generated.

Personal Security Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\psecurity
  • HKEY_CLASSES_ROOT\CLSID\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSecurity
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises
  • HKLM\Software\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32#ThreadingModel
  • C:\WINDOWS\SYSTEM32\WIN32EXTENSION.DLL
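
A matcher for the file and registry indicators listed above, added here as an example (it is not code from the original article). It assumes the input is a plain-text listing of paths and registry keys, one per line; the function names and the sample listing are hypothetical. It treats `HKCR`, `HKEY_CLASSES_ROOT` and `HKLM\Software\Classes` spellings of the CLSID key as the same key, and matches per-user shortcuts regardless of profile name.

```python
import re

# Indicators copied from the file and registry lists above; the rest is constructed.
CLSID = "{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc}"
FILE_RULES = [
    ("install dir", r"\\program files\\(common files\\psecurityuninstall|psecurity)(\\|$)"),
    ("start menu", r"\\start menu\\psecurity(\\|$)"),
    ("dropped dll", r"\\windows\\system32\\(updatecheck|win32extension)\.dll$"),
    # The prefetch hash is derived from the launch path, so accept any 8 hex digits.
    ("prefetch", r"\\windows\\prefetch\\psecurity\.exe-[0-9a-f]{8}\.pf$"),
    ("shortcut", r"\\(desktop|quick launch)\\(personal security|psecurity)\.lnk$"),
]
HIVES = {"hkcr": "hkey_classes_root", "hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}
CLASSES = "software\\classes\\"

def normalize_key(key):
    """Lower-case a key, expand hive abbreviations, fold HKLM\\Software\\Classes into HKCR."""
    k = key.strip().lower().split("#")[0]  # drop the "#ValueName" suffix
    hive, _, rest = k.partition("\\")
    hive = HIVES.get(hive, hive)
    if hive == "hkey_local_machine" and rest.startswith(CLASSES):
        hive, rest = "hkey_classes_root", rest[len(CLASSES):]
    return hive + "\\" + rest

def match_registry(key):
    k = normalize_key(key)
    if CLSID in k:
        return "clsid"
    if re.search(r"\\currentversion\\(run|uninstall)\\psecurity$", k):
        return "run/uninstall entry"
    return None

def classify(item):
    """Name the indicator one listing line matches, or return None."""
    if item.strip().lower().startswith("hk"):
        return match_registry(item)
    p = item.strip().lower()
    return next((name for name, rx in FILE_RULES if re.search(rx, p)), None)

def scan(items):
    return [(i, reason) for i in items if (reason := classify(i))]

# Constructed sample listing (not captured from a real machine).
SAMPLE = [
    r"C:\Documents and Settings\alice\Desktop\Personal Security.lnk",
    r"C:\WINDOWS\Prefetch\PSECURITY.EXE-0A1B2C3D.pf",
    r"C:\Program Files\PSecurityTools\readme.txt",  # benign look-alike, must not match
    r"HKLM\SOFTWARE\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}\InprocServer32#ThreadingModel",
]
```
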

Personal Security Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://antispylistm com/scan1/?pid=102
  • http://windowssp3download com/?b=1s1
  • http://winupdateserver com
  • http://protected.advancedsecbilling com

Note: Visiting the domains mentioned above may harm your computer system.

Personal Security Removal (How to remove Personal Security)

The free versions of MalwareBytes’s Anti-Malware and SuperAntiSpyware appear to remove Personal Security Scareware.

  1. Use an alternate browser like Firefox or Chrome to download and install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot in to Windows Safe Mode.
  4. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  5. Turn System Restore off and on.
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.


Note: The Personal Security rogue security software installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Comments

No Responses to “Personal Security Analysis and Removal”

  1. David on December 7th, 2009 6:43 AM

    I came across this “personal security” problem, and was tipped off by the disappearance of my IE window with a single warning pop-up centered on my desktop…did a ‘ctrl+alt+del’ to start task manager, then dumped IE session…
    Thanks for the info so I could double check that none of the files associated with this sucker made it on my system. If I am mistaken, please email a warning.

    I went and found the site which triggered this pop-up and googled

    ‘roblproperties.com+adware’

    and got THREE PAGES of sites all with the prefix

    roblproperties.com/uwsco
    followed by

    /(bunch of names).php

    I hope this helps your work, I am sure others will be hit with this sucker before long.

  2. Michael Ditkowsky on December 27th, 2009 12:48 PM

    The program doesn’t let you download any software. We sent a message to the company that created Personal Security on the “customer service” link that we would track them down and sue them for attacking our kids computer. They emailed this solution and it worked in less than one minute. We still downloaded and ran an antispyware program afterwards to make sure nothing remained. This was their response which worked:

    “Dear customer,

    Thank you for contacting Customer Support Center.
    Please follow my instructions to uninstall the program:
    Paste the following string to Windows Explorer address bar and execute it (Press Enter key):
    C:\Program Files\Common Files\PSecurityUninstall\Uninstall

    or

    1. Open My computer, choose Disk C;
    2. Find Program Files=>Common Files=>PSecurityUninstall=>Uninstall
    3. Run the file Uninstall.lnk

    After that our product will be removed. Sometimes it takes more than one try to remove the product due to temporary technical difficulties, so please try to do it several times.
    If you have any questions concerning our software, please contact our Customer Support Service.

    With best wishes,

    Customer Support Team”

  3. Teresa Walker on December 30th, 2009 5:31 AM

    I want to thank you for this web site. I have been having problems with Personal Security since yesterday(12-28-09) around 9 am. Today when I got on my computer I could not do anything at all. I could not get on the internet and all of my icons on the desk top were gone. Personal Security kept popping up wanting me to download their program. I did not have a good feeling about Personal Security from the very start and now I was in a panic. My friend download spywaredoctor on a cd but Personal Security blocked everything I tried to do. By this time all I could do was cry and pray. I managed to get on the internet and I came to your site. Thank God for this site and for Michael Ditkowsky. I followed the instructions in his comment and now the bad Personal Security is gone from my computer. I highly recommend that if anyone is having this problem to do the same. Thank both of you and God Bless You.

  4. Nageshwar on January 2nd, 2010 1:36 PM

    Thanks for Michael Ditkowsky…
    I was irritated by this software and was unable even to install software to prevent Ps…
    Finally the instructions given worked ..

  5. Anonymous on January 24th, 2010 11:05 AM

    This web site info saved my life. I had this fake personal security stuff on my computer for 4 days. I tried to delete it, uninstall it, system restore, everything I could think of. I was even going to pay Norton $120 to fix the problem but decided to look one more time online for a solution and found this link with the simple simple fix:
    1. Open My computer, choose Disk C;
    2. Find Program Files=>Common Files=>PSecurityUninstall=>Uninstall
    3. Run the file Uninstall.lnk

    After that our product will be removed. Sometimes it takes more than one try to remove the product due to temporary technical difficulties, so please try to do it several times.

    Thanks Michael D.
