
Personal Protection

Created: 02 Jan 2010 • Updated: 11 Sep 2010 | 4 comments

I have a virus that must have come from a pop-up that shows a screen called Personal Security and asks for 59.99 to
download software.  I get it any time I try to go to a web site.  Anyone know the name of this virus and how to get rid
of it?


Rafeeq's picture

Check if you have these files; if so, please submit them to Symantec so that we can have definitions for it.

Personal Security virus will modify Windows Registry and add the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run “Personal Security”
  • HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Internet Settings\5.0\User Agent\post platform “WinTSI 01.12.2009”

The threat will drop the following malicious files:

  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Security.lnk
  • %UserProfile%\Desktop\Personal Security.lnk
  • %Program Files%\Personal Security
  • %Program Files%\Personal Security\personalsecurity.exe
  • %Program Files%\Common Files\Personal Security Uninstall
  • %Program Files%\Common Files\Personal Security Uninstall\Uninstall.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Computer Scan.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Help.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Personal Security.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Registration.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Sec Center.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Settings.lnk
  • %Documents and Settings%\All Users\Start Menu\Personal Security\Update.lnk
  • %WINDOWS%\system32\win32extension.dll

Here is the link to submit the virus: https://submit.symantec.com/gold

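
A read-only check for the registry entries and files listed in the comment above, added here as an example (not part of Rafeeq's post and not a Symantec tool). It assumes the list's placeholders map to the environment variables shown, and that "Current Version" in the list is the standard CurrentVersion key.

```powershell
# Added example: reports which of the listed Personal Security artifacts exist.
# It only reads; nothing is deleted or changed.
# Assumption: %UserProfile%, %Program Files%, %Documents and Settings%\All Users
# and %WINDOWS% map to the environment variables below.
$files = @(
    "$env:USERPROFILE\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Security.lnk",
    "$env:USERPROFILE\Desktop\Personal Security.lnk",
    "$env:ProgramFiles\Personal Security",                        # folder holding personalsecurity.exe
    "$env:ProgramFiles\Common Files\Personal Security Uninstall", # folder holding Uninstall.lnk
    "$env:ALLUSERSPROFILE\Start Menu\Personal Security",          # folder holding the Start Menu .lnk files
    "$env:windir\system32\win32extension.dll"
)

# Registry keys whose existence is the indicator. The Wow6432Node entry covers
# 64-bit Windows, where a 32-bit process writing HKLM\SOFTWARE is redirected.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\5FFB10D58FFCF482208906E6A889FD56'
)

# Registry values: the key exists on a clean system, so test for the value name.
$cv = 'Microsoft\Windows\CurrentVersion'
$values = @(
    @{ Key = "Registry::HKEY_CURRENT_USER\Software\$cv\Run"; Name = 'Personal Security' },
    @{ Key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$cv\Internet Settings\5.0\User Agent\Post Platform"; Name = 'WinTSI 01.12.2009' }
)

$hits = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits += "FILE  $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $hits += "KEY   $k" } }
foreach ($v in $values) {
    $item = Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$v.Name]) {
        $hits += "VALUE $($v.Key) -> $($v.Name)"
    }
}

if ($hits.Count -gt 0) { $hits } else { 'None of the listed artifacts were found.' }
```

An empty result covers only the names in this list; a variant that uses different file or key names will not match.
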
snekul's picture

Fake "extortionware" A/V software like this has a tendency to create tons of variants to avoid detection.  If you get the files to Symantec, they'll be able to get it fixed for you.  Otherwise, if you need to get rid of them quickly, there are special tools out there just for removal of Fake A/V.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

Serengeti's picture

A user had this popup on both W7 and XP.
On W7, they clicked cancel in the installation request popup - the malware then installed itself - could be seen in Add / Remove Programs.

The second time, on XP, they did not click anything, just killed the IE browser window displaying the spoofed infection warnings and the install request. Nothing appears in Add/Remove Programs.

SEP did not detect anything in either case.

No idea where this launches from - Facebook perhaps? How does this get onto a PC without any kind of detection? Would TruScan detect this as malware?

sbertram's picture

Hi, you can try a free online virus scanner like HouseCall from Trend Micro and see what it finds.
Good luck.