Democratic Underground
HELP! Anyone dealt with Personal Shield Pro?

Home » Discuss » DU Groups » Computers & Internet » Computer Help and Support Group
immoderate (Donating Member, 1000+ posts), Tue Jul-26-11 11:52 PM
Original message
HELP! Anyone dealt with Personal Shield Pro?
It's a nasty virus that pretends to be an anti-virus program.

I know there are ways to delete it, but it won't let me open those web pages. It's nasty!

Thanks to all for your assistance.

--imm
woo me with science (Donating Member, 1000+ posts), Wed Jul-27-11 12:18 AM
Response to Original message
1. Here is a removal guide from bleepingcomputer.com, a reputable site.
Edited on Wed Jul-27-11 12:43 AM by woo me with science
I just copied and pasted the page, so the formatting might be weird, and the images are missing. It starts with a description of the virus. The actual removal instructions are further down. If any of the missing images are critical to understanding what they are saying, post back and I will try to copy them for you. Also, if you need information from a link they mention, let me know.

Good luck!

http://www.bleepingcomputer.com/virus-removal/personal-shield-pro

Remove Personal Shield Pro (Uninstall Guide)
Posted by Grinler on June 10, 2011 @ 01:12 AM · Views: 16,131

What this infection does:

Personal Shield Pro is the name of a rogue that has belonged to numerous families of rogue anti-spyware programs in the past. The latest incarnation of this program now belongs to the MS Removal Tool family of rogue anti-spyware programs. This rogue is installed on your computer through the use of Trojans that pretend to be updates to various programs such as Flash, Shockwave, or codecs required to view an online video. These programs are also installed without your knowledge by exploiting vulnerabilities in programs installed on your computer when visiting normally safe sites that have been hacked with exploit kits. Regardless of how Personal Shield Pro arrives on your computer, when it is installed it will store the infection in a random folder located in C:\Documents and Settings\All Users\Application Data\ for Windows XP and C:\ProgramData in Windows Vista and Windows 7. The infection will then be configured to start automatically when you login to Windows.

While Personal Shield Pro is running it will terminate most programs that you attempt to run while stating that the program is infected. It does this in order to protect itself from any security programs that may be used to assist in the removal of this infection. The text of an alert you could see when attempting to run an executable is:

Warning!
Application cannot be executed. The file taskmgr.exe is infected. Please activate your antivirus software.

This program will also display fake security warnings that are used to scare you into thinking that your computer has a severe security problem. The text of some of these alerts include:

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software...

Personal Shield Pro Firewall Alert
Personal Shield Pro Firewall has blocked a program from accessing the internet.
Internet Explorer Internet Browser is infected with worm Lsas.Blaster.Keylogger. This worm is trying to send your credit card details using Internet Explorer Internet Browser to connect to remote host.

All of these security alerts, including the infection warnings, are false and should be ignored.

Without a doubt, Personal Shield Pro was designed to scare you into thinking that your computer has a security problem so that you will then purchase the program. For no reason should you purchase Personal Shield Pro, and if you have, you should contact your credit card company and dispute the charge stating that the program is a computer virus. To remove Personal Shield Pro and any related malware, please follow the steps in the removal guide below.

Threat Classification:

Information on Rogue Programs & Scareware

Advanced information:

View Personal Shield Pro files.
View Personal Shield Pro Registry Information.

Tools Needed for this fix:

Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

The line below is an example. The names used by this infection change per install.

O4 - HKCU\..\RunOnce: %AllUsersProfile%\hL10300JeEfM10300\hL10300JeEfM10300.exe

Guide Updates:

06/09/11 - Initial guide creation.
06/27/11 - Updated for new variant.
07/17/11 - Updated for new Security Tool variant using the same name.

Automated Removal Instructions for Personal Shield Pro using Malwarebytes' Anti-Malware:

1. Print out these instructions as we may need to close every window that is open later in the fix.

2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you run into this problem when following the steps in this guide you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

3. Reboot your computer into Safe Mode with Networking using the instructions for your version of Windows found in the following tutorial:

How to start Windows in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

When following the steps in the above tutorial, select Safe Mode with Networking rather than just Safe Mode. When the computer reboots into Safe Mode with Networking make sure you login with the username you normally use. When you are at your Windows desktop, please continue with the rest of the steps.

4. This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. Regardless of the web browser you use, for these instructions we will first need to fix this problem so that we can download the utilities we need to remove this infection.

Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options as shown in the image below.

[image: Internet Explorer Tools Menu]

5. You should now be in the Internet Options screen as shown in the image below.

[image: Internet Options screen]

Now click on the Connections tab as designated by the blue arrow above.

6. You will now be at the Connections tab as shown by the image below.

[image: Internet Options Connections tab]

Now click on the Lan Settings button as designated by the blue arrow above.

7. You will now be at the Local Area Network (LAN) settings screen as shown by the image below.

[image: Proxy Settings screen]

Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.

8. Now we must end the processes that belong to Personal Shield Pro so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

RKill Download Link - http://www.bleepingcomputer.com/download/anti-virus/rkill
(Download page will open in a new tab or browser window.)

When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

If you are unable to connect to the site to download RKill, please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings. You may have to do this quite a few times before you can get RKill downloaded. If you still cannot download the RKill program on the infected computer, you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

9. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Personal Shield Pro and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Personal Shield Pro when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Personal Shield Pro. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

10. Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link http://www.bleepingcomputer.com/download/anti-virus/malwarebytes-anti-malware
(Download page will open in a new window)

If you are unable to connect to the site to download Malwarebytes', please go back and do steps 3-6 again and make sure the infection has not reenabled the proxy settings.

11. Once downloaded, close all programs and windows on your computer, including this one.

12. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

13. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.

14. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

[image: Malwarebytes Anti-Malware screen]

15. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Personal Shield Pro related files.

16. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

[image: Malwarebytes Anti-Malware scanning screen]

17. When the scan is finished a message box will appear as shown in the image below.

[image: Malwarebytes Anti-Malware scan finished screen]

You should click on the OK button to close the message box and continue with the Personal Shield Pro removal process.

18. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

19. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

[image: Malwarebytes scan results]

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

20. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

21. You can now exit the MBAM program.

22. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, Personal Shield Pro changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

hosts-perm.bat Download Link (http://download.bleepingcomputer.com/bats/hosts-perm.bat)

When the file has finished downloading, double-click on the hosts-perm.bat file that is now on your desktop. If Windows asks if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.

23. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.

Windows XP HOSTS File Download Link: http://download.bleepingcomputer.com/misc/host-files/windows-xp/hosts
Windows Vista HOSTS File Download Link: http://download.bleepingcomputer.com/misc/host-files/windows-vista/hosts
Windows 2003 Server HOSTS File Download Link: http://download.bleepingcomputer.com/misc/host-files/windows-2003-server/hosts
Windows 2008 Server HOSTS File Download Link: http://download.bleepingcomputer.com/misc/host-files/windows-2008-server/hosts
Windows 7 HOSTS File Download Link: http://download.bleepingcomputer.com/misc/host-files/windows-7/hosts

Your Windows HOSTS file should now be back to the default one from when Windows was first installed.

24. Now reboot your computer.

25. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Personal Shield Pro program. You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future, as the real-time protection component that comes with the paid-for version, if activated, would not have allowed this infection to install.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Associated Personal Shield Pro Files:

%AllUsersProfile%\<random two letters>10300<random five letters>10300
%AllUsersProfile%\<random two letters>10300<random five letters>10300\<random two letters>10300<random five letters>10300
%AllUsersProfile%\<random two letters>10300<random five letters>10300\<random two letters>10300<random five letters>10300.exe

File Location Notes:

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

Associated Personal Shield Pro Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "<random two letters>10300<random five letters>10300"

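For anyone who wants to verify the three things the guide above says this rogue tampers with, before running MBAM and again after the reboot, here is a read-only PowerShell check. It is an added example for this thread, not code from bleepingcomputer, Malwarebytes or any poster. It assumes PowerShell 2.0 or later (Vista/7; XP does not ship it), that you run it from an elevated prompt as the user who was logged in when the infection hit, and that the name pattern is exactly the one in the guide's file list (two letters, 10300, five letters, 10300); other variants may use different numbers or letter counts, so widen the regex if nothing matches.

```powershell
# Added triage script (not from the bleepingcomputer guide or the forum posts).
# Read-only: it reports the three tamper points the guide describes and changes nothing.
#   1. HKCU RunOnce autostart whose name fits <two letters>10300<five letters>10300,
#      plus the matching folder under %AllUsersProfile%
#   2. the WinINET proxy flag behind "Use a proxy server for your LAN"
#   3. the HOSTS file: attributes, ACL, and any entry other than the localhost default
# Assumptions: PowerShell 2.0+ (Vista/7; XP does not ship it), run elevated as the
# user who was logged in when the rogue installed. The fixed "10300" and the letter
# counts come from the guide's file list; other variants may differ.

$RoguePattern = '^[A-Za-z]{2}10300[A-Za-z]{5}10300$'
$PsMetadata   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# --- 1. RunOnce persistence ---------------------------------------------------
$runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
if (Test-Path $runOnce) {
    $values = Get-ItemProperty -Path $runOnce
    foreach ($v in $values.PSObject.Properties) {
        if ($PsMetadata -contains $v.Name) { continue }   # provider bookkeeping, not registry data
        # The HijackThis O4 line in the guide shows the value data is a full path, so
        # compare both the value name and the executable's base name against the pattern.
        $exe = [System.IO.Path]::GetFileNameWithoutExtension(("$($v.Value)" -replace '"', ''))
        if ($v.Name -match $RoguePattern -or $exe -match $RoguePattern) {
            Write-Output "SUSPECT RunOnce value '$($v.Name)' = $($v.Value)"
        }
    }
}

# %AllUsersProfile% is C:\Documents and Settings\All Users on XP, C:\ProgramData on Vista/7.
# -Force includes hidden folders; PSIsContainer keeps this working on PowerShell 2.0.
Get-ChildItem -Path $env:ALLUSERSPROFILE -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match $RoguePattern } |
    ForEach-Object {
        Write-Output "SUSPECT folder $($_.FullName)"
        Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Write-Output "    $($_.FullName) ($($_.Length) bytes)" }
    }

# --- 2. Proxy flag --------------------------------------------------------------
# Unchecking "Use a proxy server for your LAN" in Internet Options clears ProxyEnable.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Output "Proxy ENABLED: ProxyServer = '$($inet.ProxyServer)'  (re-check after each RKill run)"
} else {
    Write-Output "Proxy disabled (ProxyEnable = $($inet.ProxyEnable))"
}

# --- 3. HOSTS file --------------------------------------------------------------
# The file is named 'hosts' with no extension; Explorer hides extensions by default,
# and the lmhosts.sam beside it is a different (sample) file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    $hostsItem = Get-Item -Path $hostsPath -Force                # -Force: see it even if hidden
    Write-Output "HOSTS attributes: $($hostsItem.Attributes)"
    foreach ($ace in (Get-Acl -Path $hostsPath).Access) {
        Write-Output "  ACL: $($ace.IdentityReference) $($ace.AccessControlType) $($ace.FileSystemRights)"
    }
    try {
        Get-Content -Path $hostsPath -ErrorAction Stop |
            Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
            Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
            ForEach-Object { Write-Output "  non-default HOSTS entry: $_" }
    } catch {
        Write-Output "  cannot read HOSTS (permissions changed?): $($_.Exception.Message)"
    }
} else {
    Write-Output "HOSTS file not found at $hostsPath"
}
```

Nothing here is remediation; it only tells you whether the RunOnce entry, the proxy flag or a tampered HOSTS file is still present, which is the quickest way to tell a stale fake warning from a real reinfection after the reboot in step 24. If the HOSTS read fails with an access error while you are running elevated, that is the permission change the guide's hosts-perm.bat is meant to undo.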
 
immoderate (Donating Member, 1000+ posts), Wed Jul-27-11 03:03 AM
Response to Reply #1
3. Thanks, I mean, really, thanks.
Apparently Malwarebytes took care of it. I say apparently, because I've just been attacked by a scam anti-virus program, and what can you trust after that? I found some answers on the web, appears a few different ones(?) but when I went to those sites the Personal Shield Pro would crash my browser and then my computer. :(

Coming to DU fooled it. Actually my first choice, since I always get good information here. But I went looking around while waiting for a reply.

Now I can go to sleep. :hi:

--imm
 
woo me with science (Donating Member, 1000+ posts), Wed Jul-27-11 07:39 AM
Response to Reply #3
6. Note that the instructions above say your hosts file was probably corrupted,
so you will probably want to follow their instructions for fixing it, in addition to using MBAM.

Glad to hear you were able to remove. :)
 
immoderate (Donating Member, 1000+ posts), Wed Jul-27-11 05:25 PM
Response to Reply #6
7. Well some things weren't as it said.
For instance it hadn't switched the proxy server on. I also had no hosts file to begin with AFAIK. There is something else with hosts in the name, I assume it serves that purpose, whatever it is.

Personal Shield is apparently gone, but there are still some strange behaviors from my computer. I'm scanning the shit out of it, with everything that has worked for me before. A while ago, it wouldn't load anything linked from Google. But it would go to those links if I pasted them.

I spent a whole day nursing the computer, and I'm still suspecting it's not clean.

Thanks for getting me out of the ditch!

--imm
 
woo me with science (Donating Member, 1000+ posts), Wed Jul-27-11 11:25 PM
Response to Reply #7
8. Sorry to hear you are still having some trouble.
Edited on Wed Jul-27-11 11:25 PM by woo me with science
I feel for you; I really do. It takes so much time.

Some thoughts...Just ignore what doesn't fit:

Did you use the rkill program before MBAM as recommended in the tutorial? It may be that some Personal Shield Pro processes were not shut down during removal and are reactivated now. It might be worth a try to go through the steps again, using rkill and then re-running MBAM. I hear you that the infection doesn't seem exactly the same, though...

I always run Superantispyware as well as MBAM. In my experience, it has often been able to catch minor things that MBAM misses. ESET online scanner has also been very helpful to me.

You might also want to search for "Personal Shield Pro" on the website to find other threads from people with this infection, to see if there's anything helpful in any of them: http://www.bleepingcomputer.com/forums/index.php?app=core&module=search&section=search&do=search&fromsearch=1

If worse comes to worst and you can't get rid of the weirdness, you might consider posting in the forums at bleepingcomputer.com or another reputable help site to have someone guide you through a cleaning process. It's completely free, although you usually have to wait 3 to 5 days for a response. If you do use this option, note that they have a pre-posting cleaning procedure to go through: http://www.bleepingcomputer.com/forums/forum22.html

I've linked to bleepingcomputer throughout here, because I've had very good experiences with this site, but there are others out there. Just be careful that you have a reputable one before actually going to any link (i.e., google the name first to get info). MBAM even has its own support forums: http://forums.malwarebytes.org/

I hope you can get this resolved without too much additional trauma. There is, of course, always the option of reinstalling the operating system. :grr:

Good luck again. I'm really sorry this happened.

 
immoderate (Donating Member, 1000+ posts), Thu Jul-28-11 08:56 AM
Response to Reply #8
9. I have persisted, and it appears to be "cured."
Thanks for all the extra information. If not now, it will be useful, I'm sure.

:hi:

--imm
 
woo me with science (Donating Member, 1000+ posts), Thu Jul-28-11 10:12 AM
Response to Reply #9
10. Glad to hear it.
Congratulations on conquering the beast! :applause:
 
canetoad (Donating Member, 1000+ posts), Wed Jul-27-11 01:50 AM
Response to Original message
2. Remove this way:
You need another computer, a flash stick, and knowledge of how to boot your machine into safe mode. This usually involves tapping the F8 key as it boots and following the prompts.

On the 'safe' computer, download the Malwarebytes AntiMalware program and load the installer onto your flash stick.

Boot your infected machine in safe mode. Plug in the flash drive and install Malwarebytes. Still in safe mode, run a full Malwarebytes scan and delete everything it finds. This can take some time, be patient.

When finished, reboot into normal mode. Update Malwarebytes definitions file then run another full scan, deleting everything it finds.

You should be good to go.
 
immoderate (Donating Member, 1000+ posts), Wed Jul-27-11 03:06 AM
Response to Reply #2
4. Safe mode w/network let me download.
Malwarebytes took care of it.

Thanks very much! What a great resource this Group is. :)

--imm
 
canetoad (Donating Member, 1000+ posts), Wed Jul-27-11 03:30 AM
Response to Reply #4
5. TY. As a follow up
I'd also delete all my System Restore points by going to My Computer, Properties and simply turning off Sys Restore. Reboot, turn Sys Restore on again. You can then make a fresh restore point knowing that you're not restoring malware.

There are several bogus anti-virus programs going around. Some of them prevent the installation and running of anti-malware programs, thus the need to install in safe mode. I'm glad you figured out safe mode + networking as it no doubt saved time and effort.

I NEVER buy software, there's enough good freeware around but.....the 30 bucks I paid for a registered copy of Malwarebytes was the best money ever spent. You get access to web protection and a scheduler to download updates and scan your machine at set times.
 
© 2001 - 2011 Democratic Underground, LLC