Like their physical counterparts, software tools are absolutely necessary for successful IT support. I usually divide them up into two categories: CD images and executables. In my last post, I covered CD images; now to the executables I bring with me:
 

  • Autoruns
    • Autoruns is a nifty little app from SysInternals that lets you quickly and simply see what executables are launched at startup
  • KeyFinder
    • The Magical Jelly Bean Keyfinder does exactly what it says: it finds the registration keys for the software you’ve got installed, which is practical if you need to reinstall them
  • KillNotes
    • When Lotus Notes starts misbehaving, stopping it dead in its tracks is at times the only solution. KillNotes does just that
  • MBAM
  • Process Explorer
    • Process Explorer is another nifty app from SysInternals, letting you do so much more than the task manager does
  • SpaceMonger
    • SpaceMonger is a little app that shows you, graphically, what files are taking up all your hard drive real estate
  • TeamViewer
    • TeamViewer is a free and simple remote control and assistance app that I’ve been using for some time, with great success

 
I usually carry these files with me on a memory stick, as well as having them stored at my Dropbox.

 | Posted by razumny | Categories: Tools |

In a post a while back, I wrote about how to remove Personal Security, a rather nasty piece of spyware. I recently had a computer in that was badly infected.
 
I tried removing it with MBAM, but it kept on returning. Annoyed, and not wanting to do a reinstall, I found a list of files, folders and registry entries to remove, after which the problem was solved.
 
Files:
c:\Program Files\PSecurity\
c:\Program Files\PSecurity\psecurity.exe
C:\Program Files\PersonalSec\
C:\Program Files\PersonalSec\psecurity.exe
C:\program files\PersSecurity\
C:\program files\PersSecurity\psecurity.exe
C:\program files\PersSecurity\system.dat
C:\Program Files\PersonSecurity\
C:\Program Files\PersonSecurity\psecurity.exe
c:\Program Files\Common Files\PSecurityUninstall\
c:\Program Files\Common Files\PSecurityUninstall\Uninstall.lnk
c:\WINDOWS\system32\win32extension.dll
c:\Documents and Settings\All Users\Start Menu\PSecurity
c:\Documents and Settings\All Users\Start Menu\PSecurity\Computer Scan.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Help.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Personal Security.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Registration.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Security Center.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Settings.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Update.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk
%UserProfile%\Desktop\Personal Security.lnk

 
Registry entries:
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersonalSec"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersSecurity"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PersonSecurity"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"

 
Keep in mind that not all of the entries show up, and even after removing them, you might still see Personal Security on the computer. At any rate, I’d recommend running a scan with MBAM after removing these entries.
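
Because not every entry shows up on every infected machine, a read-only check of the list above tells you what is actually present before and after cleanup. The script below is an added example, not part of the original post; it assumes the quoted names in the registry list are value names under the key shown, and it checks each folder rather than every file inside it. Run it as the affected user, since `HKEY_CURRENT_USER` and `%UserProfile%` are per-user.

```powershell
# Read-only audit of the Personal Security indicators listed in the post.
# Nothing is deleted or modified; hits are only reported.

# Folders and files from the post (a folder hit covers the files inside it).
$paths = @(
    'C:\Program Files\PSecurity',
    'C:\Program Files\PersonalSec',
    'C:\Program Files\PersSecurity',
    'C:\Program Files\PersonSecurity',
    'C:\Program Files\Common Files\PSecurityUninstall',
    'C:\WINDOWS\system32\win32extension.dll',
    'C:\Documents and Settings\All Users\Start Menu\PSecurity',
    '%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk',
    '%UserProfile%\Desktop\Personal Security.lnk'
)

# Registry keys from the post. The Registry:: prefix is used because
# PowerShell has no HKCR: drive by default.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56'
)

# Registry values from the post, as key -> value names (assumed reading).
$values = @{
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' =
        @('PSecurity', 'PersonalSec', 'PersSecurity', 'PersonSecurity')
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform' =
        @('WinTSI 01.12.2009')
}

$found = @()
foreach ($p in $paths) {
    # Expand %UserProfile% for the account running the script.
    $full = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $full) { $found += "PATH  $full" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $found += "KEY   $k" }
}
foreach ($k in $values.Keys) {
    $item = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $values[$k]) {
        if ($item.GetValueNames() -contains $name) { $found += "VALUE $k -> $name" }
    }
}
if ($found) { $found } else { 'No listed Personal Security indicators found.' }
```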

 | Posted by razumny | Categories: MBAM, Spyware |

Removing Personal Security

15 February 2010

I’ve recently had a few users call in, telling me that they’ve been infected with Personal Security, a rogue anti-spyware program from the same family as Cyber Security. Luckily, it’s pretty easily removed. Here’s how:
 

  1. Turn off System Restore on the infected computer
  2. Download and run rkill.com, which kills the processes
  3. Download and install Malwarebytes’ Anti-Malware
  4. Run a full scan of the computer
  5. Remove all threats
  6. Reboot, then repeat step 4

 
The second search should turn up no threats at all. If it does, repeat step 2, then step 4. If a second removal run doesn’t do the trick, my advice is to reinstall the computer.

 | Posted by razumny | Categories: Anti Virus, MBAM, Security, Spyware |