How to remove Live Security Platinum in minutes in NTFS?


REMOVE LIVE SECURITY PLATINUM IN JUST 3 MINUTES WITHOUT USING ANY SOFTWARE IN NT FILE SYSTEM


THIS METHOD WORKS ONLY FOR THOSE USERS WHO HAVE NT FILE SYSTEM (NTFS) AS THE FILE SYSTEM TYPE FOR THEIR SYSTEM DRIVE (C: DRIVE IN MY CASE)

LIVE SECURITY PLATINUM


LIVE SECURITY PLATINUM is a fake antivirus program. I use Windows 7 Build 7600 with no antivirus program installed, and it made its way inside my PC and started its copy as an executable file renamed with a ".tmp" extension (".tmp" is the Windows temporary file extension) in the Temp folder.

Live Security Platinum as tmp file

The effect is that it can still be launched normally, and with the ".tmp" file extension it "virtually disappears", mixed in with the other "real" temporary files in the Temp folder - a sort of "camouflage".

My computer was infected at 11.08 AM in the morning, when I had been online for almost 2 hours.

LIVE SECURITY PLATINUM in start menu

As soon as it popped up its window, I started taking screen snapshots, amazed that I had just found a new topic for the blog. Then I ended its process from Task Manager, which stopped its copy running in the Temp folder.

Then I realized that it had ended up copying itself into a (random, I suppose) directory inside the ProgramData folder on the C: drive.

As you can see in the picture above, the virus copy sits in a (random, I think) folder inside C:\ProgramData. Note: the snapshot above was taken after neutralizing the virus (which is why its icon is displayed incorrectly).

I must say, I was surprised by its simplicity and wickedness, although I removed it within 14 minutes (i.e. including the time in which I took screen snapshots and tried to open MSPAINT, NOTEPAD and TASKMANAGER). It prevents the user from running any application file and displays a fake warning balloon-tip.

One interesting fact about the virus is that it actually prevents other programs from running, but to fool the user and keep the threat alive, "it actually checks to see if the application being launched by the user is the virus itself", i.e. if the path of the program being launched by the user matches the virus's own file path, it lets the launch go through and doesn't complain. But if the file path doesn't match, it simply terminates the program being launched by the user and displays a fake warning and a balloon-tip on the Taskbar.
If we make a copy of the virus (with the name changed) and launch it, it will complain about its own copy (as the file path of the copy and that of the virus don't match), which confirms that it compares the file path.

How did I remove LIVE SECURITY PLATINUM?

To remove LIVE SECURITY PLATINUM, obtain the file location from the shortcut's target:


Now, this is where the file ACL (Access Control List) comes into play:

Right-click the virus file and then click Properties:


Now, for every user, set the "file accessibility" (well, that's what I'd like to call it; it is the set of permissions attached to the file object) to DENY ALL:

On the Security tab, click Edit...


Then click Add...

Now, in the text box under "Enter the object names to", type Everyone and click OK.

Tick Full Control under the Deny column and click OK.

You will see a new warning; click Yes and then restart your computer. The virus will not be able to run this time, and you will not see the following window pop up:

You will see this if you did not do it correctly

Now, even if you double-click the virus itself, it should pop up an error like so:




What we have done is set the virus file's ACL to DENY ALL so that the virus can't be opened under any account (i.e. we told the operating system that no access permission to the file is to be granted to any account, so the file isn't accessible in any way to any user or account). This implies that the virus won't be launched at the next startup even if it has already set up "startup registry entries" or arranged for some other agent to launch it on startup.

And under this condition, you will receive a permission error even if you try to copy the virus file.

Now, undo all the steps and delete the file to get rid of the virus.
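The same procedure as an added PowerShell example (not part of the original post): it adds the Deny Full Control entry for Everyone, checks that the entry is present and that a copy is refused, and, in a second function for use after the reboot, removes the entry and deletes the file. The path is a placeholder to be replaced with the shortcut target; the script assumes it runs as the file's owner, who keeps the implicit right to read and change the DACL even after the deny entry is in place.

```powershell
# Added example, not from the original post. Mirrors Properties > Security:
# deny Everyone Full Control on the file, verify, and later undo and delete.
# Run as the file's owner: the owner can still read and rewrite the DACL
# after the Deny entry is applied, which is what lets the step be undone.

$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$DenyAll  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Deny)

function Block-File {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($DenyAll)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify by SID rather than by name, so it also works on localized Windows.
    $deny = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    if (-not $deny) { throw "Deny ACE was not applied to $Path" }

    # As the post notes, even copying the file is now refused with access denied.
    $probe = Join-Path $env:TEMP 'acl-check.tmp'
    try {
        Copy-Item -LiteralPath $Path -Destination $probe -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force
        Write-Warning "Copy succeeded; the Deny entry is not effective for this account"
    } catch {
        Write-Host "Copy blocked as expected: $($_.Exception.Message)"
    }
}

function Unblock-AndRemove {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [void]$acl.RemoveAccessRule($DenyAll)   # undo the Deny entry
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Force    # then delete the file
}

# Placeholder path: take the real one from the shortcut target, as shown above.
$Target = 'C:\ProgramData\<random-folder>\<random-name>.exe'
Block-File -Path $Target
# Reboot, confirm the window no longer appears, then run:
# Unblock-AndRemove -Path $Target
```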

NOTE THAT MANY VIRUSES MAKE A COPY UNDER ALTERNATIVE SYSTEM FOLDERS ON WINDOWS VISTA AND WINDOWS 7 BECAUSE OF UAC. SO IF YOUR OS IS A PRE-WINDOWS VISTA OS, CHANCES ARE THAT THE VIRUS WILL MAKE A COPY UNDER SYSTEM FOLDERS SUCH AS THE WINDOWS OR SYSTEM32 FOLDER ON THE SYSTEM DRIVE.

NOTE THAT YOU MUST USE TRUSTED ANTIVIRUS SOFTWARE TO BE FREE FROM SUCH THREATS AND MUST NOT UNDER ANY CIRCUMSTANCES RELY ON A SUCCESSFUL MANUAL CLEANUP. SO BE SURE TO KEEP YOUR TRUSTED ANTIVIRUS SOFTWARE UPDATED.


MANUAL REMOVAL OF THE VIRUS AS SUGGESTED IN THIS POST DOES NOT IN ANY WAY ENSURE FULL REMOVAL OF THE THREAT. SO BE SURE TO PERFORM A FULL SYSTEM SCAN.
