Remove "Security Suite for Windows" Malware

To remove the "Security Suite for Windows" malware from a Windows XP machine:

1. Restart the computer in Safe Mode (see http://tinyurl.com/me78p for how).

2. Log in as Administrator.

3. Open My Computer, then Tools > Folder Options > View. Check "Show hidden files and folders" and uncheck "Hide protected operating system files". This step is very important, because that is where this particular variant hides.

4. Go to C:\Documents and Settings\<infected user profile>\Local Settings\Application Data. In that Application Data folder there were two folders with random-looking names, goijmdwag and awmdlrnuqiw. I deleted both of them, because when I opened them I found the offending program, "Security Suite for Windows", inside.

5. Empty the Recycle Bin.

6. Run Regedit (see http://preview.tinyurl.com/yhph8yt for how). On a side note: ALWAYS back up your registry before editing it. Incorrect edits can render the computer useless, and once that happens you will have to reinstall Windows.

7. Go to the Edit menu and select Find. In the search box, type the names of the offending folders, in my case "goijmdwag" and "awmdlrnuqiw".

These entries can be found under the following autostart keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

8. Delete the entries that reference "goijmdwag" and "awmdlrnuqiw".

9. Reboot the computer. When it came back up I ran the anti-virus software and a second anti-malware scanner. I like to use two or three different scanners on an infected machine, because one will sometimes catch something the others missed.

10. Once I had a clean bill of health, I still had to fix the internet connection. Even after the malware is gone, there is one last thing it leaves behind: it hijacks your internet connection by changing the default connection settings to use a proxy server. Most people have their connection set to automatically detect settings, so check that your internet settings are what they are supposed to be.

After that you should be good! I hope you find this posting helpful!
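The manual registry search and proxy check above, as an added PowerShell example (not code from the original article). It lists the autostart keys the article names, flags any entry whose data references the suspect folder names, and then prints the WinINet proxy setting the article says the malware changes. It assumes an elevated PowerShell 2.0 or later session (on Windows XP SP3, PowerShell must be installed separately) and only reports; deleting is left to you after you have backed up the key.

```powershell
# Added example, not from the original article: report (never delete)
# autostart entries referencing the suspect folder names, then show the
# proxy configuration. Folder names default to those reported in the article.
param(
    [string[]]$SuspectNames = @('goijmdwag', 'awmdlrnuqiw')
)

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Properties that the registry provider adds to every item, not real values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }           # key absent on this build
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        foreach ($name in $SuspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $findings += New-Object PSObject -Property @{
                    Key = $key; ValueName = $p.Name; Data = $p.Value }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autostart entries reference the suspect names.'
} else {
    Write-Output 'Autostart entries to review (export the key before deleting):'
    $findings | Format-Table Key, ValueName, Data -AutoSize
}

# Proxy hijack check: the article reports the malware forces a manual proxy.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Output ("ProxyEnable = {0}  ProxyServer = {1}" -f $inet.ProxyEnable, $inet.ProxyServer)
if ($inet.ProxyEnable -eq 1) {
    Write-Output 'A manual proxy is set; compare it against your expected configuration.'
}
```

Save as a .ps1 and run it once before cleaning and once after the reboot, so you can confirm the entries did not come back.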
Author:aimee1002
2 Comments
Author Comment

by:aimee1002
I had tried Malware Bytes, Spybot, Symantec and TrendMicro and none of them completely cleaned the system. After I cleaned the system with all 4 of these tools we still had issues; the infection would come back even though the Windows Restore feature was shut off. I did lots of research on the internet and couldn't find anything. What I did find is that there were hidden folders with weird names that I knew didn't belong on the system. I deleted the files and then did a search of the registry, and found that the offending malware kept reinstalling itself because of which registry hives it resided in. Once I cleared those up we haven't had any issues with the system.
Expert Comment

by:younghv
I think most users would be better served to use the automated tools available here:
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

In virtually every instance, the automated tools do the delicate work of modifying the Registry entries properly and we don't have to worry about having one of those 'Oops' moments that can have some very serious consequences.

They will make sure that ALL of the needed changes are made (including the Proxy setting).

It should also be noted that there is a great deal more involved in repairing this infection than is described here.

For MBAM to be effective with this variant, you need to boot to Safe Mode (with networking) before starting.