To Remove Security Suite for Windows Malware from a Windows XP Machine:
Restart the computer in Safe Mode (to do this see http://tinyurl.com/me78p)
Login as Administrator
Go to My Computer / Tools / Folder Options / View, check the selection that says Show Hidden Files and Folders, and then make sure you uncheck Hide Protected System Files. That is very important because that is where this particular variation hides!!
Then go to C:\Documents and Settings\<infected user profile>\Local Settings\Application Data. In the Application Data folder there was a folder called goijmdwag and one called awmdlrnuqiw. I deleted both of those because when I opened the folders I found the offending program “Security Suite for Windows” in them.
Empty the Recycle Bin.
Run Regedit (to do this see http://preview.tinyurl.com/yhph8yt). On a side note, ALWAYS back up your registry before making edits to it. You can render your computer USELESS with incorrect editing; once that has happened, you will have to reinstall Windows.
Go to the Edit menu and select search. A pop-up box will appear; in your search, type in the names of the offending files, in my case “goijmdwag” and “awmdlrnuqiw”.
These entries can be located in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Delete the keys that contain “goijmdwag” AND “awmdlrnuqiw”.
After this I rebooted the computer. The computer came back up and I ran the anti-virus software AND another virus and malware program. I like to use two or three different scanners on infected machines, because sometimes one will catch something that the other scanners didn’t catch.
Once I got a clean bill of health, I had to fix the internet connection. Even after the malware is gone there is one last thing it does: it hijacks your internet connection. It does this by changing your default internet connection settings to use a “proxy connection”. Most people have their internet connection set up to use “automatically detect my connection”, so check to make sure your internet settings are what they are supposed to be.
After that you should be good! Hope you find this posting helpful!
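An added example, not from the post or from any tool it names, for triaging the registry side of this clean-up offline: it parses a regedit export, lists values under the autorun keys above whose data mentions the folder names from the post, and reports the WinINet ProxyEnable/ProxyServer values the rogue changes. The export text, the Owner profile, suite.exe and the proxy address are constructed sample data.

```python
# Autorun keys listed in the post, lower-cased so they match a regedit export.
CV = r"\software\microsoft\windows\currentversion"
HKCU_SUBKEYS = (r"\run", r"\runonce", r"\policies\explorer\run")
HKLM_SUBKEYS = HKCU_SUBKEYS + (r"\runonce\setup", r"\runservices", r"\runservicesonce")
AUTORUN_KEYS = ({"hkey_current_user" + CV + s for s in HKCU_SUBKEYS}
                | {"hkey_local_machine" + CV + s for s in HKLM_SUBKEYS})
PROXY_KEY = "hkey_current_user" + CV + r"\internet settings"  # real WinINet key

def parse_reg_export(text):
    """Parse a regedit export into {key (lower-case): {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:  # hex continuation lines have no "="
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data  # data keeps its quotes / dword: prefix
    return keys

def find_autorun_entries(keys, indicators):
    """Return (key, name, data) for autorun values whose data mentions an indicator."""
    hits = []
    for key in sorted(k for k in keys if k in AUTORUN_KEYS):
        for name, data in keys[key].items():
            if any(ind.lower() in data.lower() for ind in indicators):
                hits.append((key, name, data))
    return hits

def proxy_status(keys):
    """Return (ProxyEnable is on, ProxyServer string) so a hijacked connection is visible."""
    vals = keys.get(PROXY_KEY, {})
    enabled = vals.get("ProxyEnable", "dword:00000000").lower() == "dword:00000001"
    return enabled, vals.get("ProxyServer", "").strip('"')

# Constructed sample export: folder name from the post; profile, exe name and
# proxy address are made up for this example.
SAMPLE_EXPORT = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"goijmdwag"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\goijmdwag\\suite.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
'''

if __name__ == "__main__":
    k = parse_reg_export(SAMPLE_EXPORT)
    print(find_autorun_entries(k, ["goijmdwag", "awmdlrnuqiw"]), proxy_status(k))
```

On a live machine the same export is produced with `reg export` of each key, and any hit still needs a manual look before deletion.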
Comments (2)
Author
Commented:
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite
In virtually every instance, the automated tools do the delicate work of modifying the Registry entries properly and we don't have to worry about having one of those 'Oops' moments that can have some very serious consequences.
They will make sure that ALL of the needed changes are made (including the Proxy setting).
It should also be noted that there is a great deal more involved in repairing this infection than is described here.
For MBAM to be effective with this variant, you need to boot to Safe Mode (with networking) before starting.