Remove "Security Suite for Windows" Malware

To Remove Security Suite for Windows Malware from a Windows XP Machine:

Restart the computer in Safe Mode (to do this, see http://tinyurl.com/me78p)

Log in as Administrator

Go to My Computer / Tools / Folder Options / View, check the selection that says Show Hidden Files and Folders, and then make sure you uncheck Hide Protected System Files. That is very important because that's where this particular variation hides!
Then go to C:\Documents and Settings\[infected user profile]\Local Settings\Application Data. In that Application Data folder there was a folder called goijmdwag and one called awmdlrnuqiw. I deleted both of those because when I opened the folders I found the offending program "Security Suite for Windows" in them.

Empty the Recycle Bin

Run Regedit (to do this, see: http://preview.tinyurl.com/yhph8yt). On a side note, ALWAYS back up your registry before making edits to it. You can render your computer USELESS with incorrect editing, and once that happens you will have to reinstall Windows.
Go to the Edit menu and select search. A pop-up box will appear; in your search, type in the names of the offending files, in my case "goijmdwag" and "awmdlrnuqiw".
These entries can be located under the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Delete the entries that contain "goijmdwag" AND "awmdlrnuqiw"

After this I rebooted the computer. The computer came back up and I ran the anti-virus software AND another virus and malware program. I like to use two or three different scanners on infected machines, because sometimes one will catch something that the other scanners didn't catch.

Once I got a clean bill of health, I had to fix the internet connection. Even after the malware is gone, there is one last thing it does: it hijacks your internet connection. It does this by changing your default internet connection settings to use a "proxy connection". Most people have their internet connection set up to use "automatically detect my connection". So check to make sure your internet settings are what they are supposed to be.
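As an added, read-only audit to go with the registry and proxy steps above (this is not the author's script; it assumes PowerShell is installed, which on XP means PowerShell 2.0, and is run from an Administrator prompt), the following lists every autostart entry under the Run-type keys named in this article, flags any whose command line points into a profile's Local Settings\Application Data folder (where this variant hid), and prints the per-user proxy setting the malware changes. It deletes nothing; it only shows you what to look at.

```powershell
# Added audit script (not part of the original post). Read-only.
# Lists values under the Run-type keys named in the article and flags any
# whose command points into Local Settings\Application Data (XP) or
# AppData\Local (Vista and later), then shows the WinINET proxy settings.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Legitimate autostarts rarely live under these paths; the article's sample did.
$suspectPathPattern = 'Local Settings\\Application Data|AppData\\Local'

foreach ($key in $runKeys) {
    # Several of these keys do not exist on a clean machine; skip those.
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $cmd  = [string]$p.Value
        $flag = if ($cmd -match $suspectPathPattern) { 'SUSPECT' } else { 'ok' }
        '{0,-7} {1}\{2} = {3}' -f $flag, $key, $p.Name, $cmd
    }
}

# Proxy settings the article says get hijacked; these are per-user (HKCU).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ps   = Get-ItemProperty -Path $inet
"ProxyEnable = $($ps.ProxyEnable)   ProxyServer = $($ps.ProxyServer)"
if ($ps.ProxyEnable -eq 1) {
    'WARNING: a manual proxy is enabled; confirm it is one you configured.'
}
```

Review each SUSPECT line in Regedit before deleting anything, since a few legitimate updaters also install into the per-user application data folder.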
 

After that you should be good!  Hope you find this posting helpful!

Comments (2)

Author

Commented:
I had tried Malwarebytes, Spybot, Symantec and TrendMicro and none of them completely cleaned the system. After I cleaned the system with all 4 of these tools we still had issues; the infection would come back even though the Windows Restore feature was shut off. I did lots of research on the internet and couldn't find anything. What I did find is that there were hidden folders with weird names that I knew didn't belong on the system. I deleted the files and then did a search on the registry to find that the offending malware kept reinstalling itself because of which registry hives it resided in. Once I cleared those up we haven't had any issues with the system.

Commented:
I think most users would be better served to use the automated tools available here:
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

In virtually every instance, the automated tools do the delicate work of modifying the Registry entries properly and we don't have to worry about having one of those 'Oops' moments that can have some very serious consequences.

They will make sure that ALL of the needed changes are made (including the Proxy setting).

It should also be noted that there is a great deal more involved in repairing this infection than is described here.

For MBAM to be effective with this variant, you need to boot to Safe Mode (with networking) before starting.
