
Wednesday, August 11, 2010

How to remove Security Suite malware (Uninstall Instructions)

Security Suite is a fake anti-spyware program that gives exaggerated or false reports of threats on the computer. Most of the time, this piece of malware has to be manually installed. Malware authors and distributors use misleading social engineering schemes, fake online scanners, spam emails and other methods to spread their malicious code and infect as many computers as possible. Security Suite is a typical rogue anti-spyware scanner. Once installed, it will scan your computer and display a list of fake infections. You are not allowed to remove those infections unless you pay for a full version of the program. And that's the whole point: it attempts to get you to pay for fake anti-virus software. Please don't buy this bogus program. If you have already purchased it, contact your credit card company's fraud department immediately. It goes without saying that you should remove Security Suite from your computer as soon as possible. Thankfully, we've got the instructions to help you remove this virus.




(Thanks to rogueamp for this video)

When Security Suite is active, it will display many fake security warnings and state that your computer is seriously infected with spyware, adware and other malware. You can safely ignore those fake security alerts. The biggest problem is that Security Suite blocks legitimate anti-spyware and antivirus programs. When you attempt to run a program, Security Suite closes it and then displays the following error message:
Security warning
Application cannot be executed. The file [file_name].exe is infected. Do you want to activate your antivirus software now?


Furthermore, Security Suite will configure Windows to use a proxy server (a local one listening on 127.0.0.1; see the ProxyServer registry value listed below). It intercepts your browser's requests and displays fake security warnings instead of the pages you asked for.





Other fake security warnings:




Security Suite is from the same family as Antivir Solution Pro, AV Security Suite, Antispyware Soft and Antivirus Soft scareware.

Last, but not least, this fake program can be installed together with the TDSS rootkit. You should scan your computer with the TDSSKiller utility after you remove the rogue program. For more information, please read TDSS, Alureon, Tidserv, TDL3 removal instructions using TDSSKiller utility. What is more, you should also purge all old system restore points and create a new one, so that an infected restore point cannot bring the malware back. If you don't know how to delete system restore points, please follow the steps in the Microsoft knowledgebase article http://support.microsoft.com/kb/310405.

As you can see, Security Suite is nothing more than a scam. It wants to make you think that your computer is infected, but the only real infection is the rogue program itself. Without a doubt, you should uninstall Security Suite from the system upon detection. You can remove it manually, but we strongly recommend using an anti-virus or anti-spyware program. Please follow the removal instructions below. If you have any questions or additional information about Security Suite, please leave a comment. Good luck and be safe!


Security Suite removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools -> Internet Options -> Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled "Use a proxy server for your LAN". Click OK. This undoes the proxy hijack described above, so your browser can reach the internet again.



3. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe, so that Security Suite does not block it from running. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend using ESET Smart Security.


Alternative Security Suite removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is the HijackThis tool from TrendMicro, renamed so that Security Suite does not block it).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Search for similar entries in the scan results:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 - HKLM\..\Run: [mreqslst] C:\Documents and Settings\[User]\Local settings\Application data\rhfrlps\ncfdskshdw.exe
O4 - HKCU\..\Run: [mreqslst] C:\Documents and Settings\[User]\Local settings\Application data\rhfrlps\ncfdskshdw.exe

The process name will be different in your case: [SET OF RANDOM CHARACTERS]shdw.exe, located in C:\Documents and Settings\[UserName]\Local settings\Application data\[SET OF RANDOM CHARACTERS]\.
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

3. Delete the following file if it exists: C:\WINDOWS\Prefetch\[RANDOM]SHDW.EXE-[RANDOM].pf
4. Download at least one anti-malware program from the list below and run a full system scan.
NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe, so that Security Suite does not block it from running. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
5. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend using ESET Smart Security.


Security Suite associated files and registry values:

Files:
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]shdw.exe
  • C:\Users\User\AppData\Local\[SET OF RANDOM CHARACTERS] (Windows Vista & Windows 7)
  • C:\WINDOWS\Prefetch\[RANDOM]SHDW.EXE-[RANDOM].pf (if exists)
Registry values:
  • HKEY_CURRENT_USER\Software\wnxmal
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:6522"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "%UserProfile%\Desktop\flash_player_installer\flash_player_installer.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
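The following PowerShell script is an added example; it is not code from the original post or from any of the removal tools it names. It checks the current user for the indicators this article describes in one pass: the loopback proxy hijack that step 2 of the Safe Mode instructions undoes by hand, the [RANDOM]shdw.exe Run entries from the HijackThis step, the rogue's own wnxmal key, and the IE download and phishing-filter values in the list above. With the -Repair switch it reverts the registry changes; dropped files are only reported, since the article leaves their removal to a full anti-malware scan. The key paths and value names are the ones listed in the article; the function name, the -Repair switch and the '*shdw.exe' file name pattern are this example's own assumptions.

```powershell
# Added example: audit one user profile for the Security Suite indicators the
# article lists and, with -Repair, revert the registry changes.
# Run from an elevated PowerShell prompt (needed for the HKLM Run key).

function Test-SecuritySuiteIndicators {
    [CmdletBinding()]
    param([switch]$Repair)

    $findings = @()

    # 1. Loopback proxy hijack: ProxyEnable = 1 with ProxyServer pointing at 127.0.0.1.
    #    Reverting this is what unchecking "Use a proxy server for your LAN" does.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1 -and "$($inet.ProxyServer)" -match '127\.0\.0\.1') {
        $findings += "Loopback proxy enabled: $($inet.ProxyServer)"
        if ($Repair) {
            Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
            Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
        }
    }

    # 2. IE values the rogue weakens so unsigned downloads run without a warning.
    #    Deleting the value puts each setting back to the Windows default.
    $weakened = @(
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'RunInvalidSignatures'; Bad = '1' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'CheckExeSignatures';   Bad = 'no' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter';             Name = 'Enabled';              Bad = '0' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '*.exe*' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1' }
    )
    foreach ($w in $weakened) {
        $item = Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue
        if ($item -and "$($item.($w.Name))" -like $w.Bad) {
            $findings += "$($w.Key) '$($w.Name)' = '$($item.($w.Name))'"
            if ($Repair) { Remove-ItemProperty -Path $w.Key -Name $w.Name }
        }
    }

    # 3. Run entries that launch a [random]shdw.exe, as in the HijackThis O4 lines.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($runKey in $runKeys) {
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $run) { continue }
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($prop.Value)" -match '\\[a-z0-9]+shdw\.exe') {
                $findings += "Run entry [$($prop.Name)] in $runKey -> $($prop.Value)"
                if ($Repair) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
            }
        }
    }

    # 4. The rogue's own configuration key.
    if (Test-Path 'HKCU:\Software\wnxmal') {
        $findings += 'HKCU\Software\wnxmal present'
        if ($Repair) { Remove-Item -Path 'HKCU:\Software\wnxmal' -Recurse }
    }

    # 5. Dropped executable and its Prefetch record (reported, not deleted).
    #    $env:LOCALAPPDATA exists on Vista/7; the XP path is the fallback.
    $dataDirs = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Local Settings\Application Data')) |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($dir in $dataDirs) {
        foreach ($f in Get-ChildItem -Path $dir -Recurse -Filter '*shdw.exe' -ErrorAction SilentlyContinue) {
            $findings += "Dropped file: $($f.FullName)"
        }
    }
    foreach ($pf in Get-ChildItem -Path (Join-Path $env:windir 'Prefetch') -Filter '*SHDW.EXE-*.pf' -ErrorAction SilentlyContinue) {
        $findings += "Prefetch record: $($pf.FullName)"
    }

    return $findings
}

# Report only; add -Repair to revert the registry changes.
$hits = Test-SecuritySuiteIndicators
if ($hits) { $hits | ForEach-Object { Write-Output $_ } } else { Write-Output 'No Security Suite indicators found.' }
```

Run it once without -Repair to see what is present, then with -Repair after the rogue process has been stopped (Safe Mode, or the Task Manager trick readers describe in the comments); otherwise the running process can simply write its Run entry and proxy settings back.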

49 comments:

Anonymous said...

WORKED LIKE A CHARM.. THANK YOU!!

Anonymous said...

Awesome help. Thank you!

Anonymous said...

I got this from a random pop-up that I clicked on by accident. It's still on my computer in a way, but I restored my computer to 5 days before it infected it. It doesn't have the annoying anti-virus things anymore and it isn't blocking my internet, but for some reason my McAfee is not working right at all. I can't scan my computer with it, nor can I enable real-time scanning. Which tells me I have a virus on my computer. So I downloaded Malwarebytes. I renamed it and hopefully when it's done it should have removed whatever virus I have on my computer. Thanks so much for the helpful info!!

Anonymous said...

If I go into safe mode, get on and get the SuperAntiSpyware virus protection thing, and I did a quick scan and it didn't work, if I do a full scan will it find it and remove it???

Anonymous said...

Thank you, this was a huge help.

Anonymous said...

Thank You, Thank You, Thank You!

Anonymous said...

Thank you for your help!!

Anonymous said...

These instructions worked for a small amount of time before this program showed back up. I found a much easier way of removal for those who aren't too familiar with the registry. As your computer is booting up, use Ctrl/Alt/Del to open the Task Manager (if you don't do it quick, SSuite blocks Task Manager). Under the Processes tab, there should be a process with a bunch of random letters with a description that is similar. Right-click this, open file location, delete. Then all you have to do is simply delete it from your recycle bin :) Hope this works for someone else.

Anonymous said...

It's true, if you restart your computer, then quickly do a Ctrl-Alt-Delete right as soon as the computer allows you to (before the virus kicks in), then look for a file with a bunch of random letters with a description of the same letters (in my case it was "eqicngbshdw.exe" with a description of the same letters), then just RENAME the file because the virus won't let you delete it. In my case, I named it "badfile". Then I restarted my computer, and now I was able to access the internet via my browser.

Anonymous said...

Thank you so much, this worked just perfectly.

Anonymous said...

Thank you so much for the help!!!!!!!

Anonymous said...

Massive help. Thank you!

Anonymous said...

I'm glad there are people who take the time out to help. I'll be sure to help proliferate this guide.

Anonymous said...

OMG, totally worked. Didn't have the option to change the name... so do the Ctrl-Alt-Del, then hit stop action on a file that ends in shwd.exe, then go to Start, Search, then search for shwd.exe. It will take a while but it will pop up, and then rename and delete to recycle bin. Gone... computer back to normal. :)

Anonymous said...

You saved my computer. Thank you.

Anonymous said...

This is great. Thanks.

Anonymous said...

Thank you. You saved me from formatting my disc today! Now I can finally get my tasks accomplished :D

Big ups on the guide. I really appreciate it

Anonymous said...

The Task Manager trick worked to get it off my computer, but now I can't access the internet?????? I can access my home network, but when I try to set up a connection, it says that I'm connected to the net already. Tried browsing using IE, Firefox and Google Chrome - none work.

Anonymous said...

You could also use msconfig to remove it from the startup then delete it.

Anonymous said...

Above--you have to do the "proxy server" thingie in the instructions. Ain't I a great techie?

Anonymous said...

Task Manager trick did indeed work like a charm. Found the rogue application and wrote down the name, then disabled through Processes in Task Manager. Searched to find application file and an associated Prefetch file--renamed them both and deleted to trash bin. After that, everything worked except IE8. Once I unchecked 'Proxy Server' box from the connection settings, everything completely back to normal. I'm a very happy camper. Thank you, thank you, thank you!

Anonymous said...

Perfect instructions. Thanks very much for your help.

Anyone free this weekend to go looking for the f**ks that wrote this malware?

Anonymous said...

Thank you! The Ctrl-Alt-Del worked upon bootup. The safe mode with networking did not work for MAMB, no threats found. I had to rename the infected file, then reboot and go back to the file location and delete its root folder. All good now, thanks for the help!

Anonymous said...

The Task Manager trick worked wonders :) but now I can't access the internet. I'm attempting to restart my PC to see if that helps. Thank you so much, I was worried the comp was done for lol

Anonymous said...

That worked perfectly. Thank you! :)

And yes, if I had any free time this weekend I would love nothing more than to hunt down whoever created this monster.

Anonymous said...

I tried to get to task manager but I had so many processes that were a bunch of random letters. How do I know which one it is? Or is it all of them with random letters? I'm so confused!

Admin said...

Q: "I tried to get to task manager but I had so many processes that were a bunch of random letters. How do I know which one it is? Or is it all of them with random letters? I'm so confused!"

A: Look for a process like [RANDOM CHARACTERS]shdw.exe, for example ncfdskshdw.exe. It should end with shdw.exe.

Good luck!

Anonymous said...

Thank you! You did it ;)
The post really helped me!!
But on my computer, it only worked with Malwarebytes; the other programs found some spyware, but they didn't kill the Security Suite process.

But nice blog at all!!!

patrick said...

Uh.... I followed these instructions step by step and still antimalware pops up.. What am I missing?

Anonymous said...

how do you get task manager to stay to look through everything?

Anonymous said...

I am having problems with this virus as well, currently I can disable it from task manager but I don't get any hits when I look for a file with a shdw.exe. Is there anyone who can help with this? Should I look for a folder instead?

Anonymous said...

I can disable the program in Task Manager, but I can't find the shdw.exe file, even with the search function. Does anyone know the root folder?

Anonymous said...

the browser connection is easy to fix. I have about five browsers installed, but chose to use Firefox for the "fix" so I could search and find websites like this to learn more about how to remove this pest. In Mozilla, under "Tools" choose "Options" and click on the "Advanced" icon. You'll see four tabs, one of which is "Network", choose that one. The first option this option offers is "Connection Configure how Firefox connects to the internet." Click on the "Settings" button. You'll see that the little bullet that says "Use system proxy settings" is selected. Select "No proxy" instead, and voila, you're back online.

The "system proxy settings" this bugger has buggered are in the registry, which appear to be covered in the removal instructions of this article. Nonetheless, you can get your browser around its "hijack".

My Microsoft Essentials has found and removed a trojan called "FakeSpypro" for me as I've sat here typing this. It was removed from C://Documents and Settings/...(username).../Local Settings/Application Data/fpfpqefg/hesqxucshdw.exe <--This directory and filename are randomly generated by the trojan and probably differ from machine to machine infected. The "mothership" exe and root folder is always masked with gibberish to make it hard to find. It can also write itself to random locations, I suspect, so that while in my case it was located in ..Local Settings/Application Data.., in another case it may have installed itself elsewhere. Blogger was absolutely correct that the dead giveaway for the .exe is that the gibberish ends in "shdw".


It also removed two regkeys and two runkeys from the registry all named "waaabjnd".

Anonymous said...

Thank you for this guide. I'm lucky I found it because I went to the website it gave for activation and shot them an email on how to remove it thinking it was a real business. You saved me a lot of time and hassle. By the way my email is djdoublejake@rocketmail.com if anyone wants to help find these people and mess them up.

Anonymous said...

I LOVE YOU ..... THANK YOU SOOO MUCH!!!! It worked fantastically and for the first time ever I felt the urge to tell you how much I appreciated your help.

Anonymous said...

Thank you all!!! After reading the ctl alt delete tip, worked right away!

ariana said...

What will it say if it's bad and you're trying to end the process in the Task Manager? Is that what I'm supposed to do? Please, I need help! I had two viruses, they're driving me crazy.

Anonymous said...

Been trying to get rid of this virus for 2 days; it blocked my Norton antivirus program so I couldn't scan for it. The Ctrl-Alt-Del option worked for me. Thank you!!

Anonymous said...

This absolutely worked. Thank you very much.

kara R said...

Thank you, thank you, it took me a few tries to get it completely out of my computer but this worked great.

Anonymous said...

I have a suggestion for people who are having problems getting around Security Suite. If you have more than one user profile to access Windows (i.e. guest), log into the guest profile; Security Suite hasn't touched that. Then log back into the administrator profile (or the one that is affected). Before Security Suite has a chance to load, Ctrl+Alt+Delete, go to Processes, and end the process for Security Suite when it pops up. This will temporarily stop the blocks and warning messages that pop up so that you can follow the instructions listed above. Hope that helps... it helped me. I still haven't completely removed it, but now I'm able to access the internet, Windows Task Manager, and antivirus software.

Anonymous said...

It disabled my keyboard, any suggestions?

Anonymous said...

Till now it looks like the solution... thanks a lot!

Anonymous said...

Thanks, works great now!!!!

Anonymous said...

Awesome!!!! It helps me a lot.

Curtis Dutiel said...

My boss got hit with this on her laptop yesterday... It seems as if some of the file names have been changed, but they were easy to spot, based on the info provided.

It even blocked me from running Task manager and Add/Remove programs...
Still working on it, downloading and installing the malware program....

this malware is really just an extortion attempt... wonder how many paid them? fools and their $$ soon parted.

Anonymous said...

I did a system restore to an earlier time in safe mode and all has worked out well thus far. I'm currently checking registry settings and running a malware scan to make sure the virus is not "lurking" somewhere.

Anonymous said...

Good stuff, it worked for me.
Thanks!!!!!
Mark

Anonymous said...

Thanks, you saved me hours of work using the Ctrl, Alt, Del trick. I only wasted 4 hours before finding this website.