Sign in to follow this  
Christian Mairoll

Security Suite Adware Removal Instructions

Recommended Posts

The Emsisoft malware research team has discoverd a new outbreak of the Security Suite adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.SecuritySuite.

Security Suite is a rogue security program, this is a new variant from AV Security Suite, Antivirus Suite, and Antivirus Soft. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer is infected with viruses or trojan, but you will not be able to delete them before you purchase. We have been researching more deeply about this rogue, you can see it at http://blog.emsisoft.com/2010/08/20/rogue-antivirus-again/.

Create new file:

  • %userprofile%Local SettingsApplication Data%random%%random%.exe

Create/modify registry entries:

  • HKEY_LOCAL_MACHINEsoftwaremicrosoftWindowsCurrentVersionRun
    (SZ) %random% = %userprofile%Local SettingsApplication Data%random%%random%.exe
  • HKEY_CURRENT_USERsoftwareMicrosoftInternet ExplorerDownload
    (DWORD) RunInvalidSignatures = 0×00000001 (1)
  • HKEY_CURRENT_USERsoftwareMicrosoftInternet ExplorerPhishingFilter
    (DWORD) EnabledV8 = 0×00000000 (0)
    (DWORD) Enabled = 0×00000000 (0)
  • HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionInternet Settings
    (SZ) ProxyServer = http=127.0.0.1:6522
    (SZ) ProxyOverride = <local>
  • HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations
    (SZ) LowRiskFileTypes = .exe
  • HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments
    (DWORD) SaveZoneInformation = 0×00000001 (1)
  • HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionRun
    (SZ) %random% = %userprofile%Local SettingsApplication Data%random%%random%.exe
  • HKEY_CURRENT_USERsoftwarewnxmal
    (DWORD) knkd = 0×00000001 (1)
    (DWORD) aazalirt = 0×00000001 (1)
    (DWORD) skaaanret = 0×00000001 (1)
    (DWORD) jungertab = 0×00000001 (1)
    (DWORD) zibaglertz = 0×00000001 (1)
    (DWORD) iddqdops = 0×00000001 (1)
    (DWORD) ronitfst = 0×00000001 (1)
    (DWORD) tobmygers = 0×00000001 (1)
    (DWORD) jikglond = 0×00000001 (1)
    (DWORD) tobykke = 0×00000001 (1)
    (DWORD) klopnidret = 0×00000001 (1)
    (DWORD) jiklagka = 0×00000001 (1)
    (DWORD) salrtybek = 0×00000001 (1)
    (DWORD) seeukluba = 0×00000001 (1)
    (DWORD) jrjakdsd = 0×00000001 (1)
    (DWORD) krkdkdkee = 0×00000001 (1)
    (DWORD) dkewiizkjdks = 0×00000001 (1)
    (DWORD) dkekkrkska = 0×00000001 (1)
    (DWORD) rkaskssd = 0×00000001 (1)
    (DWORD) kuruhccdsdd = 0×00000001 (1)
    (DWORD) krujmmwlrra = 0×00000001 (1)
    (DWORD) kkwknrbsggeg = 0×00000001 (1)
    (DWORD) ktknamwerr = 0×00000001 (1)
    (DWORD) iqmcnoeqz = 0×00000001 (1)
    (DWORD) ienotas = 0×00000001 (1)
    (DWORD) krkmahejdk = 0×00000001 (1)
    (DWORD) otpeppggq = 0×00000001 (1)
    (DWORD) krtawefg = 0×00000001 (1)
    (DWORD) oranerkka = 0×00000001 (1)
    (DWORD) kitiiwhaas = 0×00000001 (1)
    (DWORD) otowjdseww = 0×00000001 (1)
    (DWORD) otnnbektre = 0×00000001 (1)
    (DWORD) oropbbsee = 0×00000001 (1)
    (DWORD) irprokwks = 0×00000001 (1)
    (DWORD) ooorjaas = 0×00000001 (1)
    (SZ) id = 68.947
    (DWORD) ready = 0×00000001 (1)

Screenshots:

Adware.Win32.SecuritySuite_1-400x303.png

How to remove the infection of Security Suite (Adware.Win32.SecuritySuite)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

HKEY_LOCAL_MACHINEsoftwaremicrosoftWindowsCurrentVersionRun

(SZ) %random% = %userprofile%Local SettingsApplication Data%random%%random%.exe

HKEY_CURRENT_USERsoftwareMicrosoftInternet ExplorerDownload

(DWORD) RunInvalidSignatures = 0×00000001 (1)

HKEY_CURRENT_USERsoftwareMicrosoftInternet ExplorerPhishingFilter

(DWORD) EnabledV8 = 0×00000000 (0)

(DWORD) Enabled = 0×00000000 (0)

HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionInternet Settings

(SZ) ProxyServer = http=127.0.0.1:6522

(SZ) ProxyOverride = <local>

HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations

(SZ) LowRiskFileTypes = .exe

HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments

(DWORD) SaveZoneInformation = 0×00000001 (1)

HKEY_CURRENT_USERsoftwareMicrosoftWindowsCurrentVersionRun

(SZ) %random% = %userprofile%Local SettingsApplication Data%random%%random%.exe

HKEY_CURRENT_USERsoftwarewnxmal

(DWORD) knkd = 0×00000001 (1)

(DWORD) aazalirt = 0×00000001 (1)

(DWORD) skaaanret = 0×00000001 (1)

(DWORD) jungertab = 0×00000001 (1)

(DWORD) zibaglertz = 0×00000001 (1)

(DWORD) iddqdops = 0×00000001 (1)

(DWORD) ronitfst = 0×00000001 (1)

(DWORD) tobmygers = 0×00000001 (1)

(DWORD) jikglond = 0×00000001 (1)

(DWORD) tobykke = 0×00000001 (1)

(DWORD) klopnidret = 0×00000001 (1)

(DWORD) jiklagka = 0×00000001 (1)

(DWORD) salrtybek = 0×00000001 (1)

(DWORD) seeukluba = 0×00000001 (1)

(DWORD) jrjakdsd = 0×00000001 (1)

(DWORD) krkdkdkee = 0×00000001 (1)

(DWORD) dkewiizkjdks = 0×00000001 (1)

(DWORD) dkekkrkska = 0×00000001 (1)

(DWORD) rkaskssd = 0×00000001 (1)

(DWORD) kuruhccdsdd = 0×00000001 (1)

(DWORD) krujmmwlrra = 0×00000001 (1)

(DWORD) kkwknrbsggeg = 0×00000001 (1)

(DWORD) ktknamwerr = 0×00000001 (1)

(DWORD) iqmcnoeqz = 0×00000001 (1)

(DWORD) ienotas = 0×00000001 (1)

(DWORD) krkmahejdk = 0×00000001 (1)

(DWORD) otpeppggq = 0×00000001 (1)

(DWORD) krtawefg = 0×00000001 (1)

(DWORD) oranerkka = 0×00000001 (1)

(DWORD) kitiiwhaas = 0×00000001 (1)

(DWORD) otowjdseww = 0×00000001 (1)

(DWORD) otnnbektre = 0×00000001 (1)

(DWORD) oropbbsee = 0×00000001 (1)

(DWORD) irprokwks = 0×00000001 (1)

(DWORD) ooorjaas = 0×00000001 (1)

(SZ) id = 68.947

(DWORD) ready = 0×00000001 (1)



View the full article

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.