I recently ran up against the nastiest piece of malware I’ve ever encountered – Windows Security Suite – (which of course has nothing whatsoever to do with Microsoft or Windows). In short, the program makes your computer seem completely infected and compromised, to the point where you can’t launch your browser, Task Manager, your anti-virus software, or much of anything.

Also known as Windows Defender virus, the program launches numerous – and I mean TONS – of popups which politely suggest that you are hopelessly, irretrievably FUBAR’d. …and of course, it offers to sell you a program – for $49.95+ – to clean up your computer. …hence, “ransomware.” (Strictly speaking this family is usually called rogue anti-virus or scareware: it extorts by deception and by blocking your programs, not by encrypting your files.)

YMMV, but I was able to find a way to defeat it and effectively remove it from my PC (this is a Dell Inspiron running XP). I discovered that if I rebooted the computer, it took the malware 40 seconds or so to actually start running and launching popups. Knowing this, I rebooted the computer, launched Start/All Programs/Accessories/System Tools/System Restore as quickly as I could, and restored the computer to its state 3 days earlier. Keep in mind that System Restore only rolls back the registry and the system files it monitors; it is not a scanner, which is why the scans below still mattered.

That seemed to clear things up, except that my McAfee AV program was acting a bit strangely. I re-downloaded the software (it then ran normally) and performed a full scan of the hard drive, which produced absolutely nothing.

Then I downloaded and ran a scan using Malwarebytes Anti-Malware, which identified 2 issues with the Registry and 2 infected files and removed them.

These were the Registry issues:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

And the two infected files:

Files Infected:
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
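The two registry values and the misplaced svchost.exe above are easy to check by hand. The following PowerShell script is an added example, not part of the original post or of the Malwarebytes output; it assumes an elevated PowerShell prompt (PowerShell 2.0 is enough, which is what an XP machine like this one would have), scans every user profile’s Temp folder rather than hard-coding the “Kevin” path, and only resets the registry values when run with `-Fix`. The malware set both values to 1 so that Security Center stops warning that anti-virus and the firewall are off; the clean value, as the scan log says, is 0.

```powershell
# Added example (not the blog author's code): check for the artifacts that the
# Malwarebytes scan reported, and optionally reset the Security Center values.
# Assumption: run from an elevated prompt; PowerShell 2.0 or later.
param([switch]$Fix)

$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$names = 'AntiVirusDisableNotify', 'FirewallDisableNotify'

foreach ($n in $names) {
    $v = (Get-ItemProperty -Path $scKey -Name $n -ErrorAction SilentlyContinue).$n
    if ($null -eq $v) {
        "$n : not present (OK)"
    } elseif ($v -eq 1) {
        # 1 = Security Center will NOT warn that AV / firewall is off (the infected state)
        "$n : 1  <-- Security Center warnings suppressed"
        if ($Fix) {
            Set-ItemProperty -Path $scKey -Name $n -Value 0 -Type DWord
            "  reset $n to 0"
        }
    } else {
        "$n : $v (OK)"
    }
}

# The dropped file named in the scan log lived under the XP system32 directory.
$cert = Join-Path $env:SystemRoot 'system32\certstore.dat'
if (Test-Path $cert) { "SUSPECT: $cert exists (reported as Trojan.Agent in the scan above)" }

# A legitimate svchost.exe lives only under %SystemRoot%\system32 (and SysWOW64 on
# 64-bit Windows). A copy in any user's Temp folder is suspect; report, don't delete.
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
$profiles = Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) {
    # XP layout: <profile>\Local Settings\Temp ; Vista and later: <profile>\AppData\Local\Temp
    $temps = @("$($p.FullName)\Local Settings\Temp", "$($p.FullName)\AppData\Local\Temp")
    foreach ($t in $temps) {
        $candidate = Join-Path $t 'svchost.exe'
        if (Test-Path $candidate) {
            $f = Get-Item $candidate
            "SUSPECT: $candidate  size=$($f.Length)  modified=$($f.LastWriteTime)"
        }
    }
}
```

Run it once without `-Fix` to see what it finds; if it reports either value as 1 while you know your AV and firewall are on, that is exactly the state Malwarebytes quarantined here. Resetting the values does not remove the malware itself, so treat a hit as a reason to scan, not as a fix.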

Everything’s OK now.

I’m not sure how the system became infected, but I imagine it was from an email or perhaps a questionable website.  In any event, it was not an enjoyable experience.

Keep this in mind, should you encounter a similar problem.


22 Comments on My encounter with ransomware “Windows Security Suite”

  1. Michael W. says:

    In this age of inexpensive netbooks, it’s probably a good idea to keep one set aside dedicated solely to accessing on-line financial components – a bill-paying, money transferring netbook, so-to-speak. No browsing at all on that one! No emails at all!


    Kevin Reply:

    Yeah… probably not a bad idea. I used my test iPad to find the anti-malware program – although I could have used our netbook.


  2. Nicole says:

    Your timing could not be better! My daughter’s computer just started showing signs of the same infection. Thanks for the post!


  3. Jose says:

    Hi. Trying to find if my PC slowness could be due to malware, I visited the site (Malwarebytes Anti-Malware) thru the link in your column. There, I was offered a “Cyber defender software” for a free trial, but with numerous pop-ups intended to have you buy it ($49.95) instead of downloading it for the free trial. I insisted with the free download, but when it was about to install it, my trusty Norton Antivirus blocked it advising it had blocked an attempt to install a Trojan Fake antivirus. I immediately turned off the computer and after restarting it ran a full analysis which fortunately did not find any malware. I write this as a warning for whoever visits the said site.


    Kevin Reply:

    Jose,

    First, I have no connection whatsoever with Malwarebytes. I’m afraid you clicked on the wrong download button.

    The one I used is labeled “Download Now (5.87MB).” Immediately below the download button is the caption “Tested spyware free.” This is a CNET download, and is perfectly safe.

    The download you clicked on is over to the right, and if you look above the download button, it says “Ad info.” This is an AD, not the CNET download I was recommending. It’s a shame that CNET has ads like that on their site, but I can’t control that.

    Please visit the site again and try the correct download. Thanks.

    P.S. – the software I downloaded (Malwarebytes Anti-Malware) is completely compatible with my anti-virus software from McAfee.


  4. M says:

    I was infected with the same virus when I downloaded the latest version of IE a few months back. I can’t remember why I downloaded IE because I only use Firefox or Safari as web browsers, but there you go. I downloaded Malwarebytes in safe mode and was able to isolate the infected files and get rid of them.


  5. Mark says:

    Malwarebytes Anti-Malware has been around for many years and is a respected piece of software. I have been infected with the same (or a similar) bit of ransomware “anti-virus” a few times over the years, and for some reason the Malwarebytes product is the only antivirus that’s been able to fully clean it off my system.

    I’ll offer one tip for avoiding this type of infection…

    Often you will get an initial pop-up saying something like “Your computer is infected, do you want to run our anti-virus software?” The name will usually be something with “Windows” in it to make it seem “official”, just like in Kevin’s instance above. It will sometimes be structured to look like a Windows notification box also. The important thing is to *not* click that box, even to try and close it. Even if you click “cancel” or the corner X box to close the popup, you are initiating the malware install. By then it’s too late.

    Instead, open your Windows Task Manager – CTRL-ALT-Delete will bring up the box to open it. Close the offending popup via Task Manager. You may need to close all instances of your browser if it won’t close the individual popup. This will usually kill the malware before it has a chance to infect your system.

    I don’t know if this is the same way Kevin got infected, but it’s a common method of attack for similar malware.


    Kevin Reply:

    Mark – thanks; great suggestion.


  6. Adriano says:

    What about using an alternative OS?
    I work with Linux sometimes and it is fine. Moreover, it doesn’t get any “flu” of this kind, AFAIK.


  7. Zvi says:

    Kevin, did you do the rebooting in safe mode, or regular mode? In such cases, it is generally better to do it in safe mode, which I think actually gives you the option of doing system restore before anything else happens.


    Kevin Reply:

    Zvi,

    Actually I rebooted normally. Thanks for the tip!


  8. Bill says:

    I mentioned picking this up in one of your previous blog posts. At the time, the only thing up on my screen was Firefox on Lifehacker. Maybe one of the ad frames was malicious?

    If these guys are extorting revenue (“buy our software to fix this”), shouldn’t there be a way to follow the money trail to this scum?

    Bill


  9. Kyle says:

    I’m afraid “Windows Security Suite” has found its way onto my computer… Unfortunately, I cannot seem to be able to rid myself of the beast. I already had Malwarebytes Anti-Malware installed on my computer, so I rebooted my computer in safe mode and ran a quick scan. It didn’t find anything. Then I started my computer normally, but the virus was still there. I managed to open Malwarebytes Anti-Malware before the virus took control. I did a regular scan this time, but it still didn’t find anything. Any ideas? Is there a different Anti-Malware program I should try? Or should I try re-downloading Malwarebytes Anti-Malware? I need some advice…


    Kevin Reply:

    Kyle,

    Just a couple of ideas…

    First, there’s a Forum at the Malwarebytes website; I’d post there and see if someone could help: http://forums.malwarebytes.org/

    Secondly, can you check with someone at the IT Dept. at your school or company? There may be someone there who can offer advice or help.

    Perhaps another reader can comment with other suggestions… good luck!!


  10. jmancool says:

    This virus just recently got onto my girlfriend’s computer and completely took over. It wouldn’t let me open even the smallest of files, claiming that they were infected and I needed to buy their stupid software. I was able to open up Malwarebytes, which was already loaded onto the computer, and run a scan only because of the few-second delay it takes for the virus to boot up. However, when the scan was finished it shut down the processes needed to eliminate the virus. After it rebooted and I ran another scan, the virus had hidden itself and did not show up on Malwarebytes at all, though it still gave me all the popups. I even tried running Malwarebytes in Safe Mode and it didn’t show up. Unfortunately, as with many things, I didn’t know not to interact with the spyware boxes and probably worked the virus deeper into the computer with every attempt I made to get rid of it.

    What I eventually did to get rid of it was open it up in Safe Mode (with or without networking, it didn’t matter). She runs Windows 7, so I was able to go in to the “start”/windows logo thingy -> accessories -> system tools -> system restore and restore to a point a few days ago. I was very glad to find that Windows makes a habit of doing frequent system restore points whenever it updates.

    I would suggest to anyone who tries to run Malwarebytes while the virus is shutting down every program: try to run Malwarebytes in safe mode. It might not work, but then again it definitely won’t work if the virus shuts down the program that’s eliminating it. The best thing to do, and save yourself a lot of time, is to try the system restore from safe mode. It’s not reversible, but this virus will brick your computer if you don’t get rid of it. The virus seems to be dormant in safe mode, so you can back up files onto thumb drives from there if need be.

    It might also be worth mentioning that I have never caught this virus on my computer. I run Norton360 and go to much worse sites than TPB, where she got her infection. Also, I run PeerBlock quite a bit when I go to those sites and it seems to shut down just about every ad on the screen. So that might have something to do with it. Good luck everybody!


    Dragon Reply:

    Malwarebytes is designed to run in normal mode, but I also sometimes run SuperAntiSpyware as a backup; that might get something MWBytes doesn’t get.

    Also, there is a new version [32 bit or 64 bit] of Avast that does a boot scan. I got rid of a trojan I didn’t even know I had.

    As a bit of insurance, I run a small program called KeyScrambler, so if I ever have a trojan and it is trying to “write home” everything it sees, then I won’t have to worry because it only sees gibberish.


    Kevin Reply:

    Dragon,

    Thanks for the tip re: KeyScrambler. I’ll definitely check it out.


  11. Jim Costa says:

    Many thanks Kevin. Restoring and adding Malwarebytes Anti Malware saved my computer and my sanity.


    Kevin Reply:

    Jim, glad it was of help!


  12. Steve says:

    Kevin,

    Thanks for the thorough explanation of how to rid my wife’s computer of this awful ransomware. I spent 6 hours with my anti-virus software support group yesterday to no avail. After reading your remedy I resolved the problem by restoring the system in minutes. I’m running the malware program as we speak.

    Many thanks for taking the time to explain the process to remove this beast!

    Steve


    Kevin Reply:

    Steve,

    Glad I was able to help!


  13. Michael W. says:

    I decided to reinstall Windows on my desktop computer just so I could reclaim the “recovery partition” space installed by the maker in lieu of providing me with recovery disks. I also figured it would be a nice, cleaner install, since I would be working from my own Win 7 Premium disk instead of from the maker’s discs, which would just reinstall all the bloatware that originally came on my machine (I just re-entered the license key from the computer case when finished).

    Guess what? The machine is faster and the fan does not come on nearly as often as it used to.

    I am now suspicious that I may have picked up a virus not caught by Microsoft Security Essentials OR Malwarebytes on my old installation. How else can I explain that pre-Windows re-installation the machine ran a tad slower AND the fan came on a lot more?

    I think there is a lot to be said for an annual Windows re-installation, even if it does mean many, many boring Windows updates, since Windows never updates itself all at once, it does it a nibble at a time.

    (Technically the fan is always on, but if I am doing heavy computer work – burning DVDs etc. – the fan blows noisy.)
