Windows Security Suite
This sleek program is another one to watch out for, so don't be tricked.
It appears that the client was browsing myspace.com when their browser was hijacked and redirected to
another site, where the client was duped into installing this program.
Beware if you see these URLs:
- pay1.windowssecuritysuite.com/
- 7avsearch.net
- http://www.windowssecuritysuite.com/support.php?uid=136&mid=6d442a67e903243d0f1004bf684b0239&StrWinOS=wvXP&bid=b_Unknown&sid=11011&ls=6&errors=18&nid=0
- http://www.windowssecuritysuite.com/help.php?uid=136&mid=6d442a67e903243d0f1004bf684b0239&StrWinOS=wvXP&bid=b_Unknown&sid=11011&ls=6&errors=1&nid=0
Below are entries found in the Registry (if you are unfamiliar with the registry... leave this page NOW)
and files associated with the program.
Key Name:
HKEY_USERS\S-1-5-21-*****-*****-****-****\Software\Microsoft\Windows\CurrentVersion\Run
- Value 1
Name: Windows Security Suite
Type: REG_SZ
Data: "C:\Documents and Settings\All Users\Application Data\904c03c\WI904c.exe" /s /d
Key Name:
HKEY_USERS\sss\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
- Value 0
Name:
Type: REG_SZ
Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\904c03c\WI904c.exe
Key Name:
HKEY_USERS\sss\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
- Value 0
Name:
Type: REG_SZ
Data: WI904c.DocHostUIHandler
Key Name:
HKEY_USERS\sss\Classes\WI904c.DocHostUIHandler\Clsid
- Value 0
Name:
Type: REG_SZ
Data: {3F2BBC05-40DF-11D2-9455-00104BC936FF}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"wi904c.exe" (the name may be randomly generated)
c:\documents and settings\all users\application data\904c03c\wi904c.exe
You will find shortcuts to the program:
- on the Desktop,
- on the Quick Launch bar,
- in the Program Groups (i.e. Start » All Programs » Windows Security Suite)
***The following folder is hidden: you will need to set your system to show Hidden Files AND Folders.
C:\Documents and Settings\<User Name>\Application Data\Windows Security Suite
- Instructions.ini (delete the parent folder)
Delete this folder ("904C0"); it contains the folder "WINSSSys"
(some names may be randomly generated):
C:\Documents and Settings\<User Name>\Application Data\904C0\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the
"C:\Documents and Settings\<User Name>\Application Data\904C0\" folder (Size » Name):
- 4,286 bytes » WINSS.ico
- 342 bytes » 3152.mof
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the
"C:\Documents and Settings\<User Name>\Application Data\904C0\WINSSSys" folder (Size » Name):
- 1,307 bytes » VDAI.ntf
- 11,376 bytes » vd952342.bd
Remember to always check here:
C:\WINDOWS\Prefetch
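The registry entries, hidden folders and Prefetch check above can be audited in one pass. The script below is an added example, not part of this page; it only reports what it finds and leaves removal to the manual steps described here. It assumes a Windows XP profile layout (Documents and Settings \ Application Data), PowerShell 2.0 or later, and that it runs as the affected user. The CLSID, ProgID and folder/file names (904c03c, 904C0, WI904c.exe) are the ones listed on this page; because the page says some names are randomly generated, the checks also match the general pattern (short hex-named folder under Application Data, an .exe launched from it with "/s /d"). The HKLM Run key and the mapping of HKEY_USERS\<SID>\Classes to HKCU\Software\Classes are my additions.

```powershell
# Added example (not from the original page): read-only audit for the
# "Windows Security Suite" indicators listed above. It reports; it does not delete.
# Assumptions: Windows XP profile layout, PowerShell 2.0+, run as the affected user.

$Clsid  = '{3F2BBC05-40DF-11D2-9455-00104BC936FF}'   # CLSID listed on the page
$ProgId = 'WI904c.DocHostUIHandler'                  # ProgID listed on the page

function Find-WindowsSecuritySuiteIndicators {
    $findings = @()
    $exeNames = @()

    # 1. Run-key persistence: a value named "Windows Security Suite", or any value whose data
    #    launches an .exe from a short hex-named folder under Application Data with "/s /d".
    $runPattern = '\\Application Data\\[0-9a-f]{5,8}\\([^\\"]+\.exe)"?\s+/s\s+/d'
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')   # HKLM added as an extra check
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own note properties
            $data = [string]$p.Value
            if ($p.Name -eq 'Windows Security Suite' -or $data -match $runPattern) {
                $findings += "Run value '$($p.Name)' in $key -> $data"
                if ($data -match $runPattern) { $exeNames += $Matches[1] }
            }
        }
    }

    # 2. COM registration. The page shows HKEY_USERS\<SID>\Classes; for the logged-on user
    #    that is HKCU\Software\Classes (assumption).
    $comKeys = @("HKCU:\Software\Classes\CLSID\$Clsid\LocalServer32",
                 "HKCU:\Software\Classes\CLSID\$Clsid\ProgID",
                 "HKCU:\Software\Classes\$ProgId\Clsid")
    foreach ($key in $comKeys) {
        if (Test-Path $key) {
            $default = (Get-ItemProperty -Path $key).'(default)'
            $findings += "Registry key present: $key -> $default"
        }
    }

    # 3. Hex-named folders under All Users and per-user Application Data.
    #    -Force is required because the page notes these folders are hidden.
    $allUsersAppData = Join-Path $env:ALLUSERSPROFILE 'Application Data'   # XP layout (assumption)
    foreach ($root in @($allUsersAppData, $env:APPDATA)) {
        if (-not (Test-Path $root)) { continue }
        $dirs = Get-ChildItem -Path $root -Force |
                Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9a-f]{5,8}$' }
        foreach ($d in @($dirs)) {
            if ($d -eq $null) { continue }
            $findings += "Suspicious hex-named folder: $($d.FullName)"
            $items = Get-ChildItem -Path $d.FullName -Force -Recurse
            foreach ($i in @($items)) {
                if ($i -eq $null) { continue }
                if ($i.PSIsContainer) { $findings += "  subfolder: $($i.FullName)" }
                else {
                    $findings += "  file: $($i.FullName) ($($i.Length) bytes)"
                    if ($i.Extension -eq '.exe') { $exeNames += $i.Name }
                }
            }
        }
    }

    # The per-user "Windows Security Suite" folder (page: contains Instructions.ini).
    $wssFolder = Join-Path $env:APPDATA 'Windows Security Suite'
    if (Test-Path $wssFolder) { $findings += "Folder present: $wssFolder" }

    # 4. Prefetch traces for every .exe name found above (e.g. WI904C.EXE-xxxxxxxx.pf).
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    if ($exeNames.Count -gt 0 -and (Test-Path $prefetch)) {
        foreach ($exe in ($exeNames | Select-Object -Unique)) {
            $pf = Get-ChildItem -Path $prefetch -Filter "$exe-*.pf" -ErrorAction SilentlyContinue
            foreach ($f in @($pf)) {
                if ($f -eq $null) { continue }
                $findings += "Prefetch trace of ${exe}: $($f.FullName) (last written $($f.LastWriteTime))"
            }
        }
    }
    return $findings
}

$report = Find-WindowsSecuritySuiteIndicators
if (@($report).Count -eq 0) { Write-Output 'No Windows Security Suite indicators found.' }
else { $report | ForEach-Object { Write-Output $_ } }
```

Run it before and after the manual clean-up: a second run that reports nothing confirms the Run value, the CLSID/ProgID keys and the hidden folders are gone. The Prefetch entries are evidence of past execution rather than persistence, which is why the script lists them last with their timestamps instead of treating them as something that must be removed.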
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the
"C:\Documents and Settings\<User Name>\Recent" folder (Size » Name):
- 5 bytes » ANTIGEN.drv
- 3 bytes » ANTIGEN.exe
- 48 bytes » ANTIGEN.sys
- 65 bytes » cb.dll
- 80 bytes » cb.drv
- 41 bytes » cb.tmp
- 54 bytes » CLSV.dll
- 43 bytes » CLSV.drv
- 12 bytes » CLSV.tmp
- 31 bytes » DBOLE.tmp
- 1 bytes » ddv.drv
- 64 bytes » ddv.sys
- 13 bytes » delfile.drv
- 52 bytes » dudl.dll
- 70 bytes » eb.dll
- 51 bytes » eb.exe
- 64 bytes » eb.tmp
- 7 bytes » energy.exe
- 46 bytes » energy.sys
- 78 bytes » energy.tmp
- 41 bytes » exec.dll
- 19 bytes » exec.tmp
- 69 bytes » fan.dll
- 70 bytes » fix.drv
- 53 bytes » FS.tmp
- 52 bytes » FW.sys
- 2 bytes » gid.dll
- 29 bytes » hymt.exe
- 27 bytes » kernel32.drv
- 32 bytes » kernel32.exe
- 27 bytes » kernel32.sys
- 9 bytes » pal.exe
- 75 bytes » PE.dll
- 52 bytes » PE.drv
- 31 bytes » PE.exe
- 31 bytes » PE.sys
- 64 bytes » PE.tmp
- 18 bytes » ppal.dll
- 7 bytes » ppal.tmp
- 7 bytes » runddl.tmp
- 71 bytes » runddlkey.sys
- 73 bytes » SICKBOY.exe
- 40 bytes » SICKBOY.tmp
- 12 bytes » sld.drv
- 10 bytes » sld.exe
- 76 bytes » sld.sys
- 57 bytes » SM.drv
- 60 bytes » SM.exe
- 51 bytes » SM.sys
- 78 bytes » SM.tmp
- 40 bytes » snl2w.drv
- 29 bytes » snl2w.sys
- 49 bytes » std.dll
- 56 bytes » std.drv
- 20 bytes » tempdoc.sys
- 8 bytes » tjd.dll
- 65 bytes » tjd.sys
- 16 bytes » tjd.tmp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~