Windows Security Suite




This sleek program is another to watch out for, so don't be tricked.

It appears that the client was browsing myspace.com, when their browser was hijacked and redirected to another site. The client was duped into installing this program.

Beware if you see any of these URLs:
  1. pay1.windowssecuritysuite.com/
  2. 7avsearch.net
  3. http://www.windowssecuritysuite.com/support.php?uid=136&mid=6d442a67e903243d0f1004bf684b0239&StrWinOS=wvXP&bid=b_Unknown&sid=11011&ls=6&errors=18&nid=0
  4. http://www.windowssecuritysuite.com/help.php?uid=136&mid=6d442a67e903243d0f1004bf684b0239&StrWinOS=wvXP&bid=b_Unknown&sid=11011&ls=6&errors=1&nid=0


Below are the Registry entries and files associated with the program. (If you are unfamiliar with the Registry, leave this page NOW.)

Key Name:
HKEY_USERS\S-1-5-21-*****-*****-****-****\Software\Microsoft\Windows\CurrentVersion\Run
  1. Value 1
    Name: Windows Security Suite
    Type: REG_SZ
    Data: "C:\Documents and Settings\All Users\Application Data\904c03c\WI904c.exe" /s /d
Key Name:
HKEY_USERS\sss\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  1. Value 0
    Name:
    Type: REG_SZ
    Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\904c03c\WI904c.exe
Key Name:
HKEY_USERS\sss\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  1. Value 0
    Name:
    Type: REG_SZ
    Data: WI904c.DocHostUIHandler
Key Name:
HKEY_USERS\sss\Classes\WI904c.DocHostUIHandler\Clsid
  1. Value 0
    Name:
    Type: REG_SZ
    Data: {3F2BBC05-40DF-11D2-9455-00104BC936FF}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"wi904c.exe" (the name may be randomly generated):
c:\documents and settings\all users\application data\904c03c\wi904c.exe
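
Because the file name may be randomly generated, a literal match on WI904c.exe is brittle. The following Python code is an added example, not part of the original page: it parses a listing in the format shown above and flags any launch key (Run, RunOnce, LocalServer32) whose data points at an .exe under Application Data. The function names, the heuristic itself and the benign ctfmon.exe entry in the sample are assumptions made for illustration.

```python
import re

# Constructed sample in this page's listing format; the last key is a benign contrast entry.
SAMPLE = r'''Key Name:
HKEY_USERS\S-1-5-21-*****-*****-****-****\Software\Microsoft\Windows\CurrentVersion\Run
  1. Value 1
    Name: Windows Security Suite
    Type: REG_SZ
    Data: "C:\Documents and Settings\All Users\Application Data\904c03c\WI904c.exe" /s /d
Key Name:
HKEY_USERS\sss\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  1. Value 0
    Name:
    Type: REG_SZ
    Data: C:\DOCUME~1\ALLUSE~1\APPLIC~1\904c03c\WI904c.exe
Key Name:
HKEY_USERS\sss\Software\Microsoft\Windows\CurrentVersion\Run
  1. Value 0
    Name: ctfmon.exe
    Type: REG_SZ
    Data: C:\WINDOWS\system32\ctfmon.exe
'''

# Keys that launch a program: autoruns and COM local servers.
LAUNCH_KEY = re.compile(r'\\(CurrentVersion\\Run(Once)?|LocalServer32)$', re.I)
# An .exe under Application Data, long or 8.3 short form (assumed heuristic).
APPDATA_EXE = re.compile(r'[A-Z]:\\[^"]*\\(Application Data|APPLIC~\d)\\[^"]*?\.exe', re.I)

def parse_listing(text):
    """Yield (key, value name, data) for each value in a 'Key Name:' listing."""
    key, name, expect_key = None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == 'Key Name:':
            expect_key = True            # the key path is on the next non-empty line
        elif expect_key and line:
            key, expect_key = line, False
        elif line.startswith('Name:'):
            name = line[5:].strip() or '(Default)'   # an unnamed value is the key's default
        elif line.startswith('Data:'):
            yield key, name, line[5:].strip()

def suspicious(text):
    """Return (key leaf, value name, exe path) where a launch key runs from Application Data."""
    hits = []
    for key, name, data in parse_listing(text):
        m = APPDATA_EXE.search(data)
        if LAUNCH_KEY.search(key) and m:
            hits.append((key.rsplit('\\', 1)[-1], name, m.group(0)))
    return hits
```

Calling suspicious(SAMPLE) returns the Run and LocalServer32 entries and skips ctfmon.exe. A hit is a lead for manual review, not a verdict, since legitimate software can also start from Application Data.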

You will find shortcuts to the program on the

*** The following folder is hidden. You will need to set your system to show Hidden Files AND Folders:
C:\Documents and Settings\<User Name>\Application Data\Windows Security Suite

Delete this folder ("904C0"); it contains the folder "WINSSSys"
(some names may be randomly generated):
C:\Documents and Settings\<User Name>\Application Data\904C0\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"C:\Documents and Settings\<User Name>\Application Data\904C0\" Folder
            Size          Name
  1. 4,286 bytes » WINSS.ico
  2. 342 bytes » 3152.mof

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"C:\Documents and Settings\<User Name>\Application Data\904C0\WINSSSys" Folder
            Size          Name
  1. 1,307 bytes » VDAI.ntf
  2. 11,376 bytes » vd952342.bd


Remember to always check here: C:\WINDOWS\Prefetch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"C:\Documents and Settings\<User Name>\Recent" Folder
            Size          Name
  1. 5 bytes » ANTIGEN.drv
  2. 3 bytes » ANTIGEN.exe
  3. 48 bytes » ANTIGEN.sys
  4. 65 bytes » cb.dll
  5. 80 bytes » cb.drv
  6. 41 bytes » cb.tmp
  7. 54 bytes » CLSV.dll
  8. 43 bytes » CLSV.drv
  9. 12 bytes » CLSV.tmp
  10. 31 bytes » DBOLE.tmp
  11. 1 bytes » ddv.drv
  12. 64 bytes » ddv.sys
  13. 13 bytes » delfile.drv
  14. 52 bytes » dudl.dll
  15. 70 bytes » eb.dll
  16. 51 bytes » eb.exe
  17. 64 bytes » eb.tmp
  18. 7 bytes » energy.exe
  19. 46 bytes » energy.sys
  20. 78 bytes » energy.tmp
  21. 41 bytes » exec.dll
  22. 19 bytes » exec.tmp
  23. 69 bytes » fan.dll
  24. 70 bytes » fix.drv
  25. 53 bytes » FS.tmp
  26. 52 bytes » FW.sys
  27. 2 bytes » gid.dll
  28. 29 bytes » hymt.exe
  29. 27 bytes » kernel32.drv
  30. 32 bytes » kernel32.exe
  31. 27 bytes » kernel32.sys
  32. 9 bytes » pal.exe
  33. 75 bytes » PE.dll
  34. 52 bytes » PE.drv
  35. 31 bytes » PE.exe
  36. 31 bytes » PE.sys
  37. 64 bytes » PE.tmp
  38. 18 bytes » ppal.dll
  39. 7 bytes » ppal.tmp
  40. 7 bytes » runddl.tmp
  41. 71 bytes » runddlkey.sys
  42. 73 bytes » SICKBOY.exe
  43. 40 bytes » SICKBOY.tmp
  44. 12 bytes » sld.drv
  45. 10 bytes » sld.exe
  46. 76 bytes » sld.sys
  47. 57 bytes » SM.drv
  48. 60 bytes » SM.exe
  49. 51 bytes » SM.sys
  50. 78 bytes » SM.tmp
  51. 40 bytes » snl2w.drv
  52. 29 bytes » snl2w.sys
  53. 49 bytes » std.dll
  54. 56 bytes » std.drv
  55. 20 bytes » tempdoc.sys
  56. 8 bytes » tjd.dll
  57. 65 bytes » tjd.sys
  58. 16 bytes » tjd.tmp

