Rogue software details: Windows Security Suite

Windows Security Suite is a rogue security application. To remove it, look for the files and registry entries listed below.

Known system changes:

Folders
c:\ApplicationData\WINSSSys

Registry entries

Source: Lavasoft Malware Lab’s Rogue Gallery.



