Windows System Suite



We had a close call with this rogue program yesterday.

My husband was doing a Google search, using Firefox 3.5 with WOT as a browser add-on. We are using AVG Free 8.5, as well as the free versions of Malwarebytes and SuperAntispyware, along with the Windows firewall behind a hardware router. Quick scans are done with MWB and SAS every day at day's end.

He clicked on a link in Google that WOT said was OK, and he was redirected to a malicious website--the home page of Windows Security Suite. WOT blocked the site, but through the black cover that WOT put up, which covered the web page's contents, we could read dire stuff like 'Windows will shut down to protect your system from damage' and stuff to that effect. My husband phoned me when this happened, as I was not home at the time, so I was advising by phone before I got home and saw for myself what was going on. By telephone I told him to open Task Manager and had him go to 'Applications' and try to shut down Firefox with that. He said a window came up saying that Windows Security Suite was not responding, 'End Now' or 'Cancel'. At this point I had him leave things as is until I got home several minutes later. Once home, I clicked on 'End Now' and Firefox closed. I opened MWB and updated it, then ran a quick scan, which came up clean. I re-opened Firefox, but it tried to restore the browser session, which was, of course, on the malicious page. The page didn't load (I didn't have it open that long), but Firefox generated a small popup offering to scan my infected system. I used Task Manager to shut down Firefox. I then opened FF again, as I realized I wasn't going to get off that page otherwise, and quickly closed the Windows Security Suite tab, then went to the home page I have set. That was fine. I closed FF with the red X and reopened it, and it was fine. I cleared FF's cache.

I see in the history there is a listing for a 'redirect123' as well as the URL for the Windows Security Suite site. My husband had been conducting a search for a specific model of 5th wheel camper trailer; the site he clicked on was supposedly about that.

I've run full scans with MWB, SAS, and AVG. The system is behaving normally and I have no signs of any malware on that machine. I've examined a couple of HJT logs I've generated and while I admit I'm not an expert, I don't see anything abnormal there, nothing unusual.

I guess I just want to make sure that MWB recognizes this threat and would have found it if it was present on my machine. :)


Greetings :)

Scan and post logs - read note at bottom in green

If you're having malware-related issues with your computer that you're unable to resolve:

1. Please read and follow the instructions provided here: I'm infected - What do I do now?

2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs

3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

* Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.

* Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.

* Using these other tools often makes the cleanup task more difficult and time consuming.

* If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.

* Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.

* There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

* NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


Thanks for your response, Prairiedog.

I think my computer is OK. I had run a quick scan with MWB right after the incident and then a full scan later in the evening, and they both came back showing no malware. SuperAntispyware and AVG free 8.5 also come back clean. I also came across this:

http://www.bleepingcomputer.com/virus-remo...ws-system-suite

Is there a list somewhere of a MWB 'threat center' or something showing which specific malware detections are in the database? I thought I had seen something like that a while back, but I can't find it now.

Do I need to post a HJT log in the other section of the forum just to double check? I can't see anything amiss in the log, but I don't claim to be an expert. I don't want to tie up someone else's time needlessly if the consensus is that MWB would have found something if there was anything to find. I can't see any indicators that this bad guy actually got in, only that it made an attempt.

This is making me consider springing for the pro version of MWB, actually. Will it play nicely with AVG 8.5, which has an antispyware component of its own?


  • Staff
We have two pages, but they don't list files or anything like that, just the current list of rogues:

http://www.malwarebytes.org/malwarenet.php

http://www.malwarebytes.org/roguenet.php

And you ought not have any issues with AVG beyond the outside possibility of needing to add our files to exclusions list:

http://www.malwarebytes.org/forums/index.php?showtopic=10138


Thank you, those were the links I was looking for. I've saved them to my FF speed dial. :) I see Windows System Suite is on the list, too.


Update, and not good news.

I updated MWB and ran my daily quick scan. This time it picked up what it called a "Rogue Installer". It identified PYCITSYq.exe.part. I uploaded this to VirusTotal and it was identified by 2 scanners. Microsoft called it "TrojanDownloader:Win32FakeVimes", and Sunbelt called it "Trojan.Win32.Tdss.w (v)". I had MWB quarantine it. I have no idea if this is the Windows System Suite item or not. The file in question was created yesterday, although I didn't note the exact time to actually pinpoint it to the Windows System Suite event.

I have rebooted as per MWB's instructions and am currently running another scan with MWB. I'll be starting another thread. :) And I suppose doing a bunch of other scans to make sure it didn't let in something else.
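The poster could not tie the quarantined `.part` file to the time of the incident because its timestamp was never recorded. A small triage script that lists recently written download artifacts (Firefox `.part` partial downloads and executables) with their modification time and SHA-256 would have pinned that down and produced the hash to look up on VirusTotal. The following is an added example, not code from the forum thread or from Malwarebytes; the folder layout, the suffix list and the sample files it builds are constructed for illustration, and only the file name `PYCITSYq.exe.part` is taken from the thread (its contents here are a harmless placeholder).

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# Assumed suffixes worth a second look in a downloads folder
# (".part" is what Firefox uses for an incomplete download).
SUSPECT_SUFFIXES = {".part", ".exe", ".scr", ".dll"}


def sha256_of(path):
    """Hash a file in chunks; the hex digest is what a VirusTotal lookup wants."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_suspects(root, days, suffixes=SUSPECT_SUFFIXES):
    """Return files under `root` with a suspect suffix modified within the last
    `days` days, newest first, as dicts with path, mtime and sha256."""
    since = datetime.now() - timedelta(days=days)
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime)
        if mtime >= since:
            hits.append({"path": str(p), "mtime": mtime, "sha256": sha256_of(p)})
    hits.sort(key=lambda h: h["mtime"], reverse=True)
    return hits


def build_sample_dir():
    """Construct a sample downloads folder in a temp directory:
    an old PDF, a week-old installer and a fresh .part file (placeholder bytes)."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    week_ago = time.time() - 7 * 86400

    old_doc = root / "manual.pdf"
    old_doc.write_bytes(b"%PDF-1.4 constructed sample")
    os.utime(old_doc, (week_ago, week_ago))

    old_exe = root / "printer_setup.exe"
    old_exe.write_bytes(b"MZ constructed placeholder installer")
    os.utime(old_exe, (week_ago, week_ago))

    fresh = root / "PYCITSYq.exe.part"  # name from the thread; bytes constructed
    fresh.write_bytes(b"MZ constructed placeholder, not a real sample")
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for hit in recent_suspects(sample_root, days=1):
        print(f"{hit['mtime']:%Y-%m-%d %H:%M:%S}  {hit['sha256']}  {hit['path']}")
```

Run it against a real profile by passing the browser's download folder as `root` and a window that brackets the incident (one day here); the mtime column gives the time the file was last written, which is what lets you match a quarantined artifact to a known browsing event.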

