
Tuesday, June 19, 2012

Windows Security Suite virus - The most concentrated evil juice there is

My son somehow picked up Windows Protection Suite on his PC. It started with a pop up, and ended up hijacking all the browsers and making them non-functional, shut off the firewall and disabled the antivirus. It had tricked him into clicking a dialog that downloaded the software. Then it pretends to be a security suite and asks you for your credit card number to upgrade it to save you from all these threats it is pretending to have detected (which it caused). Reasonable attempts to kill processes and remove files were useless; it repaired itself on reboot. I was able to temporarily restore Chrome by renaming the file back, but that only lasted about a minute before it was swapped back. It disables the virus scanner anew every time you attempt to re-install it from USB. I was unable to do a system restore either. I don't know how they managed to hose that up too. msconfig of the startup sequence didn't help either. I advocate extreme violence against the authors of this program.

This is not my screenshot, because my PC was dead, but it looked pretty much like this.

Windows Security Suite snapshot

Some links I found.
Some web searches recommended Malwarebytes and rkill. I think they are written by Malwarebytes, to sell their software. After initial resistance I tried Malwarebytes and rkill and it didn't work at all. After giving in and following their directions, I ended up with a PC that would not boot at all. I could not even boot it from the CD or USB stick with either Windows or Linux. I've never seen this before; I've always been able to boot from a Linux USB, but this time, halfway through the boot, the PC goes black and reboots. A Windows install from CDROM also stops after the initial load and the PC reboots. Holy crap.

Don't waste your time if this happens to you.  This is the most evil virus I've ever seen.  I doubt that you will ever be able to clean it out.

Now I'm buying a new hard drive and starting from scratch. My plan is to take the old hard drive out to a Linux machine and extract some of the data I want from it, then reformat it. It will never touch a Windows machine again. I will update the post once the hard drive is replaced. Hopefully it has not done hardware damage or screwed with the BIOS too. I will dedicate my life to tracking these people down if it has.

Update... the computer is back up and running.
The computer hard drive and all the data was a total loss. Started over with a new drive. However, it turned out a bad fan on the video card was the true cause of the constant rebooting, and the reason even loading Ubuntu didn't work. <Red Faced>. Odd how this problem popped up just as the computer got this crippling virus; maybe something about the virus caused the video card to work extra hard and fail, or just plain coincidence. However, when you have two problems at once, debugging and fixing become 10 times as difficult. I solved the problem by pulling memory modules and cards one at a time until the machine was stable, since I knew the virus was gone when I replaced the hard drive.

I still think this virus is one of the worst I've ever seen, but it's not conclusive that it caused hardware damage as well.

1 comment:

  1. I have had a version of this virus twice. Once on a desktop and once on a netbook, both running XP with all current security updates. The desktop was infected when my daughter fell for the download trap like your son did. I found rkill was the only way to regain enough control to start the search to find and destroy the virus. It took 6 days and countless hours to finally root it all out. I found that I had to run three different antivirus programs multiple times one after another to get all of it. Malwarebytes helped, although it is very annoying how it insists on updating before it does anything.

    I had a dedicated USB drive with essential tools ready the next time it happened, just before an important conference started while I was overseas. I don't know how it loaded as I don't recall clicking on anything suspicious. I was able to get rid of it in about three hours this time, only because I had been through the mill before.

    I agree with you that it is the worst virus I have seen. Where I work they automatically re-image if they come across a variant of it.

    While looking for help I read comments that it was supposed to have been developed as an electronic warfare exercise by a large Asian country's military. Don't know how true that is, but it is certainly a worry.