Security Suite Removal Guide

Security Suite is a clone of the AV Security Suite threat and part of the Antivirus Soft family of viruses. It is a fake security client whose purpose is to hold the user's computer for ransom by making them think they are infected with a virus and hundreds of threats. In reality, all the threats shown are false, and this client is itself the virus.

In many cases, those infected with Security Suite will also be infected with several other viruses. It is IMPORTANT to run a full virus scan using a legitimate antivirus client. The problem is that Security Suite blocks users from using security clients and also sets up a proxy in your Internet settings so you cannot connect to other resources online. However, we have your back! We will show you how to regain your internet connection and how to manually remove Security Suite. After that you will be able to download an antivirus client like the one we recommend, Spyware Doctor with Antivirus. Once you stop this virus, you must run a security scan to see if you are infected with anything else.


As soon as you find yourself infected with this threat you need to take immediate action to remove it. Security Suite removal can be a little challenging for non-savvy computer users, but we have included a removal video for Security Suite that should help provide guidance. Be sure to watch the proxy reset video as well.

Security Suite Removal Video :)


HELP US: We took the time to make this video and help you. Please rate us on http://www.mywot.com/en/scorecard/removevirus.org . It will only take you a minute to register and add a comment. We would also welcome any positive Facebook or social bookmark comments. It's a great way to thank us for helping you out.

Don't forget.  If it's too hard for you to remove yourself or things just aren't working for you then a cheap route for repair is www.pcninja.com.

Remove Proxy Setting so You Can Connect to the Internet Again.


Security Suite Manual Removal Procedures

The first step you must take in order to remove Security Suite is to stop the following process:

  • [random]shwd.exe or [random].exe (normally 11 random characters in length)

To stop this process, you can either browse to the file location and rename the file as we did in the video above, or you can download our process killer tool under the SOFTWARE tab above. Be sure to download the one already renamed explorer.exe; renamed programs normally work for threats like this. You may also be able to use the Task Manager if you act fast right when you log in. In safe mode this process will not be running, so you could just manually delete it there if that is easier for you.

We also want to point out that in many cases Internet Explorer, Chrome and Firefox will not be able to connect to the internet. You need to remove the proxy setting first. View the video above on how to do this. We also have a manual guide for this under the How To Guides section.

The next step in Security Suite removal is to delete the following file:

Windows XP:

  • %Documents and Settings%\[UserName]\Local Settings\Application Data\[random characters ]\[random characters]shdw.exe

Windows Vista/7:

  • %User%\AppData\Local\[random characters ]\[random characters]shdw.exe

Security Suite Registry Removal Procedures

Removing files and folders alone is not sufficient to completely remove Security Suite. The following keys and settings should also be removed from the Windows registry to complete Security Suite removal:

  • HKEY_LOCAL_MACHINE\SOFTWARE\AVSS (Most likely there will be a good 32+ files in this folder. Just delete them all.)
  • HKEY_LOCAL_MACHINE\SOFTWARE\WNXMAL (You may have this instead of the AVSS trace above. You will still have the same 32+ files in this section.)

Updated registry traces (may not apply to you):

  • HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\shwd (and AVscan)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\######shwd_RASAPI32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\######shwd_RASMANCS

You should now run a full security scan to ensure no other threats are installed on your computer.

Security Suite Directories:

  • Vista and Windows 7 Users: %User%\AppData\Local\[random characters ]\
  • XP Users: %Documents and Settings%\[UserName]\Local Settings\Application Data\[random characters ]\
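
The checks from the manual procedure above, gathered into one read-only PowerShell triage script. This is an added example, not part of the original guide or of any tool it offers. The function names are hypothetical, and the Internet Settings proxy values and the Run keys are standard Windows locations assumed here rather than listed on this page.

```powershell
# Added example: read-only triage for the traces listed in this guide.
# It reports findings only; nothing is stopped, deleted or changed.
# Uses PowerShell 2.0 syntax so it also runs on Windows 7 as shipped.

# Suffixes exactly as spelled in the guide (both spellings appear there).
$GuideSuffixes = @('shwd.exe', 'shdw.exe')

function Test-GuideFileName([string]$Name) {
    foreach ($s in $GuideSuffixes) {
        if ($Name.ToLower().EndsWith($s)) { return $true }
    }
    return $false
}

function New-Finding($Check, $Detail, $Flag) {
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail; Flag = [bool]$Flag }
}

function Get-ProxyState {
    # Per-user proxy (assumed standard location, not listed in the guide).
    # A legitimately configured proxy is flagged too; review the value.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Finding 'Proxy' "ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer)" ($p.ProxyEnable -eq 1)
}

function Get-GuideRegistryTraces {
    $vs = 'Registry::HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Wow6432Node'
    $keys = @('HKLM:\SOFTWARE\AVSS', 'HKLM:\SOFTWARE\WNXMAL', "$vs\shwd", "$vs\AVscan")
    foreach ($k in $keys) { New-Finding 'RegistryKey' $k (Test-Path -LiteralPath $k) }
    # The guide lists ######shwd_RASAPI32 and ######shwd_RASMANCS under Tracing.
    Get-ChildItem 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'shwd_RAS(API32|MANCS)$' } |
        ForEach-Object { New-Finding 'RegistryKey' $_.Name $true }
}

function Get-GuideFiles {
    # Guide: <local application data>\[random]\[random]shdw.exe (one folder deep).
    $roots = @($env:LOCALAPPDATA)                                              # Vista/7
    if ($env:USERPROFILE) {
        $roots += Join-Path $env:USERPROFILE 'Local Settings\Application Data' # XP
    }
    foreach ($root in ($roots | Where-Object { $_ } | Select-Object -Unique)) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue } |
            Where-Object { -not $_.PSIsContainer -and (Test-GuideFileName $_.Name) } |
            ForEach-Object { New-Finding 'File' $_.FullName $true }
    }
}

function Get-GuideProcesses {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { Test-GuideFileName ($_.ProcessName + '.exe') } |
        ForEach-Object { New-Finding 'Process' "$($_.ProcessName).exe (PID $($_.Id)) $($_.Path)" $true }
}

function Get-GuideStartupEntries {
    # Run keys are among the entries shown on the MSCONFIG Startup tab (assumed locations).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $item = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match '(shwd|shdw)\.exe') {
                New-Finding 'Startup' "$rk\$name = $value" $true
            }
        }
    }
}

$findings = @(Get-ProxyState) + @(Get-GuideRegistryTraces) + @(Get-GuideFiles) +
            @(Get-GuideProcesses) + @(Get-GuideStartupEntries)
$findings | Select-Object Check, Flag, Detail | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, run it from both the 64-bit and the 32-bit PowerShell, because 32-bit programs see a redirected view of HKEY_LOCAL_MACHINE\SOFTWARE.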

Outside Resources:

http://www.bleepingcomputer.com/virus-removal/remove-security-suite

http://www.geek.com/chips/dealing-with-the-windows-security-suite-960512/

 

  • andy

    I consider myself a relatively experienced computer user – but I’m stuck in the user folder (even with hidden files shown, after the local settings>application data>user) and there’s no folder with a funky eleven letter name. The only ones that seem suspicious are a folder named “WMTools Download files” and a “configuration settings” file named “DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF”. Would any of these be it? Please help! Thanks

  • technical admin

    We did not find it in the Application Data/User folder. It should be in the Application Data folder on XP.

    Open the WMTOOLs folder and see what is in there. If it’s a bunch of gibberish .exes then yes that is the one.

    You may have better luck booting into safe mode with networking and installing Spyware Doctor with Antivirus and run a full scan. This will show you the exact folder path of the file you need to delete.

  • Anonymous

    Is it really a must to delete the files from Application Data (Vista)?

    I also have this virus now, and I deleted the files in the regedit, but if there are any files in the App Data which are supposed to be deleted, I have a problem I think.
    A while ago somehow all my files were deleted, long story, but I had to “un-delete” them and since then I wasn’t able to open “Local Settings” “Application Data” and other maps like that.

    Currently I’m in Safe Mode running a Full Scan, but this is the third time I’m doing this. The first time after I deleted the files in regedit, though.

    I hope it’s not necessary to delete the files in App Data?!

  • Anonymous

    I NEED HELP! PLEASE! MY COMPUTER IS DEALING WITH A BAD VIRUS. I TRIED YOUR VIDEO ABOUT THE ANTI VIRUS SOFTWARE. I COULDN’T FIND IT IN THE FOLDERS! PLEASE HELP, MY COMPUTER IS INFECTED AND I KNOW IT’S A SCAM. ISN’T THIS ILLEGAL? PLEASE HELP, HOW DO I GET RID OF IT!

  • Aaron

    I used system restore before I found this website and now there are no popups, but there’s a problem: when I try to go on my homepage it goes to this weird page that says that I can’t go to this webpage anymore, but when I type a website to another in the address bar it goes there. But then I checked my homepage tab and saw the Internet Explorer cannot display the website, and when I removed it and set up a different website Windows Defender said that some changes were made, and when I go on my homepage the same Internet Explorer cannot display the page. Also it has a circle with 4 different colors split in fourths.

  • Karen S

    thank you sooooo much- i was so frustrated~~

  • Anonymous

    My computer got infected by security suite and I’ve been working on deleting it but when I run my computer in safe mode with networking or just regular mode I get a message stating:” Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now.” and then after a minute the computer restarts. And then it does it all over again…
    Do you know if this is from security suite or now do I have another problem?
    Thanks

  • technical admin

    This is not caused by security suite, however it is a virus that is causing this issue. Without knowing the exact name of the threat or operating system you have it will be hard for us to help.

    With that said if your computer is not shut down in normal mode you should be able to bring up the task manager right away after first logging on and attempt to terminate the running process. Also you may be able to access the startup files on your computer by typing in MSCONFIG into the run box and then under the Start-Up tab you can uncheck startup files that look suspicious. This may help you to be able to download Spyware Doctor with Antivirus and run a full scan. Alternatively you should also download Malwarebytes and run a scan with that program as well.

  • technical admin

    Glad we could help. Tell your friends.

  • technical admin

    You ask for help but provide us with no information to help you. What is the operating system you are using? What have you tried in our guide? What is the exact step you are trying to do that you can not do?

    We know the guide works and it has been used by others thousands of times to remove this threat. We are all for helping you but you have to help us help you by providing more details on what exactly you have tried and what you could not do.

  • technical admin

    Because you have Vista you will not have access to the folders you mentioned. They are simply mapped traces and will contain nothing of value.

    You do need to remove the file or files in the AppData folder (it’s a different folder than you showed) that is shown in the guide. You must be following the XP file path and not the Vista / Windows 7 file path.

    What is the scanner you are using? As stated we recommend Spyware Doctor with Antivirus and running a scan with Malwarebytes is a very good idea as well. Try them both and see if it does not detect the exact file locations for you.

    Best of luck.

  • technical admin

    What browser are you using? That will determine the course of action that is needed. I would recommend you try the default things, re-setting the browser, attempt a re-install, update it to the latest version.

    Sounds like a reg key may be set to override what you have preset in there. You may also want to check the Windows Hosts file. We have guides on all of the above in the How to guides section. At least I think we do.

  • technical admin

    Kaspersky is good stuff and should get the job done just fine. Update the client before you run a full scan. Also if it picks nothing up be sure to run another full scan in another day or so after you update.

    If you’re still very curious I would recommend you running a scan using Malwarebytes. The SDA client we recommend is what we recommend people purchase and use. However Kaspersky is still a very good client. The free Malwarebytes version can be added and used once a month as a backup scan for Kaspersky.

  • Anonymous

    Thank you so much for this page, you seem to have saved many people’s lives!

    I didn’t see this guide before I used System Restore on XP. It appears to have cleared up the immediate problem but of course the virus is probably still present. I use Kaspersky (premium) and was wondering if this would remove the problem, or if I should download Spyware Doctor or something as well…

    Thanks again

    Apologies if I accidentally double posted

  • Anonymous

    thanks for the awesomely clear instructions. Successfully removed and on my way again.

  • Anonymous

    Thanks to an I-phone with google and your instructions and the videos, I was up and running again very fast.
    Videos are a little hard to see clearly in safe mode but you can stop them and follow instructions and start them again, until the tasks are finished.
    Thanks again.

  • technical admin

    Did you go to the folder path shown in the guide?
    What is the exact path you are looking in?
    Did you unhide hidden files and folders?
    Did you boot into safe mode with networking and install Spyware Doctor with Antivirus and run a full scan?

    The above should all help you find the threat. Report back if the SDA scan does not pick the exact folder and files where this threat is stored.

    Alternatively you can read the comment a few above yours about going into the msconfig and startup section and locating the file that way.

  • technical admin

    Great that you are able to stop it. You can also right click on it next time in the task manager and SELECT file location to view the path where it is at. Please report back the FULL path if it is different than in the guide.

    I am assuming you have Vista or Windows 7. I say this because you used the AppData term. Be sure you are looking in the correct folder as described in the guide / video.

    It is not uncommon for users to not be able to change the unhide system files and folders. You can still manually type them in:

    C:\Users\YourUSERNAME\AppData\Local

    Safe mode may no longer be working because of the virus. Often times going into safe mode and doing a system restore actually can do far more harm than good when viruses are involved.

    Try all the above. Also be sure to run a full scan with Spyware Doctor with Antivirus. The stuff works great at finding this threat and will also tell you the exact path to where it is located. You should be able to install it once you stop the shwd.exe process from running.

  • technical admin

    The proxy setting is all that you have to change to have internet access.

    Spyware doctor with Antivirus when fully updated does work to pick up this trace in most cases. I would encourage you to simply ensure you are updated and then run the full scan again.

    You should disable all other security clients when you run a full scan with the SDA client. Those others will only interfere. While SDA does cost money for the client to remove threats you can run the scan to see where all the files are located. I have a sneaking suspicion that it’s not fully updated because of the problems that you mentioned earlier.

    You should also follow the manual guide and look in the locations that we have provided.

    Lastly if you see the icon still in the task bar it tells me it’s still there. You can go to the windows start button and in the run/search box type in MSCONFIG. Under the startup tab you will see a list of programs that start when your computer starts. Uncheck the box that says shwd.exe and then manually browse to the location path given there and delete the file.

    Because you are already trying other security products you might as well run a full scan with Malwarebytes. That is our second favorite client. Just note that free clients do nothing or little to protect your computer.

  • Anonymous

    Okay well…I believe I did something really stupid.

    I got this Virus a couple of days ago, now I of course panicked but didn’t give into buying the product thing (Because I’m not young enough to have a Credit Card yet) and so I went to my sister for help once it didn’t let me back on the Internet.

    She tried everything but we both didn’t think about using her computer to look for information.

    But my FireFox worked fine (I had downloaded it before that had happened so I’m kind of thinking that might have given me the Security Suite).

    So I tried looking for some info. on that, I heard that Spyware Doctor would work, so I downloaded that. But when I did it wouldn’t work for a while (Until I updated it by using the link from this page).

    But anyways since it didn’t work I used Spy Sweeper. And I restarted my computer. And then the Security Suite wasn’t there anymore but it still wouldn’t let me use Internet Explorer (Once again I wished that I’ve seen this video before).

    But then I reinstalled Internet Explorer then it worked fine.

    But then my Trend Micro AntiVirus would pop up and say that I either have a ‘Low’ or ‘High’ Risk rating, the High one from Internet Settings.

    But not only that each time I would turn my computer on I would see the Security Suite icon on the Right hand side of my Task Bar but each time I move my mouse towards it, it would disappear.

    Now I’m scared that I can’t remove it properly and fear that it will mess up my computer.

  • Anonymous

    I was able to stop the process in the task manager ending in shwd.exe, but I’m not able to find the offending folder in user > local settings > appdata, nor in user > appdata. All the folders have normal names and no unusual folders or exe files inside them. I was running both Avast and Ad-Aware and they have yet to detect the files.
    I thought I had hidden files visible but I went to double check and when I opened the control panel something called “drwatson postmortem debugger” crashed and froze my computer. I tried rebooting into safe mode but I can’t even do that. When I select safe mode, lines of text referring to system32 appear on the screen and it’s frozen there.

  • Kevin

    When I highlight the shwd.exe on the Windows task manager I can’t find the location of the file. I have XP and I recently restored my PC to a week before and it stopped popping up. I scanned it with Malwarebytes and found some threats and deleted them but the security suite came back two days later. I opened the Application Data folder but I can’t find the file. Every time I try to restore my PC the process fails. What can I do to find the file?

  • technical admin

    A repair at this time is going to be hard. Chances are your computer may already have an image on it. Dell, HP, Sony, Emachines, Gateway, etc. They all include factory images on the computer. Sometimes it will fully restore the computer to factory mode. However others do sometimes provide options like deleting everything but keeping all your personal folders, documents, videos, music. I would advise you to look for your manufacturer and model number and see if it holds an image and look around for how to access the image.

  • Anonymous

    Ahh, sorry for forgetting to mention I was using XP. I guess I said appdata because that’s how they referred to it in the video. I think it’s application data but I can’t really check to be sure and unfortunately can’t test those methods because I can no longer boot the computer in safe mode or any other mode, period. It freezes instantly after selecting which mode to boot in (or when picking safe mode loads up to a file ending in config/system.log). Is there no hope for me at this point? :( I can’t find any solutions to this online other than booting from a Windows XP CD which I don’t have, or burning an ISO onto a CD which I have no access to any other computer.. (posting from my iPhone)

  • Anonymous

    Well earlier this afternoon I had restarted my computer and quickly went to the Video on how to remove it. And in note of that the other one that my computer had caught (The one I couldn’t remember) was a shdw.exe

    I was able to get it off, but as of right now (I’m not sure later in the future, but so far it looks good) that the Spyware Doctor had said it must reboot to stop (Or I think it was block) other infections.

    And so far nothing bad has happened, I really thank you very much for all the helpful tips you had given out.

  • Anonymous

    Thanks for the great advice, had the virus out in no time! I’ve used your site before and it’s always been of great help. Thanks again and keep up the great work :)

  • Mels A

    When I try to open the taskmanager, it says that taskmng.exe is infected, what should I do?

    -Thanks:D

  • Sean Batz

    I’ve gotten this specific virus so many times, it is practically a weekly task for me, easy to remove now though. I use search and destroy to clean my registry.

  • technical admin

    It will say that when you open just about any program. That is the nature of the virus.

    What should you do?

    Follow the guide. It works. If you have a question on a specific step we would be more than happy to help.

  • technical admin

    Sounds like you don’t have active protection to stop the virus from infecting your computer. I’m willing to bet all the security clients you are using are free ones. That is why you keep getting infected. That or P2P sites.

  • Tracy

    I found your website after searching for “computer virus security suite”. It’s very informative. Thank you! Apparently, I have the virus that is described on your website. Not only am I getting pop ups continually, but, it is starting up internet explorer with the web address showing the following: Domains Removed, etc. Very annoying! It doesn’t show anything probably because the virus won’t allow me to go online. I guess that is a good thing considering the addresses that it is automatically adding! Anyway, I am doing a full scan using the Norton Software. It is now 43% complete and so far it has not found any viruses. However, I am getting very impatient. Should I pause the scan and follow your instructions on your video or should I continue with the scan and then work with the video? I appreciate your help! :)

  • technical admin

    All comments go through moderation, that is why yours did not show right away.

    You might as well finish the scan. I bet Norton does not fully pick up this threat. When it fails just follow our guide and it will help you out.

  • Tracy

    I finished the full scan and Norton picked up nothing. I went ahead and followed the instructions on the video. I found two folders with weird names as you described but both folders were empty. I went ahead and deleted them. It did not seem to do anything. Suggestions? And, thank you for your response…I really appreciate it!

  • technical admin

    What is your operating system?

    What is the exact folder path you found those folders in?

    Are you able to open the Task Manager and identify the malicious process? Hint: as soon as you log into your computer you should be able to bring up the Task Manager right away before this virus starts up. Then you will be able to right click on the process identified in the guide and click Open File Location. Then you can go ahead and stop the process and delete the file.

    Please note we recommend all people to run a Full scan with Spyware Doctor with Antivirus because it is known to pick up the security suite virus. You may need to boot into safe mode with networking to install and run the scan. This program will also tell you the exact folder location where this threat is at.

    In addition to all of the above you can also find out the needed folder by typing MSCONFIG into the run command. From there go into the startup tab and find the malicious file from the manual guide. Uncheck the box so the program does not start when you boot up your computer. In that section you will also be shown the registry key that needs to be deleted and the folder path to the executable that needs to be deleted. Write it all down (it should already be in the guide) and re-boot your computer then delete the needed files.

  • Mike Smith

    My father accidentally put the Security Suite virus on his computer, but thanks to your instructions, I was able to successfully remove it. I can’t thank you enough.

  • technical admin

    If the problem remains that means you’re not getting the core of the infection. Most likely a trojan or rootkit is reinstalling the virus on you.

    Try to un-install the SDA client. Re-boot. Go into safe mode with networking and run the install again and update the client and run a full scan. Based off the scan you can then manually remove the needed items that it finds.

    If the client fails to update after the re-installation then I would re-set the windows hosts file. We have a guide for this under the How to Guides section.

    Normally once the process is started for a factory restore all your data is wiped. This virus is not able to interfere with the factory restore process so you may have a secondary issue going on as well. I would suggest you attempt a system restore before trying to do a factory restore. That is if it’s not too late and you corrupted the operating system by trying it already.

  • Drew

    Your site is awesome, but everything I try leads me nowhere. I have tried running Malware Bytes and Spyware Doctor. Malware Bytes will run and give me a list of things to remove, but when I reboot in normal mode, the problem remains. I can’t open Spyware Doctor because it says it needs to be updated…which the virus won’t allow for. I’ve tried doing a straight restore to factory settings too but the program just stalls out.

    Unfortunately, the thieves at Best Buy want me to pay $200 to have it fixed. I need serious help!

    None of the stuff mentioned here showed up in the task manager and I had no local settings folder when I went to rename the files. I hope that’s enough description.

  • technical admin

    The full path is already in the guide. Follow the path outlined in the guide for your operating system.

    In our initial testing McAfee did not stop this threat. However it’s been out long enough that it should now be able to pick it up. I personally do not like their software and highly recommend you run a scan with Spyware Doctor with Antivirus to help identify the traces.

  • Anonymous

    Would McAfee’s virus removal be effective in stopping security suite and could you give me a full folder route on stopping the process at the beginning because task manager doesn’t work and I haven’t got a clue what the process’s name is…

    thanks in advance

  • Leah

    I’m so glad I found this website to remove this Security Suite fake security client….phew!!!! Thank you very much. I wasn’t able to view the from this site, but I went on YouTube to do so!!! THANK YOU SO MUCH!!!!!

  • Emma

    Thank you so much for your clear instructions – this was simple to follow and removed the virus from my computer. Thanks once again

  • Anonymous

    Delete it as per this page:

  • Anonymous

    McAfee still does not detect this threat at all. Malwarebytes does not detect all the virus files either. If you have McAfee (as I do) you will need to follow the instructions and manually delete the virus files described above. I did this and it seems to have worked.

RemoveVirus.org cannot be held liable for any damages that may occur from using our community virus removal guides. Viruses cause damage and unless you know what you are doing you may lose your data. We strongly suggest you back up your data before you attempt to remove any virus. Each product or service is a trademark of their respective company. We do make a commission off of each product we recommend. This is how removevirus.org is able to keep writing our virus removal guides. All Free based antivirus scanners recommended on this site are limited. This means they may not be fully functional and limited in use. A free trial scan allows you to see if that security client can pick up the virus you are infected with.