How to remove isecurity.cpl

Posted on 2008-06-24
Last Modified: 2013-12-06
I have a computer at hand that has a malware problem: Virtumonde. I used Panda pqremove.com to clean the PC and I have Panda WebAdmin installed as the antivirus solution. Still it keeps coming back again. On the desktop there were icons for Malware Protector 2008 and SystemDefender. The SystemDefender icon would open C:\windows\rundll32 with a reference to a file isecurity.cpl. Now that file can be found, but even under DOS it cannot be removed. I also tried a utility eraserd.exe to remove it, but it doesn't succeed.

Is this file iSecurity.cpl indeed garbage or is it part of Windows? Can I delete it and if yes: HOW?
Question by:ruud00000
14 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 21855942
Run either one of these tools (both remove isecurity and related files; ComboFix also removes Virtumonde):
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
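
The question asks whether isecurity.cpl is a Windows component and how to delete it when it refuses to go from a normal or DOS prompt. The PowerShell below is an added example for this thread, not code from the poster, from SDFix or from ComboFix. It reports what can be learned about the file (version info, Authenticode status, hash, creation time), lists the launch points that reference it (the Control Panel applet registration key, the Run keys, and desktop shortcuts such as the SystemDefender icon described in the question), and optionally queues the file for deletion at the next reboot using MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the Win32 mechanism many removal tools rely on for locked files. It assumes PowerShell 2.0 or later running as Administrator; the default path under system32 is an assumption based on the question, and the function names are mine.

```powershell
# Added example for this thread, not code from the poster or from SDFix/ComboFix.
# Triages a control-panel applet (.cpl) that could not be deleted, lists the
# launch points that reference it, and optionally queues its deletion for the
# next reboot. Assumes PowerShell 2.0+ run as Administrator; the default path
# is an assumption based on the question.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'system32\isecurity.cpl'),
    [switch]$DeleteOnReboot
)

function Get-CplVerdict([string]$File) {
    if (-not (Test-Path -LiteralPath $File)) { return $null }
    $item = Get-Item -LiteralPath $File -Force            # -Force also returns hidden/system files
    $sig  = Get-AuthenticodeSignature -FilePath $File
    $ver  = $item.VersionInfo
    $sha  = 'unreadable'
    try {
        $bytes = [IO.File]::ReadAllBytes($File)
        $sha = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '')
    } catch { }
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path        = $File
        SizeBytes   = $item.Length
        Created     = $item.CreationTime                  # compare with the date the rogue icons appeared
        Hidden      = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        Company     = $ver.CompanyName                    # usually empty on rogue "security" applets
        Description = $ver.FileDescription
        Signature   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        SHA256      = $sha                                # look this up in a malware hash database
    }
}

function Find-CplReferences([string]$Leaf) {
    $pattern = [regex]::Escape($Leaf)
    # Registry launch points: the applet registration key plus the usual Run keys
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }         # skip PSPath/PSParentPath metadata
            if ("$($p.Value)" -match $pattern) { "registry  $k\$($p.Name) = $($p.Value)" }
        }
    }
    # Desktop shortcuts: the poster's SystemDefender icon ran rundll32 with this file
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Desktop', 'AllUsersDesktop') {
        $dir = $shell.SpecialFolders.Item($folder)
        if (-not $dir) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            if ("$($sc.TargetPath) $($sc.Arguments)" -match $pattern) {
                "shortcut  $($lnk.FullName) -> $($sc.TargetPath) $($sc.Arguments)"
            }
        }
    }
}

function Remove-FileOnReboot([string]$File) {
    $def = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    $k32 = Add-Type -MemberDefinition $def -Name Kernel32 -Namespace CplTriage -PassThru
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    # A null destination with this flag records a delete under
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
    # which is applied early at boot, before the file can be locked again.
    if (-not $k32::MoveFileEx($File, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err (not running as Administrator?)"
    }
}

$verdict = Get-CplVerdict $Path
if (-not $verdict) { "$Path not found"; return }
$verdict | Format-List Path, SizeBytes, Created, Hidden, Company, Description, Signature, Signer, SHA256
Find-CplReferences (Split-Path -Path $Path -Leaf)
if ($DeleteOnReboot) {
    Remove-FileOnReboot $Path
    "Queued $Path for deletion at next reboot; remove the shortcuts and registry values listed above as well."
}
```

Read the verdict with one caveat: on Windows XP and older PowerShell versions Get-AuthenticodeSignature does not consult catalog files, so a genuine OS file can also show NotSigned. The combination to act on is a file with no company or description, no signature, a creation time matching the day the rogue icons appeared, and references only from shortcuts or Run values you do not recognise. A file that shows Valid with a Microsoft signer should be left alone.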
 

Author Comment

by:ruud00000
ID: 21857076
Thanks.

I have run SDFix, but after pressing a key to start rebooting, the PC has looked rather unresponsive for about half an hour... What I have on screen now is just the black background from the Safe Mode Windows desktop and a DOS command window showing 'press a key to continue...' (which I did), without a cursor now. How long should I wait?
0
 

Author Comment

by:ruud00000
ID: 21858035
I shut down the system after another 2 hours.

Here's the Report.txt from SDFix.exe

Virtumonde is still present until now (Panda just popped up reporting having removed it again). Now I'm going to run ComboFix...
Report.txt
0
 

Author Comment

by:ruud00000
ID: 21858581
Here's the log from ComboFix
CFixLog.txt
0
 

Author Comment

by:ruud00000
ID: 21858617
What is a HJT log?
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 21858679
Download HijackThis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis and install it. Once installed, run it, do a system scan and save a log file. Post that log file here. This log is also known as a HJT log.
0
 

Author Comment

by:ruud00000
ID: 21858684
Here's the HJT log...
hijackthis-log.txt
0
 

Author Comment

by:ruud00000
ID: 21858877
It looks better to me now.

What do the logs say, all gone?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21861775
There are bad services there that have been stopped (their files are already gone); just the reg entries need removing, also some leftover files.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\rfclbedk.dll
C:\WINDOWS\system32\uieckjxo.dll
C:\tmp803751.dll
C:\WINDOWS\system32\xhmbdsjp.dll
C:\WINDOWS\system32\1144785452.dat
C:\Program Files\IE Extensions\cj.v5.dll

Driver::
aeH25
chK58
gjN68
jnR02
quX47
qvY71
Winej25
Winhl25
Winhl58
ydG25

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aeH25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\chK58.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gjN68.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jnR02.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\quX47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qvY71.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wineh60.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winej25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl58.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ydG25.sys]

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21861841
RE: Hijackthis log.

You can fix these entries in HijackThis (after fixing the O23 entries you can also delete them in HijackThis > Misc Tools > Delete an NT Service).
Fixing them in HijackThis only disables/stops them.
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\WINDOWS\Resources\CDRam.dll (file missing)
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Network DDE NetDDETapiSrv (NetDDETapiSrv) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Smart Card SCardSvrSENS (SCardSvrSENS) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Print Spooler SpoolerRemoteAccess (SpoolerRemoteAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Volume Shadow Copy VSSSharedAccess (VSSSharedAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: WebClient WebClientSpooler (WebClientSpooler) - Unknown owner - ð%¬|x .exe (file missing)


OR: instead of fixing the entries in Hijackthis, you can stop and delete them using sc.exe.
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop EventlogLmHosts
sc delete EventlogLmHosts
sc stop NetDDETapiSrv
sc delete NetDDETapiSrv
sc stop SCardSvrSENS
sc delete SCardSvrSENS
sc stop SpoolerRemoteAccess
sc delete SpoolerRemoteAccess
sc stop VSSSharedAccess
sc delete VSSSharedAccess
sc stop WebClientSpooler
sc delete WebClientSpooler

exit
0
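
The CFScript above deletes SafeBoot\Minimal registry keys for drivers whose files are already gone, and the sc.exe list above stops and deletes Win32 services whose image path no longer resolves. The PowerShell below is an added example, not code from the thread or from ComboFix or HijackThis, that finds both kinds of leftover in one pass: it walks every key under CurrentControlSet\Services, resolves the ImagePath the way the service controller would (environment variables, the \??\ and \SystemRoot prefixes, paths relative to the Windows directory, quoted and unquoted paths with spaces), flags any entry whose binary does not exist, and shows the matching SafeBoot\Minimal keys. It is a dry run unless -Remove is given. It assumes PowerShell 2.0 or later run as Administrator; the function names and the output format are mine.

```powershell
# Added example, not code from the thread, ComboFix or HijackThis. Finds services
# and drivers whose ImagePath points at a missing file (the "(file missing)" O23
# entries above) and the SafeBoot\Minimal keys that let such drivers load in Safe
# Mode (the Registry:: section of the CFScript). Dry run unless -Remove.
# Assumes PowerShell 2.0+ run as Administrator.
param([switch]$Remove)

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

function Complete-Path([string]$p) {
    # Driver entries are often relative, e.g. system32\drivers\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') { Join-Path $env:SystemRoot $p } else { $p }
}

function Resolve-ImagePath([string]$Raw) {
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\... prefix on some drivers
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p.StartsWith('"')) {                              # quoted: "C:\Program Files\x.exe" -arg
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {                                               # unquoted: grow token by token so an
        $tokens = $p -split '\s+'                          # unquoted path with spaces is not cut short
        $p = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            if (Test-Path -LiteralPath (Complete-Path $p)) { break }
            $p += ' ' + $tokens[$i]
        }
    }
    return (Complete-Path $p)
}

function Get-SafeBootEntries([string]$Name) {
    # The CFScript lists drivers as aeH25 but SafeBoot keys as aeH25.sys; check both forms
    foreach ($n in @($Name, "$Name.sys")) {
        $k = Join-Path $safeBoot $n
        if (Test-Path -LiteralPath $k) { $k }
    }
}

$suspects = @(foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }   # many legitimate keys have no ImagePath
    $file = Resolve-ImagePath $props.ImagePath
    if (-not (Test-Path -LiteralPath $file)) {
        # Type 1/2 = kernel or file-system driver, 0x10/0x20 = Win32 service
        $kind = if (($props.Type -band 3) -ne 0) { 'driver' } else { 'service' }
        New-Object PSObject -Property @{ Name = $key.PSChildName; Kind = $kind; ImagePath = $props.ImagePath; Resolved = $file }
    }
})

foreach ($s in $suspects) {
    '{0,-8} {1,-24} {2}' -f $s.Kind, $s.Name, $s.ImagePath
    foreach ($k in Get-SafeBootEntries $s.Name) { "         SafeBoot entry: $k" }
}
if (-not $suspects) { 'No services or drivers with a missing binary.' }

if ($Remove) {
    foreach ($s in $suspects) {
        & sc.exe stop   $s.Name | Out-Null                 # fails harmlessly when not running
        & sc.exe delete $s.Name                            # completes once nothing holds a handle, often at reboot
        foreach ($k in Get-SafeBootEntries $s.Name) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    'Reboot, then run the script again to confirm the list is empty.'
}
```

A missing binary is also what a careless uninstaller leaves behind, so read the dry-run output before adding -Remove. The tell in this thread is the image path itself: the rogue services carry a path of binary garbage ending in " .exe" that can never resolve to a file, while a real Windows service of the same name (Eventlog, NetDDE, SCardSvr, Spooler, VSS, WebClient) resolves to a file under system32.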
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21867577
After you finish running what is suggested above, please download Spybot Search and Destroy.
http://www.freewarearchiv.com/sicherheit/spywarescanner/spybotsd15.exe

Install and Scan after updating definitions.

Instructions on how to use it:
http://www.5starsupport.com/tutorial/spybot.htm
 
0
 

Author Closing Comment

by:ruud00000
ID: 31470137
You're great, thanks!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21870950
Glad to know it's been resolved.
You can then uninstall combofix.
From the Start menu > Run > and copy and paste next command in the field:

ComboFix /u

Thank you.

For future reference:
In case you're not aware, you can also distribute points to more than one expert by clicking the "Accept Multiple Solutions" button, thanks.
0
