How to remove isecurity.cpl

Posted on 2008-06-24
Last Modified: 2013-12-06
I have a computer at hand that has a malware problem: Virtumonde. I used Panda pqremove.com to clean the PC and I have Panda webadmin installed as the antivirus solution. Still it keeps coming back again. On the desktop there were icons for Malware Protector 2008 and SystemDefender. The SystemDefender icon would open c:\windows\rundll32 with a reference to a file isecurity.cpl. Now that file can be found, but even under DOS it cannot be removed. I also tried a utility eraserd.exe to remove it, but it doesn't succeed.

Is this file iSecurity.cpl indeed garbage or is it part of Windows? Can I delete it and if yes: HOW?
Question by:ruud00000
14 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
Run either one of these tools (both remove isecurity and related files; ComboFix also removes Virtumonde):
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back here.


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

Author Comment

by:ruud00000
Thanks.

I have run SDFix, but after pressing a key to start rebooting, the PC has looked rather unresponsive for about half an hour... What I have on screen now is just the black background of the Safe Mode Windows desktop and a DOS command window showing 'press a key to continue...' (which I did), without a cursor now. How long should I wait?
 

Author Comment

by:ruud00000
I shut down the system after another 2 hours.

Here's the Report.txt from SDFix.exe

Virtumonde is still present up till now (Panda just popped up reporting having removed it again). Now I'm going to run ComboFix...
Report.txt
 

Author Comment

by:ruud00000
Here's the log from ComboFix
CFixLog.txt
 

Author Comment

by:ruud00000
What is a HJT log?
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
Download HijackThis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis and install it. Once installed, run it, do a system scan and save a log file. Post that log file here. This log is also known as an HJT log.
 

Author Comment

by:ruud00000
Here's the HJT log...
hijackthis-log.txt
 
LVL 23

Expert Comment

by:phototropic
 

Author Comment

by:ruud00000
It looks better to me now.

What do the logs say, all gone?
 
LVL 47

Expert Comment

by:rpggamergirl
There are bad services there that have been stopped (their files are already gone); just the registry entries need removing, and also some leftover files.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\rfclbedk.dll
C:\WINDOWS\system32\uieckjxo.dll
C:\tmp803751.dll
C:\WINDOWS\system32\xhmbdsjp.dll
C:\WINDOWS\system32\1144785452.dat
C:\Program Files\IE Extensions\cj.v5.dll

Driver::
aeH25
chK58
gjN68
jnR02
quX47
qvY71
Winej25
Winhl25
Winhl58
ydG25

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aeH25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\chK58.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gjN68.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jnR02.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\quX47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qvY71.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wineh60.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winej25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl58.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ydG25.sys]

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


 
LVL 47

Expert Comment

by:rpggamergirl
RE: Hijackthis log.

You can fix these entries in HijackThis (after fixing the O23 entries you can also delete them in HijackThis > Misc Tools > Delete an NT Service).
Fixing them in HijackThis only disables/stops them.
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\WINDOWS\Resources\CDRam.dll (file missing)
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Network DDE NetDDETapiSrv (NetDDETapiSrv) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Smart Card SCardSvrSENS (SCardSvrSENS) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Print Spooler SpoolerRemoteAccess (SpoolerRemoteAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Volume Shadow Copy VSSSharedAccess (VSSSharedAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: WebClient WebClientSpooler (WebClientSpooler) - Unknown owner - ð%¬|x .exe (file missing)


OR: instead of fixing the entries in Hijackthis, you can stop and delete them using sc.exe.
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop EventlogLmHosts
sc delete EventlogLmHosts
sc stop NetDDETapiSrv
sc delete NetDDETapiSrv
sc stop SCardSvrSENS
sc delete SCardSvrSENS
sc stop SpoolerRemoteAccess
sc delete SpoolerRemoteAccess
sc stop VSSSharedAccess
sc delete VSSSharedAccess
sc stop WebClientSpooler
sc delete WebClientSpooler

exit
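An added example, not part of this thread and not code from ComboFix, SDFix or HijackThis: a PowerShell script that finds the two kinds of leftovers the last two comments remove by hand. It lists services whose ImagePath points at a file that no longer exists (the "(file missing)" O23 entries in the HijackThis log) and SafeBoot\Minimal entries whose driver file or service key is gone (the keys the CFScript above deletes), then stops and deletes only the names you pass on the command line, and only if the audit flagged them. The script name, the parameter names and the assumption that ".sys" entries under SafeBoot\Minimal refer to files in system32\drivers are this example's own choices. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not code from the original thread, ComboFix, SDFix or HijackThis.
  Audits:
    1. services whose ImagePath points at a file that no longer exists
       (the "(file missing)" pattern in the HijackThis O23 entries), and
    2. SafeBoot\Minimal entries whose driver file or service key is gone
       (the kind of entries the CFScript above removes).
  Reports only, unless names are passed explicitly. Run from an elevated PowerShell.
    .\Find-OrphanedServices.ps1
    .\Find-OrphanedServices.ps1 -RemoveService EventlogLmHosts,NetDDETapiSrv -RemoveSafeBootEntry aeH25.sys
  (script name and parameter names are this example's own choices)
#>
param(
    [string[]]$RemoveService = @(),
    [string[]]$RemoveSafeBootEntry = @()
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

# Turn a raw ImagePath value into a file system path that Test-Path understands.
function Resolve-ImagePath([string]$ImagePath) {
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\system32\x.sys
    if ($p.StartsWith('"')) {                                      # "C:\Program Files\x.exe" -args
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {                                                       # C:\x.exe -k netsvcs
        $p = ($p -split '\s+')[0]                                  # an unquoted path with spaces is cut here; review such hits by hand
    }
    if (-not [IO.Path]::IsPathRooted($p)) {                        # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# 1. Services whose binary is gone.
$orphanServices = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    try { $imagePath = [string]$key.GetValue('ImagePath') } catch { continue }
    if ([string]::IsNullOrWhiteSpace($imagePath)) { continue }     # driver groups and legacy keys carry no file
    $file = Resolve-ImagePath $imagePath
    if (-not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ Name = $key.PSChildName; ImagePath = $imagePath; Resolved = $file }
    }
}

# 2. SafeBoot\Minimal entries whose driver file or service key is gone.
$orphanSafeBoot = foreach ($key in Get-ChildItem $safeBootKey -ErrorAction SilentlyContinue) {
    $name = $key.PSChildName
    $kind = [string]$key.GetValue('')                              # "Driver", "Service" or "Driver Group"
    if ($name -like '{*}' -or $kind -eq 'Driver Group') { continue }   # class GUIDs and groups are not files
    $present = if ($name -like '*.sys') {
        Test-Path -LiteralPath (Join-Path $env:SystemRoot "system32\drivers\$name")   # assumption: .sys entries live here
    } else {
        Test-Path -LiteralPath "$servicesKey\$name"
    }
    if (-not $present) { [pscustomobject]@{ Name = $name; Kind = $kind } }
}

Write-Host "Services whose binary is missing: $(@($orphanServices).Count)"
$orphanServices | Format-Table Name, ImagePath, Resolved -AutoSize | Out-String | Write-Host
Write-Host "SafeBoot\Minimal entries whose driver file or service key is missing: $(@($orphanSafeBoot).Count)"
$orphanSafeBoot | Format-Table Name, Kind -AutoSize | Out-String | Write-Host

# Removal is opt-in, by name, and refused for anything the audit did not flag.
foreach ($name in $RemoveService) {
    if ($name -notin @($orphanServices).Name) { Write-Warning "$name was not flagged; skipping"; continue }
    Write-Host "Stopping and deleting service $name"
    sc.exe stop   $name | Out-Null       # sc.exe, not sc: inside PowerShell 'sc' is an alias of Set-Content
    sc.exe delete $name | Out-Null
}
foreach ($name in $RemoveSafeBootEntry) {
    if ($name -notin @($orphanSafeBoot).Name) { Write-Warning "$name was not flagged; skipping"; continue }
    Write-Host "Removing $safeBootKey\$name"
    Remove-Item -LiteralPath "$safeBootKey\$name" -Recurse
}
```

Treat the report as a list to check against the ComboFix and HijackThis logs, not as a kill list: a legitimate service registered with an unquoted path containing spaces is cut at the first space and reported as missing, and a leftover from uninstalled software looks the same as a malware service whose file a scanner already deleted. The refusal to delete anything the audit did not flag is deliberate, so a typo in a name cannot remove a live service.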
 
LVL 23

Expert Comment

by:Mohammed Hamada
After you finish running what was suggested above, please download Spybot Search & Destroy.
http://www.freewarearchiv.com/sicherheit/spywarescanner/spybotsd15.exe

Install it, update the definitions, and scan.

Instructions on how to use it:
http://www.5starsupport.com/tutorial/spybot.htm
 
 

Author Closing Comment

by:ruud00000
You're great, thanks!
 
LVL 47

Expert Comment

by:rpggamergirl
Glad to know it's been resolved.
You can then uninstall ComboFix.
From the Start menu > Run > copy and paste the next command in the field:

ComboFix /u

Thank you.

For future reference:
In case you're not aware, you can also distribute points to more than one expert by clicking the "Accept Multiple Solutions" button, thanks.