How to remove isecurity.cpl

I have a computer at hand that has a malware problem: Virtumonde. I used Panda pqremove.com to clean the PC and I have Panda webadmin installed as the antivirus solution. Still it keeps coming back again. On the desktop there were icons for Malware protector 2008 and SystemDefender. The SystemDefender icon would open c:\windows\rundll32 with a reference to a file isecurity.cpl. Now that file can be found, but even under DOS it cannot be removed. I also tried a utility eraserd.exe to remove it, but it doesn't succeed.

Is this file iSecurity.cpl indeed garbage or is it part of Windows? Can I delete it and if yes: HOW?
1 Solution
Run either one of these tools (both remove isecurity and related files; ComboFix also removes Virtumonde):
1.  Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

2.  download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ruud00000Author Commented:

I have run SDFix, but after pressing a key to start rebooting, the PC has looked rather unresponsive for about half an hour... What I have on screen now is just the black background from the safe mode Windows desktop and a DOS command window showing 'press a key to continue...' (which I did), without a cursor now. How long should I wait?
ruud00000Author Commented:
I shut down the system after another 2 hours.

Here's the Report.txt from SDFix.exe

Virtumonde is still present up till now (Panda just popped up reporting having removed it again). Now I'm going to run ComboFix...
ruud00000Author Commented:
Here's the log from ComboFix
ruud00000Author Commented:
What is a HJT log?
Download Hijackthis from : http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis and install, once installed, run and do a system scan and save a log file. Post that log file here. This log is also known as a HJT log.
ruud00000Author Commented:
Here's the HJT log...
ruud00000Author Commented:
It looks better to me now.

What do the logs say, all gone?
There are bad services there that have been stopped (their files are already gone); just the reg entries need removing, plus some leftover files.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Program Files\IE Extensions\cj.v5.dll


[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]


3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

RE: Hijackthis log.

You can fix these entries in Hijackthis (after fixing the O23 entries you can also delete them in Hijackthis > Misc.Tools > Delete an NT Service).
Fixing them in Hijackthis only disables/stops them.
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\WINDOWS\Resources\CDRam.dll (file missing)
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Network DDE NetDDETapiSrv (NetDDETapiSrv) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Smart Card SCardSvrSENS (SCardSvrSENS) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Print Spooler SpoolerRemoteAccess (SpoolerRemoteAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Volume Shadow Copy VSSSharedAccess (VSSSharedAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: WebClient WebClientSpooler (WebClientSpooler) - Unknown owner - ð%¬|x .exe (file missing)

OR: instead of fixing the entries in Hijackthis, you can stop and delete them using sc.exe.
Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop EventlogLmHosts
sc delete EventlogLmHosts
sc stop NetDDETapiSrv
sc delete NetDDETapiSrv
sc stop SCardSvrSENS
sc delete SCardSvrSENS
sc stop SpoolerRemoteAccess
sc delete SpoolerRemoteAccess
sc stop VSSSharedAccess
sc delete VSSSharedAccess
sc stop WebClientSpooler
sc delete WebClientSpooler

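The sc stop / sc delete sequence above is typed by hand from the HijackThis O23 lines. As an added example (not code from the original answer or from HijackThis/ComboFix), the script below parses O23 lines of the form shown in this thread, flags only services whose owner is unknown and whose image file is missing, refuses to touch the real Windows services whose names the bogus ones are built from (Eventlog + LmHosts, Spooler + RemoteAccess, and so on), and emits the matching sc commands. The sample log is constructed for the example: the bogus lines mirror the ones posted above, and the legitimate Print Spooler line is added for contrast. The PROTECTED_SERVICES list is an assumption about which real service names to guard, not something the page states.

```python
import re

# Constructed sample in HijackThis O23 format. The "(file missing)" lines
# are modelled on the log posted in this thread; the first line is a
# legitimate Print Spooler entry added here for contrast.
SAMPLE_HJT_LOG = """\
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINDOWS\\system32\\spoolsv.exe
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Print Spooler SpoolerRemoteAccess (SpoolerRemoteAccess) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Volume Shadow Copy VSSSharedAccess (VSSSharedAccess) - Unknown owner - ð%¬|x .exe (file missing)
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\\WINDOWS\\Resources\\CDRam.dll (file missing)
"""

# Assumed guard list: the real Windows XP service names that the malware's
# service names are concatenated from. Never stop or delete these.
PROTECTED_SERVICES = {
    "Eventlog", "LmHosts", "NetDDE", "TapiSrv", "SCardSvr", "SENS",
    "Spooler", "RemoteAccess", "VSS", "SharedAccess", "WebClient",
}

# O23 - Service: <display name> (<service name>) - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.*)$"
)


def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # HijackThis appends "(file missing)" when the image path does not exist.
    entry["file_missing"] = entry["path"].endswith("(file missing)")
    return entry


def suspicious_services(log_text):
    """Service names that are unknown-owner, file-missing and not protected."""
    names = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        if entry["name"] in PROTECTED_SERVICES:
            continue  # real Windows service; leave it alone
        if entry["file_missing"] and entry["owner"] == "Unknown owner":
            names.append(entry["name"])
    return names


def sc_commands(names):
    """Expand service names into the sc stop / sc delete pairs to run in cmd."""
    cmds = []
    for name in names:
        cmds.append(f"sc stop {name}")
        cmds.append(f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    # Prints the commands; review them against the HJT log before pasting into cmd.
    for cmd in sc_commands(suspicious_services(SAMPLE_HJT_LOG)):
        print(cmd)
```

Review the generated commands against the log before running them: a service with a missing image file is not automatically malicious (a half-uninstalled legitimate product looks the same), so the guard list and the "Unknown owner" check are filters, not proof.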
Mohammed HamadaSenior IT ConsultantCommented:
After you finish running what suggested above, Please download Spybot search and destroy.

Install and Scan after updating definitions.

instructions on how to use it.
ruud00000Author Commented:
You're great, thanks!
Glad to know it's been resolved.
You can then uninstall combofix.
From the Start menu > Run > and copy and paste next command in the field:

ComboFix /u

Thank you.

For future reference:
In case you're not aware, you can also distribute points to more than one expert by clicking the "Accept Multiple Solutions" button, thanks.