How to remove isecurity.cpl

Posted on 2008-06-24
Medium Priority
Last Modified: 2013-12-06
I have a computer at hand that has a malware problem: Virtumonde. I used Panda pqremove.com to clean the pc and I have Panda webadmin installed as antivirus solution. Still it keeps coming back again. On the desktop there were icons for Malware protector 2008 and SystemDefender. The systemdefender icon would open c:\windows\rundll32 with reference to a file isecurity.cpl. Now that file can be found but even under DOS it cannot be removed. I also tried a utility eraserd.exe to remove it but it doesn't succeed.

Is this file iSecurity.cpl indeed garbage or is it part of Windows? Can I delete it and if yes: HOW?
Question by:ruud00000
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 21855942
Run either one of these tools: (both remove isecurity and related files; ComboFix also removes Virtumonde)
1.  Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

2.  Download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Author Comment

ID: 21857076

I have run SDFix, but after pressing a key to start rebooting the pc looks rather unresponsive for about half an hour... What I have on screen now is just the black background from the safe mode Windows desktop and a dos-command window showing 'press a key to continue...' (which I did), without a cursor now. How long should I wait?

Author Comment

ID: 21858035
I shut down the system after another 2 hours.

Here's the Report.txt from SDFix.exe

Virtumonde is still present until now (Panda just popped up reporting having removed it again). Now I'm going to run ComboFix...

Author Comment

ID: 21858581
Here's the log from ComboFix

Author Comment

ID: 21858617
What is a HJT log?

Expert Comment

ID: 21858679
Download Hijackthis from : http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis and install, once installed, run and do a system scan and save a log file. Post that log file here. This log is also known as a HJT log.

Author Comment

ID: 21858684
Here's the HJT log...

Author Comment

ID: 21858877
It looks better to me now.

What do the logs say, all gone?
LVL 47

Expert Comment

ID: 21861775
There are bad services there that have been stopped (their files are already gone); just the reg entries need removing, also some leftover files.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Program Files\IE Extensions\cj.v5.dll


[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]


3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

LVL 47

Expert Comment

ID: 21861841
RE: Hijackthis log.

You can fix these entries in Hijackthis: (after fixing the O23 entries you can also delete them in Hijackthis > Misc.Tools > Delete an NT Service)
Fixing them in Hijackthis only disables/stops them.
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\WINDOWS\Resources\CDRam.dll (file missing)
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - ð%¬|x .exe (file missing)
O23 - Service: Network DDE NetDDETapiSrv (NetDDETapiSrv) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Smart Card SCardSvrSENS (SCardSvrSENS) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Print Spooler SpoolerRemoteAccess (SpoolerRemoteAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: Volume Shadow Copy VSSSharedAccess (VSSSharedAccess) - Unknown owner - ð%¬|x .exe (file missing)  
O23 - Service: WebClient WebClientSpooler (WebClientSpooler) - Unknown owner - ð%¬|x .exe (file missing)

OR: instead of fixing the entries in Hijackthis, you can stop and delete them using sc.exe.
Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop EventlogLmHosts
sc delete EventlogLmHosts
sc stop NetDDETapiSrv
sc delete NetDDETapiSrv
sc stop SCardSvrSENS
sc delete SCardSvrSENS
sc stop SpoolerRemoteAccess
sc delete SpoolerRemoteAccess
sc stop VSSSharedAccess
sc delete VSSSharedAccess
sc stop WebClientSpooler
sc delete WebClientSpooler

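The O23 lines quoted above show the pattern behind the sc.exe commands: every rogue service has a short name that borrows a genuine Windows XP service name (Eventlog, NetDDE, SCardSvr, Spooler, VSS, WebClient) and points at a binary that no longer exists. The following is example code added to this thread (not a tool from the thread or from HijackThis) that parses such O23 lines, flags the orphaned entries, and produces the same stop/delete pairs; the sample log is constructed from the lines above with the malware's unprintable binary name replaced by a placeholder.

```python
import re

# Matches one HijackThis O23 line: display name, (short name), owner, binary path,
# and the optional "(file missing)" marker HijackThis appends when the path is gone.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Short names of the genuine XP services the rogue entries impersonate
# (each rogue name glues one real short name onto another, e.g. Eventlog+LmHosts).
GENUINE_SHORT_NAMES = {"Eventlog", "NetDDE", "SCardSvr", "Spooler", "VSS", "WebClient"}

def parse_o23(line):
    """Return a dict for an O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    mimics = next((g for g in GENUINE_SHORT_NAMES if name != g and name.startswith(g)), None)
    return {
        "name": name,
        "display": m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
        "mimics": mimics,  # genuine service whose short name this entry borrows, if any
    }

def orphaned_services(log_text):
    """O23 entries whose service binary is gone: registry leftovers to delete."""
    entries = (parse_o23(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["file_missing"]]

def sc_commands(entries):
    """Stop-then-delete command pair per orphaned service, as in the thread above."""
    return [cmd for e in entries for cmd in (f"sc stop {e['name']}", f"sc delete {e['name']}")]

# Constructed sample: an O21 line and two rogue O23 lines from the thread
# (placeholder binary name) plus one constructed genuine service line.
SAMPLE_HJT_LOG = """\
O21 - SSODL: CDRam - {c785349e-9c7b-4df8-b2a6-9086a954b79d} - C:\\WINDOWS\\Resources\\CDRam.dll (file missing)
O23 - Service: Event Log EventlogLmHosts (EventlogLmHosts) - Unknown owner - <garbage-name>.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINDOWS\\system32\\spoolsv.exe
O23 - Service: WebClient WebClientSpooler (WebClientSpooler) - Unknown owner - <garbage-name>.exe (file missing)
"""

if __name__ == "__main__":
    print("\n".join(sc_commands(orphaned_services(SAMPLE_HJT_LOG))))
```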
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21867577
After you finish running what was suggested above, please download Spybot Search and Destroy.

Install and Scan after updating definitions.

instructions on how to use it.

Author Closing Comment

ID: 31470137
You're great, thanks!
LVL 47

Expert Comment

ID: 21870950
Glad to know it's been resolved.
You can then uninstall combofix.
From the Start menu > Run > and copy and paste next command in the field:

ComboFix /u

Thank you.

For future reference:
In case you're not aware, you can also distribute points to more than one expert by clicking the "Accept Multiple Solutions" button, thanks.
