5 Replies Latest reply: Mar 20, 2012 10:36 AM by Ex_Brit RSS

    iSecurity malware




      On Thursday, the iSecurity malware basically took over my laptop (installed a desktop icon and ran without any prompting).  I ran McAfee full scan, but it didn't find it (and it didn't stop it from loading-I have the firewall on).  Additionally in safemode, McAfee, Spybot and SuperAntiSpyware did not find it.  I finally ran Norton Power Eraser and that took care of the problem.  I don't see anything on McAfee about this malware.  So my question is, why didn't McAfee find it and why didn't my firewall keep it from coming in? 

      Do I need to reload McAfee?  I'm wondering if it is corrupted.



        • 1. Re: iSecurity malware



          That's unfortunate I know and believe me, I'm willing to bet that Norton's regular antivirus wouldn't detect it either.  None of the major antivirus applications are any good against these things.   McAfee has it's own tool - Stinger.  It and several other tools are listed here:  https://community.mcafee.com/docs/DOC-2168


          iSecurity is like so many fake anti-malware pests out there, it requires the user to click on something bad to activate it and the way they work isn't detectable by regular antivirus.


          If your SecurityCenter is green and says it's protecting when you open it then you are OK.

          • 2. Re: iSecurity malware
            KatherineYH Hayes

            In order to the delete the files associated with the virus, you will need to stop the processes of security tool in task manager.

            • 3. Re: iSecurity malware

              KatherineYH Hayes wrote:


              In order to the delete the files associated with the virus, you will need to stop the processes of security tool in task manager.

              Who mentioned security tool?


              The OP already stated that the problem had been dealt with,   Posting a one-liner like you do in many threads I've observed and not explaining how to do what you are saying is at best useless and certainly isn't very helpful..

              • 4. Re: iSecurity malware

                I recently had to remove a couple of these from laptops.


                Supposedly the reason that the normally installed virus tools like Symantec and McAfee let isecurity through is because the user clicks on something (sometimes even to dismiss the window) and that click is considered an acknowledgement to, shall we say, "attack". (OK, maybe install is a better word.)


                On the machines I've removed these from, (all having Symantec with firewall), clicking on the Symantec Endpoint Protection logo displays the window for a second and then it's killed. Many other programs are also killed, like TaskMgr, Start->Run->Command, etc.


                Our users do not have admin priviledges so it only affects the non-admin user or users (we only have one user per laptop), so if one can log in as Admin they can remove the isecurity.exe file and that usually gets them far enough along to continue more removal.


                One removal was from a remote user. We couldn't log in because the user couldn't VPN to corporate for us to PCAnywhere to his laptop.


                Booting into "Last Know Good Configuration" contained the isecurity malware, so I had him boot into Safe Mode with Command Prompt (F8 prior to windows XP loading). As soon as the command prompt is available, continue:


                Change Directory to the places isecurity.exe is usually placed, and delete them... %CommonAppData%\ and/or %AppData%\ . Possibly also C:\Documents and Settings\<current user>\Desktop. Delete any links (.lnk) too which look like "Internet Security".


                One machine had a couple of <numbers>.exe files (like 70394524.exe) which I deleted too, but I don't know if they were isecurity.exe reinstalls of what. They were just too suspicious.


                I also had him edit the registry, to remove the Run entry which starts iscurity at booting, but with it removed, that likely didn't matter. I think you have to be Admin to remove the real key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <any thing that looks like "Internet Security">. Also check RunOnce and remove if found there.


                Clean the Temp files and browser history, cookies, etc. (I won't bore you with the details of this - look it up.)


                The key was to find "isecurity.exe" and hard-delete it... do not move to the recycle bin! Shift-delete when selected does hard-delete when in a windows mode. I believe DEL from the command prompt normally does a hard-delete. Please correct me if I'm wrong on that! Many of the write-ups on this malware (I used www.bleepingcomputer.com/virus-removal/remove-internet-security-2012) recommend the use of their tool for removal, but our users don't have install priviledges, so I just used the removal instructions as a guide.


                There, no one-liners (many one-liners, each of which may be dissected)!

                • 5. Re: iSecurity malware

                  Thanks for posting.   That could help a lot of people.