My career in technology

I’m not a malware hunter by trade, but I have been called on from time to time to do a little extermination.

This one was on my own system!  I was surfing around, looking at some movie reviews and I got a pop-up ad that wasn’t an ad – it was a hijacker.

I got a window that said it was a program called “Internet Security” with the tagline “Designed to Protect”.  It wanted to scan my system.  Of course, I know this scam.  “Internet Security” is not “Microsoft Security Essentials”, it is not a program I have installed on my system.  And I know that if I run the scan it will “find” all sorts of nasties (that I don’t actually have) on my system, and then probably want me to install the full version (for a price), and when I do it will probably install all kinds of trojans and backdoors all while telling me that it has cleaned the nasties off my system.  But that wasn’t the end of the tricks from this particular nasty…

Suddenly everything started shutting down.  IE shut down, and as I was trying to click on it, Microsoft Security Essentials disappeared from my system tray.  I started to get a bunch of messages from my system tray that this program and that program was infected by W32.Blaster.Worm.  When I tried to restart IE, a pop-up said it couldn’t start because the file had been infected, and I needed to scan my system with “Internet Security”.  The same thing happened when I tried to launch Task Manager, and even System Restore.  It even put a shortcut on my desktop in case I couldn’t see the constant stream of messages in the system tray.

Since I couldn’t open IE to do research on what had bitten my system and how to remove it, I was stuck, right?  Ha.  Welcome to the 21st century, where every phone is internet-enabled, and a second computer is required because no one wants to wait for their spouse to stop surfing before they get a turn.

I simply turned to my wife’s computer and started browsing for a solution.

I will give the authors of this fake antivirus some credit, the name “Internet Security” with the tagline “designed to protect” are the very same phrases that appear on every antivirus site on the planet, 70 million blogs about internet security, and on and on.  1.56 million results on Google.

I found one site, though, that got me close.  KingsOfSecurity.com had an entry on “XP Internet Security 2012”.  It wasn’t the same thing as I had, exactly, but one thing it said to do was check the C:\Users\%username%\AppData\Local\Temp folder.  There were a couple of recent files in the folder when I sorted by date, so I highlighted them and deleted them.

One of the files refused to delete, because it was in use by isecurity.exe.

Gotcha.

So I Googled for a way to kill a Windows process from Start >> Run (Windows Logo Key + R also launches Run).  taskkill /IM (Thank you, tech-recipes.com!)

taskkill /IM isecurity.exe

And my system was released from the control of the nasty hijacker.

For good measure I did a system restore, then, once my system had rebooted, updated my Microsoft Security Essentials and rescanned, and searched for any files named isecurity.exe on my hard drive or in my registry, and everything came back clean.
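The manual steps above (sort the per-user Temp folder by date, find the process holding a Temp file open, then check for anything that would reload it after a reboot) can be gathered in one triage pass. The following PowerShell script is an added example, not from the original post; it only reports, leaving the taskkill, System Restore and rescan steps to the operator, and it assumes the Vista/7 path layout the post describes.

```powershell
# Added triage script (not from the original post). Reports the three things the
# post's manual clean-up looked for; it changes nothing on the system.
param(
    [int]$Days = 2,                                     # how far back "recent" reaches
    [string]$TempDir = (Join-Path $env:LOCALAPPDATA 'Temp')  # C:\Users\<user>\AppData\Local\Temp
)

$since = (Get-Date).AddDays(-$Days)

# 1. Recently written files in the per-user Temp folder (the post sorted by date).
Write-Host "== Files in $TempDir modified since $since =="
Get-ChildItem -Path $TempDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, Name -AutoSize

# 2. Running processes whose executable lives under the user's AppData tree.
#    Legitimate software rarely runs from Temp; the post's isecurity.exe was the
#    process holding a Temp file open. Path is empty where access is denied.
$appData = Split-Path -Parent $env:LOCALAPPDATA        # C:\Users\<user>\AppData
Write-Host "`n== Processes running from under $appData =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like "$appData\*") } |
    Format-Table Id, ProcessName, Path -AutoSize

# 3. Autostart (Run) entries pointing back into AppData or Temp, which would
#    relaunch the program at next logon; the post covered this with System
#    Restore and a registry search for the process name.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "`n== Run entries referencing AppData or Temp =="
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'AppData|\\Temp\\' } |
        ForEach-Object { '{0}: {1} = {2}' -f $key, $_.Name, $_.Value }
}

# Remediation is the post's own step: taskkill /IM <process name from section 2>
```

Run it from an elevated PowerShell prompt so that process paths and the HKLM Run key are readable; the output of section 2 is the process name to hand to taskkill.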

Hopefully my experience will help you with resolving your issue.  Please feel free to leave a comment if you need further assistance or if something I wrote was unclear, and I will do what I can to help.

Death to viruses, trojans, and spyware! Death to malware!

Jim Adcock makes a living as a SharePoint Administrator, and makes a difference as Vice President of Launch Pad Job Club, an organization in Austin, Texas, whose mission is to help people who have lost their jobs get the skills they need to land their next job, and to help them cope with the interim between jobs. Check out his career-related posts or check out some of the other content on the site.


Comments on: "Death to Malware: Protecting You From “Internet Security (Designed To Protect)”" (47)

  1. This saved a lot of my time. My friend’s notebook got infected during a browsing session. It is a superbly done fake; probably only IT people can tell the difference.

    Thanks for this post!

    • You’re welcome, I was glad to do it (though not so glad to have had the experience to be able to write it!). My goal for my blogging has always been to help other people get through challenges I’ve faced with the experience I have gained.

  2. Man! You are a genius!!… Thanks!!

  3. Jim
    Thanks for the info.. just booting in safe mode, searching for and deleting the isecurity file worked to fix a friend’s PC with this rotten malware..

    Thanks
    Tom S

  4. Thanks Jim

    Saved me a lot of time figuring out which .exe to kill

  5. I haven’t found isecurity anywhere on my comp, but the dang scan is still on the screen. Any other possible solutions, pretty please?

    • Two things… First, there was no file isecurity.exe on the hard drive as far as I know, that was the name of the process running in memory, probably the file in the Temp directory. It sounds to me like you are trying to look for a file with that name, but I think looking for a file called isecurity is a dead end. Try killing the processes called isecurity.exe instead.

      Second, if I have misunderstood and you are not having success killing the process called isecurity.exe because the process is not running, find any recent files in the temp directory I wrote about, delete the recent files, and see if you get a message that one file cannot be deleted because it is in use by processname, you will have found the process name to kill.

      If that doesn’t work, feel free to reply again, and I’ll try to help, though, since the malware is off my system, I have limited ability to test possible solutions.

  6. Jim, found your blog in safe mode after I got tagged last night. A couple of things I found that others might find helpful. The website “trojan-killer” dot net (associated with PC Tools software, I believe) indicated running the same taskkill you mentioned and I cleaned out all files in the temp folder that were modified on the date of my infection.

    “trojan-killer” dot net instructs visitors to delete the scareware by running the command “%appdata%\isecurity.exe” from the start–>run menu. This revealed the isecurity.exe location, and I simply deleted it (by the way, if you click “run,” isecurity.exe will then run in safe mode and you will have to reboot + F8 again and feel like a total dork… don’t ask me how I know this to be true!) The second time around, I simply deleted the isecurity.exe from the “App Roaming” folder.

    Anyway, after that escapade, I searched the registry (start–>run–>regedit) and searched (edit–>find or simply CTRL-f) for “isecurity” registry entry. The registry item it was hidden under was named “NAME,” the search string “isecurity” found it. Also, I went through the registry trees for ALL users and machine settings, and found it hidden in two places. As always, just be cautious with the delete commands in your registry. I was fairly cavalier with anything that contained the “isecurity” tag, and haven’t had any issues thus far.

    By the way, I didn’t have to buy the software from “trojan-killer” dot net, so I am not endorsing them in any way, just giving them credit for a great explanation and set of steps to beat this virus. Hope it comes in handy for someone else. From start to finish, it took roughly 20 minutes, a cup of coffee, and one “doh!” moment for clicking “run” on the scareware file itself.

    Cheers, and good luck.

  7. breakyerself said:

    Thanks for saving me a bunch of time. You rock.

  8. Just wanted to say thanks! My work computer got pinched while I was surfing the web. You saved me from having to crawl to the IT dept!

  9. David Hahn said:

    Thanks so much for the simple explanation, It is greatly appreciated!
    Your solution worked perfectly.

  10. For those that care about such things, the rate of infection by “Internet Security” seems to have dropped dramatically. I wrote this post less than three weeks ago, toward the end of a calendar week.

    The next full week, there were nearly 800 page views from people like yourselves, trying to remove the nastyware. Last week, the number dropped to about 400 page views.

    So, for the mathematically challenged, I was getting over 100 hits per day the first week, over 50 the second. So far today, only two people have dropped by for a solution, and I just checked my Google rankings for the page and they haven’t changed, so the conclusion I feel relatively safe in drawing is that the worst of the infection seems to have passed.

    • Gah. Looks like this problem has respawned – last week I was getting about six hits a day, but yesterday the numbers jumped up again, into the 60’s.

  11. I have this on my computer and I did the taskkill /IM and my computer blue screened and nothing changed and I still don’t have access to my programs and I don’t know what to do now any tips?

    • Phillip –

      Check out Chris’s comment, he gave some pretty specific instructions that should help. Failing that, ask again, and I’ll see what I can do.

  12. I think I found another way: if you crash your computer, run it in safe mode rather than starting normally, and you can system restore once in safe mode. I plan on re-installing windows later so hopefully I will not need to do anything my, thanks for the help Jim.

  13. sharona said:

    I am now scanning my dad’s laptop in safe mode. I used the normal virusscanner that is installed, I hope this will solve the problem. If not, what should I do? I cannot find the file actually, and I am afraid to delete his important files (I will make a back-up later)!

    • Deleting the most recent Temp files should cause you no problem.

      As long as isecurity.exe isn’t running and hasn’t been added to the registry, you should be clear if the scanner comes back clean.

      As I said in my post, for me the file isecurity.exe didn’t actually exist on the file system, it was only running in the active memory.

      Good luck, and don’t hesitate to ask if you run into problems. (Today is going to be a pretty busy day, so my response time may be longer than usual, I apologize in advance)

      • Dear Jim,

        The virusscanner has not found the program. I am still not able to find the Temp files.
        The virus has now come to a stage where it indeed starts shutting down the programs we want to start. It will not install a new, recommended, scanner, neither will it start Internet Explorer nor Firefox.

        Could you tell me exactly where to find the Temp files? I am afraid I am not quite that handy with computers.

        If it will not work, we will bring the computer to an expert and hope he can fix this.

      • Sharona –

        OK, I have finished my meetings for the day, so I can put some focus on trying to help you.

        In my post, I say to look in the C:\Users\%username%\AppData\Local\Temp folder. Where I wrote %username%, look for your username.

        This path is valid in Windows Vista and Windows 7. In XP it is under C:\Documents and Settings\ if I remember correctly.

        You may have to right-click on the username folder, choose properties, go to the advanced tab and put a check in the box to show hidden files and folders.

        Again, the scanner you are using may not actually find a file named isecurity.exe, as the file may not actually exist on your system, it may just reside in memory. To explain – if you had a diary and wrote down someone’s name and number, you would be able to retrieve that information at any time, as long as you had it filed somewhere you could find it, say, under their name, or on a page you specifically set aside for that information. Think of that as your hard drive. If someone were to just verbally tell you their number, it would reside in your memory (until you forgot it). Think of the verbal instruction as the temp file. That verbal instruction may not use the name Jane Smith on the outside, but it contains the name Jane Smith and the phone number, both of which were loaded into your memory.

        In the case of this malware, it is like a really bad song that you have stuck in your head because someone hummed the tune as they walked by you (don’t you just hate it when that happens?). It is in your memory and displacing other things you should be thinking about (the other programs that should be running). You have to unload it from your memory in order to get your brain back on track.

        Click on start, then Run, then run the command from the post, taskkill /IM isecurity.exe to remove it from memory.

        Then do a system restore (I am not in front of my desktop computer right now, but if I remember correctly, it is one of the options in the control panel) to make sure that instructions aren’t saved there that would reload the code after you reboot.

        Hopefully this will help get you on your way.

  14. Your trick worked perfectly! Thank you immensely.

    Thankfully my teenager came to get me when she saw the “scan”. Both of us noticed that two of the ‘infected files’ included porn in their names — great way to freak parents out instantly. I know too many people who would have fallen for it!

  15. This happened to me last night while surfing the web on how to make cake decorations and I freaked out. Luckily my boyfriend went on his desktop and found your site instantly! I did exactly what you said to do then followed it up with the searches Chris talked about and so far so good! I’ve done a few more scans to be absolutely sure and all have come back clean. Thanks so much!! 🙂

  16. Josef Nordin said:

    Thanks man, you really saved my day:)
    /Josef in Sweden

  17. Andreas said:

    So, what bugs me the most about this, and what I’d really like to know, is how this crap got into my computer in the first place..? I’m really strict about what I allow to get installed on my computer and not, and the last thing I installed (yesterday) was Google SketchUp, which I believe comes from a pretty safe source… before that I haven’t installed things for months..

    • As near as I can tell, some advertisement or web page was infected with an exploit, code that takes advantage of security flaws (or even features) of the browsers and operating systems. That infection could be the result of hacking and not be known by the proprietor of the site or ad, or a deliberate add-on by the advertiser (who would be the hacker themselves).

      This code resided in the temp files, and some software on your computer (the browser, the operating system itself, java, something else, I don’t know exactly which) allowed the code from the internet to get loaded into the temp folder and then get executed.

      “The only way to win is not to play.” Which means choose safety and no internet connection (abstinence only), or minimizing your risk (as you seem to be doing) and still occasionally risk being attacked by clever people with bad intentions. If you choose the latter, just have some familiarity with how to solve issues or how to find solutions to issues, which it seems you did.

  18. Hi, I would appreciate any help! The Internet Security junk has removed my run option from the start menu. Any advice on how to get this killerware off my laptop? Thanks

    • Damn, whoever created this has figured out how we’re stopping them.

      I don’t have an answer offhand, but I’ll try to do some research this morning.

      Try starting your computer in safe mode (as described by some of the commenters on this post) in the mean time.

      • College kid said:

        Have you figured anything out about how to get around the Internet security? Because I have so many essays for finals due and I can research! Please help me Jim!!

      • Follow the directions in the post – go to your AppData\Local\Temp folder and find out what won’t delete and what process is holding onto the file, then kill the file using Windows Logo Key + R, and type in taskkill /IM processname.

        Unless they changed the design of the virus (which is always possible), that should help you to regain control of your system.

        Good luck!

  19. […] Naturally, this period included my biggest week to date, by a huge margin, thanks in part to some malware that I learned how to exterminate the hard way.  But my difficulties made the lives of others […]

  20. […] Protecting You From “Internet Security (Designed To Protect)” […]

  21. […] Protecting You From “Internet Security (Designed To Protect)” (Malware Removal) […]
