How to remove the IE-Security Rogue (Uninstall Instructions)

Posted by Grinler on January 26, 2009 @ 08:26 PM · Views: 2,081

Add to Favorites!    Print Guide!

What this programs does:

IE-Security is a rogue anti-spyware program from the same family as WinDefender 2009. This program is categorized as a rogue because it makes false claims about its product and awards, and when scanning your computer, will display false-positives in order to scare you into thinking you are infected. When a new rogue is released, in order to see what family of rogues it belongs to sometimes requires a bit of research. The coders of IE-Security, though, were sloppy enough to lend us a hand this time. When examining the Windows Registry changes this program performs on your computer, I noticed that it created this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE-Security "DisplayName"
Type: REG_SZ
Data: WinDefender 2009

This Windows Registry key creates an entry into the Add or Remove Programs control panel and gives the entry a DisplayName of WinDefender 2009. You may find it strange that the developers would have given the uninstall entry the same name as another rogue program. In fact, this is not strange at all, just sloppy, because IE-Security is a clone of WinDefender with just a different graphical user interface. What the sloppy programmers forgot to do was to change this program to use the proper DisplayName of IE-Security instead.

Another interesting feature of this rogue is the details they provide when you double-click on a found malware. For the first time that I have seen, this rogue actually provides links to legitimate sites where they explain what the particular malware does. Sites that I saw as part of the found malware details are SpywareGuide, VirusList, and Doxdesk, all of which are legitimate security sites. Thankfully, BleepingComputer didn't make the cut.

If IE-Security is installed on your computer it will be configured to start automatically when you logon to Windows. Once running, it will scan your computer and list a variety of malware such as XupiterToolbarLoader.cab, Wonderland, Whazit, and SpyBlast that cannot be removed unless you first purchase a license of the software. In reality, though, none of these infections actually exist on your computer and IE-Security is only showing them to scare you into purchasing the software. It goes without saying that you should not do so and should instead use the free removal guide outlined below.

IE-Security screen shot
For more screen shots of this infection click on the image above.
There are a total of 6 images you can view.

This guide will walk you through removing the IE-Security program and its associated malware for free.

Threat Classification:

• Information on Rogue Programs & Scareware

Advanced information:

View IE-Security files.
View IE-Security Registry Information.

Entries for this program found in the Add or Remove Programs control panel:

WinDefender 2009

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [IE-Security] C:\Program Files\IE-Security\wdscan.exe

Guide Updates:

01/26/09 - Initial guide creation.

Automated Removal Instructions for IE-Security using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for IE-Security related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the IE-Security removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the IE-Security program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated IE-Security Files:

c:\Program Files\IE-Security
c:\Program Files\IE-Security\ies.s1
c:\Program Files\IE-Security\ies.s2
c:\Program Files\IE-Security\ies.s3
c:\Program Files\IE-Security\ies.s4
c:\Program Files\IE-Security\iescan.exe
c:\Program Files\IE-Security\uninstall.exe
%UserProfile%\Desktop\IE-Security.lnk
%UserProfile%\Start Menu\Programs\IE-Security.lnk

Associated IE-Security Windows Registry Information:

HKEY_CURRENT_USER\Software\IE-Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE-Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "IE-Security"