How To Remove Internet Security 2010 and other Rogue/Fake Antivirus Malware
If you have a PC infected with Internet Security 2010, you’re probably reading this article so you can understand how to get rid of it. Thankfully we’ve got the instructions to help you get rid of this awful thing.
Internet Security 2010 is just one of many fake antivirus applications like Antivirus Live, Advanced Virus Remover, and others that hold your computer hostage until you pay their ransom money. They tell you that your PC is infected with fake viruses, and prevent you from doing anything to remove them.

Note: If you just want the instructions to get rid of it, you’ll want to scroll down a bit.
Anatomy of an Infection
Normally these infections start with a popup message like this one, coming from a rogue site or malvertisement—and they are often served up from porn sites, though these viruses are not exclusively from there.

IMPORTANT NOTE
If you’re a regular How-To Geek reader, you’re probably savvy enough to know how to avoid actually installing these things, but there’s a good chance that your mom isn’t. If you’ve got a relative that doesn’t know what they are doing, here’s what you should tell them to do when they get a popup like this one:
HOLD DOWN THE POWER BUTTON FOR 10 SECONDS!
Seriously. If they really are infected with a real virus, powering off won’t be any worse. Some of these things are tricky and will try and install themselves no matter which way you click, and they look just like a real Windows error message. Powering off is just the simplest and best option for non-tech-savvy users. And yes, this is exactly what I tell my mom to do.
Moving Forward…
Once you click the popup message, you’ll be presented with a page that looks like your My Computer view, telling you that your PC is infected. Never mind that no real antivirus looks like this; regular PC users don’t know any better.

After a few seconds of this, you’ll be presented with a popup dialog in the web page that says your PC is infected, and you can click the button to Remove all. The dialog looks real, and can even be dragged around the page—in my research, this seems to be the point where most regular users get confused.

Once you’ve clicked it, you’ll be prompted to run an installer—which you might note has a number of warnings.

As soon as the installer is able to execute, you are infected.

You won’t be able to open up any applications…

And you can’t remove it from Control Panel.

Removing Rogue Fake Antivirus Infections (General Guide)
There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here are the quick steps:
- Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
- If that doesn’t work, reboot your PC into safe mode with networking (use F8 right before Windows starts to load)
- Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
- Reboot your PC and go back into safe mode with networking.
- If that doesn’t work, and safe mode is blocked, try running ComboFix. Note that I’ve not yet had to resort to this, but some of our readers have.
- Install MalwareBytes and run it, doing a full system scan. (see our previous article on how to use it).
- Reboot your PC again, and run a full scan using your normal Antivirus application (we recommend Microsoft Security Essentials).
- At this point your PC is usually clean.
Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).
Let’s Get to Removing Internet Security 2010
The first thing we’ll want to do is kill the virus that’s currently running on the system, and there’s a really easy way to kill Internet Security 2010 without downloading any special software just to kill it (we’ll still need to download something to clean it, however).
Open up the Start menu, click the Run button (or use the Win+R shortcut key), and then type in the following:
taskkill /f /im is2010.exe
Hit the Enter key, and the main virus window should go away. After you’ve done that, you’ll want to quickly execute the following commands:
taskkill /f /im winlogon86.exe
taskkill /f /im winupdate86.exe
At this point the virus isn’t running on your system. It’s still lurking in the shadows, but you can now run any malware removal tools that you’d like.
Use SUPERAntiSpyware to Clean the Malware
Now that we’ve killed off all those processes, we’ll get to removing the actual malware from the system by downloading SUPERAntiSpyware and installing it. You should be able to grab the full version, or you can use the portable variety that we’ve already recommended.
If you grabbed the full version, make sure to use the Check for Updates button, and then click the Scan Your Computer button… make sure to perform a Complete Scan, and select all of your drives.
It should easily find and kill all of them. You’ll probably note that on this particular machine that I was using in the screenshot, there was a lot of other bad stuff that it caught as well. Woot!
Once it’s done, it’ll let you remove them all in a click, and then prompt you to reboot. Don’t reboot yet, however: the job isn’t done!
Install Malwarebytes and Scan
Next you’ll want to install MalwareBytes and run it, making sure to run a full scan. The main reason to do this is that no single malware removal tool can know about every piece of malware out there, and you may as well make sure your system is clean.

Install Microsoft Security Essentials
You should definitely install Microsoft Security Essentials and run another full scan once you’re done.
Note: If you used a thumb drive at any point during this process, you should make sure to scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.
Sidebar Note
Here’s an interesting fact for you—the two processes that we killed earlier are actually from Advanced Virus Remover, another awful malware we’ve previously told you how to get rid of. Clearly they are both developed by the same jerk.

The winlogon86.exe seems to be mostly used to show messages like this one:

While winupdate86.exe is responsible for blocking you from opening other apps, and re-launching the main Internet Security 2010 window.
Note: Robert, one of our excellent readers, wrote in mentioning that you can often just leave this window open, and then continue to install any malware removal tools you like. Here’s what he had to say:
There is one little trick that you missed, that I mentioned on a different post that was similar to this one. When it pops up with the error message saying; “Application cannot be executed. File is infected.” ..etc… Simply *MOVE* that message box to the corner of the screen, and you can install SuperAntiSpyware just fine.
There appears to only be one instance of that “error message” that will run at any given time. You will get multiple errors, you won’t get that obnoxious sound that computer makes when it tells you that you can’t do that…. Now, if you hit “OK” you’re just asking for a headache.
Great tip Robert, and thanks for helping out the cause! I’ve tested this out, and it appears to be the case depending on which virus you are infected with—some of them are smarter and shut you down all the way.
What About You? Had any Virus-Killing Experiences?
Have you had any experience lately killing this virus, or other similar ones? Let us know in the comments, or feel free to email into the tips line at tips@howtogeek.com with your best method for killing these viruses. We’d love to hear your expert feedback!
Update
Looks like there might be some stronger versions of this thing out there – I would advise not rebooting after you run the initial SUPERAntiSpyware scan, and installing and running MalwareBytes right away. Also, you should check out the advice from all the readers in the comments below.


Two days ago I had to clean my sister’s computer from Internet Security 2010. My first try was the system restore, which surprisingly helped (I was sure it wouldn’t). Afterward I too installed Security Essentials, which I like a lot, to find the infected file that started all this.
This is good info. I noticed the similarity between this and Antivirus Live immediately. I’m just glad I read that article the day before!
One thing, though, on the machine I encountered this on. It messed up the networking. It wasn’t until I tried opening IE and chose the Diagnose link that it started working correctly. However, I’m still suspicious that there weren’t some permission problems as well.
Thank you, I have only recently changed ’puter from XP to Win7. Had a huge learning curve to climb. Thanks to you lads it has been made so much easier. The ability to look up those little tricks and the “how to” section is really great. Many thanks again.
This thing is the devil. I never executed it from that website as it got in somehow through a security hole of some sort. I ran everything on the version I had and nothing (NOTHING) was able to get rid of it. I eventually had to go back to a restore point. I think what I had may have gotten into the kernel layer since every tool I used it would come back. It disables anti-virus programs as well… I was using Avast at the time and it would disable that software completely.
This guide is no longer valid. I just ran into IS2010 today on a customer’s machine and attempted to remove it using SAS portable. It seemed like it was working, up until the reboot; now it does an instant logout on any login attempts, and it appears that safe mode has been blocked. I thought it might be another virus until I got a call from another customer with the same exact symptoms. Ideas?
Thank you for this write-up. I am tech savvy and it did not get on my computer, but once it got on a friend’s I got a phone call. I had tried everything I could find through Google searching, and am not sure why I didn’t think to check here (I read howtogeek most days).
The computer in question wouldn’t do anything but show the IS2010 window in a normal boot, and while I could still boot into safe mode I still could not run anything. I think the taskkill commands were the key to allow me to get through enough of a scan. One thing I did have to do was, once SUPERAntiSpyware had found a large number of infections, I clicked next to stop the scan and clean what it had found. If I let it try to finish, the computer would lock up and I would have to start over again.
I am in the process of running full scans with Malwarebytes, then onto a full virus scan, but I am actually making progress after beating my head on my desk for the last day.
Thanks howtogeek!
Actually, now I’m reading that this only happens with the “weaker” malware removal tools such as SUPERAntiSpyware and Spybot S&D. According to everything I’m reading you’re supposed to use Malwarebytes. So basically I’m screwed on this one, but you guys might be able to save other computers if you warn them not to run SAS or Spybot S&D.
Sam, that was one of the problems I had. It was such a problem, I blogged an article about it on my own blog. Therefore, I give permission to myself to copy and paste the post-cleaning steps I took.
At any rate, the following may or may not help you or anyone else:
One tip-off that it was either a permission or corrupted file/registry entry was that it kept complaining that svchost.exe had an application error upon startup. This occurred before login.
In order:
1. Tried to use the wizard to setup a new network connection. It seemed to work OK, even asked to reboot, but it still was “Acquiring network address” after a reboot.
2. Removed and re-added the network card. Same symptoms.
3. Tried doing an “update” of Windows XP over Windows XP using an install CD. This got rid of the initial svchost.exe error, but then it complained that Windows needed activating. It would ask if I wanted to activate Windows, and of course it couldn’t because the network wasn’t working, so either way it would just stay logged off.
4. Did a restore of the post-virus clean system (I did a backup as soon after cleaning it as I could). I still think this is what really fixed it, as it probably forced permissions to be correct. Same symptoms appeared afterwards, but now at least it seemed that changes were being saved.
5. This time, I tried to bring up IE in spite of the fact that the network wasn’t working, and I did a Diagnose. It brought up some more dialog boxes (it was about 3 am, so sorry I don’t remember which ones), and it asked to reboot. Voila!
If it was a permission issue, it would explain a lot of the problems, including why “updating” XP over itself did not work. Otherwise, I’m still in the dark as to what the root cause of the post-cleaning issues are.
@all
I’m going to do some more testing – it’s possible there’s multiple varieties of this thing? I think if you run both SUPERAntiSpyware and MalwareBytes without rebooting, should be able to get through it fine?
During my research I ran into a guy who experienced the problem and may have found a fix. I haven’t tried it yet, but at least it’s something.
linkupsuper:
“XP Auto logging off problem Solved.
This problem occurs after virus clean up Internet Security 2010 fake program
I had this same problem and it sounds like the common solution is to copy a new userinit.exe file to wsaupdater.exe. In my case, the registry key for userinit.exe was not pointing to wsaupdater.exe, it was pointing somewhere else entirely. The only way I was able to log in again was to edit the registry and change key string to Under KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
to read ; C:\WINDOWS\system32\userinit.exe
In order to edit this, I downloaded and created a BartPE boot disk. After the file is downloaded, install it on a working computer running Windows XP only. The downloaded file scans any XP-only computer and builds a bootable CD. After the boot CD is created, boot the affected machine from the bootable CD and follow these steps.
1. Click the icon in the lower left corner and select Run
2. Type Regedit
3. Highlight HKEY_USERS
4. Click the File menu and select Load Hive
5. Navigate to C:\Windows\System32\Config\Software (pick software and open)
Tip! If no subfolders are seen under Windows, make sure the file name field is blank, or click in the file name field and press Enter. You may need to repeat this a few times until subfolders are seen.
6. Name the hive something like MyHive
7. Open MyHive folder under HKEY_USERS
8. Navigate to KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
right click on (userinit ) choose modify next change the value of Userinit to
C:\WINDOWS\system32\userinit.exe
9. After you have made this change, it is important to unload the hive
10. Highlight the MyHive, click on the file menu, and select unload hive.
This should fix your log on problems.”
Sam, that userinit value should have a comma at the end of it as well. Another thing I’d recommend everyone check on is the date and/or digital signature of the storage drivers. In the C:\Windows\System32\Drivers folder sort the files out by date and look for iaStor.sys, atapi.sys, nvstor.sys, or nvgts.sys with a recent date. If it’s roughly the same age as the infection (or is missing manufacturer information in the file properties) then it is infected and you need to replace it. If a scanner did find these and remove them, you’re probably now getting a 0x7B BSOD. I emailed The Geek yesterday with a little more detailed explanation of these two hang-ups, and from a note he made in the Security Tools article I believe he’s going to do a write-up on solving these issues (and more?) if you run into them.
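The storage-driver check described in the comment above, scripted as an added example; it is not part of the original comment or article. It assumes PowerShell 4 or later, and the parameter names, the three-day window and the output columns are illustrative choices.

```powershell
# Added example: triage the four storage drivers named in the comment above.
# Parameter names and the WindowDays default are assumptions, not from the page.
param(
    [string]$DriversDir = (Join-Path $env:SystemRoot 'System32\Drivers'),
    # When you believe the infection started; you supply this.
    [Parameter(Mandatory = $true)][datetime]$InfectionDate,
    # How close to that date a file's timestamp must be to count as "same age".
    [int]$WindowDays = 3
)

$names = 'iaStor.sys', 'atapi.sys', 'nvstor.sys', 'nvgts.sys'

$results = foreach ($name in $names) {
    $path = Join-Path $DriversDir $name
    # Not every machine has every one of these drivers; absence alone is normal.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $file = Get-Item -LiteralPath $path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $path

    $reasons = @()
    $ageGap = [math]::Abs(($file.LastWriteTime - $InfectionDate).TotalDays)
    if ($ageGap -le $WindowDays) {
        $reasons += 'modified near infection date'
    }
    if ([string]::IsNullOrWhiteSpace($file.VersionInfo.CompanyName)) {
        $reasons += 'no manufacturer in version info'
    }
    # Caveat: on older Windows/PowerShell versions, catalog-signed in-box drivers
    # can report NotSigned here. Treat it as a reason to compare the file with
    # known-good media, not as a verdict.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    }

    [pscustomobject]@{
        Name          = $name
        LastWriteTime = $file.LastWriteTime
        Company       = $file.VersionInfo.CompanyName
        Signature     = $sig.Status
        SHA256        = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        Review        = ($reasons -join '; ')
    }
}

$results | Sort-Object LastWriteTime -Descending | Format-List
```

A non-empty `Review` field means the file deserves a comparison against a copy from known-good install media; replace a suspect driver rather than deleting it, since removing it is what leads to the 0x7B stop error mentioned above.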
Another option I’ve used for scanning.
Grab an Ubuntu Live CD, boot into Linux. Head to http://www.avast.com, download and install the Linux version. You’ll have to activate it, but that’s free and hey, at least Avast is legit.
All this can be done without rebooting, which would kill the Avast install, since it’s a live CD session.
Then you can scan and clean your drive.
@wolfman544
That’s an awesome idea! I’m going to write that one up. Like, right now.
I spent yesterday evening removing a variation of this trojan from a machine. Nothing would install and nothing would run from a thumb drive. At last I noticed that the pop-ups didn’t start immediately when XP loaded and I was able to use that 30 or 40 seconds to initiate a MWB scan. Upon completion of MWB I rebooted and ran SAS. Once the scans were in progress, the infections were powerless to interrupt them.
Ultimately, I ran a few more tools and got the machine clean. But it seemed essential to initiate the scans as quickly as possible after XP loaded and before the trojan had.
Sam/Nolan: I have followed the instructions for the XP Auto logging off problem, but, after 6 tries, it didn’t take. Since pulling my hair out, I managed to find a fix for the userinit value that works. We are now logged in and are following the above steps (using SUPERAntiSpyware & Malwarebytes, etc..) to get the job done. Will keep you posted on the outcome! Fingers crossed!!
Here are the steps to fix the login problem:
1. Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
2. Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive.
3. From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\
4. Select the file named SOFTWARE (the file without any extensions), and click Open.
5. Type a name for the hive that you’ve loaded now. (Example: MyXPHive)
6. Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
7. In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
8. Double-click Userinit and set its value correctly. Example: Set its data as follows:
C:\Windows\System32\Userinit.exe,
(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)
9. After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It’s important to note that you’ll need to select the MyXPHive branch first, before unloading it.
10. Quit BartPE and restart Windows. See if you’re able to log on to your profile.
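The registry fix in the steps above, scripted as an added example; it is not part of the original comment or article. It assumes an elevated PowerShell session with reg.exe that can see the affected Windows installation (a rescue environment that includes PowerShell, or the disk attached to another PC); the parameter names and defaults are illustrative.

```powershell
# Added example: audit, and optionally repair, the Winlogon Userinit value in an
# offline SOFTWARE hive. Parameter names and defaults are assumptions.
param(
    # Windows directory of the affected install as seen from this session;
    # the drive letter may differ from the one the system uses when it boots.
    [string]$OfflineWindows = 'C:\Windows',
    # Value the affected system should have when booted (note the trailing comma).
    [string]$Expected = 'C:\Windows\System32\userinit.exe,',
    # Temporary name for the loaded hive, as in the steps above.
    [string]$MountName = 'MyXPHive',
    # Without -Repair the script only reports what it finds.
    [switch]$Repair
)

$hiveFile = Join-Path $OfflineWindows 'System32\Config\SOFTWARE'
$userinit = Join-Path $OfflineWindows 'System32\userinit.exe'
$mount    = "HKU\$MountName"
$key      = "$mount\Microsoft\Windows NT\CurrentVersion\Winlogon"

if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive not found: $hiveFile" }

# A correct registry value does not help if the binary it names is gone.
$binaryPresent = Test-Path -LiteralPath $userinit
if (-not $binaryPresent) {
    Write-Warning "userinit.exe is missing from $OfflineWindows\System32; restore it from known-good media."
}

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the session elevated? is the hive in use?)' }

try {
    # reg.exe prints a line such as:
    #     Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    $current = $null
    foreach ($line in (& reg.exe query $key /v Userinit 2>$null)) {
        if ($line -match '^\s*Userinit\s+REG_\w+\s+(.*)$') { $current = $Matches[1].Trim() }
    }

    # -eq on strings is case-insensitive, which suits Windows paths.
    $ok = ($current -eq $Expected)
    $repaired = $false

    if (-not $ok -and $Repair) {
        & reg.exe add $key /v Userinit /t REG_SZ /d $Expected /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg add failed' }
        $repaired = $true
    }

    [pscustomobject]@{
        Found           = $current          # keep this for your notes: it names what hijacked logon
        Expected        = $Expected
        Matches         = $ok
        Repaired        = $repaired
        UserinitOnDisk  = $binaryPresent
    }
}
finally {
    # Always unload, even after an error; a hive left loaded stays locked.
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not unload $mount; unload it manually before rebooting." }
}
```

Run it once without `-Repair` to record the value that was found, then again with `-Repair` to write the expected one.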
this internet security 2010 is really bad. Not only is the person that wrote this junk a complete jerk! They really should be put in jail. Enough ranting for now. Not only has it reinstalled itself on my computer after running Malwarebytes, Windows Defender, and Spybot…it has added windows\system32\drivers\etc\hosts, windows\system32\lwinlogon32.exe, smss32.exe and helper 32.dll to the PERMITTED items on Windows Defender AND I can’t get to the page to manage allowed items! Any ideas?
I too can’t log on to my laptop. I can’t go into safe mode, nothing. It just logs me right back off again no matter what I do. Someone please give me some advice, I can’t afford to spend $200 to get it fixed! I have fixed all other viruses myself, but this one has wrecked my computer in a matter of a few hours. Please help!!!
I happened to be visiting my parents a few weeks back. I was using their PC searching for info on adoption of the Haiti orphans, hit a link to a page and got infected. Luckily I had SAS, Malwarebytes and ComboFix with me. This was one tough fix. System Restore was gone. After running scans with SAS and MWB and cleaning what they found, I then booted into Safe Mode with networking and then ran ComboFix. ComboFix found that System Restore was missing and asked if I wanted to go to MS to download and reinstall. When it was all said and done, it took me over 8 hours to get the PC clean…
My computer was infected with this IS2010 and I used my Avira, SuperAntiSpyware, and Malwarebytes. The virus still seems to find its way back onto my computer. Also, it has broken all of the file paths for my apps. Every time I try to open Word or Firefox or anything, it asks which program I want to open it with. I choose the program and it either works or it says file path not found. How do I keep these paths from being jacked up and keep this stupid virus at bay??
Also when I try to Run taskkill /f /im winlogon86.exe etc., it says program not found.
I have the same problem with auto log off. I tried to create a BartPE CD but don’t know how to create it. I downloaded PE Builder but once it scans it tells me that there are no installation files. Can someone tell me how to create a boot disk so I can fix my computer?
Cannot even log on, only blue screen. Help please.
None of the above really helped me at all unfortunately. I have no idea what I was doing the entire time because I’m not even barely computer savvy. But I got it off finally by using different methods. The first thing I had to do was un-disable my task manager. I kept getting a pop up saying it was disabled by the administrator. I had not done that so I assume it was the virus. So I googled how to do that. It guided me to where the disable taskmanager file was and I deleted it. It worked and I was able to run my task manager and end the virus pop up managers long enough to run rkill.com. I was then able to run superantispyware and malwarebytes but when I rebooted security essentials was still on my computer ug! And I couldn’t remove it with add/remove programs so I googled how to remove things without it. I found a link to revo uninstaller pro. (Before I did any of this though I had to repeat the taskmanager/rkill.com steps.) I used the hunt option and moved the hover button over the security essentials 2010 icon on my desktop. It found it and all the connecting files. It did not choose which files to delete on its own which is a good thing. You must be careful with this program and only click the files that are se2010 and only them. This program will delete needed folders if you accidentally select them or are unaware that they are important so be careful. I only selected the files that had the name security essentials 2010 in the name, and no folders. Seemed a bad idea to do that to me. Anyway now my computer is totally fine and my mom is not allowed to use it ever again =] Hope this helps someone. And btw I had no idea what I was doing the entire time I did this, I even called a computer software helper guy to get help and only did all this after he gave up and told me it wasn’t worth it and to just take it to get wiped clean. Haha to him. And I hate whoever was stupid and lifeless enough to make such a thing as this virus. ug ug ug
I managed to get online and went to Windows OneCare safety scanner; that removed the main problem. After that I installed Malwarebytes Anti-Malware and cleaned up the rest of the infections. PC works good now.
The only way to remove spyware safely: reformat your hard drive.
While this definitely will not help everyone, I have found that most of these install into the local profile on the computer. At work, users are not local admins, but the software installs anyway. That’s because users can install stuff to their profile. So to clean the system, we have been able to blow away the user’s profile and when they log into the Domain the next time, the local profile gets recreated. Of course they lose any Favorites and stuff under “my documents” but they are supposed to be saving all their files to the network drive.
I read your article on How to remove Internet Security 2010. What exactly do you mean by Hold down the power button for ten seconds?
My laptop got infected yesterday with this virus. Thanks to Malwarebytes, now it is completely removed and my laptop is functioning good. But when it was attacked Windows 7 didn’t let me go online. So basically I had to go to main computer and download Malwarebytes to my flashdrive. Then I simply got it to my laptop.
Here is a picture of the nasty trojans which Malwarebytes found: http://www.shareapic.net/content.php?id=22210390&owner=divineforever
I couldn’t install SUPERAntispyware because my Rogue/Fake Antivirus Malware (AntiSpyware Soft) wouldn’t let me install it, even with its unique name. The best trick I found somewhere else to temporarily kill the spyware so I could load it was to reboot and hit Ctrl-Alt-Delete immediately after logging in. That allowed me to go in and find the spyware in the Processes and kill it so I could then install. I then installed SUPERAntispyware and have just finished the full scan. On to the next steps. Thank you. . .
I had this version once. I opened in F8 ‘safety mode.’ I went to the control program and deleted it from there. I went to start for ‘All programs’ and deleted it from there. I did a search for the specific title, still in safety mode; two folders were shown; I deleted each of those. Then I went to “System Restore” and set the computer back about three weeks. That seemed to do the trick. Note, I didn’t go into the Registry, being apprehensive about that and not at all certain of what to look for. As you also indicate, turning your computer off immediately upon notification of this virus seems to be the best; but if you’re new to computer viruses, the person may not even be aware of what the monster is. In the end, it seemed advisable to subscribe to a good antivirus program and since then, I have been protected; the small price seems to be worth the expense.
I got this virus in the beginning of 2009, and had to pay a PC repair guy $70 to fix it. Good thing is I found a great PC repair guy in my area, bad news, I lost some data and some money.
You wrote a great article though, and I am sharing it with some of our customers at AtNetPlus. Keep up the good work!
The fake antivirus would not let me go online. What should I do? I’m using my friend’s computer right now.
It’s so sad that people are having these problems. If they just used the right stuff and stayed away from the wrong websites they would not be infected. I have a friend’s computer right this minute that I’m fixing, plagued with Malware, viruses and no telling what. Couldn’t do anything on the thing. It will be fine and I hope it is a lesson learned for him. Run your AV and use Malwarebytes, Superspyware and a good firewall like Comodo.
F8 – safe mode
then go to accessories-system-system restore
pick a point a day before you got the virus.
bingo – virus is gone – you should not need to do all the steps above.
Malwarebytes scan will confirm the virus is gone.
Once you have a clean system again save the restore point as ‘Clean system’ so you know you can always get back to the state easily
Hey guys, I got the virus on my PC around February this year, no idea how it got there as I was in the shower before work when my friend was using it to check her emails, then when I came home from work it was there, Spybot ran and claimed to have gotten rid of some stuff so I restarted, then when I pressed enter to log on (I don’t have a password) I got a blue screen and it went back to the log on, I’ve tried using a USB converter, plugged it into another PC with Norton on it, I even downloaded Malwarebytes, ran scans, nothing, I can’t even access my documents that are on the drive that way, unless they’re in programme files, it’s doing my head in now, I’ve been trying to sort it for months! I’m on a low income and can’t afford the £75 to get rid of it just now, any help would be greatly appreciated, I have no idea how others overcame the logging off problem as there’s nothing to click to get anything else to run!
Yours Faithfully
Jamie
-x-