Technical @ Updates

How To Remove Internet Security 2010 and other Rogue/Fake Antivirus Malware

If you have a PC infected with Internet Security 2010, you’re probably reading this article so you can understand how to get rid of it. Thankfully we’ve got the instructions to help you get rid of this awful thing.
Internet Security 2010 is just one of many fake antivirus applications like Antivirus Live, Advanced Virus Remover, and others that hold your computer hostage until you pay their ransom money. They tell you that your PC is infected with fake viruses, and prevent you from doing anything to remove them.



Note: If you just want the instructions to get rid of it, you’ll want to scroll down a bit.


Anatomy of an Infection


Normally these infections start with a popup message like this one, coming from a rogue site or malvertisement—and they are often served up from porn sites, though these viruses are not exclusively from there


IMPORTANT NOTE


If you’re a regular How-To Geek reader, you’re probably savvy enough to know how to avoid actually installing these things, but there’s a good chance that your mom isn’t. If you’ve got a relative that doesn’t know what they are doing, here’s what you should tell them to do when they get a popup like this one:


HOLD DOWN THE POWER BUTTON FOR 10 SECONDS!


Seriously. If they really are infected with a real virus, powering off won’t be any worse. Some of these things are tricky and will try and install themselves no matter which way you click, and they look just like a real Windows error message. Powering off is just the simplest and best option for non-tech-savvy users. And yes, this is exactly what I tell my mom to do.
Moving Forward…
Once you click the popup message, you’ll be presented with a page that looks like your My Computer view, telling you that your PC is infected. Nevermind that no real antivirus looks like this, regular PC users don’t know any better.


After a few seconds of this, you’ll be presented with a popup dialog in the web page that says your PC is infect, and you can click the button to Remove all. The dialog looks real, and can even be dragged around the page—in my research, this seems to be the point where most regular users get confused.

Once you’ve clicked it, you’ll be prompted to run an installer—which you might note has a number of warnings.

As soon as the installer is able to execute, you are infected.

You won’t be able to open up any applications…

And you can’t remove it from Control Panel.

Removing Rogue Fake Antivirus Infections (General Guide)

There’s a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here’s the quick steps:

--> Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
If that doesn’t work, reboot your PC into safe mode with networking (use F8 right before Windows starts to load)
--> Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
Reboot your PC and go back into safe mode with networking.
--> If that doesn’t work, and safe mode is blocked, try running ComboFix. Note that I’ve not yet had to resort to this, but some of our readers have.
--> Install MalwareBytes and run it, doing a full system scan. (see our previous article on how to use it).
--> Reboot your PC again, and run a full scan using your normal Antivirus application (we recommend Microsoft Security Essentials).
--> At this point your PC is usually clean.

Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).

Let’s Get to Removing Internet Security 2010

The first thing we’ll want to do is kill the virus that’s currently running on the system, and there’s a really easy way to kill Internet Security 2010 without downloading any special software just to kill it (we’ll still need to download something to clean it, however).

Open up the Start menu, click the Run button (or use the Win+R shortcut key), and then type in the following:

Start --> RUN --> Type "taskkill /f /im is2010.exe"

Hit the Enter key, and the main virus window should go away. After you’ve done that, you’ll want to quickly execute the following commands:

taskkill /f /im winlogon86.exe
taskkill /f /im winupdate86.exe

At this point the virus isn’t currently running on your system—but it’s still lurking in the shadows, but you can actually run any malware removal tools that you’d like.

Use SUPERAntiSpyware to Clean the Malware

Now that we’ve killed off all those processes, we’ll get to removing the actual malware from the system by downloading SUPERAntiSpyware and installing it. You should be able to grab the full version, or you can use the portable variety that we’ve already recommended.

If you grabbed the full version, make sure to use the Check for Updates button, and then click the Scan Your Computer button… make sure to perform a Complete Scan, and select all of your drives.

It should easily find and kill all of them. You’ll probably note that on this particular machine that I was using in the screenshot, there was a lot of other bad stuff that it caught as well. Woot!

Once it’s done, it’ll let you remove them all in a click, and then prompt you to reboot… you shouldn’t reboot yet. Job isn’t done, however!

Install Malwarebytes and Scan

Next you’ll want to install MalwareBytes and run it, making sure to run a full scan. The main reason to do this is because there’s no way a single malware removal tool can know about every single piece of malware out there, and you may as well make sure your system is clean.

Install Microsoft Security Essentials

You should definitely install Microsoft Security Essentials and run another full scan once you’re done.

Note: If you used a thumb drive at any point during this process, you should make sure and scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.
Sidebar Note

Here’s an interesting fact for you—the two processes that we killed earlier are actually from Advanced Virus Remover, another awful malware we’ve previously told you how to get rid of. Clearly they are both developed by the same jerk.

The winlogon86.exe seems to be mostly used to show messages like this one:

While winupdate86.exe is responsible for blocking you from opening other apps, and re-launching the main Internet Security 2010 window.

Note: Robert, one of our excellent readers, wrote in mentioning that you can often just leave this window open, and then continue to install any malware removal tools you like. Here’s what he had to say:
There is one little trick that you missed, that I mentioned on a different post that was similar to this one. When it pops up with the error message saying; “Application cannot be executed. File is infected.” ..etc… Simply *MOVE* that message box to the corner of the screen, and you can install SuperAntiSpyware just fine.
There appears to only be one instance of that “error message” that will run at any given time. You will get multiple errors, you won’t get that obnoxious sound that computer makes when it tells you that you can’t do that…. Now, if you hit “OK” you’re just asking for a headache.
Great tip Robert, and thanks for helping out the cause! I’ve tested this out, and it appears to be the case depending on which virus you are infected with—some of them are smarter and shut you down all the way.