Internet Security 2010 (InternetSecurity2010) Virus Removal Guide

Internet Security 2010, or InternetSecurity 2010, is a fake antivirus program, known as a rogue security application. The program is bundled with other forms of malware, including Advanced Virus Remover, winlogon86.exe, and winupdate86.exe. Internet Security 2010 is a copy of Advanced Virus Remover, which is also a fake antivirus program. Internet Security 2010 hopes to trick the user into thinking that it is a real program by using various tactics, such as creating fake virus scans and having a professional look to the program. Also, Internet Security 2010 hopes to scare the user into purchasing the program by displaying fake virus scan results.

Internet Security 2010 will tell the user that their computer is infected and will use tactics to convince the user to purchase it. It will also use other tactics, such as the use of pop ups to warn the user. However, the program itself doesn’t work to remove viruses. It has a website which it uses to advertise the fake program.

The following messages are used by Internet Security 2010 to scare the user into purchasing the program.

“System warning!
Continue working in unprotected mode is very
dangerous. Viruses can damage your condifential data
and work on your computer. Click here to protect your
computer.”

“System warning!
Intercepting programs that may compromise your
privacy and
harm your system have been detected on your PC.
It’s highly recommended your scan your PC right now.”

Common symptoms and characteristics of Internet Security 2010 and other rogue security programs include:
1. Internet Security 2010 is generally installed without user permission through a trojan horse.
2. Internet Security 2010 uses pop ups and fake virus scans to scare the user.
3. Internet Security 2010 website is unprofessional, with fake testimonials and fake awards.
4. The payment website for Internet Security 2010 looks suspicious.
5. Various antivirus and system programs on the user’s computer will stop functioning.

Virus Type: Rogue Security Application
Threat Level: 8 / 10

Below is our recommended removal tool for Internet Security 2010. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET’s Editor’s Choice. Feel free to download it below.

If you are unable to run the removal tool, or are unable to run any programs in general, you may need to stop the processes associated with Internet Security 2010 with task manager. If task manager has been blocked by Internet Security 2010, try using Process Explorer.

Manual Internet Security 2010 Removal – In order to manually remove Internet Security 2010, the processes associated with Internet Security 2010 must be stopped, the files associated with the processes must be removed, and the registry entries must be corrected to the previous state before Internet Security 2010 entered the computer.

Note: Internet Security 2010 has multiple versions; therefore, the files created by Internet Security 2010 may vary.

Stop Internet Security 2010 Processes (Learn How To Do This)
IS2010.exe

Remove Internet Security 2010 Files (Learn How To Do This)
C:\Program Files\InternetSecurity2010\
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\WINDOWS\system32\winlogon86.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\system32\AVR10.exe
C:\WINDOWS\system32\winhelper86.dll
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\IS15.exe
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe

Remove Internet Security 2010 Registry Keys (Learn How To Do This)
HKEY_CURRENT_USER\Software\IS2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security 2010

Remove Internet Security 2010 Startup Entry (Learn How To Do This)
IS2010.exe
winupdate86.exe

Block Internet Security 2010 Related Websites (Learn How To Do This)
buy-internet-security.com
downloadavr30.com

Common Questions -
1. What is a computer virus? (Click Here To View)
2. How did I get this computer virus? (Click Here To View)
3. What common symptoms show that my computer may be infected? (Click Here To View)
4. What is a rogue security application? (Click Here To View)
5. What are some antivirus and antispyware programs which I can use to remove viruses and spyware? (Click Here To View)

If you have any questions or comments, please don’t hesitate to comment below. We recommend that you follow our safety tips so that you can keep your computer clean. Please Click Here to View Our Safety Tips.

Posted in: Malware Removal | Follow Us On Twitter

This entry was posted on Thursday, December 10th, 2009 at 2:32 am and is filed under Malware Removal. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

29 Responses to “Internet Security 2010 (InternetSecurity2010) Virus Removal Guide”

IS2010.exe Virus Removal | Virus Removal Guru December 10th, 2009 at 3:11 am

[...] Security 2010, a fake antivirus program. For removal help with Internet Security 2010, please click here to view our official guide to remove Internet Security [...]

Julien (from France) December 22nd, 2009 at 10:15 pm

Thank you very much for your help!
The IS2010 virus is now deleted of my computer.

I think you should add a post to explain how to change the “userinit data” with the Registry Editor because (in my case) with this virus and after have restarted my computer, the user account could not start anymore… same thing with the administrator account.

The userinit data was replaced by:
c:\windows\system32\winlogon86.exe
instead of
c:\windows\system32\userinit.exe,

So the only solution was to use another CLEAN computer, connect the infected hard disk in slave mode and modified the data of userinit.

I will try to explain how to do that:

1 – After have connected your infected hard disk on a CLEAN computer (be sure this one is detected as removable disk) click START on the taskbar then select RUN…
2 – When the run box comes up, type regedit.exe and select OK.
3 – Make a left click on HKEY_LOCAL_MACHINE (HKLM), select File then Load Hive…
4 – At the top of the window, select the letter set by windows for your removable disk (infected hard disk).
5 – Go to “?:\windows\system32\config”
(The ? correspond at the letter of your removable disk set by windows)
6 – Select the file SOFTWARE.
7 – Give it a name (”YourName” for exemple or another one).
8 – It now appears in the HKLM folder of regedit.
9 – Go to the directory:
“YourName”\Microsoft\WindowsNT\CurrentVersion\Winlogon
10 – Make a double click on the userinit file and change the value by:
?:\windows\system32\userinit.exe,
/!\ do not forget the , and select OK.
11 – Make a left click on the “YourName” folder, select File then Unload Hive…
12 – Select yes to save the modification and close the Registry Editor.
13 – Turn off the computer and disconnect your hard disk.
14 – See if now you can start again your user account and follow all the explanations to delete the IS2010 virus.

I hope you’ve been helped. Best Regards

Julien

Julien (from France) December 22nd, 2009 at 10:58 pm

Another thing,

If you can’t have access to the Task Manager to stop the processus, it’s because the IS2010 virus has changed a value in the registry.

Follow these steps to solve the problem:
(only test on windows XP)

1 – Click START on the taskbar then select RUN…
2 – When the run box comes up, type regedit.exe and select OK.
3 – Go to the directory:
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\policies\System
4 – Double click on the Disable TaskMgr file and change the value data “1″ by “0″.

I hope you’ve been helped again.

Julien

Zach December 24th, 2009 at 6:52 am

found a loop around the infection by restoring my computer to the day before it was infected (obviously you would have to sacrifice anything saved after the restore time)….IS2010 also blocks the restore….here is away around it….

search files: system restore (usually in c:\WINDOWS\system32)

right click on rstrui.exe, copy and paste in restore folder

rename “copy of rstrui.exe” to something witty like IS2010eatspoop, then double click on it

this allowed me to run system restore undetected by the lame program … I restored to the day before to see if I could locate the malicious files before they start

surprised the dumb kids didn’t see this loophole

good luck

Rinoa December 31st, 2009 at 8:24 am

With HKCU we need to configure policies in HKLM

charly December 31st, 2009 at 12:04 pm

Julien, comment connecter un pc en slave mode ?

Mung January 2nd, 2010 at 4:35 am

Julien, it looks like I have the same login problem that you did. The virus infected my laptop and I don’t have another computer to connect the hard drive to. Do you (or anyone else) know of a way to fix the login issue without having another PC?

Marco January 2nd, 2010 at 4:59 pm

Salve dopo che il virus internet security 2010 è entrato nel mio computer, ho riavviato il computer ma adesso si riavvia all’infinito……non permetendomi di accedere a windows…….cosa devo fare per eliminarlo????

Marco January 2nd, 2010 at 5:03 pm

My computer reboot itself continuously! I don’t to access windows…..what I can doing???? Help me Please…!!!!

Guru January 2nd, 2010 at 9:23 pm

If you are unable to log into Windows, please view the comments on the pages listed below since your computer may be infected with Winlogon86.exe and Winupdate86.exe –

http://www.virusremovalguru.com/?p=4713
http://www.virusremovalguru.com/?p=4710

JULIEN (FROM FRANCE) January 3rd, 2010 at 1:18 pm

Hi everybody,

I don’t have solution to solve the problem without to use another clean computer or clean hard disk if you are unable to log your windows account.

Connect your hard disk infected in slave mode means it must be recognized as a removable memory on the clean computer like a USB key.
The easy way is to have an external hard disk enclosure and connect it on a USB port.

That way you will can access to all your files and you can copy them on the clean hard disk to be sure to do not lost them before to procede at the elimination of the IS2010 virus or before to format your infected hard disk if it’s the last solution.

Good luck !!! Best Regards

Julien

JerryB January 10th, 2010 at 4:17 pm

Excellent info, Julien! I don’t know where else that info could be found. I might have used it, but got very lucky, instead.
I did an Image backup with Ghost14 when I installed Macrium Reflect just 2 weeks ago. I was able to copy 13 files from System32/Config from that backup – and was able to logon to Windows again. Here is an excellent example of why one should not use an administrator account for everyday use – except that Windows would allow a malicious program to make Registry changes at the admin level, ANYWAY. I found that all other fallback systems failed: I could not start Win in any Safe mode – BSOD; I could not boot to the “Rescue” partition on my WinXPMCE Dell e520; the Windows Setup “Repair” did nothing but give me a command prompt (which was probably more useful than the simple file “manager” provided by the Ghost14 boot disc environment). After logon, I tried to restore the Registry from a few days ago, and System Restore was unable to restore the 2 System Checkpoints made in the last week. All these “protections” are WORSE than useless, when they provide a FALSE sense of security. Thank goodness I did not trust any one system.
I suppose that I will reinstall WinXP and hope that will fix my ability to start Safe Mode and System Restore.
I guess the lesson for me is, If you don’t like to Format & Start from Scratch, use TRIPLE Redundancy in your backup strategy. It is terribly ironic to me that I never worry about my DATA – the Valuables that backup systems are designed to protect — I just move data files OFF my machine, onto external drives, and never worry about That. My Entire Backup Strategy is consumed protecting my Operating System. I cannot segregate all the customization and applications that I have added to Windows and back them up separately, so I am Forced to consume tons of storage mirroring Windows repeatedly. Worse, I haven’t found a good program for that yet – next up, CloneZilla (OMG). Ghost, though it saved my skin this time, I find, is a terrible implementation – on another occasion, I found that 5 out of 6 Ghost images I had made would Not restore.
I bought a Mac recently, trying to avoid Windows’ failings – to no avail – There is no good, free system backup for OSX, either, that I have found.

Bobby January 14th, 2010 at 11:43 pm

If you can not logon to windows (logs in then out) you will want to download Winternals Erd Commander 2007 with a torrent. Then burn it to a CD. This will allow you to edit your registry without the chance of infecting another computer.

Once you do… go to:
HKLM/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENT VERSION/WINDOWS/WINLOGON
Change: UserInit from:
c:\windows\system32\winlogon86.exe
To:
c:\windows\system32\userinit.exe,

Then you should be able to logon to windows.

Helper32.dll (Helper32) Trojan Virus File Removal | Virus Removal Guru January 17th, 2010 at 3:21 pm

[...] Trojan Virus (Click Here To Learn More) Related To: Internet Security 2010 Location: C:WINDOWSsystem32Helper32.dll (Click Here To Learn How To Locate) Risk Level: Moderate [...]

IS15.exe (IS15) Trojan Virus File Removal | Virus Removal Guru January 17th, 2010 at 3:40 pm

[...] Trojan Virus (Click Here To Learn More) Related To: Internet Security 2010 Location: C:WINDOWSsystem32IS15.exe (Click Here To Learn How To Locate) Risk Level: Moderate [...]

Worm.Win32.NetSky Removal | Virus Removal Guru January 17th, 2010 at 9:53 pm

[...] signals that the computer may be infected with either a fake antivirus program (specifically Internet Security 2010 or Advanced Virus Remover) or a fake antivirus alert, which provides the alert to scare the user [...]

Hannah January 19th, 2010 at 2:23 am

I tried copying the system restore file and it worked until i tried to choose a date and the virus wont let me…at a total loss…

Brandon January 20th, 2010 at 10:58 pm

I have downloaded Winternals Erd Commander 2007 with a torrent. Then burned it to a CD. But how do I access the program in order to change the UserInit from

Bobby January 22nd, 2010 at 7:23 am

Just open the registry with a boot disk, follow my instructions above for what to change. then boot to safe mode and run Combofix from bleepingcomputer and malwarebytes. Your system will be clear of Internet Security 2010.

Desktop Security 2010 (DesktopSecurity2010) Virus Removal Guide | Virus Removal Guru January 23rd, 2010 at 4:38 pm

[...] Desktop Security 2010 is one of many fake antivirus programs, including Malware Defense and Internet Security 2010. Desktop Security 2010 hopes to trick the user into thinking that it is a real program by using [...]

woodyintx January 23rd, 2010 at 7:07 pm

I caught this Internet Security 2010 bug and it has me stumped. Can’t log in, boot to safe or anything – can’t seem to create a working rescue disk either. I copied NTloader, boot.ini and the other NT file but it still wouldn’t boot. I’ve seen bits and pieces about this – can someone give me some good step by step info on how to fix this?

zenithltd January 25th, 2010 at 2:45 am

Internet 2010 Virus attack happened when I switched to Norton Internet 2010 from AVG. Norton did find it but it did not kill it completely. I shut down the machine and I could not log on since XP would log me out as soon as I logged on. I used Windows Console and I was able to log on. Now I ended with blue screen on start.

Stop 0×0000007B or INACCESSIBLE_BOOT_DEVICE

I went to the site below and prepared a boot CD with a lot of utilities. I prepared 9 other boot CD without luck since most were like Windows Console with no REGEDIT on it to clean up the registry.
//www.ubcd4win.com/howto.htm
Also shut off your virus protection since McAfee complained (in my second computer) and it would not produce a good boot disk. After I used the boot disk, there are many utilities available. I used the regedit and changed registry entries as outlined below.

http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
http://www.virusremovalguru.com/?p=4918

Using the tool I could copy my data using explorer.exe under run CMD.

Finally I used reedit and restored my registry to previous week using UBCD utility.
That fixed the issue with Internet 2010.

KusanagiShiro February 8th, 2010 at 7:23 pm

I’ve tried everything, but av.exe disabled my browser; I cannot connect to any website, and all my exe files when opened give me an “Open With” window. Someone please make a fix to this!

Quake_Sinatra February 15th, 2010 at 2:30 am

Internet Explorer typically gets set to use a proxy with the newer infections. Go to IE – internet options – connections tab – Lan settings – uncheck the use proxy. Ensure you are clean before connecting the machine to the internet, these blended threat type infections usually are multiple “smaller” parts that can undo most of your cleaning in a matter of minutes when connected to a live feed.

Win 7 Antispyware 2010 (Win7 Antispyware 2010) Virus Removal Guide | Virus Removal Guru February 15th, 2010 at 9:34 am

[...] 7 Antispyware 2010 is one of many fake antivirus programs; other fake antivirus programs include Internet Security 2010 and XP Guardian. Win 7 Antispyware 2010 hopes to trick the user into thinking that it is a real [...]

Security Essentials 2010 (SecurityEssentials2010) Virus Removal Guide | Virus Removal Guru February 15th, 2010 at 6:15 pm

[...] Essentials 2010 is one of many fake antivirus programs; other fake antivirus programs include Internet Security 2010 and XP Guardian. Security Essentials 2010 hopes to trick the user into thinking that it is a real [...]

Security Central (SecurityCentral) Virus Removal Guide | Virus Removal Guru February 18th, 2010 at 5:24 pm

[...] Security Central is one of many fake antivirus programs; other fake antivirus programs include Internet Security 2010 and Security Essentials 2010. Security Central hopes to trick the user into thinking that it is a [...]

Greg March 3rd, 2010 at 3:40 pm

I hate to state the obvious here (again) but as long as you use free programs, you won’t get quite as much protection or removals as with other programs. AVG isn’t going to stop any Malware, especially Security Antivirus or XP Antivirus. If you’re happy with it, that’s great but it just isn’t going to protect your computer. I’ve used AVG, Spybot, Ad-Aware, etc for years and only after I registered Spy Sweeper and Nod32 did I find that I never was fully protected.

You also have to be smarter than the things you’re clicking on. Warez sites, torrent sites, Adult sites and especially Limewire are sure fire ways to get something on your computer that will be a complete headache.

Dr. Guard (DrGuard) Virus Removal Guide | Virus Removal Guru March 3rd, 2010 at 11:44 pm

[...] and a clone of Paladin Antivirus. Dr. Guard is one of many fake antivirus programs, which include Internet Security 2010 and XP Antispyware 2010. The program is generally installed through the use of a trojan horse; [...]