Internet Security 2010 Analysis and Removal

by Shanmuga

Once installed in the system, Internet Security 2010 produces a variety of fraudulent messages about non-existent malware. The scare messages are designed to scam the user into purchasing a subscription. They are so frequent and insistent that they make the computer unusable. On the test system it blocked the execution of the installed internet browsers: Internet Explorer, Firefox and Google Chrome. This scareware executes at system start and copies itself into the Windows directory, presumably to stay undetected by users.

Trying to open Windows Media Player creates a fake fatal error window with the following text:

Windows can’t play the following media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC; WAV;WMA;CDA;FLAC;M4A;MID, Update your video and sound codec to resolve this issue.

The default browser is opened and hijacked to http://vs-codec-pro .net/form.php?code=0001122 purportedly to update video and sound codecs.

The performance of the computer progressively gets worse as more malware is downloaded on certain systems, and execution of most applications is blocked. Windows administrative functions like Task Manager, Regedit, cmd etc. are blocked. Frequent messages about Internet Explorer crashing are displayed.

Desktop hijacked by Internet Security 2010

Applications including MalwareBytes’s Anti-Malware and SuperAntiSpyware cannot be installed. They are blocked from opening if already installed and the following error message is displayed:

Application cannot be executed. The file is infected. Please activate your antivirus software.

This scareware is relentless even in Windows Safe Mode and thwarts most attempts to remove it from the system.

Rogue security software such as Internet Security 2010 belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license/subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.

Internet Security 2010 Aliases

This scareware is known by the following aliases:

  • Trojan-Downloader.Win32.FraudLoad!IK
  • Trojan.FakeAv.ABH
  • Trojan-Downloader:W32/FraudLoad.JP
  • W32/FraudLoad.GIE!tr.dldr
  • Trojan-Downloader.Win32.FraudLoad.gie
  • TrojanDownloader:Win32/Fakeinit
  • Win32/TrojanDownloader.FakeAlert.AED
  • Adware.CWSIEFeats
  • TROJ_FAKEAV.MCS

Typical Internet Security 2010 Scare Messages

Internet Security 2010 scare messages

Your computer is infected!Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will download and install the most up-to-date antispyware for you.

Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. It’s highly recommended you scan your PC right now.

Your computer is being attacked from a remote machine! Block Internet access to your computer to prevent system infection.

Security Warning! Worm.win32.NetSky detected on your machine. This virus distributed via the Internet through e-mail and Active-x objects. The worm has its own SMTP engine which means it gathers e-mails from yur local computer and re-distributes itself. In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data. Viruses can damage your confidential data and work on your computer. Continue working in unprotected mode is very dangerous.

The trojan downloader is named install.exe in this instance. It is about 25600 bytes in size and is detected by 27/41 (65.85%) of the antivirus engines available at VirusTotal.

Internet Security 2010 Associated Files and Folders

  • C:\Program Files\InternetSecurity2010\IS2010.exe
  • C:\WINDOWS\system32\smss32.exe
  • C:\WINDOWS\system32\winlogon32.exe
  • C:\WINDOWS\system32\41.exe
  • C:\WINDOWS\system32\helper32.dll
  • C:\WINDOWS\Prefetch\SMSS32.EXE-1EEDAC52.pf
  • C:\WINDOWS\Prefetch\IS2010.EXE-19036254.pf
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Internet Security 2010.lnk
  • C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WHQBKPMB\DFGHFGHGFJ.DLL
  • C:\Program Files\InternetSecurity2010

Some of the file names may be randomly generated.

Internet Security 2010 Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit c:\windows\system32\winlogon32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit system32\winlogon32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (C:\WINDOWS\system32\winlogon32.exe)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
  • HKEY_CURRENT_USER\SOFTWARE\IS2010
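
The file and registry indicators listed above can be checked against a file listing and registry export collected from a suspect machine. The following is an added example, not part of the original article: the function names, the (key, value name, data) tuple layout and the sample data are assumptions made for illustration. Because some file names may be randomly generated, a clean result from this check does not prove the machine is clean.

```python
import re

# Indicators copied from the article's lists, lower-cased because Windows
# paths and registry names are case-insensitive.
FILE_IOCS = {
    r"c:\program files\internetsecurity2010\is2010.exe",
    r"c:\windows\system32\smss32.exe",
    r"c:\windows\system32\winlogon32.exe",
    r"c:\windows\system32\41.exe",
    r"c:\windows\system32\helper32.dll",
    r"%profile%\start menu\internet security 2010.lnk",
}
KEY_IOCS = (
    r"hkey_current_user\software\is2010",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\image file execution options\install.exe",
)
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_IOCS = {"smss32.exe", "internet security 2010"}
WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
# The article's profile name (malwarehelp.org) differs on every machine.
PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+")

# Constructed triage sample (not from the article).
SAMPLE_FILES = [r"C:\WINDOWS\System32\SMSS32.EXE", r"C:\WINDOWS\system32\smss.exe"]
SAMPLE_REGISTRY = [(
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "Userinit", r"C:\WINDOWS\system32\winlogon32.exe")]

def normalize(path):
    """Lower-case a path and replace the XP profile root with %profile%."""
    return PROFILE_RE.sub("%profile%", path.strip().lower())

def match_files(paths):
    """Return the collected paths that equal a listed file indicator."""
    return [p for p in paths if normalize(p) in FILE_IOCS]

def match_registry(entries):
    """entries: (key, value_name, data) tuples; returns (reason, key) hits."""
    hits = []
    for key, name, data in entries:
        k, n, d = key.lower().rstrip("\\"), name.lower(), data.lower()
        if k.startswith(KEY_IOCS):
            hits.append(("rogue key", key))
        elif k.endswith(RUN_SUFFIX) and n in RUN_VALUE_IOCS:
            hits.append(("run entry", key))
        elif k.endswith(WINLOGON_SUFFIX) and n == "userinit" and "winlogon32.exe" in d:
            hits.append(("userinit hijack", key))
    return hits
```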

Internet Security 2010 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://downloadavr25 .com/loads.php?code=0001122
  • http://testavrdown .com/cgi-bin/get.pl?l=0001122
  • http://buy-internet-security .com/buy/?code=00001122
  • http://vs-codec-pro .net/form.php?code=0001122

Note: Visiting the domains mentioned above may harm your computer system.

Internet Security 2010 Removal (How to remove Internet Security 2010)

Do not restart or shut down the computer, as there are instances of this malware causing the dreaded Windows logon/logoff loop. Disconnect it from the network if you can. From a clean computer download and copy the following free applications to a USB flash drive:

Insert the flash drive into the infected computer and browse to it and run the programs in the following order:

  • Dr.Web CureIt! comes in a randomly named file to evade identification by malware. Click to open. Since you are supposed to use this on a home PC, click Cancel and then click Start and OK to start an express scan. Click Yes to cure or move the infected objects. Once the scan is complete, click Yes to restart.
  • Install MalwareBytes’s Anti-Malware, open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart to complete the removal process.
  • Turn System Restore off and on.
  • Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, you may have other malware in addition to Internet Security 2010. Please visit one of the recommended forums for malware help and post about your problem.

Note: The Internet Security 2010 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

16 comments

Anonymous January 16, 2010 at 8:21 AM

I used AVAST and it found it. Would not let McAfee work. I needed to remove all files from McAfee then download again after removing Avast. I might go back to Avast if McAfee fails me again

Jeff January 17, 2010 at 8:22 AM

Ran DrWebcureit and found nothing. Trying the avast to see if it finds it. ugh!

Phil January 17, 2010 at 11:01 AM

I came across this website too late. I got caught with the loop of logging in/logging off. How do I fix this problem or just get the computer to log on and stay logged on?

Steve January 18, 2010 at 10:48 PM

To Phil. When it starts logging off pull the plug out of the wall and then back in and turn computer on and it will hard boot and let you back on. Download PCTools Spyware Doctor and let it scan and remove all the threats and infections. This will allow you to go to restore and restore to an earlier date before the infection. Worked for me.

PO'd January 19, 2010 at 10:52 PM

Here is one for everyone out there. My desktop (using laptop for this) was infected with the lovely IS2010. After the many suggestions seen on the internet for Spyware Doctor and other “free” spyware removal tools, programs or whatever they’re called, I downloaded Spyware Doctor and ran a scan. It did in fact locate IS2010 along with other garbage and to my shock (sarcastic) in order to have it removed I have to pay…what happened to the “free” removal. Now that my computer is totally disabled I am beginning to think that the J-O’s that advertise their “free” removal tools, programs and such are the same tools that are creating the havoc in the first place. To the creator of spyware, malware and future ware’s not yet named I have four numbers for you to figure out…7625!

Percy January 22, 2010 at 8:19 AM

Hi just wanted to thank you for your advice/solution to ridding my computer of this dreaded is2010 bug. Whew!
I was not able to download the DrWeb Cureit! onto my computer, but once I installed and ran the Malwarebytes’- AntiMalware the problem was gone. As an added measure I also ran the CCleaner software, too. Now my computer is working as it was before.
I know you recommended installing this software onto a clean computer and then transferring them to the infected computer, but I was able to install the software (except for the first one) directly onto the infected computer and they worked wonderfully. I only have one usable computer.
Thank you, thank you, thank you. Now I can send the money that I would most likely have spent trying to fix said problem to the Haitian Relief Effort.
Blessings to you

Amy January 23, 2010 at 1:36 AM

It worked!!!!
Thank you so much for this information… you saved my computer and my husband from having to start from scratch. I really did not think I could do it, but your step by step info was very helpful and easy to follow.
Sincerely,

Alex January 25, 2010 at 11:22 AM

Downloaded Dr.WebCureIt along with HiJack This. IS2010 had disabled task manager, so HiJack This allowed me to kill the IS2010 program and delete it manually, then used DrWebCureIt to get rid of the remaining files. HiJack This is an awesome program for getting rid of some of the hard to find and kill programs. But be careful: if you don’t know what you’re doing with it you can do more harm than good.

Shawn January 27, 2010 at 1:17 AM

My wife somehow downloaded this program at her work last week. Her IT people were able to find it and take care of the problem. BUT this weekend when she accessed her work e-mail from our home laptop… as soon as she opened her e-mail… it loaded to our laptop.
Avast immediately found it but would not let me get rid of it because “It was being used by another process” so the next choice through Avast was to delete it upon restart…. I chose that option and am not stuck with the loop described above. Anyone know how to Hard Boot a Laptop as described above so I can get rid of the problem? Please let me know!

Shawn January 27, 2010 at 1:28 AM

PS to the above… I figured out how to Hard Boot my Laptop… but we have 2 separate logins on my laptop (1 for me & 1 for my wife). I tried to Hard Boot after clicking on my ICON but I still have the loop… Is there anything I can do / what should I do?

Andy January 29, 2010 at 1:01 AM

Shawn,
I presume you figured to remove the battery and the power cord from the laptop to get a hard boot. After pressing power button keep tapping F8 until a list of various boot options comes on, try choosing the one called “last known good configuration” this should use the setup from the last time you were logged in successfully. Alternatively use the system administrator logon which may have to be done using “safe mode” (from the F8 startup screen)

Mick Cosme January 30, 2010 at 11:01 PM

You must remove sptd.sys from your Windows directory; it is found in your Windows drivers folder. Also, helper32.dll will keep messing you up and that needs to go too. Keep in mind that Malwarebytes does not remove helper32.dll; also the sptd.sys file is corrupted, it is not a virus. Hope this helps. Also, Hijackthis will remove helper32.dll. Also you must get rid of all your internet temporary files and cookies or you will just end up getting infected again. Also, you want to keep your ActiveX security on; don’t allow automatic downloads, that is how you got infected in the first place. Plus, torrents are notorious for having trojans and other crap hidden in them. Good luck. SYSINTERNALS HAVE ROOTKIT FINDERS AND OTHERS. DON’T GO MESSING WITH YOUR REGISTRY IF YOU DON’T KNOW EXACTLY WHAT YOU ARE DOING.

Sal February 11, 2010 at 9:17 AM

I just found that my laptop has the IS 2010 virus. It had been acting up for several weeks, so I just ran Malwarebytes and it would work fine for a while. But now it’s just not doing anything.

When I turn it on, it takes me straight to the screen where I have to choose “Safe Mode”, “safe mode with networking” etc. But no matter what I select, it brings me back to the same screen. Took it to Geek Squad, but they want $200 to remove it. Any suggestions on how I can get past this screen and go into Windows to try to fix this?

Thanks.

Shanmuga February 11, 2010 at 10:10 AM

Sal, if you are unable to boot into Safe Mode, try anti-virus rescue disk. If that fails try a Repair Install Windows XP, Vista and Windows 7.

You may also visit one of the recommended forums for malware help and post about your problem.

J. D. February 13, 2010 at 11:33 AM

cannot log on, even go F8, still cannot get on

aaron February 19, 2010 at 3:47 AM

For the dreaded Windows logon/logoff loop go here and follow the steps. I fix this problem for me (cookbook steps). http://www.logicnest.com/archives/90
