Once installed in the system, Internet Security 2010 produces a variety of fraudulent messages about non-existent malware. The scare messages are designed to scam the user into purchasing a subscription. They are so frequent and insistent that they make the computer unusable. It blocked the execution of the Internet Explorer, Firefox and Google Chrome browsers installed on the test system. This scareware executes at system start and copies itself into the Windows directory, presumably to stay undetected by users.
Trying to open Windows Media Player creates a fake fatal error window with the following text:
Windows can’t play the following media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC; WAV;WMA;CDA;FLAC;M4A;MID, Update your video and sound codec to resolve this issue.
The default browser is opened and hijacked to http://vs-codec-pro .net/form.php?code=0001122 purportedly to update video and sound codecs.
The performance of the computer progressively gets worse as more malware is downloaded on certain systems and execution of most applications is blocked. Windows administrative functions like Task Manager, Regedit, cmd, etc. are blocked. Frequent messages about Internet Explorer crashing are displayed.
Application cannot be executed. The file is infected. Please activate your antivirus software.
This scareware is relentless even in Windows Safe Mode and thwarts most attempts to remove it from the system.
Rogue security software such as Internet Security 2010 belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license/subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
Internet Security 2010 Aliases
This scareware is known by the following aliases:
Typical Internet Security 2010 Scare Messages
Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will download and install the most up-to-date antispyware for you.
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC. It’s highly recommended you scan your PC right now.
Your computer is being attacked from a remote machine! Block Internet access to your computer to prevent system infection.
Security Warning! Worm.win32.NetSky detected on your machine. This virus distributed via the Internet through e-mail and Active-x objects. The worm has its own SMTP engine which means it gathers e-mails from yur local computer and re-distributes itself. In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data. Viruses can damage your confidential data and work on your computer. Continue working in unprotected mode is very dangerous.
The trojan downloader is named install.exe in this instance. It is about 25600 bytes in size and is detected by 27/41 (65.85%) of the antivirus engines available at VirusTotal.
Internet Security 2010 Associated Files and Folders
- C:\Program Files\InternetSecurity2010\IS2010.exe
- C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
- C:\Documents and Settings\malwarehelp.org\Start Menu\Internet Security 2010.lnk
- C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WHQBKPMB\DFGHFGHGFJ.DLL
- C:\Program Files\InternetSecurity2010
Some of the file names may be randomly generated.
Internet Security 2010 Associated Registry Values and Keys
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit c:\windows\system32\winlogon32.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit system32\winlogon32.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (C:\WINDOWS\system32\winlogon32.exe)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
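The registry entries listed above can be checked from exported key data rather than on the live system. The following Python code is an added example, not part of the original article: it parses text in `reg query` output layout and flags the listed Userinit, Run and Image File Execution Options entries. The sample text, the function names and the expected Userinit path (Windows installed in C:\WINDOWS) are assumptions of the example.

```python
import re

# Constructed sample in `reg query` output layout (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon32.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    internet security 2010    REG_SZ    C:\Program Files\InternetSecurity2010\IS2010.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
# Assumption: Windows lives in C:\WINDOWS, as on the article's XP SP3 test system.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_text(text):
    """Return {key path: {value name: data}} with key and value names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(3).strip()
    return keys


def find_indicators(keys):
    """Return (indicator, detail) pairs for the registry entries listed in the article."""
    findings = []
    # Userinit is a comma-separated program list run at every logon; any entry
    # other than the stock userinit.exe path is reported.
    userinit = keys.get(WINLOGON, {}).get("userinit", "")
    for entry in (e.strip() for e in userinit.split(",")):
        if entry and entry.lower() != EXPECTED_USERINIT:
            findings.append(("userinit", entry))
    if "internet security 2010" in keys.get(RUN, {}):
        findings.append(("run", keys[RUN]["internet security 2010"]))
    if IFEO + "\\install.exe" in keys:
        findings.append(("ifeo", "install.exe"))
    return findings


print(find_indicators(parse_reg_text(SAMPLE)))
```

Because the Userinit comparison is against the full expected path, all three Userinit variants listed above are reported, including the relative and parenthesised forms.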
Internet Security 2010 Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://downloadavr25 .com/loads.php?code=0001122
- http://testavrdown .com/cgi-bin/get.pl?l=0001122
- http://buy-internet-security .com/buy/?code=00001122
- http://vs-codec-pro .net/form.php?code=0001122
Note: Visiting the domains mentioned above may harm your computer system.
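To find which machines on a network contacted these domains, proxy or gateway logs can be matched against the list. The following Python code is an added example, not part of the original article: it matches on the URL host (exact or subdomain) rather than on a substring, and groups hits by client. The log layout, client addresses, timestamps and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains exactly as the article lists them (defanged with a space before the TLD).
DEFANGED = ["downloadavr25 .com", "testavrdown .com",
            "buy-internet-security .com", "vs-codec-pro .net"]


def refang(domain):
    """Remove the defanging space so the name can be compared with log data."""
    return domain.replace(" ", "").lower()


BLOCKLIST = {refang(d) for d in DEFANGED}

# Constructed log lines (time, client, method, URL); addresses and times are made up.
SAMPLE_LOG = [
    f"2010-01-12T09:14:02 10.0.0.23 GET http://{refang(DEFANGED[3])}/form.php?code=0001122",
    "2010-01-12T09:14:05 10.0.0.23 GET http://www.example.org/index.html",
    f"2010-01-12T09:15:40 10.0.0.23 GET http://WWW.{refang(DEFANGED[1]).upper()}/cgi-bin/get.pl?l=0001122",
    # Look-alike host that only contains a listed name as a substring: must not match.
    f"2010-01-12T09:16:11 10.0.0.41 GET http://not{refang(DEFANGED[3])}/form.php",
]


def listed_domain(url):
    """Return the listed domain a URL's host equals or is a subdomain of, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in BLOCKLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def clients_contacting_listed(lines):
    """Map client address -> sorted list of listed domains it requested."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and (domain := listed_domain(parts[3])):
            hits[parts[1]].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}


print(clients_contacting_listed(SAMPLE_LOG))
```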
Internet Security 2010 Removal (How to remove Internet Security 2010)
Do not restart or shut down the computer, as there are instances of this malware causing the dreaded Windows logon/logoff loop. Disconnect it from the network if you can. From a clean computer download and copy the following free applications to a USB flash drive:
Insert the flash drive into the infected computer, browse to it and run the programs in the following order:
- Dr.Web CureIt! comes in a randomly named file to evade identification by malware. Click to open it. Since you are supposed to use this on a home PC, click Cancel and then click Start and OK to start an express scan. Click Yes to cure or move the infected objects. Once the scan is complete, click Yes to restart.
- Install Malwarebytes’ Anti-Malware, open it and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart to complete the removal process.
- Turn System Restore off and on.
- Install, scan and clean the temporary files with CCleaner.
You should now be clean of this rogue.
If you are unable to get rid of this scareware, you may have other malware in addition to Internet Security 2010. Please visit one of the recommended forums for malware help and post about your problem.
Note: The Internet Security 2010 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.