[Important] Internet Security 2010 (Malware//Scam)

Status
Not open for further replies.

Wrex (Baseband Member, 52 messages, Japan)
I already wrote this guide for another forum I frequent, but figured I might as well post it here.

Gonna put this out short; but within the last months, someone has come up with a pretty well done scam to trick millions of computer users into paying for an anti-virus protection/security guard that is fake.

The first part of this guide contains information and screenshots of the virus. If you want to instantly get help removing it, please scroll down to the end of the second spoiler tag in this post.

The malware has been produced as several names, but it is mostly known as:

XP Internet Security 2010
Antivirus Vista 2010
Win 7 Antispyware 2010

If you get this on your computer - DO NOT PURCHASE ANY ITEMS FROM THEIR STORE. It is all a scam, no matter how real and well done this seems. But don't worry, this guide will help you to get rid of it.

Please keep it mind: It can and will appear with a different name.
Other names it can be found as:

* Antivirus Vista 2010
* Vista Antispyware 2010
* Vista Guardian
* Vista Antivirus Pro
* Vista Internet Security
* Vista Internet Security 2010
* XP Guardian
* XP Antivirus Pro
* XP AntiSpyware 2010
* XP Internet Security
* XP Internet Security 2010
* Antivirus XP 2010
* Antivirus Win 7 2010
* Win7 Guardian
* Win 7 Antivirus Pro
* Win 7 Antispyware 2010
* Win 7 Internet Security
* Win 7 Internet Security 2010

This virus is rather well done, considering a few things. First of all, it will download and install itself under the name most suitable for the operating system on your computer.

The first thing it will do is turn off your firewall. No matter how many anti-virus programs you are running, it might bypass them and install itself, as it's a pretty tricky trojan.

When your firewall has been turned off, it will execute a false Windows Security Center.
Apologies for the foreign language; this screenshot is taken from the false one.

[screenshot e5mcsn.jpg: the false Windows Security Center]

Here's a picture of my real one after a clean-up and reboot. See the difference?

[screenshot 1zwlwll.jpg: the real Windows Security Center after clean-up]

If you expand the top option for Firewall, there's a 'Recommendation' option (the one named Anbefalinger in my screenshot) to turn it on. You can't find that on the false one.

As you can see, it claims I don't have any anti-virus program running which is not true. It also claims my firewall is off, which is true as that's one of the things it did so far.

Other things it might display and do to your computer:
(Note: All these pictures contain false warnings and none of them should be taken seriously other than in the regard of them having malicious purposes.)


Screenshots of the virus

False Security Warning:
[screenshot ehxlvs.jpg: false security warning]

False virus scan including claimed malware on your computer:
[screenshot 2aepax2.jpg: false virus scan]

An option to purchase a false anti-virus from their store.
Do not go there and give them your information, this is the actual scam of the program.
[screenshot 4fzog5.jpg: purchase page of the false anti-virus]

The virus will also display a bunch of false bubbles from the icon running in your system tray. This is the part where they try to make it seem like you're running out of time to get your computer fixed.
[screenshot 1fy6p5.jpg: false system tray bubbles]



Another thing it will do: It will hijack your internet browser so you won't be able to access any websites until you purchase their anti-virus program (which you are NOT going to do).
If you still have internet access,

After giving you a little insight on how it acts and works, I'll now guide you on how to remove this from your system.
First of all, copy this guide into Notepad.
If you still have access to websites (seeing as you're reading this thread), download Malwarebytes' Anti-Malware and FixExe.reg. Without this file, you will have problems running the Anti-Malware program because the virus will prevent it from running.
If you don't have access to do that - download them from another computer and transfer them to your infected one through a flash drive.

Now. Turn off your Internet, close your Internet browser and make sure all your regular programs are not running anymore. But before you start - make sure the Internet Security 2010 virus is running because it gives Malwarebytes Anti-Malware a higher chance to find it.

If you disabled the Internet Security 2010 virus (It will run as av.exe in your task manager), launch any program that will trigger the virus to start. (Your browser for instance)

Now, open and run FixExe.reg so you're able to launch the Malwarebytes' Anti-Malware installer. Install and do a FULL SCAN. Do not mess with the default options.
Let it scan and go do other stuff until it's done.

Your final results will look something like this:

[screenshot axmdn6.jpg: Malwarebytes' Anti-Malware scan results]


Click the remove now option and agree to reboot your computer.
When you turn it back on, the virus should be gone. If you happen to get it again, it might come as one of the other names. HOW you got it on your computer is rather unimportant. It can happen to the best of us no matter how careful we are. Remember to turn your firewall back on once your computer is clean. For more advanced options/information, check the spoiler tag below.

Any questions, feel free to PM me or preferably ask them in this thread.


Other relevant information:

Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Files:
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\AppData\Local\av.exe <In Antivirus Vista 2010 & Win 7 Antispyware 2010>
%UserProfile%\AppData\Local\WRblt8464P <In Antivirus Vista 2010 & Win 7 Antispyware 2010>

Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Windows Registry Information:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
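The following script is an added example and is not code from the original post or from Wrex. It turns the file, registry and process indicators listed above (plus the ave.exe process name from the later update in this thread) into a read-only check you can run on a suspect machine before and after the clean-up. It assumes it is run from a PowerShell prompt on that machine; reading these keys needs no elevation. It changes nothing, and only reports what it finds.

```powershell
# Added example, not from the original thread. Reports the Internet Security 2010
# indicators listed in the post: rewritten launch commands, Security Center overrides,
# dropped files, and the av.exe / ave.exe process. Read-only; nothing is modified.

$RogueProcessNames = @('av', 'ave')        # Get-Process names have no .exe suffix
$RogueImageNames   = @('av.exe', 'ave.exe')

# Launch-command keys the post reports being pointed at av.exe
$CommandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\secfile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

# Dropped files the post lists: XP-style profile layout, then Vista/7-style
$DroppedPaths = @(
    "$env:USERPROFILE\Local Settings\Application Data\av.exe",
    "$env:USERPROFILE\Local Settings\Application Data\WRblt8464P"
)
if ($env:LOCALAPPDATA) {   # not defined on XP, so only add these when it exists
    $DroppedPaths += "$env:LOCALAPPDATA\av.exe"
    $DroppedPaths += "$env:LOCALAPPDATA\WRblt8464P"
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# 1. Launch commands. On a clean system the .exe launch command is "%1" %* under
#    HKLM\Software\Classes\exefile; a per-user HKCU\Software\Classes\.exe key normally
#    does not exist at all, so its presence is reported on its own.
foreach ($Key in $CommandKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Cmd = (Get-ItemProperty -LiteralPath $Key).'(default)'
    foreach ($Name in $RogueImageNames) {
        if ($Cmd -and $Cmd -match [regex]::Escape($Name)) {
            Add-Finding 'registry-hijack' $Key $Cmd
        }
    }
}
if (Test-Path -LiteralPath 'HKCU:\Software\Classes\.exe') {
    Add-Finding 'registry-suspicious' 'HKCU:\Software\Classes\.exe' 'per-user .exe class override present'
}

# 2. Security Center overrides from the post; the rogue sets both to 1
$SecCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path -LiteralPath $SecCenter) {
    $Props = Get-ItemProperty -LiteralPath $SecCenter
    foreach ($Name in 'AntiVirusOverride', 'FirewallOverride') {
        if ($Props.$Name -eq 1) {
            Add-Finding 'security-center' "$SecCenter\$Name" '1 (override enabled)'
        }
    }
}

# 3. Dropped files
foreach ($Path in $DroppedPaths) {
    if (Test-Path -LiteralPath $Path) { Add-Finding 'file' $Path 'present' }
}

# 4. Running rogue process (av.exe, or ave.exe per the update later in the thread)
foreach ($Proc in Get-Process -Name $RogueProcessNames -ErrorAction SilentlyContinue) {
    $Image = '(path unavailable)'
    try { if ($Proc.Path) { $Image = $Proc.Path } } catch { }
    Add-Finding 'process' $Proc.ProcessName "PID $($Proc.Id): $Image"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Internet Security 2010 indicators from the thread were found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it once before the FixExe.reg and Malwarebytes' Anti-Malware steps to confirm you are looking at this rogue, and again after the reboot: a clean result should show none of the hijacked launch commands, no per-user .exe key, both Security Center overrides absent or 0, and no av/ave process. A remaining Security Center override after the clean-up is why the post tells you to turn the firewall back on yourself.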
 
They consider this a Rogue virus. It's a particularly nasty virus that I've seen a lot of cases of at work. Unfortunately, more people than you'd imagine fall for this trick. It's a relatively easy virus to get rid of, but it can cause substantial damage to the OS that usually results in having to restore it. This virus alone has probably put millions in the pockets of repair places.

Thanks for the screen shots and such, Wrex. This really helps a lot!
 
As I can't edit my own post anymore, I'll post a reply here.

Important update:

The malware will now also run as ave.exe in your task manager. Note: It might still run as av.exe though.
 