Sunday, 19 December 2010

How to Remove Internet Security 2011 (Uninstall Guide)

Internet Security 2011 is a fake anti-virus program that purposely reports false system security threats to make you think that your computer is infected with trojans, spyware and other malicious software. It pretends to scan your computer for malware and flags legitimate Windows system files as malcode, e.g. Worm.Win32.Kido, Trojan.Rootkit.drv, AdWare.Redirect.xt. Internet Security 2011 will prompt you to pay for a full version of the program to remove the threats. First of all, do not purchase it. It's a scam. Secondly, do not attempt to remove supposedly found viruses manually. Otherwise, you may delete important system files. This may cause windows to become unstable. If you have this rogue security program on your computer then please follow the removal instructions below to remove Internet Security 2011 and any related malware for free.

Windows XP

Windows Vista & Windows 7

Internet Security 2011 is from the same family as Antivirus 2010. Usually, such rogue programs have to be manually installed but they may come bundled with other malicious software or through software vulnerabilities as well. The scammers use fake online scanners and misleading social engineering methods to distribute such dreaded security programs as Internet Security 2011. Once installed, this rogue program displays fake security alerts and fake error messages saying that certain programs are infected with Trojan BNK.Keylogger.gen or that someone is making unauthorized copies of your files.
Attention! Network attack detected!
Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.

Attention! Threat detected!
[program_name].exe is infected with Trojan-BNK.Keylogger.gen
Private data can be stolen by third parties including card details and passwords.
It is strongly recommended to perform threat removal on your system.

What is more, Internet Security 2011 denies access to nearly all programs on your computer stating that you may not have permission to access them. The fake error message contains the following text:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

In order to regain access to the program you will have to open a Command Prompt and use the following command to give the Everyone group permission to the file:

cacls [full path to the program] /G Everyone:F

cacls "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" /G Everyone:F

NOTE: If you are using Windows Vista or Windows 7 then you will have to run Command Prompt as administrator.

Unfortunately, if the Internet Security 2011 comes bundled with other malware, usually, rootkits, then it will be very difficult to remove the rogue program from your computer manually. First of all, you will have to remove rootkits and then the rogue program with related malware. So, I'm afraid you won't find any "one-click-fix" solution to this problem. Thankfully, we've got the removal instructions to help you to remove Internet Security 2011 from the system using legitimate tools and anti-malware programs. Please follow the removal instructions below. Also, if you have already purchased Internet Security 2011 then please contact your credit card provider and dispute the charges. If you have any questions regarding to Internet Security 2011 removal, please leave a message using the contact form below. Good luck and be safe online!

Internet Security 2011 removal instructions:

1. Open C:\Windows\System32 in Windows Explorer. There will be two userinit.exe files in this directory. The legit one is the usual generic executable file icon. The fake one has a shield icon like an antivirus product would or a globe icon as shown in the image below.

Rename the fake userinit.exe extension to userinit.vxe

NOTE: configure Windows to show extensions of known file types in order to correctly change the extension of the fake userinit.exe file. For more information, please read Show File Extension in Windows XP and Show File Extension in Windows Vista and Windows 7.

2. Open Device Manager. How do I get into Windows Device Manager?
Expand "System Devices".
Right click "[cmz vmkd] Virtual Bus", choose "Disable".

Click "Yes" when it asks if you would like to disable it.

3. Open C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\ in Windows Explorer.

Rename shsvcs.dll to shsvcs.dl_

4. Open Windows Registry Editor (regedit.exe).

Browse to HKLM\System\CurrentControlSet\Services\vbma[random characters].

Right click the vbma[random characters] key (e.g. vbmaf492 ) and click "Permissions".

Click "Advanced".

Check both "Inherit from parent...." and "Replace permission entries....". Click "OK". Click "Yes" when it asks if you wish to continue.

Double click the "Start" value

Change the value from "3" to "4" to disable the service. Click "OK".

Browse to HKLM\System\CurrentControlSet\Services\Userinit

Double click the "Start" value.
Change the value from "3" to "4" to disable the service.

5. Restart your computer.

6. Create a folder on the desktop labeled "Malware".
Move the following files to your malware folder on the desktop:
  • c:\windows\system32\Userinit.vxe (the fake one)
  • c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dl_
  • c:\windows\System32\Drivers\vbma[random characters].sys (e.g. vbmaf492.sys)

7. Delete the following keys from the registry:
  • HKLM\System\CurrentControlSet\Services\vbma[random characters]
  • HKLM\System\CurrentControlSet\Services\Userinit

8. Open Device Manager.
Expand "System Devices"
Right click "[cmz vmkd] Virtual Bus" choose "Uninstall". Click "OK" to confirm device removal.

9. Download TDSSKiller. Double-click to launch it. Scan your computer and remove found rootkits (if exist).
10. Download and scan your computer with recommend anti-malware software (STOPzilla) to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

11. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.

Internet Security 2011 associated files and registry values:

  • C:\Documents and Settings\All Users\Application Data\.wtav
  • C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\
  • C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
  • C:\WINDOWS\assembly\GAC\__AssemblyInfo__.ini
  • C:\WINDOWS\system32\exefile.exe
  • C:\WINDOWS\system32\mswmqnei.dll
  • C:\WINDOWS\system32\us?rinit.exe (not userinit.exe file which is in the same folder)
  • C:\WINDOWS\system32\drivers\vbma22b4.sys
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbma22b4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiSpywareOverride" = '1'
Share this information with other people:

No comments:

Post a Comment