Two Methods of removing the Rogue AV/AS called Internet Security 2010


This blog post describes two methods of removing the rogue AV/AS called Internet Security 2010.

Method 1 ALMOST worked for me. I want to thank softsailor.com, who came out with the solution, because the steps are very clear and concise and identify all the files associated with the IS2010 rogue AV/virus. Also, bleepingcomputer.com shows precisely the list of associated files used by IS2010.
The reason it did not work for me was that rkill.com could not run, and after I deleted the IS2010 files listed below I got stuck on the Windows Welcome screen. When I tried to click the administrator user profile, the machine tried to open the profile and halfway through it would log me off without fully opening the profile, creating an infinite loop that took me nowhere.

That is when I discovered Method 2 which follows two Microsoft KBs: Article ID: 307545 and Article ID: 309531 (This article describes how to gain access to the System Volume Information folder, if your machine is using Windows XP using the NTFS File System on a Domain, Workgroup or Standalone Computer. If your machine is using FAT32 you don’t need this article). I copied and pasted both articles, and the links, so you can see them directly from the Horse’s mouth.
Method 2 worked 100%, without a glitch, and if you have a good understanding of DOS and command prompts (the Latin language of Windows IT support!) and follow the steps religiously, you will shine like a clean crystal!
Good luck!

========================================================================
Method 1
Step 1: Download Malwarebytes’ Anti-Malware for free. Save the file to your desktop. If Internet Security 2010 does not allow you to download anything, you should download the setup on another computer and use a USB stick or a CD/DVD to transfer the files needed. Remember to place the setup file on the desktop.
Step 2: Download the rkill.com file. Once the download is complete, run it. The rkill.com file will make sure the Internet Security 2010 will be closed for good so it does not interfere with the removal process.
Step 3: Close all open applications and windows. You now should be on the desktop.
Step 4: Run the Malwarebytes’ Anti-Malware setup from the desktop.
Step 5: Go with the default settings during the install. CRUCIAL: Make sure you tell the software to automatically update itself (there’s a box you need to check during the install to make that happen). In addition, make sure you tell MBAM to automatically launch itself once the install and update processes are complete.
Step 6: When Malwarebytes’ Anti-Malware loads, go to the Scanner screen, select “Perform Quick Scan” and then click the “Scan” button.
Step 7: When the scan is complete, press the Show Results button under the main “Scanner” tab.
Step 8: Check all the detected infections (so you remove both Internet Security 2010 and all related Trojans, as well as any other malware detected).
Step 9: When the removal process is complete, a log of the scan will be displayed in a Notepad window. You now have successfully removed Internet Security 2010, all related Trojans and any other infections detected by Malwarebytes’ Anti-Malware.

source: http://www.softsailor.com/how-to/13827-how-to-uninstall-remove-internet-security-2010-virus-removal-guide.html
==================================================================
Associated Internet Security 2010 Files (very precise list!)
c:\s
c:\Program Files\InternetSecurity2010
c:\Program Files\InternetSecurity2010\IS2010.exe
c:\WINDOWS\system32\41.exe
c:\WINDOWS\system32\winhelper86.dll
c:\WINDOWS\system32\winlogon86.exe
c:\WINDOWS\system32\winupdate86.exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
%UserProfile%\Desktop\Internet Security 2010.lnk
%UserProfile%\Start Menu\Internet Security 2010.lnk

Associated Internet Security 2010 Windows Registry Information:
HKEY_CURRENT_USER\Software\IS2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Internet Security 2010”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “winupdate86.exe”

source: http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
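As an added example (not from the blog or either source site), the Python below checks an offline copy of the system drive and a Regedit export for the indicators listed above, so a defender can confirm the persistence entries are gone after cleanup. The .reg text is a constructed sample; the file paths and Run value names are the ones quoted from bleepingcomputer.com.

```python
import os

# Indicators transcribed from the file and registry lists quoted above (bleepingcomputer.com).
IS2010_FILES = [
    ("Program Files", "InternetSecurity2010", "IS2010.exe"),
    ("WINDOWS", "system32", "41.exe"),
    ("WINDOWS", "system32", "winhelper86.dll"),
    ("WINDOWS", "system32", "winlogon86.exe"),
    ("WINDOWS", "system32", "winupdate86.exe"),
]
IS2010_KEYS = {r"HKEY_CURRENT_USER\Software\IS2010"}
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
IS2010_RUN_NAMES = {"Internet Security 2010", "winupdate86.exe"}


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}}.
    Only quoted string values are handled, which is all a Run key normally holds."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports quote strings and double their backslashes; undo both.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_registry_persistence(reg_text):
    """(key, value_name, data) for every IS2010 key or Run entry found in the export."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key in IS2010_KEYS:
            hits.append((key, None, None))
        if key in RUN_KEYS:
            for name, data in values.items():
                if name in IS2010_RUN_NAMES or "InternetSecurity2010" in data:
                    hits.append((key, name, data))
    return hits


def find_dropped_files(system_root):
    """Paths from the list above that still exist under an offline copy (or mount) of C:\\."""
    return [os.path.join(system_root, *parts) for parts in IS2010_FILES
            if os.path.exists(os.path.join(system_root, *parts))]


# Constructed sample resembling a Regedit export from an infected machine (ctfmon.exe is benign).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\IS2010]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security 2010"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"="C:\\WINDOWS\\system32\\winupdate86.exe"
'''
```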

===============================================================================

Method 2

Manual steps to recover a corrupted registry that prevents Windows XP from starting
The procedure that this article describes uses Recovery Console and System Restore. This article also lists all the required steps in specific order to make sure that the process is fully completed. When you finish this procedure, the system returns to a state very close to the state before the problem occurred. If you have ever run NTBackup and completed a system state backup, you do not have to follow the procedures in parts two and three. You can go to part four.
Part one
In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost.

To complete part one, follow these steps:
Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
When the “Welcome to Setup” screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default
Type exit to quit Recovery Console. Your computer will restart.
Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step five, and then create a text file called “Regcopy1.txt” (for example). To use this file, run the following command when you start in Recovery Console:
batch regcopy1.txt
With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands.
Part two
To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.

Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article.
Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart).
Press the F8 key.

On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu.
Use the arrow keys to select the appropriate Safe mode option, and then press ENTER.
If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER.
In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible:
Start Windows Explorer.
On the Tools menu, click Folder options.
Click the View tab.
Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
Click Yes when the dialog box that confirms that you want to display these files appears.
Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.
Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder.

Note This folder contains one or more _restore {GUID} folders such as “_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}”.

Note You may receive the following error message:
C:\System Volume Information is not accessible. Access is denied.
If you receive this message, see the following Microsoft Knowledge Base article to gain access to this folder and continue with the procedure:
309531 (http://support.microsoft.com/kb/309531/ ) How to gain access to the System Volume Information folder
Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with “RPx” under this folder. These are restore points.
Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM
Rename the files in the C:\Windows\Tmp folder as follows:
Rename _REGISTRY_USER_.DEFAULT to DEFAULT
Rename _REGISTRY_MACHINE_SECURITY to SECURITY
Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
Rename _REGISTRY_MACHINE_SAM to SAM
These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time.

The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again.

The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder.

Note The procedure described in this section assumes that you are running your computer with the FAT32 file system. For more information about how to access the System Volume Information Folder with the NTFS file system, click the following article number to view the article in the Microsoft Knowledge Base:
309531 (http://support.microsoft.com/kb/309531/ ) How to gain access to the System Volume Information folder
See this article pasted further below; this is necessary if you use NTFS.
Part Three
In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder:
Start Recovery Console.
At the command prompt, type the following lines, pressing ENTER after you type each line:
del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default
Note Some of these command lines may be wrapped for readability.
Type exit to quit Recovery Console. Your computer restarts.
Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called “Regcopy2.txt” (for example). To use this file, run the following command when you start in Recovery Console:
batch regcopy2.txt
Part Four
Click Start, and then click All Programs.
Click Accessories, and then click System Tools.
Click System Restore, and then click Restore to a previous Restore Point.

source: http://support.microsoft.com/kb/307545
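An added Python helper (not part of the KB article) for the two points in parts one to three where this procedure most often goes wrong: picking a restore-point Snapshot folder that predates the part-one hive swap, and generating regcopy1.txt / regcopy2.txt for a Windows folder other than C:\Windows. It assumes the _restore{GUID}\RPx\Snapshot layout the article describes and uses the folder's modification time (epoch seconds) as its creation time.

```python
import os

# Snapshot file name -> hive name, as listed in part two of the article above.
SNAPSHOT_TO_HIVE = {
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SAM": "SAM",
}
HIVES = ("system", "software", "sam", "security", "default")


def pick_snapshot(sv_info_dir, swap_time):
    """Return the newest RPx\\Snapshot folder that predates the part-one hive swap
    (swap_time, epoch seconds) and holds all five hive files, or None.
    Anything newer is the restore point Windows wrote from the bare Setup-time
    registry, which the article warns must not be used."""
    best = None
    for restore in os.listdir(sv_info_dir):
        if not restore.startswith("_restore"):
            continue
        for rp in os.listdir(os.path.join(sv_info_dir, restore)):
            snap = os.path.join(sv_info_dir, restore, rp, "Snapshot")
            if not (rp.startswith("RP") and os.path.isdir(snap)):
                continue
            created = os.path.getmtime(snap)
            complete = all(os.path.isfile(os.path.join(snap, f)) for f in SNAPSHOT_TO_HIVE)
            if created < swap_time and complete and (best is None or created > best[0]):
                best = (created, snap)
    return best[1] if best else None


def snapshot_copy_plan(snap, tmp_dir):
    """(source, destination) pairs for the copy-and-rename step of part two."""
    return [(os.path.join(snap, f), os.path.join(tmp_dir, hive))
            for f, hive in SNAPSHOT_TO_HIVE.items()]


def regcopy_batch(windows_dir, part):
    """Recovery Console commands for part one (part=1) or part three (part=3),
    with the Windows folder substituted as the article's notes require.
    Recovery Console accepts both 'del' and 'delete'."""
    cfg, tmp = windows_dir + r"\system32\config", windows_dir + r"\tmp"
    lines = []
    if part == 1:
        lines.append("md tmp")
        lines += [f"copy {cfg}\\{h} {tmp}\\{h}.bak" for h in HIVES]
    lines += [f"del {cfg}\\{h}" for h in HIVES]
    src = windows_dir + r"\repair" if part == 1 else tmp
    lines += [f"copy {src}\\{h} {cfg}\\{h}" for h in HIVES]
    return "\r\n".join(lines) + "\r\n"
```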
===========================================================================

Method 2 continuation (only needed if you use NTFS partition on your computer)
How to gain access to the System Volume Information folder

To gain access to the System Volume Information folder, use the steps in the appropriate section.
Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer
Click Start, and then click My Computer.
On the Tools menu, click Folder Options.
On the View tab, click Show hidden files and folders.
Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
Clear the Use simple file sharing (Recommended) check box.
Click OK.
Right-click the System Volume Information folder in the root folder, and then click Properties.
Click the Security tab.
Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK again.
Double-click the System Volume Information folder in the root folder to open it.

NOTE: The System Volume Information folder is now accessible in normal mode to users of Windows XP Home Edition.
***
Windows XP Professional Using the NTFS File System on a Domain
Click Start, and then click My Computer.
On the Tools menu, click Folder Options.
On the View tab, click Show hidden files and folders.
Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
Click OK.
Right-click the System Volume Information folder in the root folder, and then click Sharing and Security.
Click the Security tab.
Click Add, and then type the name of the user to whom you want to give access to the folder. Choose the account location if appropriate (either local or from the domain). Typically, this is the account with which you are logged on. Click OK, and then click OK again.
Double-click the System Volume Information folder in the root folder to open it.
***
Using CACLS with Windows XP Home Edition Using the NTFS File System
In Windows XP Home Edition with the NTFS file system, you can also use the Cacls tool, which is a command-line tool, to display or modify file or folder access control lists (ACLs). For more information about the Cacls tool, including usage and switches, search the Help and Support Center for “cacls.”
Click Start, click Run, type cmd, and then click OK.
Make sure that you are in the root folder of the partition for which you want to gain access to the System Volume Information folder. For example, to gain access the C:\System Volume Information folder, make sure that you are in the root folder of drive C (at a “C:\” prompt).
Type the following line, and then press ENTER:
cacls "driveletter:\System Volume Information" /E /G username:F
Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions.
Double-click the System Volume Information folder in the root folder to open it.
If you need to remove the permissions after troubleshooting, type the following line at a command prompt:
cacls "driveletter:\System Volume Information" /E /R username
This command removes all permissions for the specified user.

The following steps also work if you restart the computer to Safe mode because simple file sharing is automatically turned off when you run the computer in Safe mode.
Open My Computer, right-click the System Volume Information folder, and then click Properties.
Click the Security tab.
Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on.
Click OK, and then click OK again.
Double-click the System Volume Information folder to open it.

source: http://support.microsoft.com/kb/309531/
==================================================================================
