Helping people with computers... one answer at a time.

Antivirus 2010 and similar are malware that tries to fool you into installing viruses or spyware, and then charges you for the promise of removal.

We're seeing a rash of Internet Antivirus 2010 and Security Center malware installations in customer computers. Do you have any information concerning where these infections are most likely coming from (email, web browsing, etc) and what are the best recommendations for catching infection attempts before they wreak havoc?

-

Hi Leo, Can you please tell me what is this "Vista Spyware 2010". It seems like an unwanted program and shows me messages every now and then claiming my system is infected and I should subscribe their software.

What they are is pretty easy: malware.

As these two questioners point out, there's been a rash of infections related to both of these two. In fact, it's looking like an annual event, since we seem to have seen an "antivirus 20xx" every year for the last few years.

The good news is that they're fairly easy to prevent with a little diligence on your part, and several reputable anti-malware tools will also remove them.

These forms of malware typically arrive due to clicking on a misleading popup window or advertisement while browsing the web.

"I'll repeat that: the popup lies - your machine is not infected. Yet."

That misleading message is using something along the lines of "a virus infection has been detected, click here to download a free removal tool". That popup is simply a web page and nothing more. It also lies: no scan was performed, and no infection was detected at all.

I'll repeat that: the popup lies - your machine is not infected. Yet.

The whole point, of course, is to fool you into clicking on the popup to download the so-called removal tool. That removal tool is just the opposite: running it is what infects your machine. (I use the example "removal tool", but in fact the popup could refer to just about anything that might entice you to click on it. The result is the same: infection.)

Prevention

Prevention is actually pretty straightforward: don't click on anything that claims to be a malware alert unless you're certain that it's from the software you have installed on your machine.

That implies, of course, that you know your anti-malware software, and learn to recognize its messages. Any anti-malware tool is going to include its name in any message that it displayed. If that name is not present, then it's very possible that the message isn't from your installed software at all, but a malicious popup.

Naturally, it's important to have anti-malware software running so that - hopefully - that software can catch the attempted infection even if you do click on the link. The problem here is that not all anti-malware software will catch all malware, and malware is constantly changing and evolving so as to avoid detection. The best defense is your own good understanding.

(Normally I'd also say to make sure that your browser is configured to block pop-up windows, but in fact most are by default, and even so there are popup technologies that are often quite difficult to block.)

Knowing You're Infected

Being infected looks a lot like the scenario that got you infected in the first place.

Typically, the malware will present you with repeated pop-ups telling you that you're infected (which by now you are). The messages will indicate that in order to remove the infection you need to purchase a specific program. Naturally, that specific program will likely not work at all, but you won't find that out until you've spent the money, or worse, handed over your credit card information.

Don't do it.

It's a simple as that. If your machine is infected, don't follow the instructions of the virus. You'll only make things worse - possibly much, much worse.

Removal

If you search the web for things like "Antivirus 2010 removal" you'll find several sites that have explicit step by step removal instructions.

However, there's a good chance that those are unnecessary. Naturally, since this is a fairly common infection, many of the major anti-malware tools are racing to keep up. In particular, MalwareBytes Anti-malware has a pretty good reputation for being able to remove these pests.

So that's the path I would take:

  • Avoid getting infected in the first place

  • Make sure your anti-malware software is up-to-date, and run complete scans - it may remove the infection.

  • Use a tool like MalwareBytes Anti-malware to attempt to remove the infection

  • Search the web for specific removal instructions and follow them carefully.

  • Finally, if all else fails, there's my prior article: How do I remove a virus?

Article C4209 - March 10, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

29 Comments
Jeffrey
March 10, 2010 4:52 PM

I get this question all the time as a tech support rep for major extended warranty plans. I also had it happen to my wife's computer. she was playing a trusted online game, and the game admin posted a link to online radio, also trusted. The second day, the host for the online radio station was infected, so when my wife went to see what the admin was playing she got anti-virus 2010. We suspected the radio site was hacked because a number of players got the same thing...beware of presumably trusted sites as well, if they get attacted, they can then attack you.

kptech
March 10, 2010 5:50 PM

I've removed a number of these from client's systems over the last few years and I would simply add a warning about the pop-up windows that accompany these rogue AntiVirus/AntiSpyware programs.

Not only should you not click on the "Yes" or "OK" button, but you shouldn't click on ANY PART of the pop-up window. Not even the "Cancel" button or the "X" in the upper-right corner of the window. In many cases, no matter what part of the window you click, you will be infected and taken to a website to purchase their worthless software. In other words, the entire pop-up window is often one big "YES" button.

Instead, right-click on the Windows task bar and select "Task Manager". When Task Manager starts, select the "Processes" tab and locate the "iexplore.exe" process, highlight it, right-click on it and select "End Process". Do this for every instance of "iexplore.exe" in the list.

If you don't feel comfortable with this, the other alternative is to simply shutdown/restart Windows. In either case, you terminate all instances of Internet Explorer and hopefully prevent the infection.

Bob
March 11, 2010 1:26 AM

I had this happen to my partner's laptop a couple of years ago.
Even with a lot of dilligence and hard work (which, if I am truly honest, would have been prevented had I took images and backups of her laptop - TRUST Leo when he says "Backup Backup Backup") it took me about six months of periodic checking to remove the infection completely.
It all started because the "free" 3-month trial of the pre-installed anti-virus / anti-malware expired, and shut down all protection after one warning which my partner had passed over in ignorance.

Michael Horowitz
March 11, 2010 9:43 PM

In my opinion, the safest approach, when confronted with a phony "your infected" message is to restart Windows.

Also, you can't necessarily trust the removal instructions you find online. The bad guys know full well people will Google for "remove product x" and they may seed the search results with phony removal instructions. Or, something like download this removal tool which may just infect you worse.

I use Web Of Trust (mywot.com) to separate out good websites from bad. Its not perfect, nothing can be, but you are safer obeying its ratings than not.

The Internet needs a user guide for non-techies running Windows. Not having one just drives more and more people to Macs.

Mary
March 14, 2010 1:22 AM

A few weeks ago a friend's computer was infected with one of those "2010" malware scams. She wound up calling Microsoft Product Support Services at 866-PCSAFETY. They, in turn, charged her $99 to remove the malware. They used their own Malicious Software Removal Tool, and then the free products from MalwareBytes Anti-malware and SUPERAntiSpyware. Guess those free products must be good if Microsoft relies on them :-)

http:/ /www.microsoft. com/security/malwareremove/default.aspx

steven
March 15, 2010 4:22 PM

Unless my Trackball button is broken, I did not click on any popup. I was wondering if the popup can be activated by the pointer just going over the popup without clicking? Anyone here have that happen? Today, I cleaned out the replacement computer. It replaced a disabled computer that I did not restore, yet at work.

Nancy Oliver
March 16, 2010 8:27 AM

I was looking at something on the web, but not clicking on anything when Antivirus 2010 was suddenly on my computer. This program has something built into it that puts code in your registry to prevent Malwarebytes from running or even opening. I finally found instructions on the web for making a small program in notepad, and renaming it reg.clean that took that line out of the registry so Malwarebytes would run. After that, getting rid of the program was really easy.

Me
March 16, 2010 8:28 AM

My name for these fake antiviruses are "rogueware."

MalwareBytes used to have a program RogueRemover (I used it to remove various rogueware from my mother's computer -- no matter how many times I tell her not to click on those popups, she does) but now it's within the MalwareBytes Anti-Malware. Nice program, even if you have to pay for some features.

The one and only malware I ever got on one of my computers was a rogueware. I didn't know about MBAM at the time so I ended up having to reinstall. That sucked.

John Henderson
March 16, 2010 8:38 AM

I have used Malwarebytes before for the 2010 malware virus and it works. It takes awhile but it works.

Packrat1947
March 16, 2010 9:12 AM

You do not have to click on anything to get these lastest infections. Just visiting an innocent "poisoned" site will get you.

Many times Malwarebytes will be blocked from installing or running. Download Rkill.com to the Desktop and run it. It will give you a brief respite to install, update and run MB. If the ".com" version didn't work try the .pif, .scr versions.

Rkill stops malicious processes instantly, but does not remove the infection.

Packrat1947

WordsMyth43
March 16, 2010 10:15 AM

The questions/indications from others that the various forms of this malware/rogueware ("Antivirus 2010" et al) do NOT require clicking on any pop-up to infect a system are very worrying.

I was nailed by "Internet Security 2010" in late January 2010 while surfing the web. I did not click on/through any pop-up and, since I knew the fake "alert" did not originate from any of my antivirus or other antimalware programs, I didn't fall for the bait. But ... my system was still infected by the trojan "Vundo.H" which corrupted 20 files and one registry key. Over the next two days my system slowed and crashed.

I ended up having a local computer shop find and remove all the infections (they used "Avira Premium" and "Malware Bytes" in combination to do so).

So this sounds particularly dangerous. If simply visiting a website (that may be infected/carrying/spreading the malware unknowingly) can infect users ... we're kinda screwed.

Leo: What do you think of "Packrat1947's" recommendation about downloading Rkill.com and running it and Malware Bytes whenever you suspect such an attack? What can you tell us about Rkill.com?

A really excellent article! I'm going to share it with my friends at Arundel Computers.

I've not used RKill myself, but it has a good reputation for fixing things so that you can run other anti-malware tools once again. Here's one write up.
Leo
17-Mar-2010

Mike
March 16, 2010 10:33 AM

I consider myself pretty savvy, but last week, color me Stupid. I was a victim of a drive-by infection. My various security programs detected the intrusion, but were unable to prevent it from installing.

And herein lies my Stupid gene. Vista's insufferable User Account Control (UAC) which checks EVERYHING for EVERYTIME you try to use it. It's such a nuisance that I turned it off. It would have prevented the infection. Now I've turned UAC back on and suffer its constant nagging.

Oh, and Malwarebytes (out of many) was the ONLY solution to removing the rogueware. Even then, I still had to use a few levels of troubleshooting just to get partial control of my computer in order to finally run Malwarebytes and remove the infection entirely.

For Vista and later, make use of the UAC. It's similar to the protection provided for Mac and Linux users. If you're still running XP or older, you're stuck with buying the real-time protection of the software.

bzak
March 16, 2010 10:41 AM

Recently dealt with Antivirus 2010. It successfully blocked the installation of Malwarebytes. It blocked attempts to start up Regedit and RKill. I was only able to remove it by booting into safe mode and putting REGEDIT.exe into the 'startup' folder along with TASKMGR. So these two apps were launched before AV2010 started. Only by following detailed steps to edit the registry and continually squashing two processes was I able to stop it enough and later did a cleanup with Malwarebytes. None of this is for the faint of heart...
I now use the paid version of Malwarebytes.

Jeff Burns
March 16, 2010 11:47 AM

Malwarebytes runs perfectly in Safe Mode. If you are able to boot into Safe Mode, choose the "with Networking" option and you can download, install, and run it from there. I also carry the newest version of Malwarebytes on a flash drive. If I am being blocked by the infection, I can usually install it from the flash drive. Even though it's not 100% up to date, running the Quick Scan is often enough to catch and remove enough of the infection to boot normally and continue working.

Frank
March 16, 2010 12:27 PM

I'm presently running all programs (browsers, emai clients etc.)that access then internet sandboxed with Sandboxie.

If anything bad tries to infect my machine it can't get out of the sandbox unless I let it.
I have instructed Sandboxie to delete the sandbox
when I close all sandboxed programs.

This approach still depends on my vigilance however.

Sandboxie is available in a free version or the paid version for ~$38.00 US.
The paid version is a lifetime license and can be used on any number of computers you own.

The free version will start mildly nagging you once each boot (only when you open the first Sandboxed program).

The only difference between the free and paid version is the free version doesn't have the "Force Sandbox" feature.

Ming
March 16, 2010 3:24 PM

I got hit with AV2010 and it's pretty vicious, pops up every few seconds reminding me of the detected infections. I can't use Task Manager, Regedit, Run command, or install anything not to mention MalwareBytes. Safemode boot freezes midway. Eventually, I had to bootup on my original media CDs to repair Windows files. Luckily it seems to work otherwise I would have format my drive!

Tom R.
March 16, 2010 4:19 PM

An important point that Leo didn't mention is that these malware warning pop-up windows that are activated while web surfing are programmed to start the malware installation if you simply click anywhere within the window, even on that little x at the top right-hand corner of the window. Don't click anywhere on the pop-up window. First thing to do is unplug your modem's power cord or data cable to stop all internet activity. After that, click on the x contained in the main browser window to close the whole browser program. If the browser won't close then push and hold the PC power button to force the PC to shut down. These measures will help prevent being infected with these very devious programs.

John Lenihan
March 16, 2010 7:04 PM

SUPERAntiSpyware Portable Scanner works the best
on a USB flash drive...
http://www.superantispyware.com/portablescanner.html

Stuart
March 16, 2010 10:21 PM

As others have mentioned, it's very easy to get infected with these noxious programs. Just visiting an infected site, or being redirected to one, can infect your computer. When it happened to me last week, I immediately re-booted into Safe Mode and then used System Restore. It worked like a charm!

rien
March 17, 2010 4:44 AM

I had roughly the same experience as Ming (Vista spyware 2010); also IE hyjacked and .exe file association gone; still managed to openIE and had trend micro housecall do a initial scan + cleanup; after that my installed cleaning programs were accessible again and I could continue cleaning (incl malwarebytes)
Took me 2 evenings to be back to normal!

Me
March 17, 2010 6:12 AM

Mozilla Firefox + AdBlock Plus. Haven't had a single infection on my mom's computer since installing those, plus it gets rid of annoying flashing banner ads. (If you're really nervous, you can also use NoScript, but I don't use it myself.)

Terry Hollett
March 17, 2010 7:21 AM

I've had some experience removing these types of infections. I've written my own guide here:

http://hitanykey.webs.com/removefake.htm

Most of the computers I'm cleaning out these days seem to be one version or another of these fake programs.

Gary Michaels
March 17, 2010 8:30 PM

It would have been nice to have read this article last Sunday (3/14,) as my daughter called me and frantically told me that the "XP Antivirus 2010" had taken over her computer. I had the ZoneAlarm Internet Security product installed on her computer, was running Mozilla with AdBlock plus (really wouldn't have helped here,) and had other security measures in place. I had previously told her to not click on links that she didn't trust, and not to go on sites that were not rated "green" by Web of Trust. Other than that, you really can't tell a 26-year-old college student to not use her computer for social networking, music downloads, college coursework, etc. But this insidious virus still managed to get on her computer (AV.EXE) and was the most evil virus I have seen in 27 years of using personal computers. Any time that I tried to modify the system, (such as System Restore,) the virus would reload and pop up again. I had her kill the AV process in task manager and tried to do several things - tried a system restore (failed,) checked what was installed in the RUN key of the registry (there was a weird file UZBINE--.DLL in there, I wasn't sure what it was, but renamed the DLL anyway,) that didn't stop it. I tried ZoneAlarm's scan to remove it, that didn't work (although, later, I found out on their ZoneLabs forum that I should have run an "ultra deep scan." Note: the ZA program did pop up and mention that AV.EXE wanted to run, she said "DENY" but it ran anyway. Bottom line was, I noticed one of the "gurus" in the ZA forum mentioned Malwarebytes.org and the MBAM program. The instructions were great, EXCEPT that the first step of the clean process (to run a registry MERGE using a .REG file from their site) did NOT work because the evil AV.EXE program had modified the system to not accept registry merges (at least not by double-clicking on the file, or right-click, merge.) I finally figured out I could just select "File, Import" in REGEDIT and merge their file into the registry. And then, finally, the Malwarebytes program purged the nasty AV program (and 151 of its infected associates.) I had spent five hours at home researching this virus, and then another four hours at her house trying to get the infection off. The Microsoft Malware Removal tool that I downloaded did not work at all. So thankfully, the Malwarebytes program did. One last thing -- one of the ZA "gurus" had mentioned about "restarting in Safe Mode." I'm well aware of this, but do these "techies" realize how difficult it is to step someone into Safe Mode by phone, and then run commands? I did it for her by running the same commands myself (except for ZA scan.) Why can't the all-powerful MS come up with a "magic CD" that a user could boot from which would automatically scan, remove all rootkits, viruses, and any other unsecure thing from the computer, and, while we're at it, optimize the computer so it would run much faster and more efficiently? Kind of a real "computer tune up." (Not the software product with a similar name.)

Rob W
March 17, 2010 11:23 PM

There is a pretty large list of malware types and removal guides here- http://www.bleepingcomputer.com/forums/forum55.html

sirpaul1
March 23, 2010 1:29 PM

Gary, even the best anti-malware programs only catch about 98% of the malware. Most popular AV programs only catch 80% to 95% of the malware thrown at it.
Malwarebytes is good but SuperAntiSpyware always catches a few more. Mainly ad-tracking cookies. If I run them in reverse order, Malwarebytes finds nothing.
If you have an unwanted piece of malware that's extremely hard to get rid of and won't let you run your anti-malware program, just rename the anti-malware .exe to something ridiculous like "breadandbutter.exe" Malware won't stop a program named something like that, but it will shut down well known AV programs (along with other ways to make it run - Internet, Task Manager, Run, etc.)

steven richards
April 14, 2010 6:40 PM

I finally got rid of XP antivirus 2010(for FREE!)
First I downloaded and updated combofix. Unlike the last 10 times, I did not accept my computer was clean, it wasn't. You need to run Malwarebytes antimalware quick scan or full scan. That will remove the network startup entry super antispyware does not catch this one.
If your internet is not working, just uncheck the proxy settings under the IE properties. restart after done.

Yuli
April 26, 2010 5:57 PM

I had the same virus on the family computer about a month ago, got rid of it after much research on my personal laptop, the problem is that now its asking for an activation code, i lost the sticker that came with the disc, and the original box with the code on the back is no longer there. the 1800 number is no help, what should i do? i dont want to get rid of it, its an awesome family computer.

AdoAnnie
November 24, 2010 5:33 AM

AntiVirus "Suite" 2010 has evolved. I had read about this on Ask Leo and knew what not to do, but my husband came in late from work a few nights ago, tired and bleary, just wanted to read his email and the next thing I hear him yelling and screaming at the computer. I glanced over his shoulder and knew what had happened. In his tiredness he'd simply clicked the wrong button and within seconds 2010 was full blown. Several of the comments above and Leo say to download a program from the net - no way, this latest iteration simply will not let you go to the net without redirecting you to its site to buy and download its malware. We simply closed down his computer. Next AM after he'd left for work I called the company tech center and we walked a landmine route two steps forward, one step back till we could get to a point where he could take over the computer. Thank goodness they have a program in place for this horror show, but it took literally hours (multiple scan searches to detect and then to make sure everything was clear) to clean this thing off my husband's computer and restore settings. Leo, you might want to make a comment that this malware is getting more malevolent.

Tom Campanelli
December 8, 2010 5:32 AM

RE: AdoAnnies' comment on malware pretending to be an antivirus program.
I had this problem a few months ago. It literally took over my machine. I got rid of it by booting up in safe mode and going back to an earlier restore point. I don't know if this always works but it did this time.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.