How to remove Antivirus 2010 (Uninstall Instructions)

Posted by Grinler on October 7, 2008 @ 09:00 PM · Views: 138,662

Add to Favorites!    Print Guide!

What this programs does:

Antivirus 2010 is a rogue anti-spyware program from the same family as Antivirus 2008 and Antivirus 2009. Like its previous incarnations, Antivirus 2010 is advertised through the use of advertisements on the Web pretending to be online anti-malware scanners. These advertisements pretend to scan your computer and then state that your computer is infected and that you should download and install Antivirus 2010 to remove these infections. These rogues are also known to be advertised and installed through Trojans that display fake security alerts in your Windows taskbar stating you are infected. Once you click on one of these alerts, it will bring you to the download page for Antivirus 2010, or even download and install it without your permission.

Once Antivirus 2010 is installed on your computer, it will be automatically configured to run when you logon to Windows. This is done by adding a startup that launches the C:\Windows\System32\wingamma.exe executable. This executable will then launch the AV2010.exe and the fake Windows Security Center. Once running, it will scan your computer and list a variety of infections that cannot be removed unless you first purchase the software. This infection will also randomly display fake security alerts on your computer stating that you are infected or have some sort of security risk. If you click on these alerts, it will prompt you to purchase the software. These fake alerts, along with a fake Windows Security Center that advertises Antivirus 2010, are used to further scare you into thinking you are infected so you purchase the software.

Another new addition to these types of rogues is the creation of a fake Blue Screen of Death. At random intervals, Antivirus 2010 will create what appears to be a Windows crash, but in reality is just a fake screen. These fake crashes are used to further persuade you into purchasing the software. If you receive this crash, you can simply reboot your computer , or try pressing Alt-Tab or Control-Alt-Delete to get out of it. The text of the crash is:

***STOP: 0x000000D1 (0x0000000, 0xF73120AE, 0xC0000008, 0xC000000)

A spyware application has been detected and Windows has been shut down to prevent damage to your computer

SPYWARE.MONSTER.FX_WILD_0x0000000

If this is the first time you've seen this Stop error screen, restart you [sic] computer. If this screen appears again, follow these steps:

Click to make sure your antivirus software is properly installed. If this is a new installation, ask you [sic] software manufacturer for any antivirus updates you might need.

Windows detected unregistered version of Antivirus 2010 protection on your computer. If problem continue, please activate your antivirus software to prevent computer damage and data loss.

*** SRV.sys - Address F73120AE base at C0000000, DateStamp 36b072a3

 

Antivirus 2010 screen shot
For more screen shots of this infection click on the image above.
There are a total of 8 images you can view.

This guide will walk you through removing the Antivirus2010 rogue anti-spyware program and any associated malware that may have been installed with it.

Threat Classification:

• Information on Rogue Programs & Scareware

Advanced information:

View Antivirus 2010 files.
View Antivirus 2010 Registry Information.

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O2 - BHO: IEDefenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - C:\Windows\System32\IEDefender.dll
O4 - HKLM\..\Run: [Windows Gamma Display] C:\Windows\System32\wingamma.exe /adjustment

Guide Updates:

10/07/08 - Initial guide creation.

Automated Removal Instructions for Antivirus 2010 using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Antivirus 2010 related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the Antivirus2010 removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the Antivirus2010 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated Antivirus 2010 Files:

c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

Associated Antivirus 2010 Windows Registry Information:

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"