Antivirus 2010 is the name of a variety of different rogues from different malware families. This guide will focus on the latest rogue that uses this name and that is a clone of Antivirus 2010 Security Centre. Antivirus 2010 is promoted through the use of malware that will install it on to your computer without your permission or knowledge. Once running it will scan your computer and state that there are numerous infections present, but will state that it will not clean any of them until you first purchase the program. The problem is that most of the infections it detects are actually legitimate Windows programs that are not infected at all. Therefore, do not try to manually delete any of the files it states are infections as it may cause your computer to not operate correctly.
As part of its defense mechanism, Antivirus 2010 will also terminate the majority of programs that you attempt to run. When it terminates them it will also change the security permissions on the executable so that you will not be able to run the program again. You will know when Antivirus 2010 changes the permission on a program because when you attempt to launch the program you will be greeted with a Windows message that states:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
If you are greeted with this message for one of your executables you can regain access to the program by using the cacls.exe program that comes installed with Windows. Simply go to a Command Prompt and type the following command to give the Everyone group permission to use the file again:
cacls <full path to the program> /G Everyone:F
As an example, if you attempt to launch Malwarebytes' and it gives the above error, then you would type cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press enter on your keyboard. Once you enter that command and press enter, everyone on your computer will then have access to the file again. If you are using Windows Vista or Windows 7 then you will have to use an elevated command prompt, which is explained here.
As you can see, Antivirus 2010 uses false scan results to make you think your infected so that you will purchase the program. It also takes your computer hostage by disabling the use of your executables so that you can't properly use your computer. Therefore, do not purchase this program, and if you already have, please contact your credit card company and dispute the charges stating it is an computer virus. To remove Antivirus 2010 and related malware, please use the guide below.
Self Help Guide
- These instructions are for advanced users. We will not be going into great
detail on how to perform these steps and it is expected that you will understand
what to do with the information provided below. If you do not feel comfortable
performing these steps, then please do not attempt them. Instead follow the
steps in this
topic in order to receive malware removal help from one of our helpers.
- Please print out these instructions as we will be performing steps in an
environment that does not support Internet browsing.
- As the main defense mechanism of
is a rookit, we must first reboot our computer into a the XP Recovery
Console or the Windows Vista/Windows 7 Recovery Environment in order to delete
certain files that will then allow us to remove this infection while booted
into Windows normally.
With this said, if you are using Windows XP, please reboot into the Windows XP Recovery Console using the instructions found in this guide.
How to install and use the Windows XP Recovery Console
If you are using Windows 7 or Windows Vista, please use this guide to boot into the Windows Recovery Environment. Please note that the following guide was written for Vista, but applies to Windows 7 as well.
How to use the Command Prompt in the Vista Windows Recovery Environment
- Once you are in the recovery environment you must rename the following files.
You can rename them as the same filename but ending with .bad.
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename may not be exactly the same, but should start with vbma)
The reason we state you should rename them instead of deleting them, is if you delete the wrong file and Windows no longer operates correctly, you can go back into the Windows recovery environment and restore the file to get Windows working again.
- Once these two files have been renamed, please type Exit
and reboot your computer so that it enters Windows normally.
- Once you are in Windows, go into Add or Remove Programs
(Windows XP) or Uninstall a Program (Windows 7 and Vista)
in the Windows Control Panel. Once the Uninstall control panel is open, look
for Antivirus 2010 or Antivirus2010 and uninstall it.
- Now download the following reg file for your corresponding version of Windows
and run it. When it asks if you would like to merge the data, please allow
it to do so.
Windows XP Reg File
Windows Vista and Windows 7 Reg File
These reg files will restore a key that was changed by the rootkit.
- For the next steps, if you attempt to run a program and it gives a permission
denied or similar error, then please use the CACLS program to restore permissions
as described in the description of the program above.
- You can now now download Malwarebytes Anti-Malware, or MBAM, from the following
location and save it to your desktop:
Malwarebytes Anti-Malware Download Link (Download page will open in a new window)
- Once downloaded, close all programs and Windows on your computer, including
- Double-click on the icon on your desktop named mbam-setup.exe.
This will start the installation of MBAM onto your computer.
- When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings
and when the program has finished installing, make sure you leave both the
Update Malwarebytes Anti-Malware and Launch
Malwarebytes Anti-Malware checked. Then click on the Finish
- MBAM will now automatically start and you will see a message stating that
you should update the program before performing a scan. As MBAM will automatically
update itself after the install, you can press the OK button
to close that box and you will now be at the main program as shown below.
- On the Scanner tab, make sure the the Perform
full scan option is selected and then click on the Scan
button to start scanning your computer for
- MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
- When the scan is finished a message box will appear as shown in the image
You should click on the OK button to close the message box and continue with the Antivirus2010 removal process.
- You will now be back at the main Scanner screen. At this point you should
click on the Show Results button.
- A screen displaying all the malware that the program found will be shown
as seen in the image below. Please note that the infections found may be different
than what is shown in the image.
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
- When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
- You can now exit the MBAM program.
- As many rogues and other malware are installed through vulnerabilities found
in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the Antivirus2010 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.