How to remove Antivirus 2010 (Uninstall Instructions)
Posted by Grinler on October 7, 2008 @ 09:00 PM · Views: 138,662
What this programs does:
Antivirus 2010 is a rogue anti-spyware program from the same
family as Antivirus
2008 and Antivirus
2009. Like its previous incarnations, Antivirus 2010 is advertised through
the use of advertisements on the Web pretending to be online anti-malware scanners.
These advertisements pretend to scan your computer and then state that your
computer is infected and that you should download and install Antivirus 2010
to remove these infections. These rogues are also known to be advertised and
installed through Trojans that display fake security alerts in your Windows
taskbar stating you are infected. Once you click on one of these alerts, it
will bring you to the download page for Antivirus 2010, or even download and
install it without your permission.
Once Antivirus 2010 is installed on your computer, it will be automatically
configured to run when you logon to Windows. This is done by adding a startup
that launches the C:\Windows\System32\wingamma.exe executable. This executable
will then launch the AV2010.exe and the fake Windows Security Center. Once running,
it will scan your computer and list a variety of infections that cannot be removed
unless you first purchase the software. This infection will also randomly display
fake security alerts on your computer stating that you are infected or have
some sort of security risk. If you click on these alerts, it will prompt you
to purchase the software. These fake alerts, along with a fake Windows Security
Center that advertises Antivirus 2010, are used to further scare you into thinking
you are infected so you purchase the software.
Another new addition to these types of rogues is the creation of a fake Blue
Screen of Death. At random intervals, Antivirus 2010 will create what appears
to be a Windows crash, but in reality is just a fake screen. These fake crashes
are used to further persuade you into purchasing the software. If you receive
this crash, you can simply reboot your computer , or try pressing Alt-Tab or
Control-Alt-Delete to get out of it. The text of the crash is:
***STOP: 0x000000D1 (0x0000000, 0xF73120AE,
0xC0000008, 0xC000000)
A spyware application has been detected and
Windows has been shut down to prevent damage to your computer
SPYWARE.MONSTER.FX_WILD_0x0000000
If this is the first time you've seen this
Stop error screen, restart you [sic]
computer. If this screen appears again, follow these steps:
Click to make sure your antivirus software
is properly installed. If this is a new installation, ask you [sic]
software manufacturer for any antivirus updates you might need.
Windows detected unregistered version of Antivirus
2010 protection on your computer. If problem continue, please activate your
antivirus software to prevent computer damage and data loss.
*** SRV.sys - Address F73120AE base at C0000000,
DateStamp 36b072a3
Antivirus 2010 screen shot
For more screen shots of this infection click on the image above.
There are a total of 8 images you can view.
This guide will walk you through removing the Antivirus2010 rogue anti-spyware
program and any associated malware that may have been installed with it.
Threat Classification:
Advanced information:
View Antivirus 2010 files.
View Antivirus 2010 Registry Information.
Tools Needed for this fix:
Symptoms that may be in a HijackThis Log:
O2 - BHO: IEDefenderBHO - {FC8A493F-D236-4653-9A03-2BF4FD94F643} - C:\Windows\System32\IEDefender.dll
O4 - HKLM\..\Run: [Windows Gamma Display] C:\Windows\System32\wingamma.exe /adjustment
Guide Updates:
10/07/08 - Initial guide creation.
Automated Removal Instructions for Antivirus 2010 using Malwarebytes' Anti-Malware:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Download Malwarebytes' Anti-Malware, or MBAM, from the following location
and save it to your desktop:
Malwarebytes' Anti-Malware Download Link
- Once downloaded, close all programs and Windows on your computer, including
this one.
- Double-click on the icon on your desktop named mbam-setup.exe.
This will start the installation of MBAM onto your computer.
- When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings
and when the program has finished installing, make sure you leave both the
Update Malwarebytes' Anti-Malware and Launch
Malwarebytes' Anti-Malware checked. Then click on the Finish
button.
- MBAM will now automatically start and you will see a message stating that
you should update the program before performing a scan. As MBAM will automatically
update itself after the install, you can press the OK button
to close that box and you will now be at the main program as shown below.
- On the Scanner tab, make sure the the Perform
quick scan option is selected and then click on the Scan
button to start scanning your computer for Antivirus 2010 related
files.
- MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
image below.
- When the scan is finished a message box will appear as shown in the image
below.
You should click on the OK button to close the message box and continue with
the Antivirus2010 removal process.
- You will now be back at the main Scanner screen. At this point you should
click on the Show Results button.
- A screen displaying all the malware that the program found will be shown
as seen in the image below. Please note that the infections found may be different than what is shown in the image.
You should now click on the Remove Selected button to remove
all the listed malware. MBAM will now delete all of the files and registry
keys and add them to the programs quarantine. When removing the files, MBAM
may require a reboot in order to remove some of them. If it displays a message
stating that it needs to reboot, please allow it to do so. Once your computer
has rebooted, and you are logged in, please continue with the rest of the
steps.
- When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
window.
- You can now exit the MBAM program.
Your computer should now be free of the Antivirus2010 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
Associated Antivirus 2010 Files:
c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Associated Antivirus 2010 Windows Registry Information:
HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"