How to remove Antivirus 2010 (Uninstall Instructions)

  • October 7, 2008

Antivirus 2010 is the name of a variety of different rogues from different malware families. This guide will focus on the latest rogue that uses this name and that is a clone of Antivirus 2010 Security Centre. Antivirus 2010 is promoted through the use of malware that will install it on to your computer without your permission or knowledge. Once running it will scan your computer and state that there are numerous infections present, but will state that it will not clean any of them until you first purchase the program. The problem is that most of the infections it detects are actually legitimate Windows programs that are not infected at all. Therefore, do not try to manually delete any of the files it states are infections as it may cause your computer to not operate correctly.

  • Antivirus 2010 Screen shot
  • Scanning screen
  • Scan results

As part of its defense mechanism, Antivirus 2010 will also terminate the majority of programs that you attempt to run. When it terminates them it will also change the security permissions on the executable so that you will not be able to run the program again. You will know when Antivirus 2010 changes the permission on a program because when you attempt to launch the program you will be greeted with a Windows message that states:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

If you are greeted with this message for one of your executables you can regain access to the program by using the cacls.exe program that comes installed with Windows. Simply go to a Command Prompt and type the following command to give the Everyone group permission to use the file again:

cacls <full path to the program> /G Everyone:F

As an example, if you attempt to launch Malwarebytes' and it gives the above error, then you would type cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press enter on your keyboard. Once you enter that command and press enter, everyone on your computer will then have access to the file again. If you are using Windows Vista or Windows 7 then you will have to use an elevated command prompt, which is explained here.

As you can see, Antivirus 2010 uses false scan results to make you think your infected so that you will purchase the program. It also takes your computer hostage by disabling the use of your executables so that you can't properly use your computer. Therefore, do not purchase this program, and if you already have, please contact your credit card company and dispute the charges stating it is an computer virus. To remove Antivirus 2010 and related malware, please use the guide below.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. These instructions are for advanced users. We will not be going into great detail on how to perform these steps and it is expected that you will understand what to do with the information provided below. If you do not feel comfortable performing these steps, then please do not attempt them. Instead follow the steps in this topic in order to receive malware removal help from one of our helpers.

  2. Please print out these instructions as we will be performing steps in an environment that does not support Internet browsing.

  3. As the main defense mechanism of Antivirus2010 is a rookit, we must first reboot our computer into a the XP Recovery Console or the Windows Vista/Windows 7 Recovery Environment in order to delete certain files that will then allow us to remove this infection while booted into Windows normally.

    With this said, if you are using Windows XP, please reboot into the Windows XP Recovery Console using the instructions found in this guide.

    How to install and use the Windows XP Recovery Console

    If you are using Windows 7 or Windows Vista, please use this guide to boot into the Windows Recovery Environment. Please note that the following guide was written for Vista, but applies to Windows 7 as well.

    How to use the Command Prompt in the Vista Windows Recovery Environment

  4. Once you are in the recovery environment you must rename the following files. You can rename them as the same filename but ending with .bad.

    c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
    c:\WINDOWS\system32\drivers\vbma22b4.sys     (Please note that the filename may not be exactly the same, but should start with vbma)

    The reason we state you should rename them instead of deleting them, is if you delete the wrong file and Windows no longer operates correctly, you can go back into the Windows recovery environment and restore the file to get Windows working again.

  5. Once these two files have been renamed, please type Exit and reboot your computer so that it enters Windows normally.

  6. Once you are in Windows, go into Add or Remove Programs (Windows XP) or Uninstall a Program (Windows 7 and Vista) in the Windows Control Panel. Once the Uninstall control panel is open, look for Antivirus 2010 or Antivirus2010 and uninstall it.

  7. Now download the following reg file for your corresponding version of Windows and run it. When it asks if you would like to merge the data, please allow it to do so.

    Windows XP Reg File
    Windows Vista and Windows 7 Reg File

    These reg files will restore a key that was changed by the rootkit.

  8. For the next steps, if you attempt to run a program and it gives a permission denied or similar error, then please use the CACLS program to restore permissions as described in the description of the program above.

  9. You can now now download Malwarebytes Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes Anti-Malware Download Link (Download page will open in a new window)


  10. Once downloaded, close all programs and Windows on your computer, including this one.

  11. Double-click on the icon on your desktop named mb3-setup-1878.1878-3.0.6.1469.exe. This will start the installation of MBAM onto your computer.

  12. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware checked. Then click on the Finish button.

  13. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  14. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus 2010 related files.

  15. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  16. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus2010 removal process.

  17. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  18. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  19. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  20. You can now exit the MBAM program.

  21. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Antivirus2010 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.

View Associated Antivirus 2010 Files

Current Antivirus 2010 Files: c:\Documents and Settings\All Users\Application Data\.wtav c:\WINDOWS\system32\mswmqnei.dll c:\WINDOWS\system32\us?rinit.exe c:\WINDOWS\system32\drivers\vbma22b4.sys Old Antivirus 2010 Files: c:\Program Files\AV2010 c:\Program Files\AV2010\AV2010.exe c:\Program Files\AV2010\svchost.exe c:\WINDOWS\system32\IEDefender.dll c:\WINDOWS\system32\wingamma.exe c:\Documents and Settings\All Users\Desktop\AV2010.lnk c:\Documents and Settings\All Users\Start Menu\Programs\AV2010 c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

View Associated Antivirus 2010 Registry Information

Current Antivirus 2010 Files: HKEY_CLASSES_ROOT\Interface\{35c95ec8-f789-9a3a-375c-bdb89a3684fd} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D} HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFBCFDBA HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit Old Antivirus 2010 Files: HKEY_CURRENT_USER\Software\AV2010 HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68} HKEY_CLASSES_ROOT\AppID\IEDefender.DLL HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643} HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1 HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9} HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus,Trojan,Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.

search guides
Latest Guides
Removal Tool Guides
Threat Descriptions

Login

Sign in with Twitter button Sign in with Twitter

Not a member yet? Register Now