Internet Security 2011 is a rogue anti-spyware program from the same family as Antivirus 2010. This rogue is promoted through the use of malware that installs it automatically onto your computer and through web sites that pretend to be online anti-malware scanners. Once installed it will scan your computer and state that there are numerous threats present on your computer. but will not allow you to remove any of these so-called threats until you first purchase the program. This is a scam because all of the files it states are infections are in fact legitimate Microsoft files. Therefore, do not manually delete any of the files it detects as it may cause Windows to not operate properly.
This rogue is extremely difficult to remove as it is bundled with a rootkit that terminates and then denies future access to any program that scans a particular process. When a program is terminated, the rootkit will change the security permissions on the executable so that you will not be able to run the program again. You will know when Internet Security 2011 changes the permission on a program because when you attempt to launch the program you will be greeted with a Windows message that states:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
If you see this message when you attempt to run an executable you can regain access to the program by using the cacls.exe program that comes installed with Windows. Simply go to a Command Prompt and type the following command to give the Everyone group permission to use the file again:
cacls <full path to the program> /G Everyone:F
As an example, if you attempt to launch Malwarebytes' and it gives the above error, then you would type cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press enter on your keyboard. Once you enter that command and press enter, everyone on your computer will then have access to the file again. If you are using Windows Vista or Windows 7 then you will have to use an elevated command prompt, which is explained here. It should be noted that if the rootkit disables a particular program, then running it again will cause the same issue to occur again. Therefore, It is important to first remove the rootkit before attempting to run any programs that scan your computer's processes or files.
While running, Internet Security 2011 will also display fake security alerts on your computer. These alerts are designed to make you think your computer has a serious computer problem. The text of some of these alerts include:
Attention! Network attack detected!
Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.
Attention! Threat detected!
NOTEPAD.EXE is infected with Trojan-BNK.Keylogger.gen
Private data can be stolen by third parties including card details and passwords.
It is strongly recommended to perform threat removal on your system.
Windows Security Alert
Your computer is making unauthorized copies of your system and Internet files.
You should immediately run full scanning of your system to prevent any unauthorized access to your data.
Click YES to run Antivirus scanner right now.
Without a doubt, Internet Security 2011 was designed to scare you into thinking your computer was infected so that you will then purchase it. For no reason should you purchase this program, and if you have, please contact your credit card company and dispute the charges stating it is an computer virus. For those who are infected with this malware, we strongly suggest that you follow the steps in our Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help topic in order to receive help removing this infection. For those who want to attempt to delete it manually, I have outlined the steps you must take to remove this infection. Please perform these steps only if you are an advanced user as doing it improperly could cause your computer to not operate properly or even boot up.
Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
- These instructions are for advanced users. We will not be going into great
detail on how to perform these steps and it is expected that you will understand
what to do with the information provided below. If you do not feel comfortable
performing these steps, then please do not attempt them. Instead follow the
steps in this
topic in order to receive malware removal help from one of our helpers.
- Please print out these instructions as we will be performing steps in an
environment that does not support Internet browsing.
- As the main defense mechanism of
Internet Security 2011
is a rookit, we must first reboot our computer into a the XP Recovery
Console or the Windows Vista/Windows 7 Recovery Environment in order to delete
certain files that will then allow us to remove this infection while booted
into Windows normally.
With this said, if you are using Windows XP, please reboot into the Windows XP Recovery Console using the instructions found in this guide.
How to install and use the Windows XP Recovery Console
If you are using Windows 7 or Windows Vista, please use this guide to boot into the Windows Recovery Environment. Please note that the following guide was written for Vista, but applies to Windows 7 as well.
How to use the Command Prompt in the Vista Windows Recovery Environment
- Once you are in the recovery environment you must rename the following files.
You can rename them as the same filename but ending with .bad.
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename may not be exactly the same, but should start with vbma)
The reason we state you should rename them instead of deleting them, is if you delete the wrong file and Windows no longer operates correctly, you can go back into the Windows recovery environment and restore the file to get Windows working again.
- Once these two files have been renamed, please type Exit
and reboot your computer so that it enters Windows normally.
- Once you are in Windows, go into Add or Remove Programs
(Windows XP) or Uninstall a Program (Windows 7 and Vista)
in the Windows Control Panel. Once the Uninstall control panel is open, look
for Antivirus 2010 or Internet Security 2011 and uninstall it.
- Now download the following reg file for your corresponding version of Windows
and run it. When it asks if you would like to merge the data, please allow
it to do so.
Windows XP Reg File
Windows Vista and Windows 7 Reg File
These reg files will restore a key that was changed by the rootkit.
- For the next steps, if you attempt to run a program and it gives a permission
denied or similar error, then please use the CACLS program to restore permissions
as described in the description of the program above.
- You can now now download Malwarebytes Anti-Malware, or MBAM, from the following
location and save it to your desktop:
Malwarebytes Anti-Malware Download Link (Download page will open in a new window)
- Once downloaded, close all programs and Windows on your computer, including
- Double-click on the icon on your desktop named mb3-setup-1878.1878-220.127.116.119.exe.
This will start the installation of MBAM onto your computer.
- When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings
and when the program has finished installing, make sure you leave both the
Update Malwarebytes Anti-Malware and Launch
Malwarebytes Anti-Malware checked. Then click on the Finish
- MBAM will now automatically start and you will see a message stating that
you should update the program before performing a scan. As MBAM will automatically
update itself after the install, you can press the OK button
to close that box and you will now be at the main program as shown below.
- On the Scanner tab, make sure the the Perform
full scan option is selected and then click on the Scan
button to start scanning your computer for
Internet Security 2011
- MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
- When the scan is finished a message box will appear as shown in the image
You should click on the OK button to close the message box and continue with the Internet Security 2011 removal process.
- You will now be back at the main Scanner screen. At this point you should
click on the Show Results button.
- A screen displaying all the malware that the program found will be shown
as seen in the image below. Please note that the infections found may be different
than what is shown in the image.
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
- When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
- You can now exit the MBAM program.
- As many rogues and other malware are installed through vulnerabilities found
in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the Internet Security 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.