Remove Internet Security 2011 (Uninstall Guide)

  • December 18, 2010

Internet Security 2011 is a rogue anti-spyware program from the same family as Antivirus 2010. This rogue is promoted through the use of malware that installs it automatically onto your computer and through web sites that pretend to be online anti-malware scanners. Once installed, it will scan your computer and state that there are numerous threats present, but will not allow you to remove any of these so-called threats until you first purchase the program. This is a scam because all of the files it states are infections are in fact legitimate Microsoft files. Therefore, do not manually delete any of the files it detects, as doing so may cause Windows to not operate properly.

  • Internet Security 2011 screen shot
  • Scanning screen
  • Fake web alert
  • Fake Web scanner
  • Threat detected alert
  • Network attack alert
  • Fake security alert

This rogue is extremely difficult to remove as it is bundled with a rootkit that terminates and then denies future access to any program that scans a particular process. When a program is terminated, the rootkit will change the security permissions on the executable so that you will not be able to run the program again. You will know when Internet Security 2011 changes the permission on a program because when you attempt to launch the program you will be greeted with a Windows message that states:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.


Access Denied.

If you see this message when you attempt to run an executable you can regain access to the program by using the cacls.exe program that comes installed with Windows. Simply go to a Command Prompt and type the following command to give the Everyone group permission to use the file again:

cacls <full path to the program> /G Everyone:F

As an example, if you attempt to launch Malwarebytes' and it gives the above error, you would type cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press Enter on your keyboard. Once you run that command, everyone on your computer will have access to the file again. If you are using Windows Vista or Windows 7 then you will have to use an elevated command prompt, which is explained here. It should be noted that if the rootkit disables a particular program, then running it again will cause the same issue to occur again. Therefore, it is important to first remove the rootkit before attempting to run any programs that scan your computer's processes or files.

While running, Internet Security 2011 will also display fake security alerts on your computer. These alerts are designed to make you think your computer has a serious problem. The text of some of these alerts includes:

Attention! Network attack detected!
Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.

Attention! Threat detected!
NOTEPAD.EXE is infected with Trojan-BNK.Keylogger.gen
Private data can be stolen by third parties including card details and passwords.
It is strongly recommended to perform threat removal on your system.

Windows Security Alert
Your computer is making unauthorized copies of your system and Internet files.
You should immediately run full scanning of your system to prevent any unauthorized access to your data.
Click YES to run Antivirus scanner right now.

Without a doubt, Internet Security 2011 was designed to scare you into thinking your computer is infected so that you will then purchase it. Under no circumstances should you purchase this program, and if you have, please contact your credit card company and dispute the charges, stating it is a computer virus. For those who are infected with this malware, we strongly suggest that you follow the steps in our Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help topic in order to receive help removing this infection. For those who want to attempt to delete it manually, I have outlined the steps you must take to remove this infection. Please perform these steps only if you are an advanced user, as doing it improperly could cause your computer to not operate properly or even fail to boot.

Self Help Guide

This guide contains advanced information, but has been written so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. These instructions are for advanced users. We will not be going into great detail on how to perform these steps and it is expected that you will understand what to do with the information provided below. If you do not feel comfortable performing these steps, then please do not attempt them. Instead follow the steps in this topic in order to receive malware removal help from one of our helpers.

  2. Please print out these instructions as we will be performing steps in an environment that does not support Internet browsing.

  3. As the main defense mechanism of Internet Security 2011 is a rootkit, we must first reboot our computer into the XP Recovery Console or the Windows Vista/Windows 7 Recovery Environment in order to delete certain files that will then allow us to remove this infection while booted into Windows normally.

    With this said, if you are using Windows XP, please reboot into the Windows XP Recovery Console using the instructions found in this guide.

    How to install and use the Windows XP Recovery Console

    If you are using Windows 7 or Windows Vista, please use this guide to boot into the Windows Recovery Environment. Please note that the following guide was written for Vista, but applies to Windows 7 as well.

    How to use the Command Prompt in the Vista Windows Recovery Environment

  4. Once you are in the recovery environment you must rename the following files. You can rename them as the same filename but ending with .bad.

    (Please note that the filename may not be exactly the same, but should start with vbma)

    The reason we state you should rename them instead of deleting them, is if you delete the wrong file and Windows no longer operates correctly, you can go back into the Windows recovery environment and restore the file to get Windows working again.

  5. Once these two files have been renamed, please type Exit and reboot your computer so that it enters Windows normally.

  6. Once you are in Windows, go into Add or Remove Programs (Windows XP) or Uninstall a Program (Windows 7 and Vista) in the Windows Control Panel. Once the Uninstall control panel is open, look for Antivirus 2010 or Internet Security 2011 and uninstall it.

  7. Now download the following reg file for your corresponding version of Windows and run it. When it asks if you would like to merge the data, please allow it to do so.

    Windows XP Reg File
    Windows Vista and Windows 7 Reg File

    These reg files will restore a key that was changed by the rootkit.

  8. For the next steps, if you attempt to run a program and it gives a permission denied or similar error, then please use the CACLS program to restore permissions as described in the description of the program above.

  9. You can now download Malwarebytes Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes Anti-Malware Download Link (Download page will open in a new window)

  10. Once downloaded, close all programs and Windows on your computer, including this one.

  11. Double-click on the icon on your desktop named mb3-setup-1878.1878- This will start the installation of MBAM onto your computer.

  12. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware checked. Then click on the Finish button.

  13. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

    MalwareBytes Anti-Malware Screen

  14. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Internet Security 2011 related files.

  15. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    MalwareBytes Anti-Malware Scanning Screen

  16. When the scan is finished a message box will appear as shown in the image below.

    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Internet Security 2011 removal process.

  17. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  18. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    MalwareBytes Scan Results

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  19. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  20. You can now exit the MBAM program.

  21. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Internet Security 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes Anti-Malware to protect against these types of threats in the future.

View Associated Internet Security 2011 Files

c:\Documents and Settings\All Users\Application Data\.wtav
c:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
c:\WINDOWS\assembly\GAC\__AssemblyInfo__.ini
c:\WINDOWS\system32\exefile.exe
c:\WINDOWS\system32\mswmqnei.dll
c:\WINDOWS\system32\us?rinit.exe (Do not delete the C:\Windows\System32\userinit.exe file)
c:\WINDOWS\system32\drivers\vbma22b4.sys
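
A triage check built from the file list above (an added example, not part of the original guide): it reports which of the listed files exist under a given drive root, which can be the live C:\ or a mounted copy of the disk. Treating the ? in us?rinit.exe as a single-character wildcard, and the function names, are assumptions of this example.

```python
import fnmatch
import os
import sys

_WINSXS = (r"WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector"
           r"_6595b64144ccf1df_5.2.2.3_x-ww_5390e909")

# (directory under the system drive, filename pattern, names never reported),
# copied from this page's file list.
INDICATORS = [
    (r"Documents and Settings\All Users\Application Data", ".wtav", ()),
    (_WINSXS, "shsvcs.dll", ()),
    (r"WINDOWS\assembly\GAC", "__AssemblyInfo__.ini", ()),
    (r"WINDOWS\system32", "exefile.exe", ()),
    (r"WINDOWS\system32", "mswmqnei.dll", ()),
    # Assumption: "?" stands for any one character; skip the real userinit.exe.
    (r"WINDOWS\system32", "us?rinit.exe", ("userinit.exe",)),
    # The guide says the driver name varies but starts with "vbma".
    (r"WINDOWS\system32\drivers", "vbma*.sys", ()),
]

def resolve_dir(root, rel):
    """Follow rel under root, matching each path component case-insensitively."""
    current = root
    for part in rel.split("\\"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        current = next((os.path.join(current, n) for n in names
                        if n.lower() == part.lower()), None)
        if current is None:
            return None
    return current if os.path.isdir(current) else None

def find_indicators(root):
    """Return sorted paths under root that match the listed files."""
    hits = []
    for rel_dir, pattern, never in INDICATORS:
        directory = resolve_dir(root, rel_dir)
        for name in os.listdir(directory) if directory else []:
            low = name.lower()
            if low not in never and fnmatch.fnmatchcase(low, pattern.lower()):
                hits.append(os.path.join(directory, name))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_indicators(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```

Run it with the drive root as the only argument; a hit is a reason to follow the removal steps, not a file to delete by hand.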

View Associated Internet Security 2011 Registry Information

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbma22b4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiSpywareOverride" = '1'

This is a self-help guide. Use at your own risk. can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus,Trojan,Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.
