
Sunday, December 19, 2010

How to Remove Internet Security 2011 (Uninstall Guide)

Internet Security 2011 is a fake anti-virus program that deliberately reports false system security threats to make you think that your computer is infected with trojans, spyware and other malicious software. It pretends to scan your computer for malware and flags legitimate Windows system files as malcode, e.g. Worm.Win32.Kido, Trojan.Rootkit.drv, AdWare.Redirect.xt. Internet Security 2011 will then prompt you to pay for a full version of the program to remove the threats. First of all, do not purchase it. It's a scam. Secondly, do not attempt to remove the supposedly found viruses manually; otherwise you may delete important system files, which can make Windows unstable. If you have this rogue security program on your computer then please follow the removal instructions below to remove Internet Security 2011 and any related malware for free.

Windows XP


Windows Vista & Windows 7


Internet Security 2011 is from the same family as Antivirus 2010. Usually, such rogue programs have to be manually installed but they may come bundled with other malicious software or through software vulnerabilities as well. The scammers use fake online scanners and misleading social engineering methods to distribute such dreaded security programs as Internet Security 2011. Once installed, this rogue program displays fake security alerts and fake error messages saying that certain programs are infected with Trojan BNK.Keylogger.gen or that someone is making unauthorized copies of your files.
Attention! Network attack detected!
Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.

Attention! Threat detected!
[program_name].exe is infected with Trojan-BNK.Keylogger.gen
Private data can be stolen by third parties including card details and passwords.
It is strongly recommended to perform threat removal on your system.


What is more, Internet Security 2011 denies access to nearly all programs on your computer stating that you may not have permission to access them. The fake error message contains the following text:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.


In order to regain access to the program you will have to open a Command Prompt and use the following command to grant the Everyone group full control of the file:

cacls [full path to the program] /G Everyone:F

Example:
cacls "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" /G Everyone:F

NOTE: If you are using Windows Vista or Windows 7 then you will have to run Command Prompt as administrator.

Unfortunately, if Internet Security 2011 comes bundled with other malware, usually rootkits, then it will be very difficult to remove the rogue program from your computer manually. First of all, you will have to remove the rootkits and then the rogue program together with the related malware. So, I'm afraid you won't find any "one-click-fix" solution to this problem. Thankfully, we've got the removal instructions to help you remove Internet Security 2011 from the system using legitimate tools and anti-malware programs. Please follow the removal instructions below. Also, if you have already purchased Internet Security 2011 then please contact your credit card provider and dispute the charges. If you have any questions regarding Internet Security 2011 removal, please leave a message using the contact form below. Good luck and be safe online!


Internet Security 2011 removal instructions:

1. Open C:\Windows\System32 in Windows Explorer. There will be two userinit.exe files in this directory. The legitimate one has the usual generic executable file icon. The fake one has a shield icon like an antivirus product would, or a globe icon, as shown in the image below.

Rename the fake userinit.exe to userinit.vxe (i.e. change its extension from .exe to .vxe).

NOTE: Configure Windows to show extensions of known file types so that you can correctly change the extension of the fake userinit.exe file. For more information, please read Show File Extension in Windows XP and Show File Extension in Windows Vista and Windows 7.

2. Open Device Manager. How do I get into Windows Device Manager?
Expand "System Devices".
Right click "[cmz vmkd] Virtual Bus", choose "Disable".



Click "Yes" when it asks if you would like to disable it.

3. Open C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\ in Windows Explorer.



Rename shsvcs.dll to shsvcs.dl_



4. Open Windows Registry Editor (regedit.exe).


Browse to HKLM\System\CurrentControlSet\Services\vbma[random characters].

Right click the vbma[random characters] key (e.g. vbmaf492 ) and click "Permissions".



Click "Advanced".



Check both "Inherit from parent...." and "Replace permission entries....". Click "OK". Click "Yes" when it asks if you wish to continue.



Double click the "Start" value.



Change the value from "3" to "4" to disable the service. Click "OK".



Browse to HKLM\System\CurrentControlSet\Services\Userinit



Double click the "Start" value.
Change the value from "3" to "4" to disable the service.

5. Restart your computer.

6. Create a folder on the desktop labeled "Malware".
Move the following files to your malware folder on the desktop:
  • c:\windows\system32\Userinit.vxe (the fake one)
  • c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dl_
  • c:\windows\System32\Drivers\vbma[random characters].sys (e.g. vbmaf492.sys)


7. Delete the following keys from the registry:
  • HKLM\System\CurrentControlSet\Services\vbma[random characters]
  • HKLM\System\CurrentControlSet\Services\Userinit


8. Open Device Manager.
Expand "System Devices"
Right click "[cmz vmkd] Virtual Bus" choose "Uninstall". Click "OK" to confirm device removal.



9. Download TDSSKiller. Double-click to launch it. Scan your computer and remove any rootkits it finds.
10. Download and scan your computer with the recommended anti-malware software to remove the leftovers of this virus from your computer.

It's possible that an infection is blocking STOPzilla from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

11. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


Internet Security 2011 associated files and registry values:

Files:
  • C:\Documents and Settings\All Users\Application Data\.wtav
  • C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\
  • C:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
  • C:\WINDOWS\assembly\GAC\__AssemblyInfo__.ini
  • C:\WINDOWS\system32\exefile.exe
  • C:\WINDOWS\system32\mswmqnei.dll
  • C:\WINDOWS\system32\us?rinit.exe (not userinit.exe file which is in the same folder)
  • C:\WINDOWS\system32\drivers\vbma22b4.sys
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbma22b4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiSpywareOverride" = '1'
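Step 1 and the file list above show that the fake userinit.exe may carry a lookalike name (us?rinit.exe), so a directory listing appears to hold only one copy. As an added example that is not part of the original guide, this Python script folds file names to plain ASCII and flags entries that impersonate userinit.exe or another protected Windows binary; the confusables table and the sample System32 listing are assumptions constructed for the demonstration.

```python
import unicodedata

# Names of Windows binaries that rogue programs impersonate; userinit.exe is
# the one this guide describes, the others are assumed examples.
PROTECTED_NAMES = {"userinit.exe", "winlogon.exe", "explorer.exe", "iexplore.exe"}

# Assumed (partial) table of Cyrillic letters visually identical to Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}

# Constructed System32 listing: one real userinit.exe and one with a Cyrillic 'е'.
SAMPLE_LISTING = [
    "userinit.exe", "us\u0435rinit.exe", "winlogon.exe",
    "exefile.exe", "mswmqnei.dll", "shell32.dll",
]


def fold_name(name):
    """Reduce a file name to its ASCII lookalike: NFKD-decompose, drop combining
    marks (accents), map known confusable letters to Latin, and lower-case."""
    chars = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars).lower()


def find_lookalikes(listing, protected=PROTECTED_NAMES):
    """Return (name, reason) pairs for entries that look like a protected name
    but are not spelled as one, or that contain any non-ASCII character (system
    directory binaries are ASCII-named, so that alone is suspicious)."""
    hits = []
    for entry in listing:
        folded = fold_name(entry)
        if folded in protected and entry.lower() != folded:
            hits.append((entry, "homoglyph of " + folded))
        elif not entry.isascii():
            hits.append((entry, "non-ASCII character in name"))
    return hits


if __name__ == "__main__":
    for name, reason in find_lookalikes(SAMPLE_LISTING):
        print(repr(name), "->", reason)
```

On a real machine the listing would come from os.listdir on the System32 directory; the folding step is what exposes a file that looks identical to userinit.exe in Explorer.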

10 comments:

Badger said...

Hi,

This really helped me, went through another uninstall on bleepingcomputer.com but to no avail. I must say that ESET let this malware through :(

Anonymous said...

I picked up this malware when visiting www.goal.com (which is a soccer news website). I assume their server was unintentionally hosting this nasty infection. As reported by "Badger", ESET NOD32 popped up a few infection related messages but let the infection through.

As soon as I visited the goal.com website (Using Opera v11.01 browser) a Java 6 splash screen loaded and Internet security 2011 popped up and started to install itself. (I did not perform any action to cause this, it was totally automatic which is why these infections are so dangerous). My immediate reaction was to close the browser and look for a solution to this infection. I did not reboot my computer at this stage in case doing so might make matters worse.

I also tried a solution offered by Bleepingcomputer.com which involved the use of an application called "rkill". This solution was relatively ineffective.

Using google I then came across the solution here at http://www.deletemalware.blogspot.com and I am most grateful as it was possible to remove the malware by following the instructions posted here and running Malwarebytes antimalware afterwards. Thank you very much for this helpful article.

I would like to make a few comments which may help visitors to this page when following the procedure to remove this malware. My comments are as follows:

In the section dealing with registry key HKLM\System\CurrentControlSet\Services\Userinit my "Start" value was 2 (not 3 as stated in your instructions). I nevertheless changed this value to 4 as per your instructions and this seems to be OK.

I could only find one copy of the userinit.exe file in my C:\windows\system32 folder. This made sense to me as it is theoretically not possible to have two files carrying identical names in the same folder. However, later I became aware of another file which appeared to carry the name us?rinit.exe but carried the same datestamp as the legitimate file making it hard to find. This latter file was part of the malware infection although it can be difficult to find owing to the small but significant name difference.

Anyway, many thanks to the author who saved my bacon....

Nigel Winterbottom

Admin said...

Nigel, I am pleased to hear your problem has been fixed. Thank you very much for your kind words. I'm sure this will help other visitors as well.

Anonymous said...

Sir, I can't seem to find the other userinit.exe. What should I do?

Nigel Boss

Anonymous said...

I can't seem to find the file [cmz vmkd] Virtual Bus in system devices... please reply

Admin said...

Look for a virtual bus with another name, it's not necessarily [cmz vmkd]. Besides, the rogue program may come without a rootkit ([cmz vmkd]), which makes the removal procedure easier.

Anonymous said...

I can't find the userinit.exe? Where is the us?rinit.exe?

Anonymous said...

Same problem. I don't find the double userinit.exe. Only one authored by Windows. Do you have any idea?

Admin said...

I'm afraid I don't. Cybercriminals have probably changed the way this malware runs on the infected computer. If you can't find the double userinit.exe then just skip that part. And scan your computer with Hitman Pro. Good luck!

Nigel Winterbottom said...

I might be mistaken but I seem to recollect using a Command Prompt window to locate the double userinit.exe

In XP you can find the command prompt using the start menu in Programs, Accessories

dir /s C:\u*init.exe

Note to Admin

Your blog should carry an about section showing at least a fictitious name (say Dragonslayer or similar). That way we could easily reference you as a "White Hat" deserving some luv... which is well earned.

Nigel Winterbottom