
Internet Security 2010 (is2010) Malware

Created: 19 Jan 2010 • Updated: 05 Sep 2010 | 16 comments

Is there a guide to harden the enterprise security policies that are deployed to managed client machines to avoid infections by this malware?  So far I've had 4 PCs that had SEP with the latest definitions be infected by this software after the user clicked on a false security warning while surfing and installed IS2010.exe on their machines.  After a reboot, it effectively took over the machine and would not allow scans or other software to run.

Thanks.


Rafeeq's picture

Refer to this discussion; you should be able to fix the issue:

https://www-secure.symantec.com/connect/forums/internet-security-2010
Block is2010.exe by using Application and Device Control:
How to configure Application Control in Symantec Endpoint Protection 11.0
http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/7049d06ba3c9e86f802573620054d9c2?OpenDocument

ray_psi's picture

IS2010 can be stopped using Run > msconfig > Startup tab: disable all, exit and restart. Then delete the folder for IS2010.exe under Program Files, then empty the trash bin.

The desktop will still be messed up. You have to use regedit to delete the disable regedit and disable taskman. Once you reboot you can do a system restore.

It will not let you run any virus scan, as most essential programmes have been disabled, including any virus scanners. I tried downloading a virus scanner but that was disabled also.

I was lucky I did a restore point the night before. Upon restore I was then able to do a virus scan that quarantined the virus.

I did a Google search on restoring desktop settings to find the files to restore the desktop. Once there in regedit I had seen disable regedit and taskman, whereupon I deleted 'em.

cha ching all better

Vikram Kumar-SAV to SEP's picture

This one says virusdoctor but it is for IS2010
https://www-secure.symantec.com/connect/forums/virusdoctor

Make sure you edit the userinit in the registry. 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ray_psi's picture

To edit, it's buried deep in HKEY_CURRENT_USER. At least to get taskman.exe back, I deleted the disable regedit and disable taskman under desktop and was able to do a restore. Before that, restore was disabled.
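
Added example, not part of any post in this thread: a read-only PowerShell check for the items the replies above describe (the settings that disable Task Manager and regedit, the Winlogon Userinit value, and startup entries naming IS2010). It assumes the "disable regedit" and "disable taskman" entries are the standard Windows policy values DisableRegistryTools and DisableTaskMgr, and that the startup entry sits in the standard Run keys.

```powershell
# Added triage example (not from the thread). Read-only: reports, changes nothing.
# Assumptions: "disable regedit"/"disable taskman" are the standard policy values
# DisableRegistryTools / DisableTaskMgr; the startup entry lives in a Run key.
$findings = @()
function Add-Finding($location, $name, $value) {
    New-Object PSObject -Property @{ Location = $location; Name = $name; Value = $value }
}

# 1. Policy values that lock out Task Manager and regedit
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings += Add-Finding $key $name $value
        }
    }
}

# 2. Winlogon Userinit: every comma-separated entry should be System32\userinit.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = (Get-ItemProperty -Path $winlogon).Userinit
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim()
    if ($entry -and $entry -ne $expected) {
        $findings += Add-Finding $winlogon 'Userinit' $entry
    }
}

# 3. Run-key startup entries (among those msconfig's Startup tab lists) naming IS2010
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $runKey = Get-Item -Path $key
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($data -match 'IS2010') { $findings += Add-Finding $key $name $data }
    }
}

if ($findings) {
    $findings | Format-Table Location, Name, Value -AutoSize -Wrap
} else {
    'No matching policy, Userinit or Run-key findings.'
}
```

Any Userinit entry it reports is only a candidate for review; compare it against a known-clean machine of the same Windows version before changing the value.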

Grant_Hall's picture

For future reference this is a good article to keep the threat from spreading:

How to create custom policies in SEPM to prevent a threat from spreading

Http://service1.symantec.com/SUPPORT/ent-security....

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

fzaleta's picture

Safe mode has worked for me.  But the most effective has been to use a previous restore point.  This gave me a bit of problems with the AV.  It was slowing the computer down to a crawl.  So I uninstalled and reinstalled it and it fixed it.

If restore points are not enabled on the machine, a combination of Malwarebytes and Spybot S&D did it for me.

ray_psi's picture

With this malware, IS2010.EXE, it disables regedit so system restore won't worky. Even in safe mode you can't do anything.

I got IS2010 just this morning; my virus scanner didn't catch it. Because IS2010.EXE was running I couldn't delete it. I used msconfig to disable it and it shut down on reboot, then I deleted it and emptied the trash.

buh bye IS2010.EXE

P_K_'s picture

Run a full scan on the machine in safe mode with the latest definitions.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

ray_psi's picture

IS2010.EXE disables any and all attempts to use a virus scanner, even with Windows in safe mode.

zeelimit@optonline.net's picture

IS 2010 took over my wife's machine and disabled Task Manager and Outlook Express (among other problems). It infected the machine notwithstanding that NIS 2009 was running with the latest updates. Doing a full scan did not help. NIS did not find the presence of any malicious software.

I was only able to get rid of it, by finding websites that instructed me to download free malware software. This found all of the instances of IS 2010 and removed it.

This is the second time this year that a machine of mine went down where NIS was no help.

Not very happy.

ray_psi's picture

Any time I went to a googled site to remove IS2010.EXE it blocked access to that page.

I found IS2010.EXE in msconfig under the Startup tab and I disabled it in msconfig; upon reboot IS2010 DID NOT install.  All the damage it did was still there.

You would still have to do a system restore even when the scanner found it.

RussC's picture

I just would like to know what we are paying for when the AV software still allows a system to be infected and won't even clean it. To top it off there are FREE programs that will clean it after the fact. I've had systems with up to date SEP defs and they still get infected with things like "Antivirus Soft" and "Internet Security 2010". I'm just getting tired of having to fix these so-called protected systems with SEP manually or with other software.

Vikram Kumar-SAV to SEP's picture

It's all the same with all software; no one is good and no one is bad. Don't go by the name: there would be hundreds of variants of Av2010 or Antivirus Soft, out of which any given AV vendor would catch 60-70%, and none of the AV vendors catch the same 60-70%.
So go for a long-term solution of submitting the files once rather than removing them every time.

https://submit.symantec.com/gold

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Grant_Hall's picture

 
@Russ: Here is the official Symantec position on your concerns:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not
http://service1.symantec.com/SUPPORT/ent-security....

Really what this boils down to is the fact that NO anti-virus software is 100% effective. The best thing you can do is to submit the files like Vikram has stated. That way future users won't get hit by the same strain you did. Even some of the tools you are describing like Malwarebytes or some of the other free "after the fact" options don't always clean a specific fake AV. However, if you submit the file you WILL get a rapid release that will eradicate the virus.

I hope this helps,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

riva11's picture

Thanks Grant for the interesting info (Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://service1.symantec.com/SUPPORT/ent-security.... )