
Antispyware Win 7 Analysis and Removal

by Shanmuga

Antispyware Win 7 is one of the recent rogue security programs installed by Trojan FakeRean. The trojan picks a name at random from a list each time it is installed. It uses the following names on Windows 7:

Win 7 Security, Win 7 Defender, Win 7 Defender Pro, Total Win 7 Security, Win 7 Smart Security 2010, Win 7 Internet Security, Win 7 Security Tool, Win 7 Antimalware, Antispyware Win 7.

Rogue security software such as Antispyware Win 7 belongs to a family of products that present themselves as antivirus, antispyware or registry-cleaner tools and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from your system immediately.


Antispyware Win 7 Scareware

Antispyware Win 7 executable

The trojan dropper identified as SHA1:91b06687c5ef5ce690e7e0048843c4ee0d27b692 was about 204288 bytes in size. It is detected by over 75% of the antivirus engines available at VirusTotal.

This trojan drops a file named “ave.exe”, with hidden and system attributes, in the “local” folder in the %appdata% folder. The file ave.exe in turn drops a file without an extension, named “y7V11”, in various system folders. You may need to enable “Show hidden files, folders and drives” and disable “Hide protected operating system files” in the Folder Options control panel to view these files.

The trojan modifies the Windows registry so that:

  • ave.exe is executed whenever a .exe file is run. This is a devious way to start with Windows and to restart the trojan if it is killed via Task Manager.
  • Internet Explorer is set as the default browser, and the trojan starts whenever IE is started.
  • Internet Explorer is hijacked to display a fake security alert when run.
  • A fake Windows Action Center is created and genuine Windows Action Center alerts are suppressed.
  • Windows Firewall is disabled.

Antispyware Win 7 Aliases

This scareware is known by the following aliases:

  • Win32/FakeRean
  • Trojan.Fraudpack.Gen!Pac.5
  • OScope.Trojan.0216
  • Mal/FakeAV-BT
  • Win32/Kryptik.DBC
  • Trojan.Win32.FraudPack.aovc
  • W32/FraudPack.fam!tr
  • W32/FakeSec.B.gen!Eldorado
  • Cryptic.BG
  • Win32:MalOb-AL
  • Win-Trojan/Xema.variant
  • Trojan.Win32.FakeAV!IK

Typical Antispyware Win 7 Scare Messages

Stealth intrusion! Infection detected in the background! Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

ALERT! System scan for spyware, adware, trojans and viruses is complete. Detected critical system objects. These security breaches may be exploited and lead to the following: Your system becomes a target for spam and bulky, intruding ads. Browser crashes frequently and web access speed decreases. Your personal files, photos, documents and passwords get stolen. Your computer is used for criminal activity behind your back. Bank details and credit card information gets disclosed.

Privacy threat! Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Threat detected! Security alert! Your computer was found to be infected with privacy-threatening software. Private data may get stolen and system damage may be severe. Recover your PC from the infection right now, perform a security scan.

Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.


Antispyware Win 7 - Fake Windows Action Center

Antispyware Win 7 Associated Files and Folders

  • C:\ProgramData\y7V11
  • C:\Users\All Users\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\ave.exe
  • C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\y7V11
  • C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11

Some of the file names may be randomly generated. The term “malwarehelp_org” in the above entries denotes the name of the Windows user account on the test machine.

Antispyware Win 7 Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Users\malwarehelp_org\AppData\Local\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”

The term “malwarehelp_org” in the above entries denotes the name of the Windows user account on the test machine.
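The .exe association and StartMenuInternet changes listed above can be checked offline from a registry export. The following is an added example, not part of the original article or its fix file: it parses `reg export` text and flags a redirected `.exe` ProgID, non-default handlers for the affected classes, and a browser launch command that runs a binary from AppData. The sample export is constructed; the `secfile` command value and all function names are assumptions.

```python
import re
# Constructed sample (reg export text); the secfile command value is an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\malwarehelp_org\\AppData\\Local\\ave.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\malwarehelp_org\\AppData\\Local\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''
CLASS_ROOTS = ("hkey_current_user\\software\\classes\\", "hkey_classes_root\\",
               "hkey_local_machine\\software\\classes\\")
SAFE_COMMAND = '"%1" %*'  # stock Windows open/runas handler for exefile

def parse_defaults(text):
    """Map lower-cased key path -> unescaped default (@) REG_SZ value."""
    defaults, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.fullmatch(r'@="((?:[^"\\]|\\.)*)"', line)
        if m and key:
            defaults[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults

def find_hijacks(text):
    """Return sorted (key, reason) pairs for .exe-handler and browser-launch tampering."""
    defaults = parse_defaults(text)
    rel = {k: k[len(r):] for k in defaults for r in CLASS_ROOTS if k.startswith(r)}
    classes, findings = {".exe", "exefile"}, []
    for key, sub in rel.items():  # 1. .exe pointed at a ProgID other than exefile
        if sub == ".exe" and defaults[key].lower() != "exefile":
            classes.add(defaults[key].lower())
            findings.append((key, "exe-progid-redirected"))
    for key, sub in rel.items():  # 2. handlers of those classes that are not the default
        m = re.fullmatch(r"([^\\]+)\\shell\\[^\\]+\\command", sub)
        if m and m.group(1) in classes and defaults[key] != SAFE_COMMAND:
            findings.append((key, "handler-not-default"))
    for key, value in defaults.items():  # 3. browser started through a profile binary
        if "\\clients\\startmenuinternet\\" in key and key.endswith("\\shell\\open\\command"):
            exe = re.match(r'"([^"]+)"|(\S+)', value)
            if exe and "\\appdata\\" in (exe.group(1) or exe.group(2)).lower():
                findings.append((key, "browser-launcher-in-appdata"))
    return sorted(findings)

if __name__ == "__main__":
    print(*find_hijacks(SAMPLE_EXPORT), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text in; values stored as `hex(2):` (REG_EXPAND_SZ) are not parsed by this sketch.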

Antispyware Win 7 Associated Domains

This scareware was observed accessing the following domains during installation and operation:


Note: Visiting the domains mentioned above may harm your computer system.

Antispyware Win 7 Removal (How to remove Antispyware Win 7)

When the rogue is removed improperly, the leftover registry entries break the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

  1. Right-click and save the registry file trojan_fakerean_exe_fix.reg; make sure that you save the file with a .reg extension.
  2. MalwareBytes’s Anti-Malware
  3. CCleaner Slim version

Then proceed as follows:

  • Double-click the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on.
  • Install CCleaner Slim version, then scan and clean the temporary files with it.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antispyware Win 7 Scareware — Video

Note: The Antispyware Win 7 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Flo November 25, 2010 at 10:51 PM

Great article. Did a great job and I got rid of this fu(/§& malware.
Thanks a lot.


hollow2020 March 18, 2011 at 11:55 AM

This software infected my computer and will screw it up. It is ALSO SCAM SOFTWARE!!!!!!

Its installation file name is: null0.07186429268096617



dum bass March 26, 2011 at 10:33 PM

Uhm, it's also spread via spam to my e-mail. Let's hope it works 8_8 for luck :)


PN April 26, 2011 at 12:56 AM

This was great help! Thankyou thankyou thankyou!!


p*ssed April 26, 2011 at 11:48 AM

thank you. it got rid of the malware and spyware.


gq May 14, 2011 at 5:20 PM

Article says: “When removed improperly, the left over registry entries messes up the opening of .exe files.”

How do we fix this problem?


gq May 14, 2011 at 5:22 PM

if the virus is removed improperly, how do we fix the exe problem?


Shanmuga May 14, 2011 at 6:29 PM

You can fix the .exe problem by running a registry fix. I quote from the above article:

“Right click and save the registry file trojan_fakerean_exe_fix.reg, make sure that you are saving the file with a .reg extension……Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.”

Rob May 15, 2011 at 1:50 AM

My wife’s cousin’s computer got infected with the Win7 Antispyware trojan. She was able to get rid of the infection using SuperAntispyware Portable, then running a system restore to repair the .exe problem.


Anne May 19, 2011 at 2:53 AM

I have tried the steps outlined here and still have trouble with the registry fix. I’ve saved the file with a .reg extension but nothing happens, just a text file opens. I’ve even tried dragging it into regedit but nothing happens, I get an error that it can’t find the file? Tried importing it into regedit but it doesn’t see the file in the file system even tho I’ve double checked it’s a .reg extension…. I’m running Windows 7 not XP. Any other suggestions for dealing with the registry fix? Good job I’ve got a 2nd computer to browse the internet for help otherwise I’d be hooped.
Thanks a lot


Aaron June 6, 2011 at 1:18 PM

Thanks for the file and reg information. I removed it by hand with the help of a second computer.

A few more tips:
0) The virus might have different versions. As in mine, the exe and data file names are irh.exe and w750dc15gj4lahb7v3a. They put them in my admin/AppData.
1) Clean up the reg to stop the exe from running and reboot.
Using a second machine would help you restore the key registry like classes/.exe, classes/exefile and /clients/startmenuinternet.
2) Remove those files and then reboot. Your machine should be back free of it.


B June 7, 2011 at 12:28 AM

Worked as advertised, sound advice!


Tai June 13, 2011 at 4:48 PM


Go in to your folder options and UNTICK the box that hides known file extensions.
The txt file will have .txt at the end of it like mine did, you can then delete this so the file ends in .reg and you'll be able to do this without a problem :)



Jack June 17, 2011 at 2:13 AM

thanks this helped a lot my computer is running faster than ever


random person June 22, 2011 at 7:45 PM

thank u so much i dont even know how i got the virus but this fixed it


Willow June 28, 2011 at 4:33 AM

I am SOOOO upset that my Norton did not catch or prevent it! And when I called they wanted an ADDITIONAL $99 to remove it. Thank you for the fix! It worked perfectly!


Daughter's Hero August 22, 2011 at 9:08 AM

Thank you so much SHANMUGA! It’s great that there’s Good people like you out there in the world to help us fight off Bad people of the world who create these major annoyances to begin with. Your solution worked perfectly, and now I’m my daughter’s hero for rescuing her infected laptop.


Jen December 11, 2011 at 4:31 AM

This worked to remove the trojan. Everything seems to be working fine, except my internet. Internet Explorer says “Navigation to the webpage was canceled” and Opera says “Could not connect to proxy server. Acess denied.” What should I do to fix this?


This Trojan Blows January 2, 2012 at 9:06 PM

Nice article, I got rid of this trojan by scanning a file with my anti-virus software. Apparently there was a flaw in the program as the trojan let me open up the software. Once that occurred, I simply cleaned my computer. Just another thing to try.

