
Total Win 7 Security Analysis and Removal

by Shanmuga

Total Win 7 Security is one of the recent rogue security programs installed by the trojan FakeRean. The trojan picks a name at random from a list each time it is installed. On Windows 7 it uses the following names:

Win 7 Security, Win 7 Defender, Win 7 Defender Pro, Total Win 7 Security, Win 7 Smart Security 2010, Win 7 Internet Security, Win 7 Security Tool, Win 7 Antimalware, Antispyware Win 7.

Rogue security software such as Total Win 7 Security belongs to a family of products that present themselves as antivirus, antispyware or registry-cleaning tools and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from the system immediately.


Total Win 7 Security executable

The trojan dropper identified as SHA1:91b06687c5ef5ce690e7e0048843c4ee0d27b692 was about 204288 bytes in size. It is detected by over 75% of the antivirus engines available at VirusTotal.

This trojan drops a file named “ave.exe”, with hidden and system attributes, in the “Local” folder under the %appdata% folder. The file ave.exe in turn drops an extensionless file named “y7V11” in various system folders. To view these files you may need to enable “Show hidden files, folders and drives” and disable “Hide protected operating system files” in the Folder Options control panel.

The trojan modifies the Windows registry so that:

  • ave.exe is executed whenever a .exe file is run. It’s a devious way to start with Windows and to restart the trojan if it is killed via Task Manager.
  • Internet Explorer is set as the default browser, and the trojan sets itself to start whenever IE is started.
  • Internet Explorer is hijacked to display a fake security alert when run.
  • A fake Windows Action Center is created and genuine Windows Action Center alerts are suppressed.
  • Windows Firewall is disabled.

Total Win 7 Security Aliases

This scareware is known by the following aliases:

  • Win32/FakeRean
  • Trojan.Fraudpack.Gen!Pac.5
  • OScope.Trojan.0216
  • Mal/FakeAV-BT
  • Win32/Kryptik.DBC
  • Trojan.Win32.FraudPack.aovc
  • W32/FraudPack.fam!tr
  • W32/FakeSec.B.gen!Eldorado
  • Cryptic.BG
  • Win32:MalOb-AL
  • Win-Trojan/Xema.variant
  • Trojan.Win32.FakeAV!IK

Typical Total Win 7 Security Scare Messages

Stealth intrusion! Infection detected in the background! Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

ALERT! System scan for spyware, adware, trojans and viruses is complete. Detected critical system objects. These security breaches may be exploited and lead to the following: Your system becomes a target for spam and bulky, intruding ads. Browser crashes frequently and web access speed decreases. Your personal files, photos, documents and passwords get stolen. Your computer is used for criminal activity behind your back. Bank details and credit card information gets disclosed.

Privacy threat! Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Threat detected! Security alert! Your computer was found to be infected with privacy-threatening software. Private data may get stolen and system damage may be severe. Recover your PC from the infection right now, perform a security scan.

Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.

Total Win 7 Security Associated Files and Folders

  • C:\ProgramData\y7V11
  • C:\Users\All Users\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\ave.exe
  • C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\y7V11
  • C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11

Some of the file names may be randomly generated. The term “malwarehelp_org” in the above entries denotes the name of the Windows user account on the test machine.

Total Win 7 Security Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Users\malwarehelp_org\AppData\Local\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”

The term “malwarehelp_org” in the above entries denotes the name of the Windows user account on the test machine.
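
The following Python check is an added example, not part of the original article: it parses a registry export and reports the two changes described above, a hijacked .exe open command and a wrapped Internet Explorer start command. The sample export is constructed; the `secfile` default value for `.exe` and the user name `user` are assumptions, while `ave.exe` and `/START` come from the entries listed here.

```python
import re

# Constructed regedit-style export modelled on the keys listed in this article.
# Assumptions: ".exe" is repointed to "secfile"; "user" is a placeholder account.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

def parse_defaults(text):
    """Map each key to its default (@) string value, undoing .reg escaping."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values

def program(cmd):
    """First token of a command line: a quoted string or a bare word."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)
    return next((g for g in m.groups() if g is not None), "") if m else ""

def audit(values):
    """Return (key, reason) pairs for hijacked .exe handlers and wrapped browsers."""
    # Classes that decide how .exe opens: the extension key and whatever it points to.
    classes = {".exe", "exefile"} | {v.lower() for k, v in values.items()
                                     if k.lower().endswith("\\.exe")}
    findings = []
    for key, cmd in values.items():
        m = re.search(r"\\([^\\]+)\\shell\\[^\\]+\\command$", key, re.I)
        if not m:
            continue
        wrapped = len(re.findall(r"\.exe\b", cmd, re.I)) > 1  # heuristic: launcher + browser
        if m.group(1).lower() in classes and program(cmd) != "%1":
            findings.append((key, "exe handler runs " + program(cmd)))
        elif "\\clients\\startmenuinternet\\" in key.lower() and wrapped:
            findings.append((key, "browser wrapped by " + program(cmd)))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_defaults(SAMPLE_REG)):
        print(reason, "<-", key)
```

Real regedit exports are UTF-16 encoded, so decode the file before passing its text to `parse_defaults`.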

Total Win 7 Security Associated Domains

This scareware was observed accessing the following domains during installation and operation:


Note: Visiting the domains mentioned above may harm your computer system.

Total Win 7 Security Removal (How to remove Total Win 7 Security)

When the scareware is removed improperly, the leftover registry entries break the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

  1. Right click and save the registry file trojan_fakerean_exe_fix.reg. Make sure that you are saving the file with a .reg extension.
  2. MalwareBytes’s Anti-Malware
  3. CCleaner Slim version
  • Double click to run the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on
  • Install, scan and clean the temporary files with CCleaner Slim version.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.


Note: The Total Win 7 Security installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Charles March 22, 2011 at 3:50 AM

Guys at this website.. Thank you so much for having information that helped me rid my system of this bad Total Win 7 Security virus


Cindy March 28, 2011 at 7:43 PM

Thank you so much!!!! It worked!


Clean April 2, 2011 at 9:20 AM

Works perfectly! Thanks very much!


Todd April 22, 2011 at 9:36 PM

Downloaded and applied the registry fix and was able to get rid of this malware – THANKS


Robert May 10, 2011 at 7:25 AM

Thanks for this post, mate!


Leigh May 15, 2011 at 4:02 AM

Never normally leave comments, but this worked perfectly, and had tried so many other options! thank you


kristine May 18, 2011 at 3:44 AM

Thank you! It worked! I got rid of it! Thank you!!
The computer world is a better place with people like you!!!!! =D


shane May 19, 2011 at 4:32 AM

Thank you, it worked perfectly.

However what do I need to do to ensure it doesn’t happen again?

I’m very disappointed my Anti-Virus didn’t stop my computer being infested with this malware.


Baadpat May 28, 2011 at 8:57 PM

The fix above worked great, no more popups with Win 7 Security but…
Now I do not have IE on the infected PC and cannot get to the internet to download and fix.


