Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Win 7 Defender Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Win 7 Defender is one of the recent rogue security software being installed by Trojan FakeRean. This trojan chooses randomly from a list of names each time it is installed. It has the following list of names for Windows 7:

Win 7 Security, Win 7 Defender, Win 7 Defender Pro, Total Win 7 Security, Win 7 Smart Security 2010, Win 7 Internet Security, Win 7 Security Tool, Win 7 Antimalware, Antispyware Win 7.

A rogue security software such as Win 7 Defender belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. They need to be removed immediately from your system.

Win 7 Defender 590x394 Win 7 Defender Analysis and Removal

Win 7 Defender Scareware

Win 7 Defender executable

The trojan dropper identified as SHA1:91b06687c5ef5ce690e7e0048843c4ee0d27b692 was about 204288 bytes in size. It is detected by over 75% of the antivirus engines available at VirusTotal.

This trojan drops a file named “ave.exe” with hidden and system attributes in the “local” folder in %appdata% folder. The file ave.exe in turn drops a file without extension named “y7V11” in various system folders. You may need to enable “Show hidden files, folders and drives” and disable “hide protected operating system files” in Folder Options control panel to view these files.

The trojan modifies the Windows registry so that:

  • ave.exe is executed whenever a .exe file is run, it’s a devious way to start with Windows and restart the trojan if it is killed via Task Manager.
  • Sets Internet Explorer as the default browser and sets itself to start whenever IE is started.
  • Hijacks Internet Explorer to display a fake security alert when run.
  • Creates fake Windows Action Center and suppresses genuine Windows Action Center alerts.
  • Disables Windows Firewall

Win 7 Defender Aliases

This scareware is known by the following aliases:

  • Win32/FakeRean
  • Trojan.Fraudpack.Gen!Pac.5
  • OScope.Trojan.0216
  • Mal/FakeAV-BT
  • Win32/Kryptik.DBC
  • Trojan.Win32.FraudPack.aovc
  • W32/FraudPack.fam!tr
  • W32/FakeSec.B.gen!Eldorado
  • Cryptic.BG
  • Win32:MalOb-AL
  • Win-Trojan/Xema.variant
  • Trojan.Win32.FakeAV!IK

Typical Win 7 Defender Scare Messages

Stealth intrusion! Infection detected in the background! Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

ALERT! System scan for spyware, adware, trojans and viruses is complete. Detected critical system objects. These security breaches may be exploited and lead to the following: Your system becomes a target for spam and bulky, intruding ads. Browser crashes frequently and web access speed decreases. Your personal files, photos, documents and passwords get stolen. Your computer is used for criminal activity behind your back. Bank details and credit card information gets disclosed.

Privacy threat! Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Threat detected! Security alert! Your computer was found to be infected with privacy-threatening software. Private data may get stolen and system damage may be severe. Recover your PC from the infection right now, perform a security scan.

Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.

Win 7 defender fake action center 590x294 Win 7 Defender Analysis and Removal

Win 7 Defender Fake Windows Action Center

Win 7 Defender Associated Files and Folders

  • C:\ProgramData\y7V11
  • C:\Users\All Users\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\ave.exe
  • C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\y7V11
  • C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11

Some of the file names may be randomly generated. The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

Win 7 Defender Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Users\malwarehelp_org\AppData\Local\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”

The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

Win 7 Defender Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • pc-livecare.com
  • live-pccare.com
  • windows-live-care.com
  • win-live-care2010.com
  • live-pc-care.com
  • one-care-antivirus.com
  • onecare-antivirus2010.com
  • winlive-care21.com
  • antivirus-one-care2010.com
  • securitypccare.com
  • win-live-care.com
  • pc-livecare2010.com
  • security-pccare.com
  • cavertunelo.com

Note: Visiting the domains mentioned above may harm your computer system.

Win 7 Defender Removal (How to remove Win 7 Defender)

When removed improperly, the left over registry entries messes up the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

  1. Right click and save the registry file trojan_fakerean_exe_fix.reg, make sure that you are saving the file with a .reg extension.
  2. MalwareBytes’s Anti-Malware
  3. CCleaner Slim version
  • Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  • Turn System Restore off and on
  • Install, scan and clean the temporary files with CCleaner Slim version.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Win 7 Defender Scareware — Video

Note: The Win 7 Defender installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.



{ 4 comments… read them below or add one }

romeske March 24, 2011 at 3:47 AM

Thank you, my girlfriend had this virus and I got rid of it this way.

Reply

Bill April 26, 2011 at 7:38 AM

Thanks man! it took about 2 1/2 hours but I followed you procedure and it got rid of that nasty win 7 defender, it came from some game manager my son downloaded. the computer was an HP and running on Windows 7. just curious why avast! did not pick it up? Thanks again

bill

Reply

Josh August 8, 2011 at 5:37 AM

I have this same problem on my computer. This has helped a lot towards fixing it, though I haven’t fixed it yet. Avast! isnt getting it, either. I wonder why?

Reply

Tanesha T January 4, 2012 at 5:27 AM

Thanks so much for this. I liked to have had a heart attack and i searched for something to clean this virus up, found this website, followed the directions and now its gone. Thanks so much!!!!!

Reply

Leave a Comment