
Win 7 Security Analysis and Removal

by Shanmuga

Win 7 Security is one of the recent rogue security programs installed by Trojan FakeRean. The trojan picks a name at random from a list each time it is installed. On Windows 7 it uses the following names:

Win 7 Security, Win 7 Defender, Win 7 Defender Pro, Total Win 7 Security, Win 7 Smart Security 2010, Win 7 Internet Security, Win 7 Security Tool, Win 7 Antimalware, Antispyware Win 7.

Rogue security software such as Win 7 Security belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; many of them instead add malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from your system immediately.


Win 7 Security Scareware

Win 7 Security executable

The trojan dropper identified as SHA1:91b06687c5ef5ce690e7e0048843c4ee0d27b692 was about 204288 bytes in size. It is detected by over 75% of the antivirus engines available at VirusTotal.

This trojan drops a file named “ave.exe”, with the hidden and system attributes set, in the “Local” folder under the user's AppData folder. ave.exe in turn drops an extensionless file named “y7V11” in various system folders. To view these files you may need to enable “Show hidden files, folders and drives” and disable “Hide protected operating system files” in the Folder Options control panel.

The trojan modifies the Windows registry so that:

  • ave.exe is executed whenever a .exe file is run. This is a devious way to start with Windows and to restart the trojan if it is killed via Task Manager.
  • Internet Explorer is set as the default browser, and the trojan starts whenever IE is started.
  • Internet Explorer is hijacked to display a fake security alert when run.
  • A fake Windows Action Center is created and genuine Windows Action Center alerts are suppressed.
  • Windows Firewall is disabled.

Win 7 Security Aliases

This scareware is known by the following aliases:

  • Win32/FakeRean
  • Trojan.Fraudpack.Gen!Pac.5
  • OScope.Trojan.0216
  • Mal/FakeAV-BT
  • Win32/Kryptik.DBC
  • Trojan.Win32.FraudPack.aovc
  • W32/FraudPack.fam!tr
  • W32/FakeSec.B.gen!Eldorado
  • Cryptic.BG
  • Win32:MalOb-AL
  • Win-Trojan/Xema.variant
  • Trojan.Win32.FakeAV!IK

Typical Win 7 Security Scare Messages

Stealth intrusion! Infection detected in the background! Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

ALERT! System scan for spyware, adware, trojans and viruses is complete. Detected critical system objects. These security breaches may be exploited and lead to the following: Your system becomes a target for spam and bulky, intruding ads. Browser crashes frequently and web access speed decreases. Your personal files, photos, documents and passwords get stolen. Your computer is used for criminal activity behind your back. Bank details and credit card information gets disclosed.

Privacy threat! Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Threat detected! Security alert! Your computer was found to be infected with privacy-threatening software. Private data may get stolen and system damage may be severe. Recover your PC from the infection right now, perform a security scan.

Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.


Win 7 Security Fake Action Center

Win 7 Security Associated Files and Folders

  • C:\ProgramData\y7V11
  • C:\Users\All Users\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\ave.exe
  • C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11
  • C:\Users\malwarehelp_org\AppData\Local\y7V11
  • C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11

Some of the file names may be randomly generated. The name malwarehelp_org in the above entries is the Windows user account on the test machine.

Win 7 Security Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Users\malwarehelp_org\AppData\Local\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”

The name malwarehelp_org in the above entries is the Windows user account on the test machine.
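A check for the .exe association and Internet Explorer client hijack described above, as an added example that is not part of the original article: it parses the text of a `reg export` and flags default values that route launches through another program. The sample export, the user name `user` and the `secfile` command data are constructed for illustration, modelled on the keys listed above.

```python
import re

# Constructed `reg export` text modelled on the keys listed in the article;
# the user name and command data are illustrative, not captured from a host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

HKCU_CLASSES = r"hkey_current_user\software\classes"
IE_CLIENT = r"hkey_local_machine\software\clients\startmenuinternet\iexplore.exe\shell\open\command"

def default_values(reg_text):
    """Map each key path (lower-cased) to its default (@) string value."""
    values, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg text escapes backslash and double quote with a backslash
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values

def launched_program(command):
    """First token of a command line, lower-cased, surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()

def find_hijacks(reg_text):
    """Return (key, value) pairs that redirect .exe launches or the IE client."""
    vals, findings = default_values(reg_text), []
    progid = vals.get(HKCU_CLASSES + r"\.exe")
    if progid is not None:
        # A per-user .exe class overrides the machine-wide "exefile" association.
        if progid.lower() != "exefile":
            findings.append((HKCU_CLASSES + r"\.exe", progid))
        for owner in (".exe", progid.lower()):
            for verb in ("open", "runas", "start"):
                key = "\\".join((HKCU_CLASSES, owner, "shell", verb, "command"))
                cmd = vals.get(key)
                # The stock handler is '"%1" %*': the clicked file runs itself.
                if cmd is not None and launched_program(cmd) != "%1":
                    findings.append((key, cmd))
    ie_cmd = vals.get(IE_CLIENT)
    if ie_cmd is not None and not launched_program(ie_cmd).endswith("\\iexplore.exe"):
        findings.append((IE_CLIENT, ie_cmd))
    return findings

if __name__ == "__main__":
    for key, value in find_hijacks(SAMPLE_EXPORT):
        print(f"SUSPICIOUS {key} -> {value}")
```

Files written by `reg export` are UTF-16 text, so read them with `encoding="utf-16"` before passing the contents to `find_hijacks`.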

Win 7 Security Associated Domains

This scareware was observed accessing the following domains during installation and operation:

Note: Visiting the domains mentioned above may harm your computer system.

Win 7 Security Removal (How to remove Win 7 Security)

When the scareware is removed improperly, the leftover registry entries break the opening of .exe files.

Use an alternate browser like Chrome to download the following, or use a removable drive to transfer them to the affected computer:

  1. Right click and save the registry file trojan_fakerean_exe_fix.reg; make sure that you are saving the file with a .reg extension.
  2. Malwarebytes’ Anti-Malware
  3. CCleaner Slim version

Then carry out these steps:

  • Double click to run the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Install and run Malwarebytes’ Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on.
  • Install CCleaner Slim version, then scan for and clean the temporary files with it.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.


Note: The Win 7 Security installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


juan huerta March 28, 2010 at 3:25 AM

hi i have this virus how can i remove it juan thxxx hope u reply fast thxxxxx

Reply

Anonymous April 4, 2010 at 8:21 AM

You can actually access a program while the virus is on the computer without it starting up again by searching for the program in the start button and right clicking “run as administrator” (this is for windows 7)

Reply

Anonymous April 27, 2011 at 10:27 PM

Excellent……..I used your suggestion and was allowed my system restore…..and voila….bug be gone…thx much

scott pike February 22, 2011 at 11:08 PM

Thank you for this post it works.

Reply

Anonymous March 5, 2011 at 5:15 PM

I accidentally had my antivirus off for performance while running a game and got stricken with this after realizing I hadn’t restarted my antivirus.

Hopefully this information works… thanks for the help!

Reply

Asim March 16, 2011 at 7:42 PM

Excellent. It worked very very very well…thank you dear

Reply

Dan March 19, 2011 at 10:33 PM

seems overwhelming at first, but it worked perfectly……..it’s really not too bad, the worst part was waiting for malwarebytes to scan. it took about 30 min on my machine.

Reply

Pierre March 23, 2011 at 8:44 AM

great Worked like a charm

Reply

Luc March 24, 2011 at 10:35 AM

This virus now also uses the names tyf.exe and onh.exe
I found both these files were being launched every time I opened any program, and the stupid Win 7 Security window came up. Went through and deleted all the files manually as listed above (including the registry edits).

All good now =)

Reply

val March 29, 2011 at 12:42 AM

Thank you so very much. These steps just made me look very smart in front of a desperate client. Thanks again.

Reply

Oscar March 29, 2011 at 10:38 AM

Thanks! It Really Worked!

Reply

xainjeff March 29, 2011 at 1:47 PM

thanks! worked perfectly

Reply

Bob April 1, 2011 at 6:37 AM

Works extremely well!

Thanks!

Reply

Monkey April 1, 2011 at 8:03 AM

Hi, did follow this but looks like Win 7 too much damage in the time of repair and ended up corrupting my stuff, and my recovery disk doesn’t work. Good instructions, as worked well on my friend’s computer.

Reply

Mona April 1, 2011 at 8:41 AM

Thanks a lot! problem solved!

Reply

Mona April 1, 2011 at 8:42 AM

Thanks a lot for saving hours of my time!

Reply

Joseph April 1, 2011 at 11:06 PM

Dude you are sooooo amazing! I was so worried that my computer was about to be messed up for life until I stumbled on this page. And best of all it took little to no time to do!!!!!!!!!!!!

Reply

Anonymous April 2, 2011 at 11:59 PM

Niccceee, it worked!!! You’re a computer genius!!! You should change your name to the virus puncher!

Reply

Lisa H April 3, 2011 at 9:46 AM

Thank you so much for this, worked great for my laptop.

Reply

Dimzin April 4, 2011 at 1:23 AM

T.Y.V.M for the step by step fix for this DISGUSTING infection.
I tried unsuccessfully to remove this manually and totally hooped one of my favourite machines (BSOD every time I got to the desktop). It would only boot into safe mode. I finally got MS Security Essentials to do a complete scan in safe mode and managed to log in afterwards w/an admin account. After that I found your page w/another machine and have been following the process step by step. So far so good, MBAWM is currently doing its job and found 9 infections thus far. I sooooo thought I was going to have to completely re-install and lose almost a year’s worth of tweaking/re-tweaking on my machine.
Will repost w/an update when I’m rid of this evil.

Reply

Faisal April 6, 2011 at 12:51 AM

Thank u very much for the help …..

i really freaked out when i found out that this is fake

but now i am good and i was almost going to format my computer but now i am good

love u :)

Reply

chitra April 8, 2011 at 9:20 PM

thank u so yar:):):)made my day….

Reply

Vellinga April 9, 2011 at 7:31 PM

Hero!

Reply

James Pecke April 10, 2011 at 11:14 AM

Thanks. Got the virus right out of my computer. Took most of the day to do it, though (a lot of it spent finding this website), but now the virus is gone. You saved me from having to restore my system. Glad that’s over, I’m gonna warn my friends about this now.

Reply

Judy April 10, 2011 at 1:18 PM

This worked for me, after a lot of fiddling:
Firstly, DON’T AGREE to anything it wants you to do. Just keep closing all the windows as they pop up.
1. Ctrl-Alt-Delete, Processes tab. Locate the suspicious three letter .exe file (mine was gnx), select it and End Task. This stops it running but it is still in your system. However you should now be able to find it in a search.
2. Open Windows Explorer (right-click Start button and do it this way if it won’t let you do it the normal way), search for the file, and DELETE it. Shift-Delete will remove it completely without sending it to Recycle Bin.
3. Restart. You won’t be able to open several files as your registry is stuffed. Right-clicking and Open as Administrator helps.
4. Do a System Restore to a date before the virus came in. Start, Accessories, System Restore. You might need to right click and Run as Administrator.
5. Restart. It should all be OK now. DON’T open suspicious email attachments again!

Reply

Anonymous April 11, 2011 at 1:08 AM

I don’t understand step one

Reply

Judy April 12, 2011 at 11:25 AM

Probably missed a step.
Ctrl-Alt-Delete, Task Manager, Processes tab.

malwaresinner April 11, 2011 at 3:10 AM

Wahoo! You guys are the best! I should pay you.

Thanks a ton. Got my computer and internet back!

Reply

James Pecke April 13, 2011 at 4:30 AM

Okay, I have a follow-up on my previous comment. While this tutorial does reverse most of the effects of the virus, I’m finding that the virus is never really removed from my system. It has been coming back every day now and it’s honestly getting pretty annoying. Do you have any advice for a more permanent removal of this virus?

Reply

Heidi April 23, 2011 at 10:36 AM

This worked!!!! Everything is free!!!

Reply

Mike April 26, 2011 at 12:46 AM

@James Pecke… it may be coming back due to the cloned files it creates in your system area or in one of your “Application Data” directories. I initially had the same problem. The file names of the clones are just a string of random characters without extension like “ASJKDJJDUENBDJ”. If you or Malwarebytes doesn’t get all of these AND the registry entries aren’t deleted it may come back. First, run the instructions above to the letter… especially saving and double clicking the .reg file above. When I ran “Malwarebytes” I noticed all of the files it deleted, and the directories it deleted them from. I went to those directories and looked for a file with random letters without extensions that had the same file date and time and deleted it. Then I ran a search for that filename and found one more copy in an “application data” directory and deleted that too. Then I ran CCleaner (free download) to clean out any temp files/cached files, then ran CCleaner’s Registry scan and it found the orphaned registry entries now that the cloned files were gone and deleted them. As a final bit of insurance I ran a FULL Malwarebytes scan again, then let it reboot. Problem solved. Some steps seem redundant, but it worked for me.

Pony

Reply

vthe April 28, 2011 at 5:08 AM

can somebody help me out, I have done both the first steps in safe mode which are:
■Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
■Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.

the problem with me is that I cannot access properties in computer (Windows 7) in order to be able to restore the system off and on

could anybody help me?

thanks

Reply

anon May 3, 2011 at 8:43 AM

Thank you so much for your help!!!!

Reply

Jameela Pruden May 11, 2011 at 4:11 AM

Thank you so very much for real! You saved my computer! I can’t believe it really worked! Thank you thank you thank you!!!

Reply

anonymous May 15, 2011 at 10:18 AM

THANK YOU SO MUCH!!! I was crying ’cause I thought my computer was broken and I’d need to get another. Thank you for fixing it.

Reply

Adnan May 16, 2011 at 9:21 PM

It really worked, Thanks for best way of presentation, easy to read and easy to install. Appreciate it

Reply

Racerchick May 17, 2011 at 10:15 PM

JUST called SONY Tech Support as I got this virus on my computer thirty minutes ago. My warranty was expired but they said that even warranties don’t cover viruses and wanted to charge me $129.18 to get it fixed! I just did a system restore but if this malware pops up again I’ll be sure to use this method as it seems it works for a lot of people! Just don’t pay ridiculous amounts of money for no reason is my basic message. Enjoy all!

Reply

Zteve May 20, 2011 at 12:45 AM

Thank you, this worked, and CCleaner is doing wonders for my computer as well!

Reply

samuel May 28, 2011 at 9:41 PM

Great stuff – just helped a customer with your instructions. Cheers

Reply

this is too easy May 29, 2011 at 8:59 AM

it’s not hard, just open Task Manager and kill the (random 3 letters).exe and run your antivirus, it should detect the reg files and delete them easily, and if u don’t have an antivirus you are stupid, who has an unprotected computer, a free antivirus from Microsoft, they’re legit

Reply

Susan June 2, 2011 at 12:03 AM

Thank you so much for this tutorial. I will be blogging about it soon. You saved my computer. I have already lost one computer to this terrible virus last year.

Susan

Reply

Susan June 2, 2011 at 12:04 AM

Thank you. I plan to blog about this and link you in the near future.

Reply

Daz June 21, 2011 at 10:10 PM

Thank you so much, this guide was really helpful in removing this nasty virus.

Reply

rfchil July 27, 2011 at 10:53 AM

very helpful, thanks

Reply

calwright December 12, 2011 at 12:52 AM

This was the most easy, clear, concise steps to remove this virus. My sincerest appreciation.

Reply

Anonymous December 23, 2011 at 12:45 AM

You rock:)

Reply

Lavinia January 13, 2012 at 7:10 PM

Hi, I had this virus even when I had my Norton Internet Security ON. It took me a while before I got rid of this virus and when it finally was over, I noticed that all my files were blocked. It wasn’t like before, so I’m trying to do as you say. But only this time, should I have my Norton ON or OFF? Thnx!

Reply

anonymous January 15, 2012 at 10:48 PM

Thanks!!!!!!!!!!!!

Reply

carlos January 18, 2012 at 10:28 AM

Thanks for your help on getting rid of this bug.. what a pain. Saved me so much time

Reply
