Win 7 Security is one of the recent rogue security programs installed by the FakeRean trojan. The trojan picks a name at random from a list each time it is installed. On Windows 7 it uses the following names:
Win 7 Security, Win 7 Defender, Win 7 Defender Pro, Total Win 7 Security, Win 7 Smart Security 2010, Win 7 Internet Security, Win 7 Security Tool, Win 7 Antimalware, Antispyware Win 7.
Rogue security software such as Win 7 Security belongs to a family of products that present themselves as antivirus, antispyware or registry-cleaning tools and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from your system immediately.
Win 7 Security executable
The trojan dropper identified as SHA1:91b06687c5ef5ce690e7e0048843c4ee0d27b692 was about 204288 bytes in size. It is detected by over 75% of the antivirus engines available at VirusTotal.
This trojan drops a file named “ave.exe”, with hidden and system attributes, in the AppData\Local folder of the user profile. The file ave.exe in turn drops an extensionless file named “y7V11” in various system folders. To view these files you may need to enable “Show hidden files, folders and drives” and disable “Hide protected operating system files” in the Folder Options control panel.
The trojan modifies the Windows registry to:
- Run ave.exe whenever a .exe file is run. This is a devious way to start with Windows and to restart the trojan if it is killed via Task Manager.
- Set Internet Explorer as the default browser and start itself whenever IE is started.
- Hijack Internet Explorer to display a fake security alert when run.
- Create a fake Windows Action Center and suppress genuine Windows Action Center alerts.
- Disable Windows Firewall.
Win 7 Security Aliases
This scareware is known by the following aliases:
- Win32/FakeRean
- Trojan.Fraudpack.Gen!Pac.5
- OScope.Trojan.0216
- Mal/FakeAV-BT
- Win32/Kryptik.DBC
- Trojan.Win32.FraudPack.aovc
- W32/FraudPack.fam!tr
- W32/FakeSec.B.gen!Eldorado
- Cryptic.BG
- Win32:MalOb-AL
- Win-Trojan/Xema.variant
- Trojan.Win32.FakeAV!IK
Typical Win 7 Security Scare Messages
Stealth intrusion! Infection detected in the background! Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.
ALERT! System scan for spyware, adware, trojans and viruses is complete. Detected critical system objects. These security breaches may be exploited and lead to the following: Your system becomes a target for spam and bulky, intruding ads. Browser crashes frequently and web access speed decreases. Your personal files, photos, documents and passwords get stolen. Your computer is used for criminal activity behind your back. Bank details and credit card information gets disclosed.
Privacy threat! Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Threat detected! Security alert! Your computer was found to be infected with privacy-threatening software. Private data may get stolen and system damage may be severe. Recover your PC from the infection right now, perform a security scan.
Privacy alert! Rogue malware detected in your system. Data leaks and system damage are possible. Click here for a free security scan and spyware deletion.
Win 7 Security Associated Files and Folders
- C:\ProgramData\y7V11
- C:\Users\All Users\y7V11
- C:\Users\malwarehelp_org\AppData\Local\ave.exe
- C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11
- C:\Users\malwarehelp_org\AppData\Local\y7V11
- C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11
Some of the file names may be randomly generated. The name malwarehelp_org in the above entries is the Windows user account on the test machine.
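Because the names can be random, a triage script has to match the pattern rather than the literal names. The following is an added example, not part of the original article: it flags an extensionless name that repeats across several folders and an .exe sitting directly in AppData\Local. The function name, the `min_dirs` threshold and the benign sample paths are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# The first six paths are the ones listed above; the rest are constructed
# benign entries added so the heuristics have something to reject.
LISTING = [
    r"C:\ProgramData\y7V11",
    r"C:\Users\All Users\y7V11",
    r"C:\Users\malwarehelp_org\AppData\Local\ave.exe",
    r"C:\Users\malwarehelp_org\AppData\Local\Temp\y7V11",
    r"C:\Users\malwarehelp_org\AppData\Local\y7V11",
    r"C:\Users\malwarehelp_org\AppData\Roaming\Microsoft\Windows\Templates\y7V11",
    r"C:\Users\malwarehelp_org\AppData\Local\IconCache.db",
    r"C:\Users\malwarehelp_org\AppData\Local\Temp\LICENSE",
    r"C:\Users\malwarehelp_org\AppData\Local\Vendor\App\app.exe",
    r"C:\ProgramData\ntuser.pol",
]


def find_dropper_artifacts(paths, min_dirs=3):
    """Return (clones, loose_exes) for a recursive file listing.

    clones: extensionless names present in at least min_dirs directories,
            mapped to those directories (the "y7V11" pattern).
    loose_exes: .exe files sitting directly in a user's AppData\\Local
            (the "ave.exe" pattern), a heuristic that needs manual review.
    """
    dirs_by_name = defaultdict(set)
    loose_exes = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parent_tail = [part.lower() for part in p.parent.parts[-2:]]
        if p.suffix == "":
            # Compare case-insensitively, as NTFS does by default.
            dirs_by_name[p.name.lower()].add(str(p.parent).lower())
        elif p.suffix.lower() == ".exe" and parent_tail == ["appdata", "local"]:
            loose_exes.append(raw)
    clones = {name: sorted(dirs) for name, dirs in dirs_by_name.items()
              if len(dirs) >= min_dirs}
    return clones, loose_exes
```

Feed it a listing that includes hidden and system files, since the dropped files carry both attributes.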
Win 7 Security Associated Registry Values and Keys
- HKEY_CLASSES_ROOT\.exe\DefaultIcon
- HKEY_CLASSES_ROOT\.exe\shell
- HKEY_CLASSES_ROOT\.exe\shell\open
- HKEY_CLASSES_ROOT\.exe\shell\open\command
- HKEY_CLASSES_ROOT\.exe\shell\runas
- HKEY_CLASSES_ROOT\.exe\shell\runas\command
- HKEY_CLASSES_ROOT\.exe\shell\start
- HKEY_CLASSES_ROOT\.exe\shell\start\command
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
- HKEY_CURRENT_USER\Software\Classes\.exe
- HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
- HKEY_CURRENT_USER\Software\Classes\.exe\shell
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
- HKEY_CURRENT_USER\Software\Classes\secfile
- HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
- HKEY_CURRENT_USER\Software\Classes\secfile\shell
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet IEXPLORE.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Users\malwarehelp_org\AppData\Local\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”
The name malwarehelp_org in the above entries is the Windows user account on the test machine.
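The keys above amount to three checks: a per-user .exe class, an .exe launch command that no longer starts with "%1", and a browser entry that wraps iexplore.exe in another executable. The following is an added example, not part of the original article, that runs those checks over registry export text. The function names and the sample export are constructed, and the "secfile" values in it are assumptions.

```python
import re

# Constructed sample in .reg export format, modelled on the keys listed above.
# The "secfile" values are assumptions for illustration, not taken from the page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

HKCU_EXE = r"hkey_current_user\software\classes\.exe"
CMD = re.compile(r"(?:\\classes|^hkey_classes_root)\\([^\\]+)\\shell\\\w+\\command$", re.I)
EXE = re.compile(r'[^"\\/]+\.exe', re.I)

def parse_defaults(text):
    """Return {key_path: default_value} for every key in a .reg export."""
    defaults, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            defaults.setdefault(key, None)
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo the \" and \\ escaping that .reg files apply to strings.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def find_exe_hijacks(text):
    """Return (rule, key, value) tuples for the launch hijacks described above."""
    defaults = parse_defaults(text)
    override = {k.lower(): v for k, v in defaults.items()}.get(HKCU_EXE)
    # Classes that handle .exe: the stock ones plus whatever the override names.
    handlers = {".exe", "exefile"} | ({override.lower()} if override else set())
    findings = []
    for key, value in defaults.items():
        if key.lower() == HKCU_EXE:
            findings.append(("per-user-override", key, value))
        m = CMD.search(key)
        # The stock command for launching a program starts with "%1" itself.
        if m and value and m.group(1).lower() in handlers and not value.startswith('"%1"'):
            findings.append(("command-not-%1", key, value))
        # A browser entry naming two different executables is a wrapper launch.
        if "\\startmenuinternet\\" in key.lower() and value:
            if len({e.lower() for e in EXE.findall(value)}) > 1:
                findings.append(("browser-wrapper", key, value))
    return findings
```

Registry exports in the version 5.00 format are written as UTF-16, so decode the file accordingly before passing its text to `find_exe_hijacks`.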
Win 7 Security Associated Domains
This scareware was observed accessing the following domains during installation and operation:
Win 7 Security Removal (How to remove Win 7 Security)
If the rogue is removed improperly, the leftover registry entries break the opening of .exe files.
Use an alternate browser like Chrome to download the following, or use a removable drive to transfer them to the affected computer:
- The registry file trojan_fakerean_exe_fix.reg: right click and save it, making sure that you are saving the file with a .reg extension.
- Malwarebytes’ Anti-Malware
- CCleaner Slim version
Then carry out the following steps:
- Double click to run the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
- Install and run Malwarebytes’ Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
- Turn System Restore off and on.
- Install CCleaner Slim version, then scan and clean the temporary files with it.
You should now be clean of this rogue.
If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.
Note: The Win 7 Security installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
49 comments
hi i have this virus how can i remove it juan thxxx hope u reply fast thxxxxx
You can actually access a program while the virus is on the computer without it starting up again by searching for the program in the start button and right clicking “run as administrator” (this is for windows 7)
Excellent……..I used your suggestion and was allowed my system restore…..and voila….bug be gone…thx much
Thank you for this post it works.
I accidentally had my antivirus off for performance while running a game and got stricken with this after realizing I hadn’t restarted my antivirus.
Hopefully this information works… thanks for the help!
Excellent. It worked very very very well…thank you dear
Seems overwhelming at first, but it worked perfectly……..it’s really not too bad, the worst part was waiting for Malwarebytes to scan. It took about 30 min on my machine.
great Worked like a charm
This virus now also uses the names tyf.exe and onh.exe
I found both these files were being launched every time I opened any program, and the stupid Win 7 Security window came up. Went through and deleted all the files manually as listed above (including the registry edits).
All good now =)
Thank you so very much. These step just made me look very smart in front of a desperate client. Thanks again.
Thanks! It Really Worked!
thanks! worked perfectly
Works extremely well!
Thanks!
hi did follow this but looks like win 7 too much damage in the time of repair and ended up corrupting my stuff and my recovery disk doesn’t work. Good instructions, as worked well on my friend’s computer.
Thanks a lot! problem solved!
Thanks a lot for saving hours of my time!
Dude you are sooooo amazing! I was so worried that my computer was about to be messed up for life until I stumbled on this page. And best of all it took little to no time to do!!!!!!!!!!!!
Niccceee, it worked!!! You’re a computer genius!!! You should change your name to the virus puncher!
Thank you so much for this, worked great for my laptop.
T.Y.V.M for the step by step fix for this DISGUSTING infection.
I tried unsuccessfully to remove this manually and totally hooped one of my favourite machines (BSOD every time I got to the desktop). It would only boot into safe mode. I finally got MS Security Essentials to do a complete scan in safe mode and managed to log in afterwards w/an admin account. After that I found your page w/another machine and have been following the process step by step. So far so good, MBAWM is currently doing its job and found 9 infections thus far. I sooooo thought I was going to have to completely re-install and lose almost a year’s worth of tweaking/re-tweaking on my machine.
Will repost w/an update when I’m rid of this evil.
Thank u very much for the help …..
i really freaked out when i found out that this is fake
but now i am good and i was almost going to format my computer but now i am good
love u 🙂
thank u so yar:):):)made my day….
Hero!
Thanks. Got the virus right out of my computer. Took most of the day to do it, though (a lot of it spent finding this website), but now the virus is gone. You saved me from having to restore my system. Glad that’s over, I’m gonna warn my friends about this now.
This worked for me, after a lot of fiddling:
Firstly, DON’T AGREE to anything it wants you to do. Just keep closing all the windows as they pop up.
1. Ctrl-Alt-Delete, Processes tab. Locate the suspicious three letter .exe file (mine was gnx), select it and End Task. This stops it running but it is still in your system. However you should now be able to find it in a search.
2. Open Windows Explorer (right-click Start button and do it this way if it won’t let you do it the normal way), search for the file, and DELETE it. Shift-Delete will remove it completely without sending it to Recycle Bin.
3. Restart. You won’t be able to open several files as your registry is stuffed. Right-clicking and Open as Administrator helps.
4. Do a System Restore to a date before the virus came in. Start, Accessories, System Restore. You might need to right click and Run as Administrator.
5. Restart. It should all be OK now. DON’T open suspicious email attachments again!
I don’t understand step one
Probably missed a step.
Ctrl-Alt-Delete, Task Manager, Processes tab.
Wahoo! You guys are the best! I should pay you.
Thanks a ton. Got my computer and internet back!
Okay, I have a follow-up on my previous comment. While this tutorial does reverse most of the effects of the virus, I’m finding that the virus is never really removed from my system. It has been coming back every day now and it’s honestly getting pretty annoying. Do you have any advice for a more permanent removal of this virus?
This worked!!!! Everything is free!!!
@James Pecke… it may be coming back due to the cloned files it creates in your system area or in one of your “Application Data” directories. I initially had the same problem. The file names of the clones are just a string of random characters without extension like “ASJKDJJDUENBDJ”. If you or Malwarebytes doesn’t get all of these AND the registry entries aren’t deleted it may come back. First, run the instructions above to the letter… especially saving and double clicking the .reg file above. When I ran “Malwarebytes” I noticed all of the files it deleted, and the directories it deleted them from. I went to those directories and looked for a file with random letters without extensions that had the same file date and time and deleted it. Then I ran a search for that filename and found one more copy in an “application data” directory and deleted that too. Then I ran CCleaner (free download) to clean out any temp files/cached files, then ran CCleaner’s Registry scan and it found the orphaned registry entries now that the cloned files were gone and deleted them. As a final bit of insurance I ran a FULL Malwarebytes scan again, then let it reboot. Problem solved. Some steps seem redundant, but it worked for me.
Pony
can somebody help me out, I have done both the first steps in safe mode which are:
■Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
■Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
the problem with me is that I cannot access properties in Computer (Windows 7) in order to be able to turn System Restore off and on
could anybody help me?
thanks
Thank you so much for your help!!!!
Thank you so very much for real! you saved my computer! I cant believe it really worked! Thank you thank you thank you!!!
THANK YOU SO MUCH!!! I was crying ’cause I thought my computer was broken and I’d need to get another. Thank you for fixing it.
It really worked, Thanks for best way of presentation, easy to read and easy to install. Appreciate it
JUST called SONY Tech Support as I got this virus on my computer thirty minutes ago. My warranty was expired but they said that even warranties don’t cover viruses and wanted to charge me $129.18 to get it fixed! I just did a system restore but if this malware pops up again I’ll be sure to use this method as it seems it works for a lot of people! Just don’t pay ridiculous amounts of money for no reason is my basic message. Enjoy all!
Thank you, this worked, and CCleaner is doing wonders for my computer as well!
Great stuff – just helped a customer with your instructions. Cheers
It’s not hard, just open Task Manager and kill the (random 3 letters).exe and run your antivirus, it should detect the reg files and delete them easily, and if u don’t have an antivirus you are stupid, who has an unprotected computer, a free antivirus from Microsoft, they’re legit
Thank you so much for this tutorial. I will be blogging about it soon. You saved my computer. I have already lost one computer to this terrible virus last year.
Susan
Thank you. I plan to blog about this and link you in the near future.
Thank you so much, this guide was really helpful in removing this nasty virus.
very helpful ,,thanks
This was the most easy, clear, concise steps to remove this virus. My sincerest appreciation.
You rock:)
Hi, I had this virus even when I had my Norton Internet Security ON, it took me a while before I got rid of this virus and when it finally was over, I noticed that all my files were blocked. It wasn’t like before, so I’m trying to do as you say. But only this time should I have my Norton ON or OFF? Thnx!
Thanks!!!!!!!!!!!!
Thanks for your help on getting rid of this bug.. what a pain. Saved me so much time