Win 7 Antivirus 2012

7 June 2011 Rogue 1 Comment

Win 7 Antivirus 2012 is a name-changing rogue security program that is clever enough to identify target computer operating system. Since it can change its name based on victims OS, Win 7 Antivirus 2012 may look like a legitimate software for the current system. This potentially unwanted application can easily deceive users that it was part of Windows security features by providing task bar messages like the following:

System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.

System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

These messages are part of the rogue program’s aggressive technique to make victims believe that there are really security issues needed to be taken care of. Repeatedly, a prompt to obtain the licensed version of Win 7 Antivirus 2012 is issued. Internet browser is also hijack and instead display a warning page that the traffic was blocked due to virus infection. On the same fake error page, it will provide a link to payment processing web site where a registered copy of Win 7 Anti-Virus 2012 can be obtained. By having the full version, it promises to remove viruses and stop these annoyances.

Typically, rogue programs will provide no security and clean nothing even with the paid version. Fake AV such as Win 7 Antivirus 2012 was never designed to function like a real security program. It must be remove from the computer immediately and purchasing it should never be an option.

Screen Shot Image of Win 7 Anti-Virus 2012:

This rogue security application also mimic Windows’ security center and calls it Action Center. It aims to mislead computer users. The fake Action Center contains false security reports and deceiving advises to activate the full version of the rogue product.

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Malware Behavior
Win 7 Antivirus 2012 will block any programs from running. An attempt to launch any application will produce a pop-up alert stating that the file is infected and blocked from accessing the Internet.

Win 7 Antivirus 2012 Firewall Alert
Win 7 Antivirus 2012 has blocked a program from accessing the Internet.
file.exe is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including details and passwords.

Name: Microsoft Windows Operating System
Location: C:\Windows\explorer.exe
Company: Microsoft Corporation
Version: 6.1.7601.17567

Windows recommend to Activate Win 7 Antivirus 2012
Click “Yes, Activate…” to register your copy of Win 7 Antivirus 2012 and perform threat removal on your system.

Added Registry Entries:

HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = ‘exefile’
HKEY_CLASSES_ROOT\exefile\shell\open\command “(Default)” 
= ‘”C:\Users\\Local Settings\Application Data\(3 random characters).exe” /START “%1? %*’

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” 
= ‘”%UserProfile%\Local Settings\Application Data\(3 random characters).exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe”‘

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” 
= ‘”C:\Users\\Local Settings\Application Data\(3 random characters).exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” 
= ‘”C:\Users\\Local Settings\Application Data\(3 random characters).exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”‘

Associated Files and Folders:

C:\Users\\AppData\Roaming\Local\(3 random characters).exe
C:\ProgramData\lopk8y1qbgt5ydjiyt67gaplw
C:\Users\\AppData\Roaming\Local\lopk8y1qbgt5ydjiyt67gaplw
C:\Users\\AppData\Roaming\Microsoft\Windows\Templates\lopk8y1qbgt5ydjiyt67gaplw
C:\Users\\AppData\Local\Temp\lopk8y1qbgt5ydjiyt67gaplw

Note: “lopk8y1qbgt5ydjiyt67gaplw” can be any random characters.

Video Tutorial (Win 7 Antivirus 2012 Removal)

Activating the Rogue Program

Win 7 Anti-Virus 2012 will block running of any programs. It also prevents access to Internet particularly anti-virus web sites. Execution of Windows tools like Task Manager, Registry Editor and Control Panel is similarly block by the rogue program. Activating the program using the registration key below will regain access to the mentioned services.

Activation Code: 3425-814615-3990

Once activated, downloading of necessary program to scan and remove Win 7 Anti-Virus 2012 is now possible.

Automatic Removal

Here is a simple step-by-step procedure to remove Win 7 Anti-Virus 2012 virus from an infected computer. Please follow the steps carefully.

1. Download removal software and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, you need to update the database. - Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. Program will run automatically and you will be prompt to update the program before starting a scan. Please proceed with update to obtain the latest database necessary to detect and remove Win 7 Anti-Virus 2012.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, click on Remove Selected.

9. After removing items associated with Win 7 Anti-Virus 2012, it will prompt to restart the computer. Click Yes to complete the cleaning process.

10. When computer starts, open MalwareBytes Anti-Malware. Go to Quarantine tab and click on Delete All to fully remove all malicious items.

Note: Win 7 Anti-Virus 2012 may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.