Remove Win 7 Security 2012. Removal instructions

Also known as: Win7 Security 2012, Win7Security2012

Severity scale:  (68 / 100)

Win 7 Security 2012 is a rogue anti-spyware program that reports false system security threats to make you think that your computer is infected with malware when the only actual infection is Win 7 Security 2012 itself. It also displays fake security alerts and pop-ups stating that your computer is under attack from a remote computer or that your sensitive information can be stolen. Finally, it will ask you to purchase the program to remove the infections which don't even exist on your computer. As you can see, Win 7 Security 2012 is a total scam. Please don't purchase it and uninstall this bogus program from your computer upon detection.

Win 7 Security 2012 is a typical rogue program promoted through the use of Trojans and other malicious software. Trojan horses usually come from fake online anti-malware scanner or other misleading web sites. Once running, Win 7 Security 2012 will scan your computer for malware and display a list of infections that supposedly can't be removed with a trial version of the program, so you have to buy it. However, you already know that this is nothing more but a scam and you must ignore those alerts:

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Win 7 Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

Win 7 Security 2012 won't make your computer more secure nor will it remove malware from your computer. What is more, it will block legitimate programs and hijack Internet Explorer to protect itself from being removed. As you can see, this fake program is not only very annoying but also dangerous. It may install additional malware on your computer. If you find that your PC is infected with Win 7 Security 2012 please use the removal instructions below to remove this infection from the system either manually or with an automatic removal tool. If you have already purchased this program then you should contact your credit card company and dispute the charges. In addition, use one of these this registration codes: 2233-298080-3424, 2233-298080-3424, 3425-814615-3990 or 9443-077673-5028 to disable the virus. Additionally, use this removal guide:

Automatic Win 7 Security 2012 removal:

Malwarebytes Anti Malware

download | review

Tested and Confirmed! Malwarebytes Anti Malware removes Win 7 Security 2012 (2011-06-10 14:35:20)

Emsisoft Anti Malware

download | review

Tested and Confirmed! Emsisoft Anti Malware removes Win 7 Security 2012 (2011-06-10 14:35:20)

STOPzilla

download | review

We are testing STOPzilla's efficiency at removing Win 7 Security 2012 (2012-01-27 13:22:25)

Spyware Doctor

download | review | tutorial

We are testing Spyware Doctor's efficiency at removing Win 7 Security 2012 (2012-01-27 13:22:25)

Win 7 Security 2012 manual removal:

FORUM:
Discuss Win 7 Security 2012 in
spyware removal forum

Kill processes:
ppn.exe

HELP:
how to kill malicious processes

Delete registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

HELP:
how to remove registry entries

Delete files:
%AllUsersProfile%\U3F7PNVFNCSJK2E86ABFBJ5H %LocalAppData%\ppn.exe %Temp%\U3F7PNVFNCSJK2E86ABFBJ5H %LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H %AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H

HELP:
how to remove harmful files

Additional resources related to Win 7 Security 2012:

1

0

diicc

Executable may also be named LWW.EXE
If you are unable to open regedit, do a search and run with elevated rights.
If you want internet access, use Windows Explorer to start your browser once you have stopped the process.

Reply »

2011 06 14

0

0

Conor

Executable may also be named EVE.exe

If you cant open any files, try to open again, then hit No to the prompt. the file should then open. then open task manager and kill the EVE.exe file.

Reply »

2011 06 18

0

0

crazyjaf

This also goes by the executable chn.exe

Reply »

2011 06 19

0

0

Zapatopi

Also can be called vbh.exe

Reply »

2011 06 19

0

0

bil

Super Anti Spyware removed this threat for me with ease. I downloaded the portable version to a USB drive and ran it on my system......two hrs later all clear and it was a free trial.

Reply »

2011 06 22

0

0

Mee

Its also call hsb.exe

Reply »

2011 07 11

0

0

st4rk

Thank you!!! I was getting scared I wasnt going to be able to browse anytime soon...
Also called eju.exe

Reply »

2011 07 16

0

0

toni

also can be named isa.exe

Reply »

2011 07 17

0

0

random user

The infection on my computer called itself PUC.EXE. I think I got it with these instructions.

Reply »

2011 07 22

0

0

Psigirl

My virus name was kgi.exe and all of the instructions here worked perfectly. THANKS!

Reply »

2011 07 25

0

0

Peter

I got the virus from a dirty site. I couldnt do system restore, so I ran system restore from administrator, and voila I was able to restore my system and the virus was gone !! Easy and fast, though it was a couple of days of trying a million other things first. You cant download anything when you cant access internet explorer. The slime that created this virus can be caught, because they ask for credit card to remove viruses, Themselves. I hope someone takes the time to catch, expose, prosecute this slime.

Reply »

2011 08 03

0

0

ladybug2535

Wasnt able to access system restore, or.internet, etc. Found it using.date and time as search criteria. Also using task.manager systematically ending processes. Had to manually remove.everything. cant open ie or anything yet. Writing this on Droid

Reply »

2011 11 28

1

0

Wayne

Virus detected was named bjw.exe.

Reply »

2011 09 04

1

0

Quinn

Process name was hom.exe and the name was microsoft direct play. its def not a micro$oft app.

Reply »

2011 11 27

0

0

Emma

Im watching doctor who on my laptop and then there is something on my screen telling me i needed a computer update. I click okay because it looked hust like it normaly does. Next thing I know the internet shuts down and i cant use it. Write now im on my dads computer. How can I fix mine without internet conection? Please help my pc has my hw on it!

Reply »

2011 11 28

0

0

DADDYFU

gOT a friend that had the "bug". Removed with Norman anti malware...free version. But now her system boots to a blank screen...will have to do a system restore and use something else....this is a NASTY bug. If all else fails Ill remove her HD and scan it as a USB.

Reply »

2011 11 30

0

0

Leandro

ele tbm pode ser dbc.exe pelo visto gera um processo com letras aleatóreas

Reply »

2011 12 01

1

0

Andehh

gat.exe *32 on my laptop. Also described as microsoft direct play

Reply »

2011 12 03

1

0

jovan

Jdetector described as job detector, thank you

Reply »

2011 12 03

2

0

rs28083

it was cab.exe for me, described as microsoft direct play in taskmanager. if u look at the
" { HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand "(Default)" = "%LocalAppData%kdn.exe" -a "%1" %* }"
in regedit. the part that says kdn.exe might be different from kdn.exe. what ever that is, is what the virus is called mine was cab.exe there

Reply »

2011 12 03

0

2

slapthefatcat

In processes, pretty much anything that ends with *32 is probably part of the virus. Whenever I end the process tree, it ends the closes the virus windows.

Reply »

2011 12 05

0

0

Rachel

Also called oqw.exe

Found the process using All user process option Win 7, described as microsoft direct

stop the process than I was able to open the regedit to change the registry.
Also did a search of the exe name to completely delete any executable with this name

Reply »

2011 12 05

0

0

rh

I f u r not savvy or computer retard like me, simply call Microsoft at 866-727-2338 AND ITS FREE!!!!!!

Reply »

2011 12 06

0

0

Dennis

Is that to Tech Support or who?

Reply »

2012 01 01

0

0

josh

I did exactly what you said, because it was the only option i seen that i havent tried yet. i have tried everything and nothing will get rid of this virus/spyware. Super anti spyware detected some adware but not win 7 security 2012. i have no idea what to do anymore i would like to be rid of this virus without having to pay anything, but that may be out of the question now. if anyone can help. please let me know. thanks

Reply »

2011 12 07

0

0

R. Banks

I just spent the better part of an afternoon trying to remove this virus.This thing blocks just about any attempt to get rid of it. You cant even go online for help, it blocks everything. I use Windows XP, and I ended up using System Restore to get rid of it. Talk about beyond frustrating.

On a personal note, I hope the creator of this virus smokes a turd in Purgatory for all time...

Reply »

2011 12 07

0

0

MSE

Spybot Search & Destroy was able to execute and remove this virus for me. All the other programs were blocked by the virus. Also the process was TIG.exe on this variant.

Reply »

2011 12 08

1

0

Raquel

I found the virus but I cant end process I cannot open my registry. The name is ukf.exe *32 I need some hlp!!!

Reply »

2011 12 10

0

0

jason

Also goes by the name duf.exe , I had to run programs as administrator just to get anything to run. hope to figure that out soon

Reply »

2011 12 11

1

0

macks

Keep a lookout for the *32 processes! I had to end most of them, and while running your anti-spyware program, end the *32 process that will pop up in the task manager WHILE trying to run said anti-spyware program. It took a few trie s, but eventually I got my Spybot s&d to run/scan, and remove this bullshit. Hope this helps!

Reply »

2011 12 15

0

0

giedrius

macks: most of processes labeled 32 means that they are running in 32 bit mode. They are not malicious, even if your OS is 64 bit. Majority of programs do not have 64 bit versions.

Reply »

2011 12 19

0

0

Robert

Spybot nails it. One sweep and it was gone. Thank god I have 2 comps.

Reply »

2011 12 18

0

0

taylor

It could also be called tgq.exe, just wanting to contribute

Reply »

2011 12 18

0

0

PJ

~"`. Took about 10 minutes and that nasty problem is gone... Hope this helps.

Reply »

2011 12 19

0

3

mark1026

easiest way i found was to start up in safe mode...choose safe mode with command prompt...log on like normal and black screen with all kinds of letters come up...dont erase anything!...now type in: rstrui.exe that will send your computer to system restore...choose a restore date before you had virus...within about 10 minutes you should be free of virus...then you should update malwarebytes and do a quick scan...delete any trojans...DONE!...easiest way i found yet!

Reply »

2011 12 21

0

0

Alex

Just so you guys know, this virus is made to look different on almost everyones(999 different combinations) It creates a random 3 letter file and auto runs on specific application startup. Anything that ends with .exe is going to be affected.

Reply »

2011 12 23

0

0

Alex

Mine was fwc.exe

Reply »

2011 12 25

0

0

r0ach

Ive found it as ras.exe

Reply »

2011 12 27

0

0

Jonathan

Found it as NMR.exe. AVG 2012 found and located the threat as soon as I installed it. MS Security Essentials didnt even catch it.

Reply »

2011 12 28

0

0

Ray

The file can be any three-letter name. The ones I saw on a clients PC were eyl.exe and ffl.exe, so dont go by the name completely. On Windows 7, be careful with MOM.exe and CCC.exe, as these are also part of Catalyst Control. Thats part of your video. but dont worry, if you end the process in Windows Task Manager, youll just get bad video.

Reply »

2011 12 28

0

0

Andrew

So how do you edit the registry when the program gets rid of the value that controls the .exe file associations? My computer does not know how to run Regedit.exe cause it "cannot be found"

Reply »

2011 12 29

0

0

Mark

Best, fast, good, 10min and done, use it.

Reply »

2011 12 30

0

0

Dennis

Ive ran both Spybot S&D and spyware Dr. My computer still is running slow and my McAfee firewall and Windows fire wall both cannot be turned on. I did stop dwm.exe Desktop Window Manager and my computer doesnt seem sluggish but I still cannot enable my firewall. Any advise on what to do next. Im not that computer knowledgeable and not sure if I should do the above stuff mentioned. Im afraid I might do something that is irreverseable.

Reply »

2012 01 01

0

0

mike

I still cant get rid of mine, mine was comically named std.exe.....when i start the comp up normally and i end the process it comes right back.....my restore points are fresh so even if i restore i think that the spyware is still gonna be there....i guess i could try running it as admind but i dont think it will make a difference, also on the regedit....some of the folders that im supposed to go into to delte registry entries arent there for me......ive successfully removed the 2010 version of this spyware scam with similar instructions before from my desktop but this one is driving me bonkers....any help would be much appreciated. thanks again

Reply »

2012 01 14

0

0

Rafael

Hey guys!!

The bitch is hidding itself in the process htl.exe with the description Microsoft Outlook.

Reply »

2012 01 16

0

0

Jordan M.

On my computer it was in the roaming folder of appdata, it disguised itself as microsoft outlook, and its name was ryd.exe

Reply »

2012 01 18

0

0

RICH

YES, I CAN HELP. I HAD TO USE MY CELL PHONE WHILE I WAS WORKING ON TRYING TO GET RID OF THE VIRUS. THEY WANT YU TO PAY SO YU CAN GET THE PRODUCT KEY. WELL AFTER SEARCHING I FOUND A BUNCH OF KEYS PEOPLE WERE POSTING. I TRIED IT & IT WORKED. IM SOO HAPPY IF ANY OF YOU STILL HAVE THE FAKE VIRUS CLICK ON MANUAL ( DONT CLICK ON REGISTER NOW ) CLICH ON THE MANUAL .... AND ENTER THIS PRODUCT KEY 9443-077673-5028

Reply »

2012 01 19

1

0

Niushad

i have used the same key word by RICH. it worked

Reply »

2012 01 20

0

0

chhom

i deleted the files the viruses were on but now i cant use the internet anymore all i get is limited acess pleaze help me

Reply »

2012 01 21

Post Comment:

Attention: Use this form only if you have additional information about Win 7 Security 2012 parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.

Home page Name



«


* All field required