Severity scale:  

Win 7 Security 2012. How to remove? (Uninstall guide)

removal by Jake Doevan - -   Also known as Win7 Security 2012, Win7Security2012 | Type: Rogue Antispyware

Win 7 Security 2012 is a rogue anti-spyware program that reports false system security threats to make you think that your computer is infected with malware when the only actual infection is Win 7 Security 2012 itself. It also displays fake security alerts and pop-ups stating that your computer is under attack from a remote computer or that your sensitive information can be stolen. Finally, it will ask you to purchase the program to remove the infections which don't even exist on your computer. As you can see, Win 7 Security 2012 is a total scam. Please don't purchase it and uninstall this bogus program from your computer upon detection.

Win 7 Security 2012 is a typical rogue program promoted through the use of Trojans and other malicious software. Trojan horses usually come from fake online anti-malware scanner or other misleading web sites. Once running, Win 7 Security 2012 will scan your computer for malware and display a list of infections that supposedly can't be removed with a trial version of the program, so you have to buy it. However, you already know that this is nothing more but a scam and you must ignore those alerts:

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Win 7 Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

Win 7 Security 2012 won't make your computer more secure nor will it remove malware from your computer. What is more, it will block legitimate programs and hijack Internet Explorer to protect itself from being removed. As you can see, this fake program is not only very annoying but also dangerous. It may install additional malware on your computer. If you find that your PC is infected with Win 7 Security 2012 please use the removal instructions below to remove this infection from the system either manually or with an automatic removal tool. If you have already purchased this program then you should contact your credit card company and dispute the charges. In addition, use one of these this registration codes: 2233-298080-3424, 2233-298080-3424, 3425-814615-3990 or 9443-077673-5028 to disable the virus. Additionally, use this removal guide:

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Win 7 Security 2012 you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Win 7 Security 2012. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.
Press mentions on Reimage

Win 7 Security 2012 manual removal:

Kill processes:

Delete registry values:
HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerBrowserEmulation "TLDUpdates" = '1'

HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand "(Default)" = '"%LocalAppData%kdn.exe" -a "%1" %*'

HKEY_CURRENT_USERSoftwareClassesexefileshellopencommand "(Default)" = '"%LocalAppData%kdn.exe" -a "%1" %*'

HKEY_CLASSES_ROOT.exeshellopencommand "(Default)" = '"%LocalAppData%kdn.exe" -a "%1" %*'

HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellopencommand "(Default)" = '"%LocalAppData%kdn.exe" -a "C:Program FilesMozilla Firefoxfirefox.exe"'

HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetFIREFOX.EXEshellsafemodecommand "(Default)" = '"%LocalAppData%kdn.exe" -a "C:Program FilesMozilla Firefoxfirefox.exe" -safe-mode'

HKEY_LOCAL_MACHINESOFTWAREClientsStartMenuInternetIEXPLORE.EXEshellopencommand "(Default)" = '"%LocalAppData%kdn.exe" -a "C:Program FilesInternet Exploreriexplore.exe"'

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center "AntiVirusOverride" = '1'

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center "FirewallOverride" = '1'

Delete files:





About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

  • jill

    click on the manual where????

  • chhom

    i deleted the files the viruses were on but now i cant use the internet anymore all i get is limited acess pleaze help me

  • Niushad

    i have used the same key word by RICH. it worked

  • RICH


  • Jordan M.

    On my computer it was in the roaming folder of appdata, it disguised itself as microsoft outlook, and its name was ryd.exe

  • Rafael

    Hey guys!!

    The bitch is hidding itself in the process htl.exe with the description Microsoft Outlook.

  • mike

    I still cant get rid of mine, mine was comically named std.exe…..when i start the comp up normally and i end the process it comes right back… restore points are fresh so even if i restore i think that the spyware is still gonna be there….i guess i could try running it as admind but i dont think it will make a difference, also on the regedit….some of the folders that im supposed to go into to delte registry entries arent there for me……ive successfully removed the 2010 version of this spyware scam with similar instructions before from my desktop but this one is driving me bonkers….any help would be much appreciated. thanks again

  • Dennis

    Ive ran both Spybot S&D and spyware Dr. My computer still is running slow and my McAfee firewall and Windows fire wall both cannot be turned on. I did stop dwm.exe Desktop Window Manager and my computer doesnt seem sluggish but I still cannot enable my firewall. Any advise on what to do next. Im not that computer knowledgeable and not sure if I should do the above stuff mentioned. Im afraid I might do something that is irreverseable.

  • Mark

    Best, fast, good, 10min and done, use it.

  • Andrew

    So how do you edit the registry when the program gets rid of the value that controls the .exe file associations? My computer does not know how to run Regedit.exe cause it “cannot be found”

  • Ray

    The file can be any three-letter name. The ones I saw on a clients PC were eyl.exe and ffl.exe, so dont go by the name completely. On Windows 7, be careful with MOM.exe and CCC.exe, as these are also part of Catalyst Control. Thats part of your video. but dont worry, if you end the process in Windows Task Manager, youll just get bad video.

  • Jonathan

    Found it as NMR.exe. AVG 2012 found and located the threat as soon as I installed it. MS Security Essentials didnt even catch it.

  • r0ach

    Ive found it as ras.exe

  • Alex

    Mine was fwc.exe

  • Alex

    Just so you guys know, this virus is made to look different on almost everyones(999 different combinations) It creates a random 3 letter file and auto runs on specific application startup. Anything that ends with .exe is going to be affected.

  • mark1026

    easiest way i found was to start up in safe mode…choose safe mode with command prompt…log on like normal and black screen with all kinds of letters come up…dont erase anything!…now type in: rstrui.exe that will send your computer to system restore…choose a restore date before you had virus…within about 10 minutes you should be free of virus…then you should update malwarebytes and do a quick scan…delete any trojans…DONE!…easiest way i found yet!

  • PJ

    ~”`. Took about 10 minutes and that nasty problem is gone… Hope this helps.

  • taylor

    It could also be called tgq.exe, just wanting to contribute

  • Robert

    Spybot nails it. One sweep and it was gone. Thank god I have 2 comps.

  • macks

    Keep a lookout for the *32 processes! I had to end most of them, and while running your anti-spyware program, end the *32 process that will pop up in the task manager WHILE trying to run said anti-spyware program. It took a few trie s, but eventually I got my Spybot s&d to run/scan, and remove this bullshit. Hope this helps!

    • giedrius

      macks: most of processes labeled 32 means that they are running in 32 bit mode. They are not malicious, even if your OS is 64 bit. Majority of programs do not have 64 bit versions.

  • jason

    Also goes by the name duf.exe , I had to run programs as administrator just to get anything to run. hope to figure that out soon

  • Raquel

    I found the virus but I cant end process I cannot open my registry. The name is ukf.exe *32 I need some hlp!!!

  • MSE

    Spybot Search & Destroy was able to execute and remove this virus for me. All the other programs were blocked by the virus. Also the process was TIG.exe on this variant.

  • R. Banks

    I just spent the better part of an afternoon trying to remove this virus.This thing blocks just about any attempt to get rid of it. You cant even go online for help, it blocks everything. I use Windows XP, and I ended up using System Restore to get rid of it. Talk about beyond frustrating.

    On a personal note, I hope the creator of this virus smokes a turd in Purgatory for all time…

  • josh

    I did exactly what you said, because it was the only option i seen that i havent tried yet. i have tried everything and nothing will get rid of this virus/spyware. Super anti spyware detected some adware but not win 7 security 2012. i have no idea what to do anymore i would like to be rid of this virus without having to pay anything, but that may be out of the question now. if anyone can help. please let me know. thanks

  • rh

    I f u r not savvy or computer retard like me, simply call Microsoft at 866-727-2338 AND ITS FREE!!!!!!

    • Dennis

      Is that to Tech Support or who?

  • Rachel

    Also called oqw.exe

    Found the process using All user process option Win 7, described as microsoft direct

    stop the process than I was able to open the regedit to change the registry.
    Also did a search of the exe name to completely delete any executable with this name

  • slapthefatcat

    In processes, pretty much anything that ends with *32 is probably part of the virus. Whenever I end the process tree, it ends the closes the virus windows.

  • rs28083

    it was cab.exe for me, described as microsoft direct play in taskmanager. if u look at the
    ” { HKEY_CURRENT_USERSoftwareClasses.exeshellopencommand “(Default)” = “%LocalAppData%kdn.exe” -a “%1″ %* }”
    in regedit. the part that says kdn.exe might be different from kdn.exe. what ever that is, is what the virus is called mine was cab.exe there

  • jovan

    Jdetector described as job detector, thank you

  • Andehh

    gat.exe *32 on my laptop. Also described as microsoft direct play

  • Leandro

    ele tbm pode ser dbc.exe pelo visto gera um processo com letras aleatóreas


    gOT a friend that had the “bug”. Removed with Norman anti malware…free version. But now her system boots to a blank screen…will have to do a system restore and use something else….this is a NASTY bug. If all else fails Ill remove her HD and scan it as a USB.

  • Emma

    Im watching doctor who on my laptop and then there is something on my screen telling me i needed a computer update. I click okay because it looked hust like it normaly does. Next thing I know the internet shuts down and i cant use it. Write now im on my dads computer. How can I fix mine without internet conection? Please help my pc has my hw on it!

  • Quinn

    Process name was hom.exe and the name was microsoft direct play. its def not a micro$oft app.

  • Wayne

    Virus detected was named bjw.exe.

  • Peter

    I got the virus from a dirty site. I couldnt do system restore, so I ran system restore from administrator, and voila I was able to restore my system and the virus was gone !! Easy and fast, though it was a couple of days of trying a million other things first. You cant download anything when you cant access internet explorer. The slime that created this virus can be caught, because they ask for credit card to remove viruses, Themselves. I hope someone takes the time to catch, expose, prosecute this slime.

    • ladybug2535

      Wasnt able to access system restore, or.internet, etc. Found it and time as search criteria. Also using task.manager systematically ending processes. Had to manually remove.everything. cant open ie or anything yet. Writing this on Droid

  • Psigirl

    My virus name was kgi.exe and all of the instructions here worked perfectly. THANKS!

  • random user

    The infection on my computer called itself PUC.EXE. I think I got it with these instructions.

  • toni

    also can be named isa.exe

  • st4rk

    Thank you!!! I was getting scared I wasnt going to be able to browse anytime soon…
    Also called eju.exe

  • Mee

    Its also call hsb.exe

  • bil

    Super Anti Spyware removed this threat for me with ease. I downloaded the portable version to a USB drive and ran it on my system……two hrs later all clear and it was a free trial.

  • Zapatopi

    Also can be called vbh.exe

  • crazyjaf

    This also goes by the executable chn.exe

  • Conor

    Executable may also be named EVE.exe

    If you cant open any files, try to open again, then hit No to the prompt. the file should then open. then open task manager and kill the EVE.exe file.

  • diicc

    Executable may also be named LWW.EXE
    If you are unable to open regedit, do a search and run with elevated rights.
    If you want internet access, use Windows Explorer to start your browser once you have stopped the process.