Windows: How to Remove “Win 7 Antivirus 2012”

By Xah Lee. Date:

Big warning to you all. I just got hit by a virus on my Windows 7 machine. The virus is called: “Win 7 Antivirus 2012”. (it's a virus that pretends to be a antivirus software)

First i describe how to remove it for those of you came here for that. Then i blog about how i got this virus and my PC experiences.

What is “Win 7 Antivirus 2012”

It's a virus that pretends to be a anti-virus software. It basically screws up your computer, prevents you to run any app, and kept asking with a pop-up dialogue for you pay by credit card for a bogus anti-virus software.

Windows: How to Remove “Win 7 Antivirus 2012”

The virus cames with several different names. For example, {“Win 7 Antivirus 2012”, “Win 7 Security 2012 ”, “XP Antivirus 2012”, …}. To remove it, i recommend following this article at:

Remove Win 7 Security 2012 (Uninstall Guide) By Grinler. At [ http://www.bleepingcomputer.com/virus-removal/remove-win-7-security-2012 ]

That article will ask you to download some tools. Do it. I've used their product in the past years. I trust them. It is free. (if you are a Windows sysadmin, you could remove it manually. See below.)

Just in case that site is being hijacked or sometimes in the future no longer exists or sold with changed info, the following is a guide on how to remove from my own experience.

• Download “FixNCR.reg” at [ http://download.bleepingcomputer.com/reg/FixNCR.reg ] (2011-12-15) and run it. This will fix the registry. Wait for the program to finish. It should take no more than 2 minutes.

• Download “RKill” at [ http://www.bleepingcomputer.com/download/anti-virus/rkill ] (2011-12-15) and run it.

“RKill” will terminate the rogue program that's running. Some rogue program prevents RKill to run. So, if you double click on RKill and it won't run, try download the same program but different name from the site above.

• Download “Malwarebytes' Anti-Malware” at [ http://www.bleepingcomputer.com/download/anti-virus/malwarebytes-anti-malware ] (2011-12-15) .

“Malwarebytes' Anti-Malware” is a anti-virus software, one of which i trust. It's shareware.

Install it, follow all default options, then run it. Allow it to update when it starts. Then, do a full scan. (May take 1 hour.) After scan, remove the virus detected. After it's done, it'll create a log file listing the removed rogue software.

Malwarebytes
Malwarebytes screenshot.

Manually Remove “Win 7 Antivirus 2012”

For those of you programers or sysadmins, here's the tech detail. (The info are gathered from the above site, and partially verified on my machine.)

Associated Win 7 Security 2012 Files:

%AllUsersProfile%\‹random characters›
%Temp%\‹random characters›
%LocalAppData%\‹random characters›
%LocalAppData%\‹random 3 characters›.exe
%AppData%\Microsoft\Windows\Templates\‹random characters›
File Location Notes:

Associated Win 7 Security 2012 Windows Registry Information:

HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'ah'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%LocalAppData%\‹random 3 chars›.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah
HKEY_CURRENT_USER\Software\Classes\ah "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\ah "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\ah\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\ah\shell\open\command "(Default)" = "%LocalAppData%\‹random 3 chars›.exe" -a "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%LocalAppData%\‹random 3 chars›.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "(Default)" = "%LocalAppData%\‹random 3 chars›.exe" -a "%1" %*
HKEY_CLASSES_ROOT\ah\shell\open\command "IsolatedCommand"

If you forgot the basics of Windows environment variable or Windows Registry, see:

My Experiences of Virus on Windows

In the following, i describe how i got this virus, and other tips.

The virus came from a porn site, from a URL from “4chan.org”. The site shows you a video, when you click to play, then it installs the virus silently (via Flash) The next thing you know, your computer will tell you that you got a virus and you need to buy (pay by creditcard) to get rid of the virus. (whereas, in fact, that is a virus itself)

Basically your computer is broken at this point. You can't launch any browser or app, etc.

i've got similar virus before. I trust the bleepingcomputer.com and the real antivirus program called “Malwarebytes' Anti-Malware”.

Beware, there are lots of other fake programs using that name too. This means, if you do web search for “Malwarebytes” or similar term, you might get many results that's not the real one.

Note: my PC Windows has all the latest updates with latest updates of anti-virus program running. So, apparently this virus got thru. So, this means this virus must be pretty new.

The last time i got a virus, i documented it fully here: Windows: How to Remove “Antivirus Action” Malware .

That one came thru from Java. This time, it came thru Flash.

Random Thoughts About Viruses, and Linux, Mac

If you are on Mac or Linux, you are lucky, because practically you don't need to worry about viruses.

When i first started using Windows as my main home machine full time in ~2008, i was worried about virus problem. But after a year, my thought changed to: if you are computer literate, and do all updates, there's nothing to worry about. But now i know that's not actually true. I do all updates, and use latest IE9 (among latest Chrome and Firefox), but basically if you frequently visit {porn, piracy, gaming} sites that you don't know, you can easily get infected. Once infected, it's truely hell. Get ready to waste like 4 hours.

The viruses on Windows is incredibly a bad situation. When you lookup a virus on the internet, all the results are scam or semi-scam sites telling you to buy this or that software to solve the problem, or ten hundred random joe in online forums asking about this problem but all the answers (if any) have little idea what they are talking about. Half of the answers are again scams. (you have to blame Google too.)

The virus market among spam/rogue/virus/anti-virus software seems to be extremely lucrative and competitive. I often have neighbors calling me to fix their computer, filled with tens of viruses, adware and junkware, 5 browser toolbars, 10 gaming tool bars add-on shit. The machine crawls. These people are the type who hardly know what's copy/paste.

When you got a virus, it's very tempting to pay the $10 or $20 to get rid of the problem at hand, even if you knew you got scam'd. A lot people do exactly that, i suppose.

Unless you are a win sysadmin expert, it's rather quite difficult to fix virus today. Am not a windows admin, never done Windows sysadmin, but as a programer/sysadmin on unix for 10+ years, and have been using Windows at day job since 1999, i know the basics of Windows such as “com.exe”, some system log tools, env vars, registry, etc. I'd thought i'd have no problem fixing it, maybe just 10 min, but that's not the case at all. First problem is getting info about the virus. There are hundreds of dedicated sites on Windows virus, but majority of it is money-making schemes.

By the way, rootkit viruses happens on Mac and Linux too, just that they are very rare.