How do you remove Win 7 Security 2012?

There is a new form of ransomware, also called crapware or scareware, that is now infecting computer systems.  This particular variant appears to be aimed at Microsoft Windows 7 systems.  The infection exploits a weakness in Sun Java.  As of this writing, this variant is not detected by all antivirus applications, possibly because the infection is a simple registry hijack.

Win 7 Security 2012 performs the following:

  • Disables and corrupts the existing antivirus application.
  • Installs a fake antivirus application.
  • Prompts for a credit card number.
  • Takes control of the Windows GUI.
  • Prevents execution of any application ending in EXE.
  • Prevents System Restore.

Removal of Win 7 Security 2012 is actually quite simple.  Following are the steps:

  1. Reboot.

  2. Hit F8 repeatedly.

  3. Select Safe Mode and hit Enter.

  4. Hit CTRL-ALT-DEL and End Task on any three-letter application.  Example: tpq.exe

  5. Quickly browse to C:\Users\[Username]\AppData\Local.

  6. Delete any three-letter applications in this directory.  Example: tpq.exe.  You must act quickly in order to delete the three-letter application as the system will attempt to re-open the application which prevents its deletion.  If you have not moved quickly enough, simply perform End Task again and then immediately delete the application.

  7. Install CCleaner.  Run CCleaner.

  8. Install Malwarebytes Anti-Malware.

  9. Browse to C:\Program Files\Malwarebytes' Anti-Malware. 

  10. Copy mbam.exe.  Paste mbam.exe.

  11. Rename Copy of mbam.exe to Copy of mbam.com.  (The infection blocks applications ending in EXE; a copy with the .com extension is still allowed to run.)

  12. Run Malwarebytes Anti-Malware.  Remove all found instances of malware.

  13. When prompted, click Yes to restart computer.

  14. Create a new file named fix.reg.

  15. Copy and paste the following text into fix.reg:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
      00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
      32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
      00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]
    "HasLUAShield"=""

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser]
    @="@shell32.dll,-50944"
    "Extended"=""
    "SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

    [HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
    "DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
    @="Compatibility"

    [HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
    @="{1d27f844-3a1f-4410-85ac-14651078412d}"

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"

    [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

    ; Backslashes inside .reg string data must be doubled, and a command that
    ; carries arguments needs the path itself wrapped in escaped quotes.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
    @="C:\\Program Files\\Mozilla Firefox\\firefox.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
    @="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -safe-mode"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
    @="C:\\Program Files\\Internet Explorer\\iexplore.exe"

    ; A key name prefixed with "-" is deleted on import.  These remove the
    ; per-user .exe overrides and the hijacked "pezfile" class the infection added.
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\pezfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]

  16. Double-click fix.reg

  17. Reboot.

  18. Using Programs and Features, uninstall your antivirus application.

  19. Reinstall your antivirus application.

This issue has now been resolved.  To prevent the infection, upgrade Sun Java to the latest version.
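A read-only PowerShell audit for the registry hijack described above, added here as an example and not part of the original post: it checks the keys that fix.reg repairs or deletes and lists three-letter .exe files in the directory from step 5, without changing anything.  Run it from an elevated PowerShell prompt before cleanup to confirm the diagnosis, or after step 17 to confirm the fix took.

```powershell
# Added example (not from the original post): audit the .exe association keys that
# Win 7 Security 2012 hijacks and report three-letter .exe files in %LOCALAPPDATA%.
# Read-only: it reports, it does not change the registry.

$expected = '"%1" %*'   # the correct exefile open command on a clean system

function Get-RegDefault($path) {
    # Returns the (Default) value of a key, or $null if the key does not exist.
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
}

# Per-user override keys: fix.reg deletes these, so on a clean system they should be absent.
$userKeys = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\pezfile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)
foreach ($k in $userKeys) {
    if (Test-Path $k) {
        Write-Warning "Suspicious per-user key present: $k"
        $d = Get-RegDefault $k
        if ($d) { Write-Host "    (Default) = $d" }
    }
}

# Machine-wide handler: HKCR\.exe must map to exefile, and exefile's open command
# must be exactly "%1" %*; anything else redirects every EXE launch elsewhere.
$ext = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($ext -ne 'exefile') { Write-Warning "HKCR\.exe maps to '$ext' instead of 'exefile'" }

$cmd = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($cmd -ne $expected) { Write-Warning "exefile open command is '$cmd', expected '$expected'" }

# fix.reg deletes HKCR\.exe\shell\open\command; it should not exist on a clean system.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    Write-Warning 'HKCR\.exe\shell\open\command exists (extension-level override)'
}

# The dropped file is a three-letter EXE directly in the user's Local AppData (e.g. tpq.exe).
Get-ChildItem -Path $env:LOCALAPPDATA -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[a-z]{3}$' } |
    ForEach-Object {
        Write-Warning ("Three-letter executable: {0} ({1} bytes, modified {2})" -f
            $_.FullName, $_.Length, $_.LastWriteTime)
    }
```

If the hijack is active, launch PowerShell from Safe Mode as in step 3, since the infection blocks EXE launches in a normal session.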

http://www.smartnetadmin.com
