Win 7 Guardian

Win 7 Guardian is a deceitful anti-spyware application distributed by Trojans that are obtained from malicious websites and online scanners. Once the Trojan is on a system, it drops and executes Win 7 Guardian. It then creates a start-up registry entry for Win 7 Guardian, along with a number of harmless files that the fake system scan later reports as malware. When it runs, Win 7 Guardian conducts a fake online system scan and displays security alerts and pop-ups, all claiming that the system is infected and that the only solution is to pay for the "licensed version" of Win 7 Guardian. Win 7 Guardian performs no legitimate security software functions and should be removed upon detection.

File System Details

Win 7 Guardian may create the following file(s):
# File Name Detections
1. av.exe

Registry Details

Win 7 Guardian may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
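
The entries above share one pattern: a shell command handler whose first program is an executable in the user profile, with the real program passed after /START. A triage check for that pattern over collected registry values follows, as an added example that is not part of the original entry; the function names, the list of user-writable prefixes and the sample tuples are assumptions made for the illustration.

```python
import re

# Command handlers the entry lists as hijack points (value name "(Default)").
WATCHED_HANDLERS = re.compile(
    r"\\(StartMenuInternet\\[^\\]+\\shell\\(open|safemode)\\command"
    r"|secfile\\shell\\open\\command)$", re.I)
# Assumed list of user-writable prefixes a machine-wide handler should not launch from.
USER_WRITABLE = re.compile(
    r"^(%userprofile%|%appdata%|%localappdata%|%temp%"
    r"|[a-z]:\\(users|documents and settings)\\)", re.I)

def first_token(command):
    """Return the program a command line launches (quoted or bare first token)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def audit(values):
    """values: iterable of (key, value_name, data); returns a list of (key, reason)."""
    findings = []
    for key, name, data in values:
        if WATCHED_HANDLERS.search(key) and name == "(Default)":
            prog = first_token(data)
            if USER_WRITABLE.match(prog):
                findings.append((key, "handler launches " + prog))
        elif (key.lower().endswith(r"\microsoft\security center")
              and name.lower() == "antivirusoverride" and str(data) == "1"):
            findings.append((key, "AntiVirusOverride is set to 1"))
    return findings

# Constructed sample: three values copied from the entry above plus one clean handler.
SAMPLE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command",
     "(Default)",
     r'"%UserProfile%\Local Settings\Application Data\av.exe" /START '
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (r"HKEY_CLASSES_ROOT\secfile\shell\open\command", "(Default)",
     r'"%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command",
     "(Default)", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

if __name__ == "__main__":
    for key, reason in audit(SAMPLE):
        print(key, "->", reason)
```

The check keys on where the handler's first program lives rather than on the file name av.exe, so it still fires if the dropped executable is renamed.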
