Win 7 Security 2012

Win 7 Security 2012 Description

Win 7 Security 2012 is one of the many different versions that exist of Ppn.exe, a malicious file. New versions of programs related to this file are released every day; all of the different versions of Win 7 Security 2012 are the same program, with a different name and theme. Since the rogue programs have different skins according to the user's operating system, Win 7 Security 2012 can be hard for security experts to track. This defining characteristic has caught the attention of computer security specialists around the world.

Don't Fall for the Win 7 Security 2012 Scam

Win 7 Security 2012 is a scam. This rogue security program is designed to prey on inexperienced users by making them think that their computer is under attack. It is, but from Win 7 Security 2012. Despite Win 7 Security 2012's authentic-sounding name, this program is really a malicious security application that causes all sorts of problems on a user's computer. Win 7 Security 2012 then poses as a real security utility to convince the computer user to purchase Win 7 Security 2012. Users terrified of losing the information on their computers fall for the scam, giving Win 7 Security 2012 their credit card information. Of course, giving Win 7 Security 2012 your credit card information is useless, since this fake security program is not equipped to stop any kind of infection, and Win 7 Security 2012 is itself an invasive rogue anti-spyware program.

The Defining Feature of Win 7 Security 2012 and the Ppn.exe Process

There are dozens of known versions of the Ppn.exe process, and new ones are discovered every single day. However, unlike previous spyware, these cannot properly be called clones. Instead, they are all the same program downloading different skins corresponding to the infected computer. Ppn.exe changes identities depending on the user's operating system. Win 7 Security 2012 will rarely, if ever, infect a computer running Windows Vista or Windows XP. These systems would be infected by a version of Ppn.exe which is appropriate for that specific operating system: for example, XP Security 2012 for Windows XP, or Vista Security 2012 for Windows Vista.

The Ppn.exe Infiltration and Adaptation Process

Ppn.exe first infiltrates a computer through a Trojan, probably downloaded inadvertently from a dodgy website. This Trojan delivers Ppn.exe into the computer that is being attacked, by displaying a notification that is very similar to the ones displayed by Windows Automatic Update. Most users will simply click on it as they would with any other automatic update. This will start the Win 7 Security 2012 installation process. The program will detect the operating system being used and will then download one of three sets of skins appropriate for that operating system. These three sets of skins correspond to the three main Windows operating systems: Windows XP, Windows Vista, and Windows 7. Each of these sets includes a great number of different possible names and designs to mimic a legitimate anti-spyware application. Ppn.exe will also alter the registry so that Win 7 Security 2012 will be started up along with the operating system. The next time the user starts up Windows, he will be greeted by the Win 7 Security 2012 splash screen. The program will perform a fake scan and return numerous false positive results. Then Win 7 Security 2012 will prompt the user to enter his credit card information.

Aliases: TrojWare.Win32.Trojan.Agent.Gen [Comodo], Trojan.Agent/Gen-Frauder, HEUR:Trojan.Win32.Generic [Kaspersky], a variant of Win32/Kryptik.QUY [NOD32], Rogue.Agent/Gen, Trojan.Win32.FakeAV.ecou [Kaspersky], Generic23.CFUB [AVG], Trojan.Cryptic [Ikarus], Trojan.Gen, Win32:Renosa-J [GData], Mal/FakeAV-MQ [Sophos], Trojan.AVKill.2 [DrWeb], Trojan.Cryptic!IK, Trojan.Agent/Gen-Mixel and Trojan.Generic.KD.302340 [BitDefender].

Technical Information

File System Details

Win 7 Security 2012 creates the following file(s):
# File Name Size MD5 Detection Count
15 %LocalAppData%\ppn.exe N/A
16 %AppData%\Local\[RANDOM CHARACTERS].exe N/A
17 %AppData%\Local\[RANDOM CHARACTERS] N/A
18 %LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H N/A
19 %Temp%\[RANDOM CHARACTERS] N/A
20 %AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H N/A
21 %AllUsersProfile%\[RANDOM CHARACTERS] N/A
22 %AppData%\Roaming\Microsoft\Windows\Templates\[RANDOM CHARACTERS] N/A

Registry Details

Win 7 Security 2012 creates the following registry entry or registry entries:
Registry Key
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Internet Explorer\iexplore.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
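
The entries above redirect the .exe open command and the browser Start Menu commands through the rogue executable. The following check is an added example, not part of the original article or of any vendor tool: it parses entries written in this page's notation and flags command values that no longer start the expected program. The function names are hypothetical and the sample is constructed from the list above, with one clean IEXPLORE.EXE value added for contrast.

```python
import re

STOCK_EXE_COMMAND = '"%1" %*'   # stock Windows handler for launching an .exe

# One entry per line, in the notation this page uses: KEY "Name" = 'value'
ENTRY_RE = re.compile(r"""^(HK[^"]+?)\s+"([^"]+)"\s*=\s*'(.*)'$""")
EXE_CMD_RE = re.compile(r"\\(?:\.exe|exefile)\\shell\\(?:open|runas)\\command$", re.I)
BROWSER_CMD_RE = re.compile(r"\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$", re.I)

# Constructed sample: entries taken from the list above, plus one clean
# IEXPLORE.EXE value (an assumption, added for contrast).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%Program Files%\Internet Explorer\iexplore.exe"'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
"""

def first_program(command):
    """Return the lower-cased file name of the program a command line starts."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hijacks(listing):
    """Return (key, value name, reason) for each command value that routes
    program launches through some other executable."""
    findings = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, name, value = m.groups()
        browser = BROWSER_CMD_RE.search(key)
        # HKCU\Software\Classes overrides HKLM in the merged HKEY_CLASSES_ROOT
        # view, so a per-user value is enough to redirect every .exe launch.
        if EXE_CMD_RE.search(key) and value != STOCK_EXE_COMMAND:
            findings.append((key, name, "exe handler is not the stock command"))
        elif browser and name == "(Default)" and first_program(value) != browser.group(1).lower():
            findings.append((key, name, "browser entry starts " + first_program(value)))
    return findings

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE):
        print(*finding, sep=" | ")
```

The same comparison applies to values exported from a live system: any `shell\open\command` or `shell\runas\command` value under `.exe` or `exefile` other than `"%1" %*` deserves investigation.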

More Details on Win 7 Security 2012

The following messages associated with Win 7 Security 2012 were found:
Critical Warning!
Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)
Security Alert!
Your computer is being attacked from a remote machine !
Block Internet access to your computer to prevent system infection.
System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.
System warning!
Security Essentials Ultimate Pack software detects programs that may compromise your privacy and harm your systems. It is highly recommended you scan your PC right now. Click here to start.

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
