Win 7 Total Security

Win 7 Total Security Description

Win 7 Total Security may sound like the name of a security program, but Win 7 Total Security isn't. Not only is Win 7 Total Security incapable of protecting your computer, but Win 7 Total Security is also malware that was created to scam people out of their money.

Symptoms of a Win 7 Total Security Infection

Win 7 Total Security causes the same symptoms as many other current PC threats. This is not a coincidence, and it is not an indication that Win 7 Total Security has ripped off some other malware. All of these identical-looking threats are part of the same scam. Win 7 Total Security exists to convince you that it is anti-virus software when it is not, so that you will believe its scare tactics and ultimately pay money for its useless software.

One of the best-known symptoms of a Win 7 Total Security infection is that a Win 7 Total Security interface frequently pops up and runs fake system scans. This phony interface is set up to display the first time you try to run a program after Windows starts. Since most Windows users have at least one program that will run when the operating system starts, this generally means that you will see the interface when Windows boots. This interface uses the Windows logo and name, as well as some Windows icons for various components of your system's security, in order to make itself look realistic. Win 7 Total Security will always show that the level of your computer's security is very low.

When the interface appears, Win 7 Total Security will play a progress bar animation, and then tell you that Win 7 Total Security has found a staggering number of threats on your PC. The list of threats may even include the names of some real viruses. However, you will not find any of these malicious files on your computer, since the files that Win 7 Total Security reports as malicious are typically harmless (or even essential) Windows components. Of course, once the fake scan is complete, Win 7 Total Security will prompt you to activate its software so that Win 7 Total Security can remove all of the threats, and if you click through its prompts, you will find yourself at the payment site for Win 7 Total Security. The payment site offers the ability to pay by credit card, with the promise of increased functionality for Win 7 Total Security in return for an activation fee. Unfortunately, there is nothing to activate, because Win 7 Total Security is completely bogus. If you pay the money that the malware demands, Win 7 Total Security will still just be malware.

In addition to the fake scans with their fake results, Win 7 Total Security will also frequently generate security alerts. When you try to run another program, Win 7 Total Security will prevent that program from starting, and Win 7 Total Security will give you an alert saying that the program was prevented from running because it is infected or malicious. When you try to go online, Win 7 Total Security will prevent you from navigating to webpages you want to go to, and Win 7 Total Security will show an alert message within the browser that says that you were just prevented from navigating to a dangerous site. In general, Win 7 Total Security will create a lot of alerts, including some that claim to be firewall alerts, and some that simply pop up. All of these alerts will say that your system is under attack or that some kind of threat has been detected, and so you should take some kind of action – but in order to take that action (by running a scan, etc.) Win 7 Total Security insists you have to pay to "activate" its software.

Complications in the Win 7 Total Security Removal Process

Win 7 Total Security typically cannot be removed using ordinary methods, because Win 7 Total Security doesn't create an entry in the Control Panel's Add/Remove Programs list. Furthermore, because Win 7 Total Security can prevent other programs from running and prevent you from accessing the Internet to get help, this malware can be difficult to remove. There is a code that can be entered into Win 7 Total Security as a license or registration code, which reputedly can disable the malware temporarily so that Win 7 Total Security can be removed. That code is 1147-175591-6550, but remember that at best it provides an opportunity to remove Win 7 Total Security without interference, and it is not a permanent solution.

How Win 7 Total Security Infects a Computer, and What is Really Going on?

Win 7 Total Security is one name for a malicious, fake security application that renames itself according to what Win 7 Total Security finds on your computer. There are lots of reports out there that state that Win 7 Total Security is a clone of some other malware in this same "family," or that it is extremely similar, but the fact of the matter is that all malware in this so-called family is literally identical. It is the same malware, one piece of malware, with the ability to refer to itself as different things. So technically, Win 7 Total Security only affects computers running Windows 7, but that fact is trivial. The malware names itself using three lists of component words or phrases. One of these components will be a version of Windows, and the other two will be likely-sounding security or software-related words. The name Win 7 Total Security is a name thrown together from these categories of words.

The malware that is really behind Win 7 Total Security and all of the other names that this threat goes by is Win32/FakeRean. Win32/FakeRean is a Trojan downloader, which has been used by the same Russian scam since 2008 to create rogue anti-virus programs and use them to steal money. The Trojan is typically hidden in a fake free online computer scan, or in a download of a video codec, software update, or pirated content. Once the Trojan is on your computer, it initiates a download of the malware, and it may even disguise this download as a Windows software update. Then the fake anti-virus application makes some changes to the registry, and the next thing you know, your computer is held hostage by malware.

One of the distinctive characteristics of Win 7 Total Security is that Win 7 Total Security claims to be a Windows product, at every step of the way. Don't let this fool you: Win 7 Total Security has no legitimate connection to Windows, and Win 7 Total Security is not a Microsoft product.

Technical Information

File System Details

Win 7 Total Security creates the following file(s):
# File Name Detection Count
1 %AppData%\Local\[RANDOM CHARACTERS].exe (look for 3-letter names) N/A
2 %AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru N/A
3 \Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru N/A
4 %AllUsersProfile% N/A
5 \t3e0ilfioi3684m2nt3ps2b6lru N/A
6 %AppData% N/A

Registry Details

Win 7 Total Security creates the following registry entry or registry entries:
RegistryKey
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
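
The listing above mixes values that match the stock Windows handler for executables with values that route every launch through the per-user executable. The following Python sketch is an added illustration, not taken from the original page or from any removal tool: it parses lines in this page's `KEY "Value" = 'data'` format and separates the two groups. The function names and verdict labels are assumptions of this example.

```python
import re

# Stock Windows handler for executables: run the clicked file with its arguments.
STOCK_COMMAND = '"%1" %*'
# One line of the listing: KEY "ValueName" = 'data' (no quote allowed inside data).
ENTRY_RE = re.compile(r"""^(?P<key>HKEY_[^"]+?)\s+"(?P<name>[^"]+)"\s*=\s*'(?P<data>[^']*)'$""")
# A command that starts another .exe with /START and hands it the real target.
WRAPPER_RE = re.compile(r'^"(?P<wrapper>[^"]+\.exe)"\s+/START\s+"(?P<target>[^"]+)"', re.I)

def parse_entry(line):
    """Return (key, value name, data), or None when the line is malformed."""
    m = ENTRY_RE.match(line.strip())
    return (m["key"], m["name"], m["data"]) if m else None

def classify(key, data):
    """'hijack' = command routed through a wrapper, 'stock' = equals the default."""
    if key.lower().endswith("\\command"):
        if WRAPPER_RE.match(data):
            return "hijack"
        if data == STOCK_COMMAND:
            return "stock"
    return "other"

def triage(text):
    """Group the listing's lines by verdict; malformed lines go to 'unparsed'."""
    report = {"hijack": [], "stock": [], "other": [], "unparsed": []}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_entry(line)
        if entry is None:
            report["unparsed"].append(line.strip())
        else:
            report[classify(entry[0], entry[2])].append(entry)
    return report

# Sample input: six lines copied from the listing above, including its merged
# DefaultIcon line, which carries two values and is reported rather than guessed at.
SAMPLE = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[RANDOM 3 CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
"""

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE).items():
        print(verdict, len(entries), *entries, sep="\n    ")
```

Entries reported as `hijack` are the ones to restore to the stock command during cleanup; `unparsed` lines need a manual look rather than an automatic verdict.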
