Win 7 Security 2012 Description
Win 7 Security 2012 is one of the many versions of Ppn.exe, a malicious file. New versions of programs related to this file are released every day; all of the different versions of Win 7 Security 2012 are the same program, with a different name and theme. Since the rogue programs have different skins according to the user’s operating system, Win 7 Security 2012 can be hard for security experts to track. This defining characteristic has caught the attention of computer security specialists around the world.
Don’t Fall for the Win 7 Security 2012 Scam
Win 7 Security 2012 is a scam. This rogue security program is designed to prey on inexperienced users by making them think that their computer is under attack. It is, but from Win 7 Security 2012. Despite Win 7 Security 2012’s authentic-sounding name, this program is really a malicious security application that causes all sorts of problems on a user’s computer. Win 7 Security 2012 then poses as a real security utility to convince the computer user to purchase Win 7 Security 2012. Users terrified of losing the information on their computers fall for the scam, giving Win 7 Security 2012 their credit card information. Of course, giving Win 7 Security 2012 your credit card information is useless, since this fake security program is not equipped to stop any kind of infection, and Win 7 Security 2012 is itself an invasive rogue anti-spyware program.
The Defining Feature of Win 7 Security 2012 and the Ppn.exe Process
There are dozens of known versions of the Ppn.exe process, and new ones are discovered every single day. However, unlike previous spyware, these cannot properly be called clones. Instead, they are all the same program downloading different skins corresponding to the infected computer. Ppn.exe changes identities depending on the user’s operating system. Win 7 Security 2012 will rarely, if ever, infect a computer running Windows Vista or Windows XP. These systems would be infected by a version of Ppn.exe that is appropriate for that specific operating system, for example XP Security 2012 for Windows XP or Vista Security 2012 for Windows Vista.
The Ppn.exe Infiltration and Adaptation Process
Ppn.exe first infiltrates a computer through a Trojan, probably downloaded inadvertently from a dodgy website. This Trojan delivers Ppn.exe into the computer that is being attacked, by displaying a notification that is very similar to the ones displayed by Windows Automatic Update. Most users will simply click on it as they would with any other automatic update. This will start the Win 7 Security 2012 installation process. The program will detect the operating system being used and will then download one of three sets of skins appropriate for that operating system. These three sets of skins correspond to the three main Windows operating systems: Windows XP, Windows Vista, and Windows 7. Each of these sets includes a great number of different possible names and designs to mimic a legitimate anti-spyware application. Ppn.exe will also alter the registry so that Win 7 Security 2012 will be started up along with the operating system. The next time the user starts up Windows, he will be greeted by the Win 7 Security 2012 splash screen. The program will perform a fake scan and return numerous false positive results. Then Win 7 Security 2012 will prompt the user to enter his credit card information.
Win 7 Security 2012 Technical Report
We will update this section as new Win 7 Security 2012 details are reported by our customers and by our Threat Research Center.
Fake message for Win 7 Security 2012:
The following fake error messages appear for Win 7 Security 2012:

Critical Warning! Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

System warning! Security Essentials Ultimate Pack software detects programs that may compromise your privacy and harm your systems. It is highly recommended you scan your PC right now. Click here to start.

Security Alert! Your computer is being attacked from a remote machine ! Block Internet access to your computer to prevent system infection.

System warning! Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.
Win 7 Security 2012 Removal Details
Win 7 Security 2012 typically has the following processes in memory:
%LocalAppData%\ppn.exe
%AppData%\Local\[RANDOM CHARACTERS].exe
Win 7 Security 2012 creates the following files in the system:
%AppData%\Local\[RANDOM CHARACTERS]
%LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H
%Temp%\[RANDOM CHARACTERS]
%AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H
%AllUsersProfile%\[RANDOM CHARACTERS]
%AppData%\Roaming\Microsoft\Windows\Templates\[RANDOM CHARACTERS]
Win 7 Security 2012 creates the following registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1"
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe" /START "%Program Files%\Internet Explorer\iexplore.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
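The registry entries above share one pattern: the .exe / exefile launch handlers and the browser start commands are rewritten so that every launch first runs a binary in the user profile. The Python check below is an added example, not part of the original report. It flags that pattern in entries given in the same key / value name / data form; the function names, the sample entries and the choice of which profile paths count as suspect are assumptions made for illustration.

```python
import re

# Handler keys the report lists as modified: the .exe / exefile shell verbs
# and the StartMenuInternet browser launch commands.
EXE_HANDLER = re.compile(r"\\(?:\.exe|exefile)\\shell\\(?:open|runas)\\command$", re.I)
BROWSER_HANDLER = re.compile(r"\\Clients\\StartMenuInternet\\[^\\]+\\shell\\[^\\]+\\command$", re.I)
# Assumption: a launcher under one of these per-user locations is suspect.
USER_WRITABLE = re.compile(r"^%(?:UserProfile|AppData|LocalAppData|Temp)%\\", re.I)
CLEAN_EXE_COMMAND = '"%1" %*'  # pass-through: run the clicked file itself


def first_program(command):
    """Return the first token of a command line, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or "") if m else ""


def check_entry(key, value_name, data):
    """Return a reason string if the entry reroutes launches, else None."""
    if value_name not in ("(Default)", "IsolatedCommand"):
        return None
    program = first_program(data)
    if EXE_HANDLER.search(key):
        if data.strip() != CLEAN_EXE_COMMAND:
            return f"exe handler launches {program!r} instead of the clicked file"
    elif BROWSER_HANDLER.search(key) and USER_WRITABLE.match(program):
        return f"browser launch routed through per-user binary {program!r}"
    return None


def find_hijacks(entries):
    """Return (key, value name, reason) for every entry that looks hijacked."""
    return [(k, v, why) for k, v, d in entries if (why := check_entry(k, v, d))]


# Constructed sample entries, modelled on the forms listed in the report.
ROGUE = r'"%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].exe"'
SAMPLE = [
    (r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command", "(Default)", ROGUE + ' /START "%1" %*'),
    (r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command", "IsolatedCommand", '"%1" %*'),
    (r"HKEY_CLASSES_ROOT\.exe\shell\open\command", "(Default)", ROGUE + ' /START "%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command", "(Default)", ROGUE + r' /START "%Program Files%\Mozilla Firefox\firefox.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command", "(Default)", r'"%Program Files%\Internet Explorer\iexplore.exe"'),
    (r"HKEY_CURRENT_USER\Software\Classes\exefile", "Content Type", "application/x-msdownload"),
]

if __name__ == "__main__":
    for key, value, why in find_hijacks(SAMPLE):
        print(f"{key} [{value}]: {why}")
```

Entries holding the pass-through value "%1" %* are not flagged by themselves; the check reports only commands that put another executable in front of the program being opened.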