Win 7 Anti-Virus 2011 (Win7AntiVirus 2011) Virus Removal Guide

Virus Type: Rogue Security Application
Threat Level: 8 / 10

Win 7 Anti-Virus 2011 is a new fake antivirus application that shares many features and functions with other fake antivirus applications. The original version was introduced around February 2010 with the file name AV.exe; since then, the look of the virus has changed slightly, but the functionality is similar. The main difference between the current version and the original version is the file name. Earlier versions used the file names AV.exe, AVE.exe (introduced in April 2010), and PW.exe (introduced in November 2010). The virus has now been modified to use an executable file name that changes from computer to computer, most likely to make it harder to find and so keep it hidden from the user.

Win 7 Anti-Virus 2011 also differs from other fake antivirus applications in that it changes its displayed name to match the operating system. On systems running Windows 7 it presents itself as Win 7 Anti-Virus 2011, on Windows XP as XP Anti-Virus 2011, and on Windows Vista as Vista Anti-Virus 2011. Win 7 Anti-Virus 2011 is a clone of a variety of fake antivirus programs and looks similar to Win 7 Antivirus Pro 2010.

The main executable of Win 7 Anti-Virus 2011 is generally named with a series of three random letters; it is similar to AV.exe and AVE.exe, the main executables of previous clones of this virus. Win 7 Anti-Virus 2011 modifies the registry so that the fake antivirus program runs whenever any other executable file is run; therefore, the registry must be fixed before the main executable file is removed. Reader comments may provide insight into the successful removal of Win 7 Anti-Virus 2011. The main executable is generally a hidden protected system file; therefore, it is important to turn on “show hidden files” and turn off “hide protected operating system files” in the file explorer in order to see it.

Below is our recommended removal tool for Win 7 Anti-Virus 2011. The removal tool has been rated 5 cows out of 5 by Tucows and was previously CNET’s Editor’s Choice. Feel free to download it below.


When attempting to download the removal tool, Win 7 Anti-Virus 2011 will make web browsers (Internet Explorer, Mozilla Firefox, and Google Chrome) unusable by showing the following page when attempting to browse the web.

Win 7 Anti-Virus 2011 Removal Tip - The best method to download the removal tool is to go to the following web address (type the web address into the internet browser and press enter). By going directly to the link, Win 7 Anti-Virus 2011 will not be able to block the download. If you need assistance with running the removal tool, please email us at virusremovalguru@gmail.com.

http://www.virusremovalguru.com/download.php

Win 7 Anti-Virus 2011 Removal Tip #2 - The best method to run the browser is to right click on Mozilla Firefox or Google Chrome and select “Run as administrator.” This method will not work with Internet Explorer. This should allow the user to browse the web and download removal software for Win 7 Anti-Virus 2011. In the video below, we have detailed how to access the web in Internet Explorer.

Win 7 Anti-Virus 2011 Removal Tip #3 - If Win 7 Anti-Virus 2011 is blocking applications from running, right click on the application file and select “Run as administrator.” This should allow the user to install removal software in order to successfully remove Win 7 Anti-Virus 2011.

If you are unable to run the removal tool, or are unable to run any programs in general, you may also need to stop the processes associated with Win 7 Anti-Virus 2011 with task manager. If task manager has been blocked by Win 7 Anti-Virus 2011, try using Process Explorer. The quickest way to access the task manager is to press CTRL+SHIFT+ESC.

Win 7 Anti-Virus 2011, like many other fake antivirus programs, will create a series of warnings and pop ups in order to scare the user into purchasing the fake program. Some of these warnings which are created by Win 7 Anti-Virus 2011 can be found below.

“Privacy Threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.”

“Win 7 Anti-Virus 2011 Firewall Alert!
Win 7 Anti-Virus 2011 has blocked a program from accessing the internet.
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen. Private data can be stolen by third parties, including credit card details and passwords.”

“Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.”

“Windows Security Center

Win 7 Anti-Virus 2011 reports that it is currently turned off. A firewall helps to protect your computer from potentially harmful content on the internet. Click Recommendations to learn how to fix this problem.

Win 7 Anti-Virus 2011 reports that it is turned off. Antivirus software helps protect your computer against viruses and other security threats. Click Recommendations for suggested actions you can take.”

“Security hole detected!

A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen!

Attack from: 115.172.215.164
Attacked port: 9921
Threat: IRC-Worm.DOS.Loa”

“Internet connect alert!

Suspicious network activity detected! Malware infection is possible!

Details
Attack from: 41.77.185.174
Attacked port: 18759
Threat: P2P-Worm.Win32.Franvir”

Win 7 Anti-Virus 2011 may also modify Internet Explorer to show the following alert listed below when the browser is opened.

“Internet Explorer alert. Visiting this site may pose a security threat to your system!”

It is recommended to use safe mode when removing the virus because Win 7 Anti-Virus 2011 will generally not be able to load in safe mode. To enter safe mode, restart the computer and press F8 multiple times before the Windows screen to bring up the boot options.


The safe mode with networking option will allow the user to be able to use the internet in safe mode. Win 7 Anti-Virus 2011 can be removed by using the removal tool or by manually removing the virus.


Common symptoms and characteristics of Win 7 Anti-Virus 2011 and other rogue security programs include:
1. Win 7 Anti-Virus 2011 is generally installed without user permission.
2. Win 7 Anti-Virus 2011 uses pop ups and fake virus scans to scare the user.
3. Various antivirus and system programs on the user’s computer will stop functioning.

Manual Win 7 Anti-Virus 2011 Removal – In order to manually remove Win 7 Anti-Virus 2011, the processes associated with Win 7 Anti-Virus 2011 must be stopped, the files associated with the processes must be removed, and the registry entries must be corrected to the previous state before Win 7 Anti-Virus 2011 entered the computer.

Important: Before attempting to manually remove Win 7 Anti-Virus 2011, we recommend that the user read through comments posted by other users on how they removed specific fake antivirus programs since many fake antivirus programs are similar. These comments can be found by clicking here. These comments may provide additional information which may be useful in removing Win 7 Anti-Virus 2011. However, please use discretion since these specific comments pertain to other fake antivirus programs.

Stop Win 7 Anti-Virus 2011 Processes
[random letters].exe

Remove Win 7 Anti-Virus 2011 Files
C:\Users\[username]\AppData\Local\[random letters].exe

The main executable file of Win 7 Anti-Virus 2011 is generally a hidden protected system file. Therefore, the user will need to turn on “show hidden files” and turn off “hide protected operating system files” in order to see it. Both settings are in the View tab of Folder Options. In Windows 7, you can search for “hidden files and folders” in the Windows Search Bar to find Folder Options. To bring up the Windows Search Bar, click on the Windows symbol in the bottom left-hand corner of the screen. It is recommended that the user turn “hide protected operating system files” back on after removing Win 7 Anti-Virus 2011.

Remove Win 7 Anti-Virus 2011 Registry Keys
HKEY_CURRENT_USER\Software\Win 7 Anti-Virus 2011
HKEY_LOCAL_MACHINE\SOFTWARE\Win 7 Anti-Virus 2011
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win 7 Anti-Virus 2011

Remove Win 7 Anti-Virus 2011 Startup Entry
[random letters].exe


If you have any questions or comments, or need help with any of the steps, please don’t hesitate to comment below. We recommend that you follow our safety tips so that you can keep your computer clean.

Your feedback is very highly valued by others so please feel free to comment below. Please feel free to share a solution that you may have used to remove Win 7 Anti-Virus 2011.

This entry was posted on Sunday, March 20th, 2011 at 3:44 am and is filed under Malware Removal.

12 Responses to “Win 7 Anti-Virus 2011 (Win7AntiVirus 2011) Virus Removal Guide”

fnord March 21st, 2011 at 1:33 pm

Under Win7, this spyware blocks access to itself by denying access to Documents and Settings and regedit.exe. The method mentioned above will not work even in safe mode, as the malware manages to boot even then.

The solution is simple – System Restore. I’ve restored to a point 3 days before I picked that malware up, and that was all that was needed.

bloodprince82 March 23rd, 2011 at 3:40 am

I have another antivirus program, McAfee. When I scanned with it (got it after I had got infected with Win 7 Anti-Virus 2011; previously had Microsoft Security Essentials, which was destroyed by the win 7 thing) it didn’t get rid of win 7. Is there a way I can get rid of it with McAfee, or will McAfee stop all attacks done by win 7? Any help would be much appreciated.

Jon March 23rd, 2011 at 12:13 pm

Hi BloodPrince82,

Please update McAfee and run again. Since this is new, it may take time to create an update to remove Win 7 Anti-Virus 2011.

moisty April 2nd, 2011 at 10:31 pm

I’m running Windows 7. I couldn’t run exe files or System Restore. Tried loads of sites with no joy. But here’s the solution, found by luck :-) If you have Malwarebytes Anti-Malware, just right click and run as admin; this will open it. If not, just right click your internet browser and run as admin, download Malwarebytes or whatever remover you prefer, right click and run as admin, job done. I don’t know how this works but it seems to bypass the virus. Happy days, please spread the word.

Tony April 3rd, 2011 at 6:31 am

Please please help!!! I’m in no way a computer literate guy. Got the win 7 virus by a silly mistake of opening an attachment and now I’m doomed…….doomed I say !!! I need some real basic non computer talk walk through guide to get rid. Tried opening in safe mode as directed but no joy. Anyone give any basic instructions for me would be fab. Help me !!!

Tony April 3rd, 2011 at 6:50 am

I did a full system recovery in the end. Lost some files and yet to see if it works but if it does then it was worth it. Is it advisable to download the removal tool ??

Jie April 5th, 2011 at 6:25 am

While scanning on Malwarebytes the whole thing just freezes. Any help?

Annette April 6th, 2011 at 10:11 pm

I did the F8 thing and a system restore to a point before we got this win 7 and so far it seems okay, does that mean I got rid of it or is it just hiding and waiting to come out again later?

NEIL April 13th, 2011 at 11:07 am

Like Annette I also did system restore which seems to have worked. Early days yet though!

A Passerby April 14th, 2011 at 7:27 pm

I was recently attacked by this. My sister was the one who fixed the problem. I don’t know what she did. The program seems to have been removed, but the problem now is that I have to run every program as an Administrator to even use it. Things like Paint or Internet Explorer ask what program I’d like to use to open them which is just nuts. What do I do now?

Sharath Nair April 22nd, 2011 at 5:51 am

The simple way to remove the infection is to clean up your computer. Steps are given below.

1) Restart your computer in safe mode with networking (While restarting your computer keep tapping F8 to boot your computer in safe mode with networking)

2) If you are using Windows XP, click on Start, then Run, then type temp and press enter. It will open a folder; delete all the files.

For Vista and Windows 7, click on Start, then type temp in the program search box and follow the same steps.

3) Now, type %temp% instead of temp and delete all the files and folders.

4) Then, type prefetch and delete all the files and folders.

5) Then type regedit

Detect and delete other Win 7 Anti-Virus 2011 files:

NOTE: Take a backup of the registry (click on File, then Export, and save it in your documents)

HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'

HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'

HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'

HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'

HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'

HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'

HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'

HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'

6) Then type cleanmgr, check all the components and delete them.

7) Then type http://www.tinyurl.com/333utee and press enter to install Malwarebytes to remove the infection.

8) Restart the computer

Hope it will work for you!
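The handler hijack that the registry entries above describe can be checked offline against a registry export taken from the affected profile. This Python sketch is an added example, not part of the original comment or of the site's removal tool; the sample export, the user name alice and abc.exe are constructed placeholders for the random three-letter file.

```python
import re

# Constructed sample in .reg export syntax (real exports are UTF-16; decode first).
# The user name "alice" and "abc.exe" are placeholders for the random 3-letter file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\abc.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\abc.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
'''

PASSTHROUGH = '"%1" %*'  # handler value that simply runs the file that was clicked
EXE_HANDLER = re.compile(r'\\(\.exe|exefile)\\shell\\(open|runas)\\command$', re.I)
WRAPPER = re.compile(r'^"([^"]+\.exe)"\s+/START\s+"', re.I)  # "<other>.exe" /START "<target>"
REG_SZ = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(value):
    # .reg strings escape backslashes and quotes with a leading backslash.
    return re.sub(r'\\(.)', r'\1', value)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = REG_SZ.match(line)
        if key and m:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_hijacks(text):
    """Return (key, finding) for each default command that is not a plain pass-through."""
    hits = []
    for key, name, data in parse_reg(text):
        if name != '(Default)':
            continue
        wrapped = WRAPPER.match(data)
        if wrapped:                      # another executable is interposed via /START
            hits.append((key, wrapped.group(1)))
        elif EXE_HANDLER.search(key) and data != PASSTHROUGH:
            hits.append((key, data))     # .exe handler altered in some other way
    return hits

if __name__ == "__main__":
    for key, finding in find_hijacks(SAMPLE_REG):
        print(f"HIJACKED {key}\n    runs first: {finding}")
```

The file path reported for each hit is the executable to remove after the handler value has been restored to the pass-through form.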

Dylan May 13th, 2011 at 9:16 pm

I tried 3 different antivirus programs to get rid of this: Ad-Aware, Spybot Search and Destroy and Malwarebytes. I’m not sure if it was the combination of the 3 but in the end it was Malwarebytes that finally removed the virus. Each program discovered something and removed it.

- You can run exe programs by right clicking and clicking Start or Run as Administrator.

- Open Task Manager and close any processes that are 3 letters (opg.exe etc). You will need to keep doing this throughout the process as it will keep reopening them.

- It will come up with a block page on IE or Firefox; closing the 3 letter processes should allow you to go to a webpage.

- Once you have downloaded Malwarebytes right click and select run.

- Full system scan should remove it.

- Good luck.
