Helping people with computers... one answer at a time.

Win 7 Home Security 2012 is the latest in a long line of so-called "scareware" trojans. I'll review this malware and how to stay safe.

Twice now, in as many months, I've been hit with the Win 7 Home Security 2012 trojan. First time, I was able to kill it with Malwarebytes in Safe Mode. This time, it even showed up in Safe Mode and my system now won't boot. I had to take my desktop to Best Buy to get it cleaned and fixed. Do you have any recommendations for preventing trojans like this for infecting my system in the first place? I have a PC running Windows 7. Personally, I think these sociopathic oxygen thieves that create this digital fecal matter should ....

I can understand your frustration.

Right up there with spammers, the folks that create this kind of stuff deserve severe punishment. When you tally up the overall cost in wasted time, data loss, and who knows what else, the impact of malware like this is significant.

From what I've seen, "Win 7 Home Security 2012" propagates through pretty traditional means.

Which means prevention is, as well, fairly traditional.

Let's review what that means.

Win 7 Home Security 2012

This particular bit of malware seems to be showing up more often of late. It's really just the latest in a long line of similar trojans that appear every year.

“The good news is that because it propagates in traditional ways, traditional security steps can be used to avoid it.”

This particular trojan is often classified as "scareware", attempting to scare you into purchasing the so-called "full version" to remove a long list of infections. The infections listed are fake. The goal is simply to get you to hand over some money and possibly to entice you to download even more malware onto your machine.

Getting Win 7 Home Security 2012

Fortunately, I've not been infected by this little gem. However, my research shows that it generally infects your machine in one of the two most common infection vectors:

  • Anything that tricks you to download and run an executable - including web downloads, peer-to-peer file sharing, email attachments, and more.

  • Malicious or hacked web sites that take advantage of unpatched vulnerabilities in your operating system or browser.

Other than its persistance and annoyance, there's nothing particularly unique about how Win 7 Home Security 2012 propagates.

Avoiding Win 7 Home Security 2012

The good news is that because it propagates in traditional ways, traditional security steps can be used to avoid it.

  • Use a good anti-virus program, make sure that it's up-to-date and scanning regularly.

  • Keep your operating system, browser, browser plugins, and other applications as up-to-date as possible.

  • Use a firewall (your router will do).

  • Use common sense.

That last one is perhaps the most difficult. There's absolutely nothing that can protect you from yourself; as a result, malware often successfully propagates by convincing you that it's something that you really, really want. Until you get it, of course, at which point you know that you've been had.

All of these steps, and a few more, are covered in Internet Safety: How do I keep my computer safe on the internet?

Removing Win 7 Home Security

There are dozens of sites on the web with removal instructions for this specific bit of malware. Bleepingcomputer.com is one good source.

The instructions boil down to:

  • Possibly using a different computer to safely perform downloads.

  • Running a couple of scripts and tools to fix a couple of specific registry modifications made by the malware.

  • Running a tool to kill existing running instances of the malware.

  • Using Malwarebytes Anti-malware (free) to remove the infection.

I won't duplicate the instructions here. Just head over to the page on bleepingomputer.com with the detailed instructions.

Also worth mentioning is the virus recovery checklist in How do I recover from a bad virus infection?

Article C5009 - December 10, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

21 Comments
Andrew
December 13, 2011 8:56 AM

My experience as a tech is that no standard antivirus or Internet security program (e.g., AVG, Norton Internet Security, McAfee) will prevent an infection of this type because none will detect it. I have this experience from perhaps a couple of hundred cases where I have dealt with fake antivirus infections. In fact, the fake antivirus genre shuts normal AV's down quite nicely. I do not know why the standard products do not detect them. Perhaps someone here can clear that up for me. MBAM deals with them all very nicely after the fact (though sometimes it takes some time and gymnastics to get MBAM running when a machine is infected with a fake antivirus). Makes it all the more surprising that the standard products don't see them.

Narc
December 13, 2011 8:59 AM

On the topic of common sense, I'd like to note that it is necessary, but not sufficient, especially when dealing with scareware, as in this article. There is a secondary requirement of knowledge -- either from research (Google is your friend) or through getting burned (Fool me once, shame on you; fool me twice, shame on me).

Without knowledge, a claim of "we found something bad on your computer and you can pay us to fix it" cannot always be dismissed out of hand. Common sense can suggest it might be a ruse, but it can also feed you false negatives or just be uncertain. Researching the program in question, though, can (and often does) give you a bit more information to make a decision with. Similarly, hearing from a friend that they've been burned by a certain piece of software can help you avoid it (again, giving you knowledge).

So, common sense and knowledge.

Dan Covill
December 13, 2011 9:08 AM

I've never had this one, but I've had to remove it from other machines twice. The thing that's really nasty is that it disables the browser(s) so you can't research anything or download MalWare Bytes.

But the cure was easy. We just found a System Restore checkpoint that had to be earlier than the infection, restored, and Voila! All was back to normal.

I note that these machines were running WSE behind a router, and were completely up to date. So software won't prevent it; a skeptical operator will.

Michael Horowitz
December 13, 2011 9:39 AM

A *big* step for safety is to be logged on to Windows as a restricted user ("limited" and "standard" are the terms used by Microsoft). This is not perfect protection, but its a big barrier for malware to overcome. And, if something does get installed, you should be able to logon as an admin user and remove it. When logging on as the admin user its very likely the malware will not auto-start giving you a huge advantage in removing it.

Steuart Bowling
December 13, 2011 10:19 AM

It seems like this bug or variations of it is the only one I encounter anymore. I've noticed that the bad guys have upped their game recently too. The last version I dealt with had multiple rootkits and actually defeated MBAM's disinfection attempts--scary for me because I had learned to rely on it.

I had some luck with RKILL and Combo fix to cripple it enough for MBAM to knock out the active files, but rebooting just brought it back since none of these tools addressed the rootkits.

This bug targets the restore points very quickly and gradually blocks access to just about every tool the novice user would employ to fight it. I agree with Andrew that the antivirus software is usally blind to it. It's getting to the point where you have to create a boot CD with the latest disinfection tools on it for each new infection.

They're targeting the novice users, but even experienced people have brought deeply infected machines to me for help. I know browser hijacks and search engine redirectors have been used to feed people into infection points. If you've ever been hit by what appears to be the infection screen, you can see why it works so well. They use just enough confusion and redirection to buy the time they need to infect your system. Even when you know what's happening, it still takes a moment to realize it and decide on the proper way to stop it. I've begun to think you're infected long before you ever see that screen anway.

The best advice I can offer is to not rely on a single defense and think you are protected. The people who release these bugs are constantly strengthening and improving them. These are not kids in a basement--think large scale organized crime and terror/anarchist groups with PLENTY of resources to bring to bear. Learn about rootkits--at least be aware of what they are, and learn about bootable disinfection CD's and boot sector repair tools. If you create a bootable CD, write the date on it and be prepared to throw it away in a few weeks. Chances are the next time you encounter this thing the tools on the old CD won't stop it.

Mike
December 13, 2011 10:23 AM

It showed up on my wife's computer. She was probably lured by the "official" Win 7 tag. I used Leo's recommendation of the Microsoft Standalone System Sweeper as a boot disc, and it tagged the offending malware so it could be removed. Note that it's necessary to run the latest update, so you'll need access to another computer for the free downloand. I also ran an updated version of Malwarebytes afterward, which identified and took out a couple remnants of the trojan, too.

GREG JACKSON
December 13, 2011 11:55 AM

Jerry, Jerry, Jerry--
This great site is free to us, but not Leo. The ads help cover the expense [cuz nothing is free]. The ads you refer to, the ones with the "double underline" are only activated when you click on them.[another hint]

The ads, and "Buy Leo a Latte!" [hint,hint] are the means the end to defer the cost of this free newsletter. Leo loves his Latte [hint,hint again].
Nuff said.

GREG JACKSON
December 13, 2011 12:05 PM

"this kind of stuff deserve severe punishment."YES.

It truly is a shame when these things happen. While their intent is directed towards Widows [I think] it has a profound effect on the average Joe/Jane causing much grief and expense. One could say they are even doing this to their own mother and dear sweet Auntie. Shame. If they would only use their genius for good instead of evil
[sigh].

johnpro2
December 13, 2011 2:36 PM

I suggest you run untested software sandboxed.

The bad guys will show up soon after running new software, however their devious methods will not infect your operating system if protected by a sandbox {quarantine principles}

Sandboxie is free & is excellent protection for web browsing as well.

Even 'Ask Leo' himself has previously direct linked to Sandboxie site in one of his articles.

http://www.sandboxie.com/index.php?DownloadSandboxie

tom
December 13, 2011 2:50 PM

It's people like Jerry that make me wonder. Do these people work for nothing - do they tell their company or their welfare agents to keep the money or to spread it to their neighbors for good will. where do people like Jerry get off calling names when they have such a low tolerance for understanding how the world works. Jerry get a grip even charities don't work for nothing. look at their expense reports what they pay for legal services, transportation, general help in gathering donations. nobody really works for nothing - even the welfare recipients do some kind of work. I think Jerry and other people like him should just be thankful their are sites like Leo's and they are not forced to pay anything for the information they receive. i personally am thankful for the info and am willing to pay for it which is not mandatory from Leo.

Blackspear
December 13, 2011 3:24 PM

You have probably clicked on a newly infected website while making a search, downloaded or received by email a new variant of the Virtumonde aka Vundo Trojan; further information on this infection can be located in the following two links: http://roguedatabase.net/RogueDL.php

http://www.reuters.com/assets/print?aid=USTRE62N29T20100324

These Trojans are aggressively modified multiple times a day by a large Eastern European criminal organization, and tested at websites such as www.virustotal.com in order to avoid detection by ALL antivirus programs.

This infection has also been able to install itself because more than likely you are using an “Administrator” account in Windows, instead of a Limited/Standard user account.

Once the infection has been removed I would suggest that you create and use a STANDARD USER account for daily use of your computer (as recommended by Microsoft). This costs NOTHING, it is built within Windows, and I cannot make it any clearer;

THIS IS YOUR VERY FIRST LINE OF DEFENCE AGAINST INFECTION

Please refer to the following link:
http://www.unixwiz.net/techtips/win7-limited-user.html

Blackspear

Ryan
December 13, 2011 3:39 PM

I was infected with this just yesterday, right after I was fed up with how much system resources my anti-virus program was taking up, and uninstalled it. I remembered an article Leo wrote about the Microsoft Standalone System Sweeper. I quickly downloaded the 200 MB .iso, burned it to disc, and TADA! virus gone..... I would've used Malwarebytes based on it's success in the past, but I wanted to try Microsoft's latest hit.

Ken
December 13, 2011 3:50 PM

What is being done to these bad people? They got me for $59.00 and still had to pay $169.00 to clean my PC. Computer literate individuals must help us Joe/Jane average citizens.

Steven
December 13, 2011 4:45 PM

I have been with this since Antivirus 2009. Why can't someone find a free way to totally block and patch the computers? It seems like the people in RUSSA know more about windows than Microsoft does(sorry, Leo). Why don't you and Bob Rankin ever mention Bleeping computer's combofix. I keep hearing it is Powerful and potentially dangerous, but it is completely safe if you ignore the logs at the end. Use MBAM to finish cleaning up, instead of using the combofix logs to manually fix the leftovers. I have never had any of the computers get trashed or hosed by combofix as of yet.

Maro
December 13, 2011 4:48 PM

Actuslly removing Trojans requires FIRST AND THIS IS THE MOST IMPORTANT, deleting all "system Restore Files" as it is 'saved" there and will popagate again from there regardless of whether trying safe mode or not. The way to do that is to cancle the option of "System Restore", then remove it in Safe Mode, then restart the computer and re-activate System Restore.

johnpro2
December 13, 2011 7:19 PM

Quote: "It's people like Jerry that make me wonder. Do these people work for nothing"

Jerry makes a valid point all the same. Trusted sites should never link to untrusted sites ..regardless of how good the money is.
At minimum, warnings should be given not to click on any links.

jp

Duncan
December 13, 2011 7:24 PM

I know this will sound naive but it is something I have never seen commented on. For this trojan to make money for its propagator, one would need to follow through and actually pay to purchase the 'cure'. All payments must go eventually into the accounts of these criminals. Is there no agency anywhere that actually follows these scams though to find the perpetrators and to which we could report attempts? Yes, I realise that tracing and enforcement might be harder if the purchase perhaps goes to Russia or Serbia, etc. (not to point a finger of course) just wondering?

Mark J
December 14, 2011 1:59 AM

@Duncan
Good point. There is a serious proposal to go after spammers through the banks which spammers use. Here's an interesting article on the subject.
Banks Might Be the Spam Ecosystem's Weak Spot

Tom
December 14, 2011 4:15 AM

Your third point "Use common sense".

I prefer to call it Good Sense because, unfortunately it's not that common!

steven
December 16, 2011 4:06 AM

I was wondering what the Geek squad used in cleaning computers? i would be surprised, if they use the same stuff I use, such as MBAM, suprantispywarebytes and combofix. and Microsoft system sweeper on a USB stick.

J P
December 16, 2011 7:12 PM

I have been removing viruses/ trojans for a couple of decades now, and I actually would suggest that you, Leo, are underestimating this trojan; I certainly did when I volunteered to fix an infected PC. I spent many hours before defeating this animal. My friend's computer had an up-to-date antivirus, behind a hardware firewall and a software firewall. She was unsure as to what might have caused that installation. Only going into safe mode and using an anti-malware which was on a thumb drive allowed the use of the machine. There were some indications that 'parts' of the trojan were still hiding after the removal. So, after retrieving any needed files, I wiped the computer and reinstalled everything. This was the biggest mess I've ever seen on an individual PC. It was actually very insidious. I used the directions on how-to-geek; those on bleeping computer may work, but I found that the trojan would not allow administrator-required activities and/or denied that I was the administrator (which I was.) The penalty for the perpetrators of this trojan should be sent to Gitmo! Thanks for your help!

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.