Remove the Win 7 Internet Security 2012 virus the Quick & Easy Way (Instructions)

Last night during my ~~usual blackhat~~ grayhat travels I managed to get infected with the Win 7. Internet Security 2012 virus / trojan. Mine in particular came via the consrv.dll rootkit which tends to infest itself via bugs in popular software like Adobe producs and Flash. Nice. Thumbs Up

I happened to stop at ThePirateBay torrent search site which most likely had a flash object on it, which most likely attacked my vulnerable version of Adobe Flash (all speculation) and off it went. My first tip-off was when my Comodo Anti-virus popped up a message saying consrv.dll was found (as soon as I loaded the Pirate Bay page, so it must've been downloaded via the bugged Flash), so I chose the "Clean" option. I guess either Comodo's "clean" feature doesn't work, or the consrv.dll had already done it's work by installing the Win 7. Internet Security 2012 virus, or whatever, because as soon as I clicked the "Clean" button, b00m! I started getting all of the expected symptoms of the Win 7. Internet Security 2012 virus.

Fortunately though, the Win 7. Internet Security 2012 isn't a very "dangerous" virus/Malware; all it really does is spam the hell out of you with popups telling you that your system is completely infested (it's not) with viruses, and wants you to pay for the registered version in order to clean it all out. Whatever you do, don't pay a cent via any of those popups, you're only helping to encourage these virus authors if you do. This is nothing more than a FakeAV (Fake Anti-Virus).

What Win 7. Internet Security 2012 Does:

You'll get notices in your system tray as popup balloons
An icon in your system tray, typically looks like a shield to make you think it's some sort of genuine protection
Popup dialog boxes in the bottom corner of your window
False, but very genuine looking, Windows Security Alerts
Whenever you try to run any program with a .exe extension, it'll hijack it, stop it from running, and instead show you a popup message saying that the program you just tried to launch is infected, (again, it's NOT).
Adds a few registry keys to run itself whenever you try to run Firefox or Internet Explorer (IE), and on startup

Example:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX..EXE\shell\open\command\(default)(Hijack.StartMenuInternet)
Bad: ("C:\Users\Scott\AppData\Local\wat.exe" -a "E:\Internet\Browsers\Firefox. x32\FIREFOX..EXE")
Good: (FIREFOX..EXE)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX..EXE\shell\safemode\command\(default)(Hijack.StartMenuInternet)
Bad: ("C:\Users\Scott\AppData\Local\wat.exe" -a "E:\Internet\Browsers\Firefox. x32\FIREFOX..EXE" -safe-mode)
Good: (FIREFOX..EXE -safe-mode)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)(Hijack.StartMenuInternet)
Bad: ("C:\Users\Scott\AppData\Local\wat.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe")
Good: (iexplore.exe)

It'll also add itself to your usual startup registry key(s). The files it'll create are usually random 3 letter words + .exe, like my "wat.exe" example above.

Some examples of what the Win 7. Internet Security 2012 popups will say are:

Win 7. Internet Security 2012 wrote:

Win 7. Internet Security 2012 Alert
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:

Dangerous code found in this site’s pages which installed unwanted software into your system.
Suspicious and potentially unsafe network activity detected.
Spyware infections in your system
Complaints from other users about this site.
Port and system scans performed by the site being visited.

Things you can do:

Get a copy of Vista Security 2012 to safeguard your PC while surfing the web (RECOMMENDED)
Run a spyware, virus and Malware scan
Continue surfing without any security measures (DANGEROUS)

Win 7. Internet Security 2012 wrote:

Win 7. Internet Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

Win 7. Internet Security 2012 wrote:

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Win 7. Internet Security 2012 wrote:

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

Removal: How to Remove Win 7. Internet Security 2012, the super-easy way:

Set your system Date & Time ahead 7+ days. Wait a little bit (up to an hour or so), or just restart your computer. That's it! All clean!

Why does this work? Because, as I mentioned earlier, the Win 7. Internet Security 2012 isn't a particularly insidious Malware; it'll do everything in it's power to annoy you, scare, and you stress you out, but it's main goal is to just get you to cough up that money for it's so-called registered, pro version (which by the way, you won't get anything at all other than a lighter wallet if you do pay up to them). If you don't pay them within about a week, apparently the author(s) assume that you won't ever pay for it and it removes itself (how polite of them ...). So setting your system date ahead a week tricks it into thinking it's time to remove itself.

The next thing you should do is run a known, good anti-Malware scanner, like MalwareBytes and/or SuperAntiSpyware. Or even BOTH one after the other, all just to be on the safe side, and for that extra piece of mind. (Clean out anything they may find, if they do).

You can reboot your system again once you're all clean and set your Date & Time back to your real Date & Time.

Some Other Tips:

While I was diagnosing my issue, I found that since Win 7. Internet Security 2012 hijacks .exe files, making it almost impossible to run your Malware scanners, if you make a copy of the scanner's main .exe and rename the .exe to .com, you'll then be able to run them as usual.
For example, to be able to run the MalwareBytes scanner:
- Press Win + E to bring up Explorer
- Navigate to your installation of the program highlight the mbam.exe file
- Press Ctrl + C and then Ctrl + V to make a copy of it
- Finally, rename the .exe portion to .com
In fact I recommend doing this for your scanners even when you don't have any infections just in case you need to run them down the road during an infection. You can set these up to be your normal shortcut to the file instead of it's usual .exe version so that you can just run it from wherever you placed it shortcut, just be sure to do the process over again if the softwares' main program gets updated.
Don't click on any of the buttons in any of the popups. Just leave them alone. You can't trust anything these virus authors tell you, including a simple "close this window" or similarly phrased button. It may do the opposite if what it says. There's only one exception (below) and I don't even recommend bothering to do that ...
There have been some claims that if you enter one of these 2 serial numbers into it's registration field, it'll disable / clean / remove itself, because it thinks it got your money "legitimately".
- 1147-175591-6550
- 2233-298080-3424 3425-814615-3990
Some other names for the Win 7. Internet Security 2012 virus can be:
- Vista Internet Security 2012
- XP Internet Security 2012
- ^-- Which attack those Windows Operating Systems' respectively, and/or a difference in the year at the end of the name, i.e. XP Internet Security 2011

Win 7 Internet Security 2012 Malware Virus Trojan Removal

If we've helped you at all with this removal guide, please be sure to click that Facebook "Like" button to recommend it to all of your friends or family, and we'd love if you also Liked our Fan page. If you have any other tips, advice or info on removing / cleaning Win 7. Internet Security 2012, leave us a comment. Smile