[Tutorial] Remove Win32/FakeRein Virus

Discussion in 'Computing, Science, and Technology' started by Daring Dash, Aug 17, 2011.

  1. Daring Dash Active Member

    Member Since:
    Sep 11, 2010
    Message Count:
    1,596
    Device:
    iPad mini
    [Tutorial] Remove Win32/FakeRein Virus

    • Display of the following icons, warnings, pop-ups, or other things:
      [IMG]
      [IMG]
      [IMG]

    Technical Information (Analysis)

    Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

    Win32/FakeRean has been distributed with several different names. The user interface and some other details vary to reflect each variant’s individual branding. Current variants of FakeRean choose a name at random, from a number of possibilities determined by the operating system of the affected system. Please see below for all the possible combinations that may be used to brand the interface and associated content, including websites, etc. in recent variants:

    ==Win 7==
    Win 7 Internet Security 2010
    Win 7 Internet Security
    Win 7 Antivirus Pro 2010
    Win 7 Antivirus 2010
    Win 7 Antivirus
    Win 7 Antivirus Pro
    Win 7 Defender 2010
    Win 7 Guardian
    Win 7 Defender
    Win 7 Antispyware 2010 Antivirus
    Win 7 2010
    Win 7 Guardian 2010
    Win 7 Defender Pro
    Win 7 Smart Security
    Win 7 Smart Security 2010
    Win 7 Security Tool
    Win 7 Security Tool 2010
    Win 7 AntiMalware
    Win 7 AntiMalware 2010
    Win 7 Internet Security
    Antivirus Win 7
    Antispyware Win 7
    Total Win 7 Security
    Win 7 Security
    Win 7 Security Center

    ==Vista==
    Vista Internet Security 2010
    Vista Internet Security
    Vista Antivirus Pro 2010
    Vista Antivirus Pro
    Vista Antivirus 2010
    Vista Antivirus
    Vista Defender 2010
    Vista Guardian
    Vista Guardian 2010
    Vista Antispyware 2010
    Vista Defender
    Vista Antivirus 2010
    Vista Defender Pro
    Vista Smart Security
    Vista Smart Security 2010
    Vista Security Tool 2010
    Vista Security Tool
    Vista AntiMalware
    Vista AntiMalware 2010
    Vista Internet Security Antivirus
    Vista Antispyware
    Vista Essentials
    Vista Security
    Total Vista Security

    ==XP==
    XP Antivirus
    XP Defender 2010
    XP Guardian
    XP Guardian 2010
    Antivirus XP 2010
    XP Antispyware 2010
    XP Defender
    XP Defender Pro
    XP Smart Security
    XP Smart Security 2010
    XP Security Tool
    XP Security Tool 2010
    XP AntiMalware
    XP AntiMalware 2010
    XP Internet Security
    XP Security
    XP Defender Pro 2010
    Total XP Security
    XP Antispyware
    XP Antivirus
    XP Essentials
    XP Internet Security 2010
    XP Internet Security
    XP Antivirus Pro 2010
    XP Antivirus Pro
    XP Antivirus 2010



    Installation

    Win32/FakeRean installers download several archives in either ZIP or CAB format from a remote location via HTTP while you are surfing the web, which is why it is so important that you have a good security program installed.

    The following is what it downloads in CAB format:



    • Binaries1.cab
    • Binaries2.cab
    • Binaries3.cab

    The installer then extracts these files into a directory it creates under %program files%.

    The installer displays a window before it begins downloading, like this:

    [IMG]

    While downloading, the installer will display a window like the following:

    [IMG]

    • Presence of the following files, for example:
      Binaries1.cab
      Binaries2.cab
      Binaries3.cab
      %Program Files%\XP_AntiSpyware\AVEngn.dll
      %Program Files%\XP_AntiSpyware\htmlayout.dll
      %Program Files%\XP_AntiSpyware\pthreadVC2.dll
      %Program Files%\XP_AntiSpyware\Uninstall.exe
      %Program Files%\XP_AntiSpyware\wscui.cpl
      %Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
      %Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
      %Program Files%\XP_AntiSpyware\data\daily.cvd
      %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
      %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
      %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
      %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
    • Presence of the following registry modifications:
      Key: HKCU\Control Panel\don't load
      Value: scui.cpl
      Data: "No"
      Value: wscui.cpl
      Data: "No"

      Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      Value: ForceClassicControlPanel
      Data: 0x1

      Key: HKLM\SOFTWARE\Microsoft\Security Center
      Value: AntiVirusDisableNotify
      Data: 0x1
      Value: FirewallDisableNotify
      Data: 0x1
      Value: UpdatesDisableNotify
      Data: 0x1

      Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
      Value: DisplayName
      Data: "XP Antispyware 2009"
      Value: UninstallString
      Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"

      Key: HKLM\Software\XP_Antispyware
      Value: info
      Data: "<date installed>"

      To subkey: HKCU\Software\Classes\.exe
      Sets value: "(Default)"
      With data: "secfile"

      To subkey: HKCU\Software\Classes\.exe
      Sets value: "Content Type"
      With data: "application/x-msdownload"

      To subkey: HKCU\Software\Classes\.exe\DefaultIcon
      Sets value: "(Default)"
      With data: "%1"

      To subkey: HKCU\Software\Classes\.exe\shell\open\command
      Sets value: "(Default)"
      With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

      To subkey: HKCU\Software\Classes\.exe\shell\open\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\.exe\shell\runas\command
      Sets value: "(Default)"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\.exe\shell\runas\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\.exe\shell\start\command
      Sets value: "(Default)"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\.exe\shell\start\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\secfile
      Sets value: "(Default)"
      With data: "Application"

      To subkey: HKCU\Software\Classes\secfile
      Sets value: "Content Type"
      With data: "application/x-msdownload"

      To subkey: HKCU\Software\Classes\secfile\DefaultIcon
      Sets value: "(Default)"
      With data: "%1"

      To subkey: HKCU\Software\Classes\secfile\shell\open\command
      Sets value: "(Default)"
      With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

      To subkey: HKCU\Software\Classes\secfile\shell\open\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\secfile\shell\runas\command
      Sets value: "(Default)"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\secfile\shell\runas\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\secfile\shell\start\command
      Sets value: "(Default)"
      With data: ""%1" %*"

      To subkey: HKCU\Software\Classes\secfile\shell\start\command
      Sets value: "IsolatedCommand"
      With data: ""%1" %*"
    • Presence of the following shortcuts:
      %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
      %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
      %Desktop%\XP_AntiSpyware.lnk
      %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk




    Different programs appear for different versions of Windows (it scans before showing up) and will show the matching Windows scanner (for example, if you are using Vista it might show Vista Security).

    The directories and file names used depend on the branding used by each variant.


    %Program Files%\XP_AntiSpyware\AVEngn.dll
    %Program Files%\XP_AntiSpyware\htmlayout.dll
    %Program Files%\XP_AntiSpyware\pthreadVC2.dll
    %Program Files%\XP_AntiSpyware\Uninstall.exe
    %Program Files%\XP_AntiSpyware\wscui.cpl
    %Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
    %Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
    %Program Files%\XP_AntiSpyware\data\daily.cvd
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
    %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll


    In another example, these files are installed by the variant that calls itself "AntispywareXP 2009":

    %Program Files%\AntiSpywareXP2009\AVEngn.dll
    %Program Files%\AntiSpywareXP2009\htmlayout.dll
    %Program Files%\AntiSpywareXP2009\pthreadVC2.dll
    %Program Files%\AntiSpywareXP2009\Uninstall.exe
    %Program Files%\AntiSpywareXP2009\wscui.cpl
    %Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.cfg
    %Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe
    %Program Files%\AntiSpywareXP2009\data\daily.cvd
    %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
    %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
    %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
    %Program Files%\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll


    Win32/FakeRean also adds shortcuts to the current user's Start menu, desktop and quick launch bar, for example:


    • %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
    • %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
    • %Desktop%\XP_AntiSpyware.lnk
    • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
    or

    • %Start menu%\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
    • %Start menu%\Programs\AntiSpywareXP2009\Uninstall.lnk
    • %Desktop%\AntiSpywareXP2009.lnk
    • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\AntiSpywareXP2009.lnk

    Desktop icon for the XP Version

    [IMG]

    Win32/FakeRean will also modify the registry in order to ensure that it runs whenever the user's Internet browser is launched from the Start menu. The program makes it so you can't open anything except My Computer or Control Panel.

    Adds value: (Default)
    With data: "<malware file name>" /START <location of browser>
    To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

    For example:
    Adds value: (Default)
    With data: "C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
    To subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

    Payload

    Displays Fake Alerts, and Fake Scanning Results
    Win32/FakeRean adds a registry entry to launch its fake scanner automatically each time Windows starts. For example:
    Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Value: XP Antispyware 2009
    Data: ""%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide"
    or
    Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Value: AntiSpywareXP 2009
    Data: ""%Program Files%\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide"

    The fake scanner UI may look like this, for example:

    [IMG]

    When a "scan" is completed, it displays a message like this:

    [IMG]

    Periodically it may display fake warning pop-ups from its system tray icon, for example:


    [IMG]

    Win32/FakeRean also installs a control panel applet which imitates the Windows security center:

    • <system folder>\_scui.cpl

    For example:
    [IMG]

    Clicking any of the buttons or links in this window merely opens the default browser and opens a page to buy the fake product online.

    Modifies system security settings
    In order to prevent the real Windows security center from being displayed in the control panel, Win32/FakeRean sets these registry entries:

    Key: HKCU\Control Panel\don't load
    Value: scui.cpl
    Data: "No"
    Value: wscui.cpl
    Data: "No"

    Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: ForceClassicControlPanel
    Data: 0x1

    It also sets registry entries to stop notifications from the real security center:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: AntiVirusDisableNotify
    Data: 0x1
    Value: FirewallDisableNotify
    Data: 0x1
    Value: UpdatesDisableNotify
    Data: 0x1

    Win32/FakeRean may also add an uninstall entry, for example:

    Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
    Value: DisplayName
    Data: "XP Antispyware 2009"
    Value: UninstallString
    Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
    or
    Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareXP2009
    Value: DisplayName
    Data: "AntiSpywareXP 2009"
    Value: UninstallString
    Data: "%Program Files%\AntiSpywareXP2009\Uninstall.exe"

    This usually does not uninstall the trojan; however, the shortcut added to the start menu ("Uninstall.lnk") may remove most of the program. The fake security center control panel applet (_scui.cpl) is left behind.

    While Win32/FakeRean pretends to scan the machine, it may create files with randomly generated file names, which it fills with random "junk" bytes. These are the files it reports as threats, presumably to make its claims seem more plausible.

    Modifies system settings
    Recent variants of Win32/FakeRean make a number of changes to the registry in order to ensure that FakeRean's executable is executed every time a file with an '.exe' file extension is run. Win32/FakeRean may make the following registry modifications for this purpose:

    To subkey: HKCU\Software\Classes\.exe
    Sets value: "(Default)"
    With data: "secfile"

    To subkey: HKCU\Software\Classes\.exe
    Sets value: "Content Type"
    With data: "application/x-msdownload"

    To subkey: HKCU\Software\Classes\.exe\DefaultIcon
    Sets value: "(Default)"
    With data: "%1"

    To subkey: HKCU\Software\Classes\.exe\shell\open\command
    Sets value: "(Default)"
    With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\open\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\runas\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\runas\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\start\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\.exe\shell\start\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile
    Sets value: "(Default)"
    With data: "Application"

    To subkey: HKCU\Software\Classes\secfile
    Sets value: "Content Type"
    With data: "application/x-msdownload"

    To subkey: HKCU\Software\Classes\secfile\DefaultIcon
    Sets value: "(Default)"
    With data: "%1"

    To subkey: HKCU\Software\Classes\secfile\shell\open\command
    Sets value: "(Default)"
    With data: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\av.exe" /START "%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\open\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\runas\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\runas\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\start\command
    Sets value: "(Default)"
    With data: ""%1" %*"

    To subkey: HKCU\Software\Classes\secfile\shell\start\command
    Sets value: "IsolatedCommand"
    With data: ""%1" %*"

    Additional Information

    FakeRean may set a registry entry containing the date it was installed, for example:
    Key: HKLM\Software\XP_Antispyware
    Value: info
    Data: "10/21/2008"


    Removal:

    The most simple way to remove Win32/FakeRean is to press CTRL-ALT-DELETE

    Start Task Manager

    Go to Processes

    (You may have to bring it up several times; as said in the info, it closes things)


    Click Defender.exe

    End Process

    Click Enter

    Run your Antivirus and delete it off your computer


    Done! Hope this helped everyone out... It just happened to me




    Credit to Microsoft for the Pictures!
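A read-only audit script built from the indicators listed in the post above. This is an added example, not part of the original post and not Microsoft's or the forum's code. It assumes Windows PowerShell 2.0 or later and checks only the registry locations, value names, file names and command-line switches (`/START`, `/hide`) that the post quotes; the function name Test-FakeReanIndicators is made up for this example. Run it from an elevated prompt so the HKLM keys can be read; it changes nothing.

```powershell
# Added example (not from the post above): read-only audit of the registry and
# file locations the post lists for Win32/FakeRean. Assumes PowerShell 2.0+.

function Get-RegValue {
    # Return a registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FakeReanIndicators {
    $findings = @()

    # 1. Per-user hijack of the .exe file type. A clean system defines .exe only
    #    under HKLM\Software\Classes, so any HKCU override is worth a look.
    $exeDefault = Get-RegValue 'HKCU:\Software\Classes\.exe' '(default)'
    if ($exeDefault) {
        $findings += "Per-user .exe association overridden: (Default)='$exeDefault' (the post shows 'secfile')"
    }
    foreach ($cls in @('.exe', 'secfile')) {
        $cmd = Get-RegValue "HKCU:\Software\Classes\$cls\shell\open\command" '(default)'
        if ($cmd -and $cmd -ne '"%1" %*') {
            $findings += "HKCU\Software\Classes\$cls open command is '$cmd' (expected the default ""%1"" %*)"
        }
    }

    # 2. Windows Security Center notifications switched off.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ((Get-RegValue $sc $v) -eq 1) { $findings += "Security Center: $v = 1" }
    }

    # 3. Real security center applet hidden from the Control Panel.
    $dontLoad = "HKCU:\Control Panel\don't load"
    foreach ($cpl in 'scui.cpl', 'wscui.cpl') {
        if ($null -ne (Get-RegValue $dontLoad $cpl)) { $findings += "Control Panel applet suppressed: $cpl" }
    }
    $policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ((Get-RegValue $policies 'ForceClassicControlPanel') -eq 1) { $findings += 'ForceClassicControlPanel = 1' }

    # 4. Start-menu Internet browser launch routed through the rogue binary.
    $ie = Get-RegValue 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command' '(default)'
    if ($ie -and $ie -match '/START') { $findings += "StartMenuInternet IE command hijacked: $ie" }

    # 5. Autostart entries using the /hide switch quoted in the post.
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path -LiteralPath $run) {
            $props = Get-ItemProperty -LiteralPath $run
            foreach ($p in $props.PSObject.Properties) {
                if (($psMeta -notcontains $p.Name) -and ("$($p.Value)" -match '\s/hide\b')) {
                    $findings += "Run entry '$($p.Name)' uses /hide: $($p.Value)"
                }
            }
        }
    }

    # 6. The rogue's file set: any Program Files folder holding its engine DLLs,
    #    plus the fake security-center applet in the system folder.
    $engineFiles = 'AVEngn.dll', 'htmlayout.dll', 'pthreadVC2.dll'
    $dirs = Get-ChildItem -LiteralPath $env:ProgramFiles -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        $hits = @($engineFiles | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
        if ($hits.Count -ge 2) { $findings += "Rogue file set in $($dir.FullName): $($hits -join ', ')" }
    }
    $scui = Join-Path $env:SystemRoot 'system32\_scui.cpl'
    if (Test-Path -LiteralPath $scui) { $findings += "Fake security center applet present: $scui" }

    return $findings
}

$results = @(Test-FakeReanIndicators)
if ($results.Count -eq 0) { 'No Win32/FakeRean indicators found.' } else { $results }
```

If the script reports the per-user `.exe` override, that explains why the post says to end the process first: with `HKCU\Software\Classes\.exe` pointing at `secfile`, every `.exe` the user starts (including an antivirus installer) is launched through the rogue's `av.exe`. Once the process is stopped, deleting those two per-user keys (`.exe` and `secfile` under `HKCU\Software\Classes`) makes Windows fall back to the machine-wide association under HKLM, which the rogue does not touch.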
  2. Apple951 Well-Known Member

    Member Since:
    Apr 8, 2011
    Message Count:
    8,925
    Device:
    iPhone 4S (White)
    Do you know what Rundl132.exe is?
  3. Undivided Well-Known Member

    Member Since:
    Aug 13, 2011
    Message Count:
    4,355
    Device:
    iPhone 4S (White)
    I had a bad virus a while back, and it said Rundl132 was preventing me from opening my control panel. It was really bad; I had to start my computer from scratch. This guide looked great though. To be honest I didn't read much cuz it's long! But it looks like you know what you're doing.
  4. Daring Dash Active Member

    Member Since:
    Sep 11, 2010
    Message Count:
    1,596
    Device:
    iPad mini
    OS List fixed :D

    The problem can occur if the "drivers=mmsystem.dll" line is missing from the boot section of the System.ini file.

    To correct the problem:

    1. Use Notepad to edit the System.ini file.
    2. Add the following line to the [boot] section of the file: drivers=mmsystem.dll
    3. Save and then close the System.ini file.
    4. Restart your computer!
  5. Naveen121 Well-Known Member

    Member Since:
    Apr 9, 2010
    Message Count:
    2,075
    Device:
    2G iPod touch
    Wow, nice guide, but hopefully I won't have to use it one day ;)
  6. Daring Dash Active Member

    Member Since:
    Sep 11, 2010
    Message Count:
    1,596
    Device:
    iPad mini
    Thanks! Sadly I had to use it; that's why I wrote this article... Stupid virus
  7. Nickmadkiller Well-Known Member

    Member Since:
    May 16, 2010
    Message Count:
    4,201
    Device:
    iPhone 4 (White)
    Trust me I feel your pain.

    I once had a virus similar except it was a different fake anti-virus.

    It was called Antivir Pro Test (or something like that) and I let it do a scan since I assumed somebody installed it on my PC.

    It says all these things saying I had tons of viruses and weird stuff and I was like "Oh crap...not again!"

    The first thing I noticed weird is how the virus installed another virus (one virus leads to another..oh bummer!)

    I was playing Counter-Strike:Source and I heard ads running in the background.

    I exit out and surely there's ads running in my background! I was like what the eff is this.

    Surely I freaked out but this isn't anything new. I'm bad about viruses so yeah.

    Once it was removed I was very happy.

    Viruses suck but having the right software does the trick!
  8. Daring Dash Active Member

    Member Since:
    Sep 11, 2010
    Message Count:
    1,596
    Device:
    iPad mini
    Exactly that!
  9. Nickmadkiller Well-Known Member

    Member Since:
    May 16, 2010
    Message Count:
    4,201
    Device:
    iPhone 4 (White)
    Unfortunately at a young age I developed a horrible thing about getting viruses.

    Most of the time I can never figure out what led to the viruses I got.

    The last virus I got was when I was trying to do some customization on the boot up screen on XP and change some layouts.

    When my PC started acting funny once I installed the program I immediately got Spybot and got rid of it.

    My body knew it was a virus as I was installing the program.

    But here's my problem. When I really want to get something working & I really want this program cause it seemed cool, and the program I was installing was going to do what I wanted it to do, but it had some weird stuff about it and I knew it was a virus.

    Problem is my other half of my brain was like "do it anyways cause that's how I roll!"

    Though point is that I gotta stop that bad habit of mine.

    Luckily it's been probably 4-6 months since my last virus.

    I did a scan the other day on Spybot and didn't have anything.

    Just the occasional cookies which isn't an issue.

    Though I will say this.

    And yes I am writing a lot but I like typing crap like this :p.

    Here's something I developed over the years of finding viruses.

    I've probably been getting viruses every few months since I was 9 and I'm 15 now.

    Well over the period I have gained knowledge, preparation, and skill over defeating viruses.

    Over those years I got better & "slicker" with getting rid of em.

    Though I do believe that I have been more cautious and more sure of there being a virus on my PC.

    If there's something different or "feels" different I always suspect a virus.

    That scan I did a few days ago was because I had a "scent" that a virus may have been on. Luckily there wasn't.

    All in all over the years I kick viruses' ASS. I may attract viruses but viruses can't beat ol' Nick. Nick kicks their ass and gives them the finger once I remove them.

    I kick dem' viruses' ass so hard that more viruses keep on coming to challenge me! Kidding.

    Though I know it's bad to get viruses but as long as I keep kicking their ass they can bring it on!
  10. Indestructible Banned

    Member Since:
    May 2, 2010
    Message Count:
    3,210
    Device:
    4G iPod touch
    Amazing thread.

    /Sticky