What is Win32/FakeRean?
Win32/FakeRean is a member of a group of programs called rogue antivirus software: programs that claim to be a legitimate antivirus solution and report a number of fake virus and malware infections. These warnings are displayed to coerce the user into purchasing a registration for the software, supposedly in order to remove the fake infections.
Win32/FakeRean Aliases
Much like BlueFlare Antivirus or its similar Mac equivalent MacProtector, Win32/FakeRean is installed as a piece of software that looks like a real antivirus program. The rogue can present itself under one of several names; the name displayed by the program varies depending on the version of Windows you are running:
- Win7 Internet Security 2010
- Win7 Antivirus Pro 2010
- Win7 Defender 2010
- Win7 Guardian 2010
- Win7 Smart Security
- Win7 Security Tool
- Win7 AntiMalware
- Antivirus Win7
- AntiSpyware Win7
- Total Win7 Security
- Win7 Security Centre
- XP Antivirus 2011
- Win7 Antivirus 2011
- Vista Internet Security 2011
- XP Security 2012
Installation
Win32/FakeRean downloads a number of archives in ZIP or CAB format from a remote server over HTTP. These may include:
- Binaries1.cab
- Binaries2.cab
- Binaries3.cab
The installer then extracts these files into a directory it creates under %windir%\%program files%. The program may then display a window on screen before it begins downloading and installing the software. Upon installation, a number of files will be created on your computer's local storage. The location of these files varies depending on the name of the software that has been installed. For example, the "XP Antispyware 2009" variant of Win32/FakeRean installs the following files:
- %Program Files%\XP_AntiSpyware\AVEngn.dll
- %Program Files%\XP_AntiSpyware\htmlayout.dll
- %Program Files%\XP_AntiSpyware\pthreadVC2.dll
- %Program Files%\XP_AntiSpyware\Uninstall.exe
- %Program Files%\XP_AntiSpyware\wscui.cpl
- %Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
- %Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
- %Program Files%\XP_AntiSpyware\data\daily.cvd
- %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
- %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
- %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
- %Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll
Win32/FakeRean may also add shortcuts to your desktop, Start menu, and quick launch bar. These files may be stored in the following locations, and can be deleted.
- %Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
- %Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
- %Desktop%\XP_AntiSpyware.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk
Win32/FakeRean may also modify the registry so that it runs whenever the user's Internet browser is launched from the Start menu:
Key: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Value: (Default) Data: "" /START
Win32/FakeRean adds a registry entry to launch its fake scanner automatically each time Windows starts. For example:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: XP Antispyware 2009 Data: "%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
Win32/FakeRean also installs a control panel applet which imitates the Windows Security Center:
_scui.cpl
In order to prevent the real Windows Security Center from being displayed in the Control Panel, Win32/FakeRean sets these registry entries:
Key: HKCU\Control Panel\don't load
Value: scui.cpl Data: "No"
Value: wscui.cpl Data: "No"
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel Data: 0x1
It also sets registry entries to stop notifications from the real Security Center:
Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify Data: 0x1
Value: FirewallDisableNotify Data: 0x1
Value: UpdatesDisableNotify Data: 0x1
Win32/FakeRean may also add an uninstall entry, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName Data: "XP Antispyware 2009"
Value: UninstallString Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"
This uninstall shortcut may remove some parts of the program; however, the fake security Control Panel applet (_scui.cpl) is left behind. Win32/FakeRean may also modify the registry so that its fake virus scan runs whenever any .exe file is launched.
How to Remove Win32/FakeRean
In order to remove the rogue antivirus Win32/FakeRean, you will need to install an anti-malware application. The best choice that I have found is Malwarebytes, available in a full-featured paid version, or a free version. After downloading and installing Malwarebytes, update the virus definitions (you will need an active Internet connection) and run a full system scan. When the scan has been completed, it will prompt you to restart your computer, in order to completely remove the virus.
Edit Registry entries
Win32/FakeRean adds registry entries so that it runs whenever any .exe file is launched on your computer. Removing the infection with Malwarebytes should stop the program from running; however, it is a good idea to remove these registry entries as well. To remove the changes that Win32/FakeRean has made to your computer, follow these steps:
- Click Start and then click Run.
- In the Open box, type explorer and then click OK.
- Navigate to the Windows directory (e.g. a typical path is C:\Windows) and locate regedit.exe.
- Run Regedit:
  - On Windows XP systems: right-click regedit.exe and select Run as. Uncheck "Protect my computer and data from unauthorized program activity" and click OK.
  - On Windows 7 or Vista: right-click regedit.exe and select Run as administrator. Click Yes to accept the UAC prompt.
- Using Regedit, locate and then click on the following registry key:
  HKEY_CURRENT_USER\Software\Classes
- In the left panel, right-click on the following registry subkey:
  '.exe'
- Select Delete and then click OK.
- Locate and then click on the following registry key again:
  HKEY_CURRENT_USER\Software\Classes
- In the left panel, right-click on the following registry subkey:
  'secfile'
- Select Delete and then click OK.
- Close Registry Editor.
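The registry locations listed in the installation section and the two HKCU\Software\Classes subkeys the steps above delete can be checked from one place. The following PowerShell script is an added example, not part of the original post or of any vendor tool; it assumes an elevated prompt, that the modified hive belongs to the currently logged-on user, and the Get-FakeReanIndicators function name and alias pattern are my own.

```powershell
# Added example (not part of the original post): audit the registry locations this
# post attributes to Win32/FakeRean and, with -Remove, delete the two HKCU\Software\Classes
# subkeys that the removal steps above target. Run from an elevated PowerShell prompt.
# Assumption: the rogue modified the hive of the currently logged-on user.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)
function Get-FakeReanIndicators {
    $f = @()
    # 1. .exe file-association hijack (HKCU\Software\Classes\.exe -> secfile)
    foreach ($sub in '.exe', 'secfile') {
        $key = "HKCU:\Software\Classes\$sub"
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
            $f += "[hijack] $key present (open command: $cmd)"
        }
    }
    # 2. Security Center notifications silenced
    $sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc.$v -eq 1) { $f += "[notify] Security Center\$v = 1" }
    }
    # 3. Real Security Center applet hidden from Control Panel
    $dl = Get-ItemProperty "HKCU:\Control Panel\don't load" -ErrorAction SilentlyContinue
    foreach ($v in 'scui.cpl', 'wscui.cpl') {
        if ($dl.$v -eq 'No') { $f += "[cpl] $v suppressed via 'don't load'" }
    }
    $pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    if ($pol.ForceClassicControlPanel -eq 1) { $f += '[cpl] ForceClassicControlPanel = 1' }
    # 4. Run entries named like the aliases listed above, or launched with the /hide switch
    $alias = '(Win7|XP|Vista) (Internet Security|Antivirus|AntiSpyware|Security|Defender|Guardian|Smart Security|AntiMalware)|(Antivirus|AntiSpyware) Win7|Total Win7 Security'
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if (-not $run) { continue }
        $hits = $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and
            ("$($_.Name) $($_.Value)" -match $alias -or "$($_.Value)" -match '\s/hide$') }
        foreach ($p in $hits) { $f += "[run] ${hive}\...\Run\$($p.Name) = $($p.Value)" }
    }
    return $f
}

$found = Get-FakeReanIndicators
if (-not $found) { Write-Host 'No Win32/FakeRean registry indicators found.'; return }
$found | ForEach-Object { Write-Warning $_ }
if ($Remove) {
    foreach ($sub in '.exe', 'secfile') {
        $key = "HKCU:\Software\Classes\$sub"
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) { Remove-Item $key -Recurse -Force }
    }
}
```

Run it once without switches to list findings, then with `-Remove -WhatIf` to preview and `-Remove` to delete the two hijack subkeys; the Security Center and Control Panel values are only reported, so you can review them before changing anything.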
This post is brought to you by LachyTech.