Howdy folks,
I just dealt with a real PITA of a virus on my laptop. It's called FakeRean, and while it was a PITA there was a fairly easy fix so I figured I'd point y'all towards it just in case. This will be a long and rambly post, but hopefully it will save somebody the hassle and stress of trying to find an answer on google.
First of all, what it is. FakeRean is a virus that pretends to be a Microsoft antivirus program/Microsoft Security Center/Windows Defender/and a massive host of aliases. The concerning thing about this is that it actually seizes control of the genuine Microsoft security programs and disables firewalls, etc. It will come up with dangerous threats to your system and then call for you to register to get rid of them. Naturally they're after your money; there does not appear to be any truly serious threat to your computer's integrity, but lots of popups, constantly running programs, it's annoying and concerning because of another thing I've heard of it doing (there seem to be at least two or three variations of the same basic virus, one of which downloads other viruses which CAN be more dangerous).
If a virus program EVER starts giving you alerts, disconnect from the internet as soon as is humanly possible. If it's a fake alert like the one I got, you don't want it having access to your computer and the internet, it's amazing just how much information is stored in program files and how easy they are to get at. If it's a genuine alert, your computer is obviously compromised and you don't want the virus being distributed to other people via the internet; and that is one of the primary purposes of hacking computers, to take their processing power/bandwidth for mail, virus distribution and brute-force hacking of other systems.
Causes for concern:
Incessant popups are always a cause for concern; I've never seen an antivirus program that would do more than a single popup and unpleasant noise when it finds a threat. If it's continuously coming up with things telling you your computer is infected, it probably is; just not with what it's telling you. When this started, I had five or six popups continuously appearing. It will also tend to open webpages, but the very first sign I got was Firefox dying spontaneously.
If Microsoft asks for money there's probably something wrong - Windows Defender, Security Centre, firewall etc. are all free with Windows.
Task manager access restricted - this particular virus enters a registry key that will deprive you of task manager access so you cannot kill it. If you are an administrator this should NEVER happen.
Regedit access restricted - it will also restrict access to regedit so you can't fix the registry.
What you can do
Firstly, like I say, disconnect. That's your initial damage control.
Secondly, switch users (don't log out) and log in as a different administrator. Often, a virus will affect a single user as was the case in this situation. I was still able to access registry controls and task manager from the other user.
Thirdly, Ctrl+Alt+Del to get the task manager. Click on the "Processes" tab. There should be an option underneath the list of processes to "Show processes from all users". Check this.
When you have the list of processes from all users, you can look for dodgy applications. The dodgy ones will often have the same entry for "Image Name" as "Description", though this is not absolute. Three files you DEFINITELY want to keep an eye on are "av.exe", "ave.exe" and "geurge.exe". If you see these, right click and "Open File Location" and end them, then delete them. The problem with this virus is that it runs itself under multiple different names (apparently generating them at random) and appears to set itself as a dependency for all applications (i.e. any time you start an application the virus will restart).
Unfortunately, the easiest (if not the only) way to fix this virus once and for all is to use an antivirus program. I will include a download at the end of this. The antivirus program will scan your computer and delete the infected files. Install the antivirus program as your alternate administrator and let it do its work. It will ask to reset. This leads you to the next problem.
Since the virus made itself a prerequisite for any programs, you now cannot run applications as the infected user. The joy! What you can do, however, is right click on an application and select "Run as administrator". However, this does no good at this point. What you need to run is Regedit (as the infected user), which you still don't have permissions for. So, next step!
I will include in another download this handy little VBScript called Regtools. This will allow you to edit the registry. You must run the VBScript as the infected user. Log out and back in, IIRC!
Now, you can finally fix the exe files. However, to do this, you must use Windows Explorer (about the only working application in the infected user) to navigate to C:\Windows. There should be an executable called "regedit.exe". Right click and run as administrator. First thing you ever want to do when editing the registry is click "File" and "Export...". This will save a backup of your registry should things get messed up.
Then go File > Import... and select "trojan_fakerean_exe_fix.reg" (I will include this as a download with the VBScript). It will edit the registry key that prevents you from running applications. The effect should be immediate!
This still leaves the task manager - while still in Regedit, navigate to:
HKEY_CURRENT_USER
>Software
->Microsoft
-->Windows
--->CurrentVersion
---->Policies
----->System
Here will be a key called "DisableTaskMgr"
Right click and select "Modify"
Under "Value Data" it will say 1. Change this to 0.
And you're done!
For the record, this was all done on Windows Vista and I have no clue whether it would work on XP. It's only been done half an hour or so, so I can't say whether the antivirus program is 100% trustworthy; I downloaded it because I didn't have my own and it was recommended by the website that gave me the other fixes, and that seemed reliable. If you have your own that you know/trust, use it instead. This is why I included it in a separate zip file:
Zip file 1 - this includes the VBScript for allowing registry editing, and the registry key to make applications work once the virus is gone.
Malwarebytes Anti-Malware - the program used for removal
I hosted the VBScript and registry files on my dad's server so that y'all would know that they weren't gonna get changed after this post by someone of malicious intent!
So, I hope that helps and wasn't too annoying/confusing; I ain't so good at explaining stuff. It's probably unlikely that this will be a problem for most of y'all, but I thought I'd put it out there anyway as it was difficult for me to find.
Like I say, this fix is only half an hour or so old for me: I'm not 100% confident that it's worked yet, though it appears to have and I can't see any out of the ordinary processes running in task manager. I did notice that a lot of desktop icons have disappeared though, and my Windows appearance settings were reset. No files appear to be missing, though a few shortcuts (such as the Documents shortcut in the start menu) are now dead.
Given that I'm ultimately unsure about whether it's fully gone, and unsure about the antivirus program, I can make no guarantees about it working on your computer, I just think that it has on mine!
Anyway, that's been my evening! A real PITA!
Pete
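A small PowerShell audit for the lockout described in the post, added here as an example; it is not Pete's Regtools script, his .reg file, or anything from Malwarebytes. It reads the same policy key Pete navigates to in Regedit (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System), reports whether DisableTaskMgr is set to 1, and does the same for DisableRegistryTools, which is the standard Windows policy value behind the "Regedit access restricted" symptom (the value name is a real Windows policy name, not something from the post). With -Fix it exports the key first, mirroring the File > Export advice, then resets both values to 0. It also lists any running process whose name matches av, ave or geurge, the three image names the post calls out; the script file name Check-FakeReanLockout.ps1 is made up for the usage line.

```powershell
# Added example, not the post's own tooling.
# Audits (and with -Fix, clears) the per-user policy values that lock out
# Task Manager and Regedit, and flags running processes whose names match
# the ones named in the post. Run in the affected user's session from an
# elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Fix)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyPath = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lockouts   = 'DisableTaskMgr', 'DisableRegistryTools'   # real Windows policy value names
$suspects   = 'av', 'ave', 'geurge'                       # image names from the post, minus .exe

# Back up the key before changing anything, as the post advises for Regedit.
if ($Fix -and (Test-Path $policyKey)) {
    $backup = Join-Path $env:USERPROFILE ("policies-system-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $policyPath $backup /y | Out-Null
    Write-Host "Backed up policy key to $backup"
}

foreach ($name in $lockouts) {
    $value = $null
    if (Test-Path $policyKey) {
        # -ErrorAction SilentlyContinue: a missing value is the normal, healthy state.
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    }
    if ($null -eq $value) {
        Write-Host "$name is not set (normal)."
    } elseif ($value -eq 1) {
        Write-Warning "$name = 1: this user is locked out."
        if ($Fix) {
            # Equivalent of Pete's 'Modify ... change 1 to 0' step in Regedit.
            Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
            Write-Host "  -> reset $name to 0"
        }
    } else {
        Write-Host "$name = $value (not a lockout)."
    }
}

# Flag running processes matching the names the post calls out. Get-Process
# reports names without the .exe extension, so compare against the bare names.
$running = Get-Process | Where-Object { $suspects -contains $_.ProcessName.ToLower() }
if ($running) {
    $running | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
    Write-Warning "Suspect processes found; note their paths (Open File Location) before ending them."
} else {
    Write-Host "No processes named av, ave or geurge are running."
}
```

Run it once without -Fix to see the state of the two values (`.\Check-FakeReanLockout.ps1`), then with -Fix to clear them; because the values live under HKEY_CURRENT_USER, it has to run as the affected user, which is the same reason Pete has to run his VBScript and .reg import from that account rather than from the spare administrator.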