
Cannot run any programs after removing XP Guardian (TrojanWin32 FakeRean)

by Shanmuga

I used Microsoft Security Essentials to get rid of the XP Guardian virus from my computer. Since then I am unable to run any .exe programs. Please help. Matt, by email

XP Guardian belongs to the Trojan:Win32/FakeRean family. According to Microsoft, the latest version “now uses individual names and looks for Windows XP, Windows Vista and Windows 7; however, rather than distribute multiple versions for each of these three platforms, FakeRean’s creators have taken an all-in-one approach.

The latest version of FakeRean chooses randomly from a list of 11 names each time it is installed. It then inserts a string into the name that is dependent on which version of Windows it is running on. The result is that a single version of the rogue can use any one of 33 different names.”


In other words, a single trojan dropper file of about 200 KB can install a rogue chosen at random from its stable of 11 names per Windows version, together with a matching fake Windows Security Center or fake Action Center.

For Windows XP, it uses any one of the following names:

XP Internet Security 2010, XP Internet Security, XP Antivirus Pro 2010, XP Antivirus Pro, XP Antivirus 2010, XP Antivirus, XP Defender 2010, XP Guardian, XP Guardian 2010, Antivirus XP 2010, XP Antispyware 2010, XP Smart Security.

For Windows Vista, it uses any one of the following names:

Vista Internet Security 2010, Vista Internet Security, Vista Antivirus Pro 2010, Vista Antivirus Pro, Vista Antivirus 2010, Vista Antivirus, Vista Defender 2010, Vista Guardian, Vista Guardian 2010, Antivirus Vista 2010, Vista Antispyware 2010.

For Windows 7, it uses any one of the following names:

Win 7 Internet Security 2010, Win 7 Internet Security, Win 7 Antivirus Pro 2010, Win 7 Antivirus Pro, Win 7 Antivirus 2010, Win 7 Antivirus, Win 7 Defender 2010, Win 7 Guardian, Win 7 Guardian 2010, Antivirus Win 7 2010, Win 7 Antispyware 2010

Analysis

On installation this scareware drops a hidden, randomly named file and a second hidden file named av.exe in the %AppData% folder. You may need to enable viewing of hidden folders and protected operating system files in the Folder Options control panel to see them. The scareware modifies the registry so that:

  • av.exe executes every time a .exe file is run, which gives the rogue a way to start with Windows and to restart whenever it is killed via Task Manager. It also makes it difficult to install and run security programs.
  • Internet Explorer becomes the default browser and is hijacked to display a scare message whenever it is run.
  • Windows Firewall is disabled.
  • Genuine Windows Security Center notifications are disabled.

File and Registry Changes made by FakeRean

  • C:\Users\malwarehelp\AppData\Local\3c4e8
  • C:\Users\malwarehelp\AppData\Local\av.exe
  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=-1205228508
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\secfile=
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "C:\Documents and Settings\malwarehelp\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusOverride = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallDisableNotify = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallOverride = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
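The keys and values listed above can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original article and not the site's fix file; it assumes the stock .exe association (ProgID exefile, whose shell verbs live under HKCR\exefile rather than under the extension key) and the file and ProgID names listed above (av.exe, secfile). It only reads the registry and reports deviations from the Windows defaults; it changes nothing.

```powershell
# Added example (not from the article): audit the registry locations and the
# dropped file that the article lists as modified by FakeRean, and report
# anything that differs from the Windows defaults. Read-only; run elevated so
# the HKLM values are readable.

function Test-FakeReanRegistry {
    $findings = New-Object System.Collections.Generic.List[string]

    # PowerShell only maps HKCU: and HKLM: by default; expose HKEY_CLASSES_ROOT too.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # 1. The .exe association. Windows maps .exe to the 'exefile' ProgID, keeps the
    #    shell verbs under HKCR\exefile (not under the extension key), and never
    #    creates a per-user HKCU\Software\Classes\.exe override on its own.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCR:\.exe') {
        if (-not (Test-Path $key)) { continue }
        $progId = (Get-ItemProperty -Path $key).'(default)'
        if ($progId -and $progId -ne 'exefile') {
            $findings.Add("$key default ProgID is '$progId' (expected 'exefile')")
        }
        foreach ($verb in 'open', 'runas', 'start') {
            $cmdKey = "$key\shell\$verb\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
                $findings.Add("$cmdKey exists: $cmd")
            }
        }
    }
    if (Test-Path 'HKCU:\Software\Classes\secfile') {
        $findings.Add('HKCU:\Software\Classes\secfile exists (rogue ProgID)')
    }

    # 2. Security Center notification flags the rogue sets to 1 (default: 0 or absent).
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (Test-Path $sc) {
        $props = Get-ItemProperty -Path $sc
        foreach ($name in 'AntiVirusDisableNotify', 'AntiVirusOverride',
                          'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify') {
            if ($props.$name -eq 1) { $findings.Add("$sc\$name = 1") }
        }
    }

    # 3. Windows Firewall policy (defaults: EnableFirewall=1, DisableNotifications=0).
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = "$fwBase\$fwProfile"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.EnableFirewall -eq 0)      { $findings.Add("$key EnableFirewall = 0") }
        if ($props.DisableNotifications -eq 1) { $findings.Add("$key DisableNotifications = 1") }
    }

    # 4. The dropped av.exe. The article shows it in the per-user local AppData
    #    folder as a hidden file, so -Force is needed to see it.
    if ($env:LOCALAPPDATA) {
        $av = Join-Path $env:LOCALAPPDATA 'av.exe'
        if (Get-Item -Path $av -Force -ErrorAction SilentlyContinue) {
            $findings.Add("file present: $av")
        }
    }
    return $findings
}

$result = @(Test-FakeReanRegistry)
if ($result.Count -eq 0) { Write-Host 'No FakeRean indicators found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Because av.exe is wired into the .exe association, any shell\open\command under the extension key or a non-exefile ProgID is the finding that explains "cannot run any programs"; the Security Center and firewall values are reported separately so a partial cleanup (executable gone, registry still modified) is still visible.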

How to remove FakeRean (FakeRean Removal)

Recently the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials and Windows Defender were updated to remove this scareware. While they remove the scareware executable, they do not remove the registry entries created by this malware, which therefore keep blocking .exe files from running.

To restore .exe files (Cannot run .exe files after removing FakeRean)

Right-click the link and save the registry file as trojan_fakerean_exe_fix.reg (trojan_fakerean_exe_fix, 156 bytes). Then left-click the saved file to run it and click Yes to merge the registry data. This deletes the offending registry keys that block .exe files.

To remove FakeRean and restore .exe files

  • Download Malwarebytes’ Anti-Malware.
  • Right-click the link and save the registry file as trojan_fakerean_exe_fix.reg (trojan_fakerean_exe_fix, 319 bytes). Then left-click the saved file to run it and click Yes to merge the registry data. This deletes the offending registry keys that block .exe files.
  • Install and run Malwarebytes’ Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
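For readers who cannot download or merge the .reg file (several comments below describe that problem), the same repair can be applied from an elevated PowerShell prompt. The script below is an added example; it is not the article's trojan_fakerean_exe_fix.reg, whose contents are not reproduced on this page. It assumes the stock .exe association (ProgID exefile with an open command of "%1" %*) and removes only the keys and values listed in the File and Registry Changes section above; export those keys with regedit first so the change can be reverted, and run with -WhatIf to preview.

```powershell
# Added example (not the article's .reg file): undo the .exe association hijack
# and the Security Center / firewall changes listed in the article, restoring the
# Windows defaults. Assumes the stock association: .exe -> ProgID 'exefile' with
# open command "%1" %*. Run from an elevated PowerShell prompt.

function Repair-FakeReanRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Per-user class overrides. Windows does not create these; the rogue does.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile') {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove key')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }

    # Explorer's per-user "open with" list still offering the rogue ProgID.
    $owp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids'
    if ((Test-Path $owp) -and (Get-ItemProperty -Path $owp).PSObject.Properties['secfile'] -and
        $PSCmdlet.ShouldProcess($owp, 'Remove value secfile')) {
        Remove-ItemProperty -Path $owp -Name 'secfile'
    }

    # Machine-wide extension key: drop the shell verbs and icon added under
    # HKCR\.exe and point the extension back at the exefile ProgID.
    $ext = 'HKCR:\.exe'
    foreach ($sub in "$ext\shell", "$ext\DefaultIcon") {
        if ((Test-Path $sub) -and $PSCmdlet.ShouldProcess($sub, 'Remove key')) {
            Remove-Item -Path $sub -Recurse -Force
        }
    }
    if ($PSCmdlet.ShouldProcess($ext, "Set default value to 'exefile'")) {
        Set-ItemProperty -Path $ext -Name '(default)' -Value 'exefile'
    }
    # Make sure the ProgID itself still launches the clicked file (assumed default).
    $exeCmd = 'HKCR:\exefile\shell\open\command'
    if ($PSCmdlet.ShouldProcess($exeCmd, 'Restore "%1" %*')) {
        if (-not (Test-Path $exeCmd)) { New-Item -Path $exeCmd -Force | Out-Null }
        Set-ItemProperty -Path $exeCmd -Name '(default)' -Value '"%1" %*'
    }

    # Security Center flags the rogue set to 1: back to 0.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if ((Test-Path $sc) -and $PSCmdlet.ShouldProcess($sc, 'Re-enable notifications')) {
        foreach ($name in 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify',
                          'FirewallOverride', 'UpdatesDisableNotify') {
            Set-ItemProperty -Path $sc -Name $name -Value 0 -Type DWord
        }
    }

    # Firewall policy for both profiles: enabled, notifications on.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = "$fwBase\$fwProfile"
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Re-enable firewall')) {
            Set-ItemProperty -Path $key -Name 'EnableFirewall' -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name 'DisableNotifications' -Value 0 -Type DWord
        }
    }
}

Repair-FakeReanRegistry -WhatIf   # preview only; drop -WhatIf to apply the changes
```

The per-user keys are removed before the HKCR view is touched because HKCR merges HKCU\Software\Classes over HKLM\Software\Classes, so a leftover per-user .exe key would otherwise keep winning. As in the article's procedure, the registry repair only restores the ability to run programs; the scan with Malwarebytes' Anti-Malware is still needed to remove av.exe and the randomly named dropper.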

If you are still unable to get rid of this rogue security software, please visit one of the recommended forums for malware help and post about your problem.

Ref: Microsoft Malware Protection Center : Win32/FakeRean is 33 rogues in 1

21 comments

Nage March 16, 2010 at 8:08 AM

When I click registry file it opens notepad?


Shanmuga March 16, 2010 at 8:43 AM

Make sure that you are saving the registry file with the extension .reg and not .txt.

elaine March 20, 2010 at 3:22 AM

I fell into that one also. Now I have had to cancel my card and they have taken $56 out of my account. Does Internet Explorer know about this fake site?
I noticed I could not get any sites up once I downloaded and paid for this fake virus remover, so I looked online and sure enough, it is a fake, but I am now $56 down, no keycard for 3 days and computer in a mess.


elaine March 20, 2010 at 3:26 AM

I am $56 down, no card as I have had to cancel it. I rang the bank and they said it was legitimate. Another thing I found strange: a Chinese immigrant or whatever he was, in the country one week, looking for a job in a bank as customer service; he was from Hong Kong, very rude and nasty he was, and I believe these bank scammers are from Hong Kong.


kevin March 24, 2010 at 8:58 AM

how do you “right click and save the registry file”?


Shanmuga March 24, 2010 at 10:27 AM

Click your right mouse button on the link that says “trojan_fakerean_exe_fix”. In the menu that appears click on “save link as” or “save target as” and save it to your computer.


Anonymous March 24, 2010 at 6:17 PM

But when I click on the saved link it doesn’t do anything. It just shows the webpage w/all the registry info. It doesn’t seem to be changing anything or ask me to modify.
Thanks for your help!!
Kevin



Mike April 3, 2010 at 2:57 AM

One of my users installed this lovely program on his computer. I was able to get the PC to install Malwarebytes by dropping it in the C drive and renaming the installer to AVE.EXE. Updated MBAM, scanned, cleaned, and everything is good, right? Wrong. Now this PC won’t install Microsoft patches.

I was wondering if anyone had run across this problem and had a solution or an idea of where I should go next. MBAM isn’t finding anything on the PC anymore. McAfee (not my choice and I hate them with a passion) is finding about 48 cookies when I scan, but that’s it. I have our antivirus team working with McAfee on the issue, but they are about as helpful as a hole in the head. Let me know if you have anything for me.


joe brummel April 16, 2010 at 7:33 AM

So I’ve got this ave.exe, right. Saved trojan fakerean fix exe to one computer, transferred it via network sharing to my laptop (infected). Merged file. Can’t run any exe’s. Error message says ‘Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access this item.’ So I opted to open Malwarebytes via ‘run as admin.’ This allowed me to open Malwarebytes. Attempted to update, showed transfer of data, message says, ‘…will shut down then install updates’, click OK… nothing happens, and the number of known threats remains the same, thus a new scan turns up no new results. Any input would be great.


Shanmuga April 16, 2010 at 8:34 AM

joe brummel, download the latest version of MBAM (Malwarebytes’ Anti-Malware, mbam-setup.exe direct download) and then try the procedure in safe mode, logged in as an administrator.

Sam August 1, 2010 at 8:35 PM

It won’t let me save it as anything but a .txt, help?


Shanmuga August 1, 2010 at 9:41 PM

@Sam, Just rename .txt to .reg.

Bob October 25, 2010 at 3:17 AM

I can’t get it to save as a reg either. Do you need to do anything else?


Thanks! April 6, 2011 at 9:41 AM

Followed the instructions… worked perfectly.
To those who cannot get it: read and follow carefully, works like a charm!!!


Janey April 10, 2011 at 1:53 AM

Hi,

I can’t convert it from .txt to .reg, I have tried to use “trojan_fakerean_exe_fix” this also doesn’t work. Please help :(


Thanks! April 11, 2011 at 12:19 AM

This is an auto-run command line.
Right click… save as…
trojan_fakerean_exe_fix.txt will show up in the file name box.
Delete the .txt part of the file name, type .reg and save the file.
After the file is saved (place the file on the desktop),
left click it, and it then should run.
FIXT


AK May 22, 2011 at 7:47 PM

I had a painful experience with Fakerean, thanks for this posting I was able to clean it out (I hope it is not lurking in the background somewhere).

I had to put the two files on a flash drive and copy it to the desktop and then run them.

Attempt 1: I ran the reg file and then started the Malwarebytes tool, and in a dumb move, clicked on the icon parading as Windows Defender. It killed the Malwarebytes tool and sent me back to square one. I repeated the instructions and I could swear the virus had learned that the registry was being reset. I had to do it many many many times (with new files as well), and each time it got killed.

Attempt 2: I shut down the computer, restarted and quickly ran the utility (the things you say when you are a layman), and it seemed to work. Then I ran the latest Microsoft Malicious Software Removal Tool – THIS DID NOT DETECT the problem. Further, the damn thing says everything is fine!

Attempt 3: I reinstalled and ran Malwarebytes, and it did the trick. I have run it twice since. As suggested by someone, I also ran HitmanPro.


Helpful dumb guy August 11, 2011 at 6:24 PM

I had the same problem with this as a few other people. I kept clicking on the words/link trojan_fakerean_exe_fix and saving that. It would save as a txt file no matter what I called it. Then I realized you have to right click the link and a webpage with the words Windows Registry Editor Version 5.00 will open up. You save that page as .reg etc.


Nitwolf September 16, 2011 at 2:42 AM

For those who are having problems downloading the file with the “reg” extension: don’t use Firefox, use IE. I removed it and typed in the new extension, and it wanted to do trojan_fakerean_fix.reg.txt, grrrrrrr. Did it in IE and easy as pie.


Victor December 13, 2011 at 6:07 AM

It looks like Microsoft Security Essentials is cleaning up properly now. At least I had no problem running executables after recovering using its scan. It’s a mystery to me how my computer got infected, because I am generally a safe surfer. The only thing I can think of is that I recently installed software that came with my Plustek scanner. Is there a way I can direct a scan at the installation discs to see if that might have been the source of infection?

