
Win32/FakeRean


Microsoft security software detects and removes this threat.

This family of rogue security programs pretends to scan your PC for malware, and often reports lots of infections. The program will say you have to pay for it before it can fully clean your PC.

However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.

Different brands of the rogues may modify various settings on your computer, end or close programs or system services, or block access to websites.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

In the wild, we have observed Win32/FakeRean being installed onto PCs by exploit kits like Blacole or Incognito, or by being downloaded and installed by other malware. Malware we have observed downloading FakeRean includes the following:

Note that some of these malware families may no longer be active, or may no longer be downloading Win32/FakeRean.

For more details on exploits and how to stay safe, see our exploits page.

Earlier versions of FakeRean were also installed when users were tricked into downloading the malware from a webpage that looked like an antivirus scanner.

FakeRean brands

The Win32/FakeRean family includes a number of different brands of fake scanners. The installation and operation of the malware varies between different brands.

Each brand changes its name from time to time, but the appearance of the fake scanner and its behavior are very similar. It may change its installation directory, file names, or registry entry names to reflect the new name.

Privacy Protection / Security Protection

One variant uses names like Privacy Protection or Security Protection. Their fake scanners are similar except for the name displayed.

Privacy Protection may be installed to %APPDATA%\privacy.exe. It creates the following registry entry to ensure that it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Privacy Protection"
With data: %APPDATA%\privacy.exe

Security Protection instead uses the file name defender.exe and creates the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security Protection"
With data: %APPDATA%\defender.exe

This variant may try to stop certain programs or files from running. You can circumvent this by making a copy of the program you want to run, renaming it to svchost.exe, then running the renamed copy.

Note: Do not place this copy in <system folder>.

See the Privacy Protection or Security Protection descriptions for more details on this variant.

Other names that are being used by this variant at the time of publication include:

  • Malware Protection
  • Total PC Defender
  • Internet Security

Antivirus Protection 2012

Antivirus Protection 2012's installer drops a number of files to a folder, such as %APPDATA%\Antivirus Protection 2012 or %APPDATA%\Antivirus Protection 2012 Tm.

It may also create the following files:

  • IcoActivate.ico (icon file)
  • IcoHelp.ico (icon file)
  • IcoUninstall.ico (icon file)
  • AntivirusProtection2012.exe (fake scanner)
  • securitymanager.exe (monitors the installed file)
  • securityhelper.exe (copy of the installer)

It adds a number of registry entries to ensure that its various components are run at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Antivirus Protection 2012"
With data: "%AppData%\Antivirus Protection 2012\AntivirusProtection2012.exe" /STARTUP
Sets value: "Antivirus Protection 2012 SM"
With data: "%AppData%\Antivirus Protection 2012\securitymanager.exe"
Sets value: "Antivirus Protection 2012 SH"
With data: "%AppData%\Antivirus Protection 2012\securityhelper.exe"

It also creates files that add desktop shortcuts and start menu items.

This rogue may also disable certain services and remove the registry entry which lets Windows Defender run each time the PC starts.

Other names that are being used by this variant include:

  • AntiVirus 2010
  • AntiVirus AntiSpyware 2011
  • Antivirus Protection
  • AntiVirus Studio 2010
  • Antivirus System 2011
  • AV Protection 2012
  • Desktop Security
  • Desktop Security 2010
  • Security Monitor
  • Security Monitor 2012
  • Security Solution

XP Home Security 2012 (and others)

This variant of Win32/FakeRean has been distributed with many different names. The user interface and some other details vary to reflect each variant’s individual branding. These variants choose a name at random from a number of possibilities determined by the operating system of the affected PC. These include:

Platform: Windows 7

  • Antispyware Win 7
  • Antivirus Win 7 2010
  • Total Win 7 Security
  • Win 7 AntiMalware
  • Win 7 AntiMalware 2010
  • Win 7 Anti-Spyware
  • Win 7 Antispyware 2010
  • Win 7 Anti-Spyware 2011
  • Win 7 Antispyware 2012
  • Win 7 Antivirus
  • Win 7 Antivirus 2010
  • Win 7 Anti-Virus 2011
  • Win 7 Antivirus 2012
  • Win 7 Antivirus Pro
  • Win 7 Antivirus Pro 2010
  • Win 7 Defender
  • Win 7 Defender 2010
  • Win 7 Defender Pro
  • Win 7 Guard
  • Win 7 Guardian
  • Win 7 Guardian 2010
  • Win 7 Home Security
  • Win 7 Home Security 2011
  • Win 7 Home Security 2012
  • Win 7 Internet Security
  • Win 7 Internet Security 2010
  • Win 7 Internet Security 2011
  • Win 7 Internet Security 2012
  • Win 7 Security
  • Win 7 Security 2011
  • Win 7 Security 2012
  • Win 7 Security Center
  • Win 7 Security Tool
  • Win 7 Security Tool 2010
  • Win 7 Smart Security
  • Win 7 Smart Security 2010
  • Win 7 Total Security
  • Win 7 Total Security 2011
  • Win 7 Total Security 2012

Platform: Windows Vista

  • Antispyware Vista
  • Antivirus Vista
  • Antivirus Vista 2010
  • Total Vista Security
  • Vista AntiMalware
  • Vista AntiMalware 2010
  • Vista Anti-Spyware
  • Vista Antispyware 2010
  • Vista Antispyware 2011
  • Vista Anti-Spyware 2011
  • Vista Antispyware 2012
  • Vista Antivirus
  • Vista Antivirus 2010
  • Vista Antivirus 2011
  • Vista Anti-Virus 2011
  • Vista Antivirus 2012
  • Vista Antivirus Pro
  • Vista Antivirus Pro 2010
  • Vista Defender
  • Vista Defender 2010
  • Vista Defender Pro
  • Vista Guard
  • Vista Guardian
  • Vista Guardian 2010
  • Vista Home Security
  • Vista Home Security
  • Vista Home Security 2011
  • Vista Home Security 2012
  • Vista Internet Security
  • Vista Internet Security 2010
  • Vista Internet Security 2011
  • Vista Internet Security 2012
  • Vista Security
  • Vista Security 2011
  • Vista Security 2012
  • Vista Security Tool
  • Vista Security Tool 2010
  • Vista Smart Security
  • Vista Smart Security 2010
  • Vista Total Security
  • Vista Total Security 2011
  • Vista Total Security 2012

Platform: Windows XP

  • Antispyware XP
  • AntiSpyware XP 2009
  • Antivirus XP
  • Antivirus XP 2010
  • Total XP Security
  • XP AntiMalware
  • XP AntiMalware 2010
  • XP Anti-Spyware
  • XP AntiSpyware 2009
  • XP Antispyware 2010
  • XP Antispyware 2011
  • XP Anti-Spyware 2011
  • XP Antispyware 2012
  • XP Anti-Spyware XP Anti-Spyware
  • XP Antivirus 2010
  • XP Antivirus 2011
  • XP Anti-Virus 2011
  • XP Antivirus 2012
  • XP Antivirus Pro
  • XP Antivirus Pro 2010
  • XP Defender
  • XP Defender 2010
  • XP Defender Pro
  • XP Defender Pro 2010
  • XP Guard
  • XP Guardian
  • XP Guardian 2010
  • XP Home Security
  • XP Home Security 2011
  • XP Home Security 2012
  • XP Internet Security
  • XP Internet Security 2010
  • XP Internet Security 2011
  • XP Internet Security 2012
  • XP Police Antivirus
  • XP Security
  • XP Security 2011
  • XP Security 2012
  • XP Security Center
  • XP Security Tool
  • XP Security Tool 2010
  • XP Smart Security
  • XP Smart Security 2010
  • XP Total Security
  • XP Total Security 2011
  • XP Total Security 2012

The image below depicts the "XP Home Security 2012" branding.

When run, the malware copies itself to a location such as %APPDATA%\<three lowercase characters>.exe (for example, %APPDATA%\qkm.exe).

This variant may also change security settings and block access to programs and websites. See the XP Home Security 2012 description for more details.
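The Run-key entries and file locations described above can be checked together. The following Python code is an added example, not part of the original entry and not Microsoft's detection logic: it parses the text output of `reg query` for the HKCU Run subkey and flags values that match this page's indicators. The function names, the assumed `reg query` column layout, the sample data, and the decision to treat a Run value that launches a three-letter executable in %APPDATA% as suspicious are assumptions of this example. Because brands rename their registry values, the file location is checked independently of the value name.

```python
import ntpath
import re
# Indicators from this page: Run value name -> file it launches (lower-cased).
KNOWN_RUN_VALUES = {
    "privacy protection": "privacy.exe",
    "security protection": "defender.exe",
    "antivirus protection 2012": "antivirusprotection2012.exe",
    "antivirus protection 2012 sm": "securitymanager.exe",
    "antivirus protection 2012 sh": "securityhelper.exe",
}
THREE_CHAR_EXE = re.compile(r"[a-z]{3}\.exe")  # e.g. qkm.exe; prone to false positives
# Assumed `reg query` layout: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def launched_exe(data):
    """Return the executable path from Run data, without quotes or arguments."""
    match = re.match(r'\s*"([^"]+)"|\s*(.*?\.exe)(?:\s|$)', data, re.IGNORECASE)
    return (match.group(1) or match.group(2)) if match else data.strip()

def assess(name, data, appdata):
    """Return the reasons one Run value matches the page's indicators."""
    exe = re.sub("%appdata%", lambda _: appdata, launched_exe(data), flags=re.IGNORECASE)
    folder, filename = ntpath.split(exe)
    root = ntpath.normcase(appdata)
    reasons = []
    if name.lower() in KNOWN_RUN_VALUES:
        reasons.append("known value name")
    if filename.lower() in KNOWN_RUN_VALUES.values() and ntpath.normcase(exe).startswith(root + "\\"):
        reasons.append("known file under %APPDATA%")
    if ntpath.normcase(folder) == root and THREE_CHAR_EXE.fullmatch(filename):
        reasons.append("three-letter exe in %APPDATA%")
    return reasons

def scan(reg_query_output, appdata):
    """Map each flagged Run value name to the reasons it was flagged."""
    hits = {}
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        reasons = assess(match.group(1), match.group(3), appdata) if match else []
        if reasons:
            hits[match.group(1)] = reasons
    return hits

# Constructed sample of `reg query` output for the HKCU Run subkey (not from a real host).
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Antivirus Protection 2012    REG_SZ    "C:\Users\alice\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe" /STARTUP
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\defender.exe
    qkm    REG_SZ    C:\Users\alice\AppData\Roaming\qkm.exe"""
```

Calling `scan(SAMPLE, r"C:\Users\alice\AppData\Roaming")` flags the last three values and leaves the OneDrive entry alone; the renamed "Updater" value is caught by file location only.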

XP Antispyware 2009

Earlier variants had different behavior. See the XP AntiSpyware 2009 description for more details.

Analysis by David Wood


Symptoms

Symptoms vary among different subfamilies and variants of Win32/FakeRean; below are some common variants we see in the wild:

See the relevant encyclopedia entry for a list of specific infection symptoms.


Prevention


Alert level: Severe
This entry was first published on: Feb 08, 2011
This entry was updated on: May 21, 2014

This threat is also detected as:
  • Trojan:Win32/FakeRean (Microsoft)
  • Win32/FakeRean (Microsoft)
  • Antispyware Vista (other)
  • Antispyware Win 7 (other)
  • Antispyware XP (other)
  • AntiSpyware XP 2009 (other)
  • Antivirus Pro 2010 (other)
  • AntiVirus Studio 2010 (other)
  • Antivirus Vista (other)
  • Antivirus Vista 2010 (other)
  • Antivirus Win 7 (other)
  • Antivirus Win 7 2010 (other)
  • Antivirus XP (other)
  • Antivirus XP 2010 (other)
  • Desktop Defender 2010 (other)
  • Desktop Security 2010 (other)
  • Home Antivirus 2010 (other)
  • PC Antispyware 2010 (other)
  • PC Security 2009 (other)
  • Privacy Protection (other)
  • Security Central (other)
  • Security Protection (other)
  • Security Solution 2011 (other)
  • Smart Security 2010 (other)
  • Spyware Protection (other)
  • Total PC Defender (other)
  • Total PC Defender 2010 (other)
  • Total Vista Security (other)
  • Total Win 7 Security (other)
  • Total XP Security (other)
  • Vista AntiMalware (other)
  • Vista AntiMalware 2010 (other)
  • Vista Anti-Spyware (other)
  • Vista Antispyware 2010 (other)
  • Vista Antispyware 2011 (other)
  • Vista Anti-Spyware 2011 (other)
  • Vista Antispyware 2012 (other)
  • Vista Antivirus (other)
  • Vista Antivirus 2010 (other)
  • Vista Antivirus 2011 (other)
  • Vista Anti-Virus 2011 (other)
  • Vista Antivirus 2012 (other)
  • Vista Antivirus Pro (other)
  • Vista Antivirus Pro 2010 (other)
  • Vista Defender (other)
  • Vista Defender 2010 (other)
  • Vista Defender Pro (other)
  • Vista Guard (other)
  • Vista Guardian (other)
  • Vista Guardian 2010 (other)
  • Vista Home Security (other)
  • Vista Home Security 2011 (other)
  • Vista Home Security 2012 (other)
  • Vista Internet Security (other)
  • Vista Internet Security 2010 (other)
  • Vista Internet Security 2011 (other)
  • Vista Internet Security 2012 (other)
  • Vista Security (other)
  • Vista Security 2011 (other)
  • Vista Security 2012 (other)
  • Vista Security Tool (other)
  • Vista Security Tool 2010 (other)
  • Vista Smart Security (other)
  • Vista Smart Security 2010 (other)
  • Vista Total Security (other)
  • Vista Total Security 2011 (other)
  • Vista Total Security 2012 (other)
  • Win 7 AntiMalware (other)
  • Win 7 AntiMalware 2010 (other)
  • Win 7 Anti-Spyware (other)
  • Win 7 Antispyware 2010 (other)
  • Win 7 Anti-Spyware 2011 (other)
  • Win 7 Antispyware 2012 (other)
  • Win 7 Antivirus (other)
  • Win 7 Antivirus 2010 (other)
  • Win 7 Anti-Virus 2011 (other)
  • Win 7 Antivirus 2012 (other)
  • Win 7 Antivirus Pro (other)
  • Win 7 Antivirus Pro 2010 (other)
  • Win 7 Antivirus Pro 2013 (other)
  • Win 7 Antivirus Security Pro 2013 (other)
  • Win 7 Defender (other)
  • Win 7 Defender 2010 (other)
  • Win 7 Defender Pro (other)
  • Win 7 Guard (other)
  • Win 7 Guardian (other)
  • Win 7 Guardian 2010 (other)
  • Win 7 Home Security (other)
  • Win 7 Home Security 2011 (other)
  • Win 7 Home Security 2012 (other)
  • Win 7 Internet Security (other)
  • Win 7 Internet Security 2010 (other)
  • Win 7 Internet Security 2011 (other)
  • Win 7 Internet Security 2012 (other)
  • Win 7 Security (other)
  • Win 7 Security 2011 (other)
  • Win 7 Security 2012 (other)
  • Win 7 Security Center (other)
  • Win 7 Security Tool (other)
  • Win 7 Security Tool 2010 (other)
  • Win 7 Smart Security (other)
  • Win 7 Smart Security 2010 (other)
  • Win 7 Total Security (other)
  • Win 7 Total Security 2011 (other)
  • Win 7 Total Security 2012 (other)
  • XP AntiMalware (other)
  • XP AntiMalware 2010 (other)
  • XP Anti-Spyware (other)
  • XP AntiSpyware 2009 (other)
  • XP Antispyware 2010 (other)
  • XP Antispyware 2011 (other)
  • XP Anti-Spyware 2011 (other)
  • XP Antispyware 2012 (other)
  • XP Antivirus 2010 (other)
  • XP Antivirus 2011 (other)
  • XP Anti-Virus 2011 (other)
  • XP Antivirus 2012 (other)
  • XP Antivirus Pro (other)
  • XP Antivirus Pro 2010 (other)
  • XP Defender (other)
  • XP Defender 2010 (other)
  • XP Defender Pro (other)
  • XP Defender Pro 2010 (other)
  • XP Guard (other)
  • XP Guardian (other)
  • XP Guardian 2010 (other)
  • XP Home Security (other)
  • XP Home Security 2011 (other)
  • XP Home Security 2012 (other)
  • XP Internet Security (other)
  • XP Internet Security 2010 (other)
  • XP Internet Security 2011 (other)
  • XP Internet Security 2012 (other)
  • XP Police Antivirus (other)
  • XP Security (other)
  • XP Security 2011 (other)
  • XP Security 2012 (other)
  • XP Security Center (other)
  • XP Security Tool (other)
  • XP Security Tool 2010 (other)
  • XP Smart Security (other)
  • XP Smart Security 2010 (other)
  • XP Total Security (other)
  • XP Total Security 2011 (other)
  • XP Total Security 2012 (other)
  • Smart Security (other)