My Battle With The FakeRean Trojan & TDL3 Rootkit
Personally, I run Ubuntu Linux on my desktop and laptop computers, but my wife runs Windows XP (SP3) on her desktop. Thanks to XP, over the past 7 days, I had the distinct (dis)pleasure of having to deal with the FakeRean trojan and the TDL3 rootkit that it installs.
This whole exercise was an incredibly frustrating experience, but I eventually managed to get the problem solved. So I decided to document my experiences here to hopefully prevent you from also damning those virus writers to hell!
Symptoms?
How did I know that something was wrong?
The most obvious clue was that the Firefox browser would go to websites that I had not intended. I would do a search on Google, and if I clicked on one of the links in the search results, I would end up on a totally different website. Without any action from me, Firefox would also open a new tab by itself and go to some strange website. Once I saw that, I knew that Firefox was hijacked and that I probably had a virus of some sort!
After this I installed Google’s new browser, Chrome, knowing that it is a safe browser and hoping that it would not have the same hijacking problem. Chrome installed OK, but it was completely blocked from any internet access. To me, this was confirmation that something big was wrong!
Identifying the Virus
I was surprised that I picked up the virus in the first place. I run Comodo Antivirus on that machine and it works well. Then I discovered that the virus definitions were about 3 months old (very bad). When I tried to update the virus definitions, the process kept failing. Some Googling led me to believe that my virus database was corrupt, which might account for how the virus slipped onto the machine. I managed to download an update using my Linux machine and updated Comodo on the XP machine.
In a way, I got lucky with identifying FakeRean. I spotted a file called ave.exe amongst all the open processes (using Task Manager). I Googled that and discovered that it was part of a trojan called FakeRean.
What is FakeRean?
You can read a lot more about FakeRean here, but basically it is a fake antivirus / anti-malware program that comes under a variety of names, like “XP AntiSpyware 2009”, “Vista AntiVirus Pro”, and about 30 other names.
It displays fake warnings about infected files on your computer, and asks if you want to remove the files. If you say “yes”, it saves a file called ave.exe to your computer. It changes your computer’s registry to make sure that ave.exe is run every time you open a program. When ave.exe runs, it hijacks your Internet Explorer browser and Firefox browser, disables your Windows firewall and Windows Security Center notifications.
I am assuming that it is also during this time that the TDL3 rootkit gets installed because, in the end, that was the last part of this thing that I removed and it was responsible for hijacking Firefox and blocking Chrome.
Removing FakeRean
I took two steps to remove FakeRean:
- Download this file from MalwareHelp.org and save it on your Desktop. (Right-click on the file and select Save Target As). Don’t worry, the file is safe. This file fixes the changes that FakeRean made to your registry. Double-click the file and click Yes to merge the file with your registry. This will stop ave.exe from starting up every time you run another program.
- Download and install MalwareBytes’ Anti-Malware. Start the program. Go to the Updates tab and make sure you have the latest updates installed. Then go to the Scanner tab to run a full scan. After the scan, the Scan Results shows all the bad stuff that was found. Make sure all the bad stuff is selected and click the button to remove it.
In my case, these two steps killed off the initial infection… but wait… there’s more…
The Firefox redirection and the Chrome block were still in place despite the original cause (FakeRean) being removed. I discovered that it was the TDL3 rootkit doing it.
Removing TDL3 Rootkit
I don’t know much about rootkits other than that they can be very difficult to remove. These things get embedded into your system in very smart and hidden ways. That being said, there are supposedly some tools that can remove them. It’s just a matter of finding the right tool.
Kaspersky’s TDSS Killer was reported to kill TDL3. It did locate TDL3, but reported it to be in the file atapi.sys while Comodo reported it to be in the file viaide.sys. Several attempts to remove TDL3 failed because subsequent scans, with computer reboots between each, kept reporting that atapi.sys was still infected with TDL3 (and it said nothing about viaide.sys).
I discovered Hitman Pro to be the tool that can remove TDL3.
So here’s what I did to get rid of TDL3 rootkit and its effects:
- Download Hitman Pro, activate their free 30-day license, and scan the computer. In my case, it found TDL3 in viaide.sys as Comodo had also reported. It cleaned the infection and a second scan reported no further threats.
- Flush the DNS cache: Go to Start -> Run and type in cmd and click OK to open the command window. Then type ipconfig /flushdns and press Enter. You will get a message that says, “Successfully flushed the DNS Resolver Cache.”
- Download HostsXpert to reset your Windows hosts file to its original configuration. Sometimes browser hijackers will modify the hosts file. After downloading and extracting the zipfile, run the program, click Make Hosts Writable?, and click Restore Microsoft's Hosts File.
- As a final step, do another scan with MalwareBytes’ Anti-Malware (downloaded and installed earlier).
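Before running the fixes above (or to confirm they took), it helps to see what was actually changed. The script below is an added example and is not from the original post or from any of the tools it mentions. It assumes Windows PowerShell (v2 or later) run with administrative rights; the registry keys it reads are the standard Windows .exe file association keys, which is the mechanism the post describes for making ave.exe run whenever a program is opened. It only reports, it changes nothing.

```powershell
# Added check script, not part of the original post. Assumes Windows PowerShell
# (v2 or later) started with administrative rights. It changes nothing; it only
# reports an .exe file association that routes every program launch through
# another executable (how the post describes ave.exe being started) and any
# hosts-file entries beyond the stock localhost line. The exact values FakeRean
# writes are not given in the post, so anything flagged still needs a human look.

$DefaultExeCommand = '"%1" %*'   # exefile\shell\open\command on a clean Windows install

function Get-ExeOpenCommand([string]$ClassesRoot) {
    # Follow .exe -> ProgID -> shell\open\command under the given Classes root.
    $assoc = Get-Item "$ClassesRoot\.exe" -ErrorAction SilentlyContinue
    if (-not $assoc) { return $null }
    $progId = $assoc.GetValue('')
    if (-not $progId) { return $null }
    $cmd = Get-Item "$ClassesRoot\$progId\shell\open\command" -ErrorAction SilentlyContinue
    $value = if ($cmd) { $cmd.GetValue('') } else { $null }
    return New-Object PSObject -Property @{ Root = $ClassesRoot; ProgId = $progId; Command = $value }
}

# HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes for the current user,
# so a per-user hijack survives even when the machine-wide default is intact.
foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
    $r = Get-ExeOpenCommand $root
    if (-not $r) { Write-Host "$root : no .exe association defined here (normal for HKCU)"; continue }
    if ($r.Command -ne $DefaultExeCommand) {
        Write-Warning "$root : .exe -> $($r.ProgId) runs [$($r.Command)] instead of [$DefaultExeCommand]"
    } else {
        Write-Host "$root : .exe association is the default"
    }
}

# Hosts file: show its attributes (a read-only or hidden file is what the
# 'Make Hosts Writable?' step in the post undoes) and every non-default entry.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsItem = Get-Item $hostsPath -Force
Write-Host "hosts attributes: $($hostsItem.Attributes)"
$extra = Get-Content $hostsPath | ForEach-Object { $_.Trim() } | Where-Object {
    $_ -and -not $_.StartsWith('#') -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost(\s|$)'
}
if ($extra) {
    Write-Warning "hosts file has $(@($extra).Count) entries beyond localhost; review each one:"
    $extra | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "hosts file contains only the localhost entry"
}
```

A non-default hosts entry is not automatically malicious (some people add their own), but entries that point security vendor or update sites at 127.0.0.1 or an unfamiliar address are exactly what the HostsXpert reset step is meant to undo.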
At this point your problem should be solved, i.e. Firefox no longer spawns new tabs and goes to strange websites, and Chrome is no longer blocked from internet access. This was the case for me.
There are those who believe that you can never know if a computer is 100% in good shape after cleaning a rootkit infection. They say that it is best to rebuild the machine. I haven’t done that (too much work and I’m still recovering from the frustration of dealing with this) and I’ll leave it to you to decide if you want to do it.
Final Thoughts
The people who write malware as sophisticated as FakeRean and TDL3 are obviously very talented programmers. I don’t understand why these people will use those talents to purposefully create something bad. C’mon guys, use your talents for something good instead!
Credits
Thanks so much to all the good people at websites like BleepingComputer.com, MalwareHelp.org, SevenForums.com for providing me with the information that helped me solve this problem. You rock!

April 26th, 2010 at 2:42 pm
Based on my visitor stats for this post, unfortunately it seems like many people are being hit with this thing at the moment. You have my sympathies! What a pain!
Another observation about the impact of TDL3: Despite reinstalling Firefox after removing TDL3, it seems that something is left behind (or missing or broken) that messes with Firefox. I have noticed that if you use Firefox, shortly after opening it, it consumes near 100% of CPU cycles, slowing the PC to a crawl. I have now stopped using Firefox on that machine and am using Chrome instead (which does not suffer from the problem).
This leads me to support some people's notion that it is best to rebuild your PC after a rootkit infection. It's a further pain because that means backing up all your data somewhere else, reinstalling Windows, and reinstalling all your programs. That's a big job!
April 29th, 2011 at 7:38 pm
Apparently, even a year from this post, FakeRean is still running rampant. My brother, who works at a Geek Squad precinct, has seen a resurgence ever since the 2010 holidays. And now, I'm battling it myself. It's by far the most frustrating malware I've run into since Blaster.
April 30th, 2011 at 6:43 pm
Jerby, I agree… very frustrating! And it seems like it leaves some damage behind after removing it. Can't use Firefox on that machine now, or you can, but it quickly sucks up 100% of CPU cycles.
May 11th, 2011 at 11:33 pm
I wanted to say thank you for posting this, had the exact same problem and followed your directions and everything is now clear!
May 12th, 2011 at 8:11 am
You're welcome, Martha. I'm glad it helped you.
May 22nd, 2011 at 10:13 pm
I also would like to thank everyone who spent the time to write these instructions. We have Microsoft Security Essentials, but apparently it had not been updated. My husband noticed the presumed antivirus, and I told him not to click and clean the computer. Thus ave.exe was apparently not downloaded. I found out that it was impossible to restart MSE, but I got from another website registry instructions to reinstall the ability to run exe programs. Eventually MSE ran, updated, and found several threats. I cleaned the caches of Firefox and Internet Explorer. A second scan shows nothing. If something is strange, I will follow up with the details on this post.
I should probably set the computer back a few days for good measure.
May 23rd, 2011 at 10:46 am
You're welcome! Our only weapon against these idiots is to share the solutions with one another.
May 28th, 2011 at 11:54 pm
I'm battling the TDL3 trojan myself and am quite frankly freaking out about it. My father bought this laptop for me as a graduation gift and now it's got this thing that Sophos basically painted as a system killer. Lots of my life is on the hard drive: music, family photos, personal writing, on and on. I'm so upset that I'm shaking.
It got infected from a compromised legit website. (The stupid "do you want to install this plugin" popups need a better layout than having "yes" on the bottom, but that's a whole other rant.)
Can I still save my laptop, or am I screwed?
May 29th, 2011 at 6:50 pm
Anadra, no need to completely freak out, although I understand that you want to. My wife's desktop, which was the infected computer that my article is based on, has now been clean and running for a little more than a year after I took the steps that I outlined in the article. I'm not 100% convinced that the computer is exactly the same as it was before the infection, but it is running well. (The only difference I know about is that she can no longer run Firefox because it slows the computer down when it consumes 100% CPU cycles, but she simply uses Chrome now, which works great.)
After cleaning your laptop, I would recommend that you back up all your important files somewhere else as well. It can be as simple as backing your stuff up to an external hard drive, or there are some great online solutions available too. This will also protect you against, for example, a hard drive crash.
June 1st, 2011 at 7:08 pm
Battled FakeRean on 2 computers. Malwarebytes' latest version seems to get rid of the FakeRean trojan and eliminate the need for Hitman Pro.
I would really like to find the solution to the Firefox hijack and CPU problem. A reinstall did not work.
June 11th, 2011 at 11:50 pm
I never downloaded any anti-spyware and my AVG notified me that I had an attack on my computer or something and quarantined two .exe files. Looking in the program's history, one was FakeRean and one was Kryptik.OWQ. After quarantining these files, my IE and Firefox both don't work. I had to change my LAN settings to get on here. How do I get my IE back to normal? I don't care about Firefox cuz I didn't use it really. Thanks