Personally, I run Ubuntu Linux on my desktop and laptop computers, but my wife runs Windows XP (SP3) on her desktop. Thanks to XP, over the past 7 days, I had the distinct (dis)pleasure of having to deal with the FakeRean trojan and the TDL3 rootkit that it installs.
This whole exercise was an incredibly frustrating experience, but I eventually managed to get the problem solved. So I decided to document my experiences here to hopefully prevent you from also damning those virus writers to hell!
How did I know that something was wrong?
The most obvious clue was that the Firefox browser would go to websites that I had not intended. I would do a search on Google, and if I clicked on one of the links in the search results, I would end up on a totally different website. Without any action from me, Firefox would also open a new tab by itself and go to some strange website. Once I saw that, I knew that Firefox was hijacked and that I probably had a virus of some sort!
After this I installed Google’s new browser, Chrome, knowing that it is a safe browser and hoping that it would not have the same hijacking problem. Chrome installed OK, but it was completely blocked from any internet access. To me, this was confirmation that something big was wrong!
Identifying the Virus
I was surprised that I picked up the virus in the first place. I run Comodo Antivirus on that machine and it works well. Then I discovered that the virus definitions were about 3 months old (very bad). When I tried to update the virus definitions, the process kept failing. Some Googling led me to believe that my virus database was corrupt, which might account for how the virus slipped onto the machine. I managed to download an update using my Linux machine and updated Comodo on the XP machine.
In a way, I got lucky with identifying FakeRean. I spotted a file called ave.exe amongst all the open processes (using Task Manager). I Googled that and discovered that it was part of a trojan called FakeRean.
What is FakeRean?
You can read a lot more about FakeRean here, but basically it is a fake antivirus / anti-malware program that comes under a variety of names, like “XP AntiSpyware 2009”, “Vista AntiVirus Pro”, and about 30 other names.
It displays fake warnings about infected files on your computer, and asks if you want to remove the files. If you say “yes”, it saves a file called ave.exe to your computer. It changes your computer’s registry to make sure that ave.exe is run every time you open a program. When ave.exe runs, it hijacks your Internet Explorer and Firefox browsers, and disables your Windows firewall and Windows Security Center notifications.
I am assuming that it is also during this time that the TDL3 rootkit gets installed because, in the end, that was the last part of this thing that I removed and it was responsible for hijacking Firefox and blocking Chrome.
I took two steps to remove FakeRean:
- Download this file from MalwareHelp.org and save it on your Desktop. (Right-click on the file and select Save Target As). Don’t worry, the file is safe. This file fixes the changes that FakeRean made to your registry. Double-click the file and click Yes to merge the file with your registry. This will stop ave.exe from starting up every time you run another program.
- Download and install MalwareBytes’ Anti-Malware. Start the program. Go to the Updates tab and make sure you have the latest updates installed. Then go to the Scanner tab to run a full scan. After the scan, the Scan Results shows all the bad stuff that was found. Make sure all the bad stuff is selected and click the button to remove it.
In my case, these two steps killed off the initial infection… but wait… there’s more…
The Firefox redirection and Chrome block were still in place despite the original cause (FakeRean) being removed. I discovered that it was the TDL3 rootkit doing it.
Removing TDL3 Rootkit
I don’t know much about rootkits other than that they can be very difficult to remove. These things get embedded into your system in very smart and hidden ways. That being said, there are supposedly some tools that can remove them. It’s just a matter of finding the right tool.
Kaspersky’s TDSS Killer was reported to kill TDL3. It did locate TDL3, but reported it to be in the file atapi.sys while Comodo reported it to be in the file viaide.sys. Several attempts to remove TDL3 failed because subsequent scans, with computer reboots between each, kept reporting that atapi.sys was still infected with TDL3 (and it said nothing about viaide.sys).
I discovered Hitman Pro to be the tool that can remove TDL3.
So here’s what I did to get rid of TDL3 rootkit and its effects:
- Download Hitman Pro, activate their free 30-day license, and scan the computer. In my case, it found TDL3 in viaide.sys as Comodo had also reported. It cleaned the infection and a second scan reported no further threats.
- Flush the DNS cache: Go to Start -> Run and type in cmd and click OK to open the command window. Then type ipconfig /flushdns and press Enter. You will get a message that says, “Successfully flushed the DNS Resolver Cache.”
- Download HostsXpert to reset your Windows hosts file to its original configuration. Sometimes browser hijackers will modify the hosts file. After downloading and extracting the zip file, run the program, click Make Hosts Writable?, and click Restore Microsofts’ Hosts File.
- As a final step, do another scan with MalwareBytes’ Anti-Malware (downloaded and installed earlier).
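As an added example (my own script, not from the post or from any of the tools it names), here is a PowerShell check you can run after the cleanup to confirm that the two hijack points described above are really gone: the registry change that made ave.exe run whenever a program was opened, and a tampered hosts file. It finishes with the same ipconfig /flushdns step as the list above. It assumes PowerShell 2.0 or later is installed (on XP SP3 that is an optional download) and that it is run from an elevated prompt. The registry key it checks is an assumption on my part: the post never names the key FakeRean edited, and the .exe file-association command is the usual place a “run me before any program starts” hijack lives, with a clean default value of "%1" %*.

```powershell
# Added example, not from the original post or any tool it names.
# Post-cleanup verification:
#   1. the .exe file association (ASSUMED location of the ave.exe hijack)
#   2. non-default entries in the hosts file, and whether the file is hidden
#   3. flush the DNS resolver cache with ipconfig, as the post does
# Requires PowerShell 2.0+ (optional install on Windows XP SP3); run elevated.

function Test-ExeAssociation {
    # ASSUMPTION: the post does not name the key; this is the common hijack point.
    $keyPath  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $expected = '"%1" %*'
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        return "exefile association: key missing or unreadable ($keyPath)"
    }
    # GetValue('') reads the key's (Default) value.
    $actual = $key.GetValue('')
    if ($actual -ne $expected) {
        return "exefile association HIJACKED: [$actual] (expected [$expected])"
    }
    return $null   # clean
}

function Get-NonDefaultHostsEntries {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    # A stock hosts file only maps localhost; anything else deserves a look.
    $defaults = @('127.0.0.1 localhost', '::1 localhost')
    $entries = @()
    foreach ($line in Get-Content -Path $Path) {
        $clean = ($line -replace '#.*$', '').Trim()   # drop comments
        if (-not $clean) { continue }                  # skip blank lines
        $clean = $clean -replace '\s+', ' '            # normalise spacing
        if ($defaults -notcontains $clean) { $entries += $clean }
    }
    return ,$entries
}

function Invoke-PostCleanupCheck {
    $problems = @()

    $assoc = Test-ExeAssociation
    if ($assoc) { $problems += $assoc }
    else { Write-Host '[ok] .exe association is the default' }

    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $attrs = (Get-Item -Path $hostsPath -Force).Attributes
    if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
        $problems += "hosts file is marked Hidden ($attrs)"   # hijackers often hide it
    }
    $extra = Get-NonDefaultHostsEntries -Path $hostsPath
    if ($extra.Count -gt 0) {
        $problems += "hosts file has $($extra.Count) non-default entrie(s):"
        $extra | ForEach-Object { $problems += "    $_" }
    } else {
        Write-Host '[ok] hosts file contains only the localhost entries'
    }

    # Flush the resolver cache the same way the post does (works on XP and later).
    $null = & ipconfig /flushdns
    if ($LASTEXITCODE -eq 0) { Write-Host '[ok] DNS resolver cache flushed' }
    else { $problems += "ipconfig /flushdns failed (exit code $LASTEXITCODE)" }

    if ($problems.Count -eq 0) {
        Write-Host 'No leftover hijack indicators found.'
        return $true
    }
    Write-Warning 'Leftover hijack indicators found:'
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Invoke-PostCleanupCheck
```

The script only reports; it does not rewrite the registry or the hosts file, so the HostsXpert step above (or editing the file by hand) is still how you fix what it finds. Entries you added yourself, such as an ad-blocking hosts list, will also be reported as non-default, so read the list before deciding anything is malicious.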
At this point your problem should be solved, i.e. Firefox no longer spawns new tabs and goes to strange websites, and Chrome is no longer blocked from internet access. This was the case for me.
There are those who believe that you can never know if a computer is 100% in good shape after cleaning a rootkit infection. They say that it is best to rebuild the machine. I haven’t done that (too much work and I’m still recovering from the frustration of dealing with this) and I’ll leave it to you to decide if you want to do it.
The people who write malware as sophisticated as FakeRean and TDL3 are obviously very talented programmers. I don’t understand why these people will use those talents to purposefully create something bad. C’mon guys, use your talents for something good instead!