Written by Tomas Meskauskas
Damage level: High
Win32/FakeRean family of fake antivirus programs
The FakeRean/Braviax family of fake antivirus programs is developed and distributed by cyber criminals. The main purpose of these rogue programs is to infiltrate users' operating systems and display fake security scans to trick users into purchasing a fake license key. Cyber criminals responsible for creating these bogus programs use 'exploit kits' to infiltrate users' systems. Exploit kits rely on outdated software to infect users' operating systems, and therefore, keeping your installed software up-to-date can drastically reduce the risk of computer virus infection. The Braviax/FakeRean family of rogues is well known for the name-changing capability of its fake antivirus programs. The bogus programs from this family detect the operating system of the computers targeted for infiltration and modify their names accordingly. For example, when infecting a computers running the Windows 7 operating system, rogue programs from this family appear as Windows 7 Antivirus, Windows 7 Internet Security, Windows 7 Home Security, or Win 7 Security. Windows XP users observe these bogus programs appearing as Windows XP Antivirus, Windows XP Internet Security, etc.
The main reason for distribution of these rogue programs is to convince PC users into believing that their computers are at risk, and then to sell the useless license keys. In fact, paying for any program from the FakeRean/Braviax family is equivalent to sending your money to cyber criminals - you will lose your money and divulge your banking information, potentially leading to further thefts from your account. PC users should express caution when purchasing security software to protect their computers since the Internet is rife with fake versions. Always research these products before purchasing any antivirus program. Furthermore, no legitimate antivirus programs start security scans each time the user loads their operating system. Common sources of fake antivirus programs from this family are infected email messages, malicious websites, and drive-by downloads. To protect your computer from security infections such as this, keep your operating system and all installed software up-to-date and use legitimate antivirus and anti-spyware software.
The following are the names of some variations used by fake antivirus programs from this family:
Win 7/XP/Vista Antivirus 2012/2013
Win 7/XP/Vista Anti-spyware 2012/2013
Win 7/XP/Vista Internet Security 2012/2013
Win 7/XP/Vista Security 2012/2013
Win 7/XP/Vista Home Security 2012/2013
Win 7/XP/Vista Total Security
Win 7/XP/Vista Security Cleaner
Win 7/XP/Vista Defender
Screenshots of various user interfaces used by rogue antivirus programs from the FakeRean/Braviax family:
Fake security warning messages used to trick computer users into purchasing bogus antivirus programs:
Activate your copy right now and get full real-time protection with [Fake Antivirus Name]!
ALERT! System scan for spyware, adware, Trojans and viruses is complete. [Fake Antivirus Name]! detected 30 critical system objects. These security breaches may be exploited and lead to the following:
Your system becomes a target for spam and bulky, intruding ads
Browser crashes frequently and web access speed decreases
Your personal files, photos, documents and passwords get stolen
Your computer is used for criminal activity behind your back
Bank details and credit card information gets disclosed
Click REGISTER to register your copy of Fake Antivirus Name]! and perform threat removal on your system. The list of infections and vulnerabilities detected will become available after registration.
Fake Antivirus Name]! Alert - [Fake Antivirus Name]! has blocked a program from accessing the Internet
This program is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.
Name: Microsoft Windows Operating System
Company: Microsoft Corporation
Windows recommend Activate [Fake Antivirus Name]!
Click "Yes, Activate…" to register your copy of [Fake Antivirus Name]! and perform threat removal on your system.
Yes, activate [Fake Antivirus Name]! (Recommended)
No, Continue unprotected (Dangerous)
Rogue antivirus programs from FakeRean/Braviax family removal:
Cyber criminals who create these fake antivirus programs use an identical license key for most of them. Entering one of these keys makes removal of the fake antivirus program less complicated. Entering these keys forces the fake antivirus program into behaving as if you have purchased the license key and allows execution of installed programs (including legitimate antivirus and anti-spyware software).
IMPORTANT! Before downloading: Click the "Registration" button located at the top right corner of the fake antivirus main window, and when the registration window opens, enter this registry key in the "Reg key" field and click "Activate":
When the registration key is entered, the fake antivirus program will behave as if you have purchased the full version and will cease generating fake security warning messages. It will also allow you to run programs and anti-spyware software. Note that registering this program will not remove it from your PC, it will simply disable the fake pop-up windows and allow to access the Internet. After you enter this key, you can download the recommended spyware remover (use the button below) and remove this bogus antivirus software.
NOTE: If you cannot run remover, right-click on it and select "Run as administrator". If installation of spyware remover fails, or you cannot open .exe files, try the Customized installer built by our technicians to bypass spyware infections and install removers regardless. It is a DOS program, that most spyware does not block.
If, after or before, removal of this scam you are unable to run your installed programs, the fake antivirus program has modified your operating system's .exe file associations. When you try to run any executable, Windows will open the "select program" dialogue and will not execute the program. To fix this, download a registry fix (link below). Save it to your computer, double click it, click yes and then ok. After rebooting your PC, file associations should function normally.
If you cannot open your browser (Internet explorer, Firefox, Google Chrome, or Opera):
Fake antivirus programs from this family hijacks Internet browsers, modify registry settings and disable execution of programs. For such cases, our developers have developed a custom installer. It is useful when you are unable to browse the Internet or run .exe files. It starts like MS-Dos program, runs some registry fixes, and then initiates execution of a installer. When tested, this installer worked on the Windows 7, Windows Vista and XP operating systems infected with most common spyware infections.
To use this installer, click Windows logo button (Start)
In the search field, enter this link: www.pcrisk.com/installer.com and then press ENTER.
The fake antivirus program will generate a fake warning after pressing ENTER. Ignore it and click "No, stay unprotected..." on this message.
File download dialogue will appear, reporting that you are downloading file installer.com. Click Run, wait for download to finish, and then follow the on-screen instructions. Windows may warn you that opening unknown files may be unsafe. Ignore these warnings.
If your Internet browsers work, use this button to download customized installer.
Manual removal of fake antivirus programs from the FakeRean/Braviax family:
Some spyware block the download of spyware removers. If you are unable to download it using the default location, try one of the alternative download locations below:
- Location 1 (the file is renamed to "iexplore.exe", since most spyware does not block this file)
- Location 2
If installation of the remover fails, try downloading the customized installer, which was built by our technicians to bypass spyware infections. Download customized installer
If you are still unable to download or run spyware-removing software, please perform these steps:
Download the registry fix. This fix removes registry entries that disallow execution of programs in some variants of this spyware. To download it, click the link below. After downloading, double click win7_av_fix.reg file, click Yes when requested and then click OK.
Some variants of this spyware modify the system proxy settings to prevent access to the Internet, or website addresses are redirected to malicious or phishing websites. To reset proxy settings to default, download and run this tool:
Fake antivirus programs from this family modify the system Hosts file. The Hosts file is used to resolve canonical names of websites to IP addresses. When it is changed, the user may be redirected to malicious sites, despite seeing legitimate URLs in address bar. It is difficult to determine sites are genuine when the Hosts file is modified. To fix this, please download the Microsoft Fix It tool, that restores your Hosts file to the Windows default. Run this tool when downloaded and follow the on-screen instructions. Download link below:
That's It! You can now try to download Spyware remover or install and run it if already downloaded. In most cases, this leads to success, however, if not, please describe your problem in our FORUM and our technicians will try to help.
Other tools known to remove fake antivirus programs from the FakeRean/Braviax family: