Trojan/Virus (I think); "personalprotector.exe"



#1 thnikkaman (New Member, 6 posts)

So I let my brother on my computer; and next time I turn it on, it is much slower, has random popups, and has a 'Personal Protector' application. I am also unable to open Task Manager because "the file is infected. please activate your antivirus software". I came here last time many years ago when I had a similar problem (trojandownloader.xs), and you guys helped, so I am trying again.

I followed the directions in the 'malware and spyware cleaning guide,' but was unable to get Malwarebytes' Anti-Malware to work. I tried skipping that step, but when Firefox would coincidentally close every time I clicked on the avast! link, I gave up on the process. I even tried to create a log using OTL, but that would freeze after around 2 minutes.

I apologize for the fact that I can't help any more, and thank you in advance for the trouble you'll be going through.

P.S: this computer is running Windows XP

EDIT: I've tried to download the other antispyware programs you suggest, and all of them end up closing Firefox unexpectedly.

EDIT: So I was FINALLY able to circumvent the irritating spyware, downloaded a random-named MBAM.exe and ran a test. Most things SEEM to be in order now. Here is the log it gave me. PLEASE respond (it's been 18 hours since I first posted).

Malwarebytes' Anti-Malware 1.41
Database version: 3257
Windows 5.1.2600 Service Pack 2

11/29/2009 2:43:48 PM
mbam-log-2009-11-29 (14-43-48).txt

Scan type: Quick Scan
Objects scanned: 122267
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 2
Registry Keys Infected: 38
Registry Values Infected: 6
Registry Data Items Infected: 17
Folders Infected: 4
Files Infected: 45

Memory Processes Infected:
C:\Program Files\Personal Protector\personalprotector.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\winscent.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\funesabo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f1e9e080-4317-4dd8-ae87-2feeba5c09a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66088452-09c8-41ca-9e1c-76251dcdc1ac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\apar (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\parttimeb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4cbcc4e2-073c-4109-a719-458d8cf9900e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ae17dd77-e0f3-44dd-8cba-1ebce6b5ed55} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{506cd401-5203-4b27-bb5a-03c97758fd02} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\personal protector (Rogue.PersonalProtector) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veduhagud (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\internetprovider (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalprotector (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{66088452-09c8-41ca-9e1c-76251dcdc1ac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vayefurab (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pufikere.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pufikere.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\sonosuje.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\sonosuje.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harrison Weigel\Start Menu\Programs\Personal Protector (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector (Rogue.PersonalProtector) -> Delete on reboot.
C:\Program Files\Personal Protector\q (Rogue.PersonalProtector) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\pufikere.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Personal Protector\personalprotector.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\winscent.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jetebusu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonosuje.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\0e528dfb8424d63b37ea5b059c1e2136.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\TEMP\7d342a41cfa90e8bb30b632aaea3965c.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\rdlD4.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\6R01QFU7\u488[1].exe (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\LLZLLIAL\PersonalProtector[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harrison Weigel\Start Menu\Programs\Personal Protector\Personal Protector.lnk (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harrison Weigel\Start Menu\Programs\Personal Protector\Uninstall.lnk (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\base.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\baseadd.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\conf.wcf (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\quarant.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\queue.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\un.exe (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\certofSystem.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Explorers.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Microsoftdefend.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\regp.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\secureit.com (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\spoos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harrison Weigel\Desktop\Personal Protector.lnk (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harrison Weigel\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\binosino.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fivipute.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\funesabo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ligamosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\rdlD3.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft PData\track.wid (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Also, the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/29 14:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9870000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A85000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8590
Image Path: \Driver\PCI_PNP8590
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8A0E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spfx.sys
Image Path: spfx.sys
Address: 0xF72FB000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42cdba

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c398

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c9da

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42d568

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c0fa

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42de20

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42cfa0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42bcca

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42d1e4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42d394

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42bb7c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfx.sys" at address 0xf731aca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spfx.sys" at address 0xf731b032

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42dac0

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42cbe4

#: 119 Function Name: NtOpenKey
Status: Hooked by "spfx.sys" at address 0xf72fc0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42b8c6

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c87e

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42ba24

#: 160 Function Name: NtQueryKey
Status: Hooked by "spfx.sys" at address 0xf731b10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spfx.sys" at address 0xf731af8a

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42d91e

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c210

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c55a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42dc60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42d72e

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c70c

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42c772

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa9fed660

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaa42be92

==EOF==

OTL still freezes for some reason.
Also, Task Manager can be opened now.

Basically, my computer SEEMS fixed, I am now just wondering if it is really completely virus-free.

Edited by thnikkaman, 29 November 2009 - 01:59 PM.

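The MBAM log above is the only evidence the poster has that the cleanup worked, and the two details a responder actually cares about are buried in 150 lines: which items are still flagged "Delete on reboot" (they are not gone until the machine restarts) and which registry values were hijacked (Winlogon Userinit and Shell, AppInit_DLLs, the DisableTaskMgr policy that explains the blocked Task Manager). As an added example, not part of the original post and not Malwarebytes' own tooling, the following Python script parses MBAM 1.x log lines in the format shown and pulls those out. The line format is inferred from the quoted log; the embedded sample is a trimmed excerpt of it, and the list of autostart locations and their labels is the example's own choice, not a classification MBAM makes.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarise what still
needs attention. Added example, not code from the forum post or from
Malwarebytes; the log format is inferred from the log quoted on the page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the MBAM log posted above, trimmed to a
# few representative entries from each section.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Scan type: Quick Scan
Memory Processes Infected: 2
Registry Data Items Infected: 3

Memory Processes Infected:
C:\Program Files\Personal Protector\personalprotector.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalprotector (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\internetprovider (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pufikere.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\pufikere.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>)" and the optional "Bad: (x) Good: (y)" detail field.
_TARGET_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\)$")
_BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\)$")

# Autostart / policy locations the posted log shows being abused. The grouping
# and labels are this example's own (assumed) choice, not MBAM's.
_PERSISTENCE = [
    (re.compile(r"\\Winlogon\\Userinit$", re.I), "Winlogon Userinit"),
    (re.compile(r"\\Winlogon\\Shell$", re.I), "Winlogon Shell"),
    (re.compile(r"\\AppInit_DLLs$", re.I), "AppInit_DLLs"),
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "Run key"),
    (re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I), "ShellServiceObjectDelayLoad"),
    (re.compile(r"\\SharedTaskScheduler\\", re.I), "SharedTaskScheduler"),
    (re.compile(r"\\Browser Helper Objects\\", re.I), "Browser Helper Object"),
    (re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I), "Task Manager policy"),
]


@dataclass
class Entry:
    section: str
    path: str
    detection: str
    action: str
    detail: Optional[str] = None
    bad: Optional[str] = None   # value MBAM found (hijacked)
    good: Optional[str] = None  # value MBAM restored


def parse_entry(section: str, line: str) -> Optional[Entry]:
    """One log line: '<target> [-> <detail>] -> <action>'; None if malformed."""
    head, _, action = line.rpartition(" -> ")
    target, _, detail = head.partition(" -> ")
    m = _TARGET_RE.match(target)
    if not action or not m:
        return None
    entry = Entry(section, m["path"], m["detection"], action.strip(), detail or None)
    if detail:
        bg = _BADGOOD_RE.match(detail)
        if bg:
            entry.bad, entry.good = bg["bad"], bg["good"]
    return entry


def parse_mbam_log(text: str) -> List[Entry]:
    """Walk the log; section headers end with ':' and entries contain ' -> '."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]
        elif line and section is not None and " -> " in line:
            entry = parse_entry(section, line)
            if entry is not None:
                entries.append(entry)
    return entries


def pending_reboot(entries: List[Entry]) -> List[Entry]:
    """Items MBAM could not remove while running: still present until a reboot."""
    return [e for e in entries if e.action.lower().startswith("delete on reboot")]


def hijacked_values(entries: List[Entry]) -> List[Entry]:
    """Registry data MBAM reset from a hijacked value to the default one."""
    return [e for e in entries if e.bad is not None]


def persistence_summary(entries: List[Entry]) -> Dict[str, int]:
    """Count registry entries per autostart mechanism (first matching label wins)."""
    counts: Dict[str, int] = {}
    for e in entries:
        if not e.path.upper().startswith("HKEY"):
            continue
        for pattern, label in _PERSISTENCE:
            if pattern.search(e.path):
                counts[label] = counts.get(label, 0) + 1
                break
    return counts


def report(text: str) -> str:
    entries = parse_mbam_log(text)
    lines = [f"{len(entries)} entries parsed"]
    lines += [f"PENDING REBOOT: {e.path} ({e.detection})" for e in pending_reboot(entries)]
    lines += [f"RESTORED: {e.path}: {e.bad!r} -> {e.good!r}" for e in hijacked_values(entries)]
    lines += [f"PERSISTENCE: {k}: {n}" for k, n in sorted(persistence_summary(entries).items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a full saved log (`parse_mbam_log(open("mbam-log.txt").read())`) and the "PENDING REBOOT" lines answer the poster's closing question directly: anything listed there, the Vundo DLLs and the Personal Protector executable included, is still on disk until the machine has been restarted and rescanned. The "RESTORED" lines are the ones worth re-checking by hand afterwards, since a surviving dropper can simply set Userinit, Shell or DisableTaskMgr again.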