Removed: PRAGMAd.sys, datext.dll, napstatxt.exe, datprot.exe (FakeAV – Data Protection)

I will tell you in this post how to fix the issue manually and how to clean it automatically using a special powerful removal tool. You can download the removal program for free here:

Malware: C:\sand-box\ad.exe

Removed: C:\WINDOWS\PRAGMAxdnyribivn\PRAGMAd.sys
C:\Program Files\Data Protection\datext.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\napstatxt.exe
C:\Program Files\Data Protection\datprot.exe



—————————————————————————————————————————-
After first reboot detected by UnHackMe:

Item Name: PRAGMAxdnyribivn
Author:
Related File: C:\WINDOWS\PRAGMAXDNYRIBIVN\PRAGMAD.SYS
Type: Services detected by Partizan

Item Name: SimpleShlExt
Author: Unknown
Related File: C:\PROGRA~1\DATAPR~1\DATEXT.DLL
Type: Context Menu Handlers



Item Name: napstatxt.exe
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\NAPSTATXT.EXE
Type: Registry Run

Item Name: Data Protection
Author: Unknown
Related File: C:\PROGRAM FILES\DATA PROTECTION\DATPROT.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 2
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.15370.0   2010.05.11    Trojan.Generic.KD.11081
Kaspersky   7.0.0.125     2010.05.11    Trojan-Downloader.Win32.FraudLoad.xcxr
Microsoft   1.5703        2010.05.11    Trojan:Win32/FakeCog
NOD32       5106          2010.05.11    Win32/Adware.DataProtection.AA

—————————————————————————————————————————-
Additional information
File size: 417792 bytes
MD5 : 77ee9903702c33f5c588ca8b3df54a47
SHA1 : b4615db79c2b2c0b215dcafdc2c59a8bf4c0ce38
SHA256: 5362a754744023742a542c7139f0ad9c23808e1a2d1bf3a125e4945607d26a2b
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:20
———————————-
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection
HKLM\Software\Data Protection
HKLM\Software\PRAGMA
HKLM\Software\PRAGMA\versions
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000
HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\PCI\VEN_1274&DEV_1371&SUBSYS_13711274&REV_02
HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\PCI\VEN_1274&DEV_1371&SUBSYS_13711274&REV_02\4&47B7341&0&0888
HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\PCI\VEN_1274&DEV_1371&SUBSYS_13711274&REV_02\4&47B7341&0&0888\DirectSound
HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\PCI\VEN_1274&DEV_1371&SUBSYS_13711274&REV_02\4&47B7341&0&0888\DirectSound\Speaker Configuration
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\modules
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device

———————————-
Values added:59
———————————-
HKLM\Software\f7c5da73-b4a5-4947-8f40-08f2871eb36b: “”
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt\: “{5E2121EE-0300-11D4-8D3B-444553540000}”
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\: “C:\PROGRA~1\DATAPR~1\datext.dll”
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\ThreadingModel: “Apartment”
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\: “SimpleShlExt Class”
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt\: “{5E2121EE-0300-11D4-8D3B-444553540000}”
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 0x00000001
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}: “Data Protection extension”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\DisplayIcon: “C:\Program Files\Data Protection\datprot.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\DisplayName: “Data Protection”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\DisplayVersion: “1.0”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\Publisher: “Data Protection”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\UninstallString: “C:\Program Files\Data Protection\Pklkvqdii+`}`”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Data Protection\URLInfoAbout: “”
HKLM\Software\Data Protection\Settings_0: 0x00000001
HKLM\Software\Data Protection\SecStatus_3: 0x00000001
HKLM\Software\Data Protection\SecStatus_4: 0x00000001
HKLM\Software\Data Protection\SecStatus_5: 0x00000001
HKLM\Software\Data Protection\FD: 0x00000000
HKLM\Software\Data Protection\GUID: “455459944554590445545814”
HKLM\Software\Data Protection\Data: “:1932:2298:2420:2542:2664:2786:2908:3152:3274:3396:”
HKLM\Software\Data Protection\swver: “4.0”
HKLM\Software\Data Protection\dbver: “1.1”
HKLM\Software\Data Protection\dbsigns: “62577”
HKLM\Software\Data Protection\dbverf: “1.1”
HKLM\Software\Data Protection\dbsignsf: “62577”
HKLM\Software\PRAGMA\affid: “traf”
HKLM\Software\PRAGMA\subid: “pragma”
HKLM\Software\PRAGMA\type: “no”
HKLM\Software\PRAGMA\build: “bbr”
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 50 52 41 47 4D 41 38 36 61 34 2E 74 6D 70 00 00 00
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\Service: “PRAGMAxdnyribivn”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\DeviceDesc: “PRAGMAxdnyribivn”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAXDNYRIBIVN\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\PCI\VEN_1274&DEV_1371&SUBSYS_13711274&REV_02\4&47B7341&0&0888\DirectSound\Speaker Configuration\Speaker Configuration: 0x00140004
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\modules\PRAGMAd: “\systemroot\PRAGMAxdnyribivn\PRAGMAd.sys”
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\modules\PRAGMAc: “\systemroot\PRAGMAxdnyribivn\PRAGMAc.dll”
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\start: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\type: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAxdnyribivn\imagepath: “\systemroot\PRAGMAxdnyribivn\PRAGMAd.sys”
HKCU\Software\24d1ca9a-a864-4f7b-86fe-495eb56529d8: “”
HKCU\Software\7bde84a2-f58f-46ec-9eac-f1f90fead080: “”
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\FriendlyName: “Default MidiOut Device”
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\CLSID: “{07B65360-C445-11CE-AFDE-00AA006C14F4}”
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\FilterData: 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 6D 69 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\MidiOutId: 0xFFFFFFFF
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\FriendlyName: “Default DirectSound Device”
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\CLSID: “{79376820-07D0-11CF-A24D-0020AFD79767}”
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\FilterData: 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 A8 00 00 00 B8 00 00 00 31 74 79 33 00 00 00 00 A8 00 00 00 C8 00 00 00 32 74 79 33 00 00 00 00 A8 00 00 00 D8 00 00 00 33 74 79 33 00 00 00 00 A8 00 00 00 E8 00 00 00 34 74 79 33 00 00 00 00 A8 00 00 00 F8 00 00 00 35 74 79 33 00 00 00 00 A8 00 00 00 08 01 00 00 36 74 79 33 00 00 00 00 A8 00 00 00 18 01 00 00 37 74 79 33 00 00 00 00 A8 00 00 00 28 01 00 00 61 75 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 01 00 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 09 00 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 03 00 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 92 00 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 40 02 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 41 02 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 64 01 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71 49 02 00 00 00 00 10 00 80 00 00 AA 00 38 9B 71
HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\DSGuid: “{00000000-0000-0000-0000-000000000000}”
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: “Yes”
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\napstatxt.exe: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\napstatxt.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Data Protection: “"C:\Program Files\Data Protection\datprot.exe" -noscan”

———————————-
Values modified:1
———————————-
(-) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000004

———————————-
Files added:44
———————————-
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
C:\Documents and Settings\Administrator\Desktop\Data Protection Support.lnk
C:\Documents and Settings\Administrator\Desktop\Data Protection.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\4otjesjty.mof
C:\Documents and Settings\Administrator\Local Settings\Temp\841a.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\8de3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\93e9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\94f3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\961c.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\asd2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\dat.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\datr.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\kernel64xp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\napstatxt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMA86a4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMA8915.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\wscsvc32.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\About.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Activate.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Buy.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Data Protection Support.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Data Protection.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Scan.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Settings.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection\Update.lnk
C:\Program Files\Data Protection\about.ico
C:\Program Files\Data Protection\activate.ico
C:\Program Files\Data Protection\buy.ico
C:\Program Files\Data Protection\dat.db
C:\Program Files\Data Protection\datext.dll
C:\Program Files\Data Protection\dathook.dll
C:\Program Files\Data Protection\datprot.exe
C:\Program Files\Data Protection\datprot.exe_
C:\Program Files\Data Protection\help.ico
C:\Program Files\Data Protection\scan.ico
C:\Program Files\Data Protection\settings.ico
C:\Program Files\Data Protection\splash.mp3
C:\Program Files\Data Protection\Uninstall.exe
C:\Program Files\Data Protection\update.ico
C:\Program Files\Data Protection\virus.mp3
C:\WINDOWS\PRAGMAxdnyribivn\PRAGMAc.dll
C:\WINDOWS\PRAGMAxdnyribivn\PRAGMAcfg.ini
C:\WINDOWS\PRAGMAxdnyribivn\PRAGMAd.sys
C:\WINDOWS\PRAGMAxdnyribivn\PRAGMAsrcr.dat

———————————-
Files deleted:1
———————————-
C:\sand-box\ad.exe

———————————-
Files [attributes?] modified:3
———————————-
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

———————————-
Folders added:3
———————————-
C:\Documents and Settings\Administrator\Start Menu\Programs\Data Protection
C:\Program Files\Data Protection
C:\WINDOWS\PRAGMAxdnyribivn

———————————-
Folders attributes changed:2
———————————-
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

———————————-
Total changes:133
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friend's computers, because it is extremely fast and effective.




STEP 1: Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.


UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System requirements: Windows 2000 through Windows 8.1/10, 32-bit or 64-bit. UnHackMe uses minimal computer resources.

STEP 2: Double click on UnHackMe_setup.exe

You will see a confirmation screen showing the verified publisher: Greatis Software.

Once UnHackMe has installed, the first scan will start automatically.


STEP 3: Carefully review the detected threats!

Click the Remove button or False Positive.

Enjoy!
