When AntiSpy Protector 2009 is installed on your computer it looks like every other rogue. It shows fake security alerts, displays fake scan alerts, and is a general nuisance. It is only when you try to remove this malware that you notice that your programs no longer work. While testing this program, I noticed that any program I ran to remove this malware was terminated, and then when I tried to run it again, I was told I did not have permission. It was then that I realized that something a little more devious was going on.
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7BE7000 Size: 20480 File Visible: No Signed: -
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF48DC000 Size: 61440 File Visible: No Signed: -
Status: Locked to the Windows API!
At this point I knew we had a rootkit on our hands. After investigating further, I saw that C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file has a size of 60,416 bytes, while the legitimate program is 407,040 bytes. After speaking to some security professionals, I learned that the files that were substituted are the actual loading point of the infection and that if we replace them with the legitimate file, the rootkit will be disabled. Other files that are substituted by this rootkit include scecli.dll and eventlog.dll.
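As an added illustration of the size check described above (this is example code, not the author's procedure or any tool from the post), the following Python compares the three named DLLs against reference copies and flags both the size mismatch the post reports and the subtler case where a substituted file keeps the original size. The reference directory layout, the "MZ" padding and the sample sizes in demo() are constructed assumptions.

```python
import hashlib
import os
import tempfile

# DLLs the post reports as substituted by this rootkit.
SUBSTITUTED_DLLS = ("netlogon.dll", "scecli.dll", "eventlog.dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_reference(system32, reference, names=SUBSTITUTED_DLLS):
    """Return {name: reason} for each DLL whose live copy differs from its reference.

    The reference copies must come from a trusted source (e.g. clean install media);
    a cache on the infected machine may itself have been replaced."""
    findings = {}
    for name in names:
        live, ref = os.path.join(system32, name), os.path.join(reference, name)
        if not os.path.exists(ref):
            findings[name] = "no reference copy available"
            continue
        if not os.path.exists(live):
            findings[name] = "missing from System32"
            continue
        live_size, ref_size = os.path.getsize(live), os.path.getsize(ref)
        if live_size != ref_size:  # the indicator the post observed for netlogon.dll
            findings[name] = f"size mismatch: {live_size} vs reference {ref_size}"
        elif sha256_of(live) != sha256_of(ref):  # same size is not proof of integrity
            findings[name] = "same size but content differs from reference"
    return findings


def demo():
    """Constructed sample: a 60,416-byte netlogon.dll beside a 407,040-byte reference,
    a same-size but altered scecli.dll, and an untouched eventlog.dll."""
    good = b"MZ" + b"\0" * (407040 - 2)  # fake PE-sized filler, not a real DLL
    with tempfile.TemporaryDirectory() as root:
        system32, ref = os.path.join(root, "System32"), os.path.join(root, "ref")
        os.makedirs(system32), os.makedirs(ref)
        for name in SUBSTITUTED_DLLS:
            for folder in (system32, ref):
                with open(os.path.join(folder, name), "wb") as f:
                    f.write(good)
        with open(os.path.join(system32, "netlogon.dll"), "wb") as f:
            f.write(b"MZ" + b"\0" * (60416 - 2))
        with open(os.path.join(system32, "scecli.dll"), "wb") as f:
            f.write(good[:-1] + b"\x01")
        return compare_against_reference(system32, ref)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```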
Luckily for us, a process has been developed to remove this infection, but it requires a customized solution for each person who may be infected. Therefore, I am unable to write a self-help guide on how to remove AntiSpy Protector 2009 or the rootkit defending it. If you are infected with this rogue, or your computer starts exhibiting the behavior of security programs terminating and then getting permission denied when you try to run them again, then there is a good chance you have this rootkit on your computer.
If that is the case, I suggest that you create a new topic in our Malware Removal section in order to receive help cleaning your computer.
On a last note, I strongly suggest that you do not delete the files listed above unless you are 100% sure that they are not the legitimate ones as doing so could affect the proper performance of your computer.