Impossible-to-remove malware



BBalazs
2007-12-16, 16:00
I have a problem with a piece of malicious code that made its way into my PC. Spybot S&D does not detect it (yet), but I also checked advanced mode. In advanced mode, under BHOs, I found a 'blank' BHO which refers to C:\Windows\system32\deskper.dll. On clicking the 'Remove' button, Spybot is unable to remove the entry.

Deskper.dll has no information about its purpose and author, unlike other dlls in the system32 folder, which is another reason why I find it suspicious. It can -not- be deleted (access denied), not even in safe mode, or safe mode command prompt only.

BHOs also have a registry entry. I made a search for it, found it, (yes, it does refer to deskper.dll) - and tried to delete it. Regedit was unable to do it. Not even in safe mode, or safe mode command prompt. Renaming is of no use either - it doesn't work.

Please - is there any way to get rid of this 'thing'? I have tried everything I could so far...

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-29 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-04-18 advcheck.dll (1.5.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-12-12 Includes\Cookies.sbi
2007-10-31 Includes\Dialer.sbi
2007-12-12 Includes\DialerC.sbi
2007-11-07 Includes\Hijackers.sbi
2007-12-12 Includes\HijackersC.sbi
2007-10-04 Includes\Keyloggers.sbi
2007-12-12 Includes\KeyloggersC.sbi
2004-05-12 Includes\LSP.sbi
2007-11-07 Includes\Malware.sbi
2007-12-12 Includes\MalwareC.sbi
2007-10-24 Includes\PUPS.sbi
2007-12-12 Includes\PUPSC.sbi
2007-12-12 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi
2007-12-12 Includes\SecurityC.sbi
2007-11-07 Includes\Spybots.sbi
2007-12-12 Includes\SpybotsC.sbi
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi
2007-12-12 Includes\TrojansC.sbi
2007-06-06 Plugins\TCPIPAddress.dll

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2004.05.12. 0:03:00
Date (last access): 2007.12.16. 14:16:04
Date (last write): 2005.05.31. 1:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0\bin\
Long name: ssv.dll
Short name:
Date (created): 2007.02.22. 15:02:36
Date (last access): 2007.12.16. 14:16:46
Date (last write): 2007.02.22. 15:02:36
Filesize: 501384
Attributes: archive
MD5: 55A2F8AE42C4B347173F1AEDE5061BE3
CRC32: E41413E9
Version: 6.0.0.105

{CC59E0F9-7E43-44FA-9FAA-8377850BF205} (FDMIECookiesBHO Class)
BHO name:
CLSID name: FDMIECookiesBHO Class
Path: C:\Program Files\Free Download Manager\
Long name: iefdmcks.dll
Short name:
Date (created): 2006.10.18. 17:00:30
Date (last access): 2007.12.16. 14:16:48
Date (last write): 2006.08.10. 1:54:42
Filesize: 81920
Attributes: archive
MD5: D6E11FC501D14F5C5CDA50CF3F8FE202
CRC32: D66BCAA0
Version: 480.0.0.0

{F5AB3D08-AFEC-4D52-8662-080BF2D6E1AF} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: deskper.dll
Short name:
Date (created): 2007.12.15. 13:24:28
Date (last access): 2007.12.16. 13:56:34
Date (last write): 2001.10.26. 13:00:00
Filesize: 84992
Attributes: archive
MD5: BCF3A381BBE26D9C1EC24BAC8B18F567
CRC32: 160A89E9


If you wish, I could try to export the registry entry and make a copy of the dll - and then make it available to you in some way.

(By the by, some time ago I found that TeaTimer had been removed from the list of automatically starting applications. I restarted it from within Spybot. On starting 'My Computer' (note: this applies also when opening a folder of any kind - thus, the execution of explorer.exe is likely to trigger the event) something tries to remove TeaTimer from automatic start. I blacklisted this event. Yet sometimes I found that I still have to start TeaTimer manually... somehow it is still removed at times. I am not convinced that it is caused by deskper.dll too, but - it might be possible...)

Any help greatly appreciated - if you need further information, I'm glad to provide it.
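The two things the post checks by hand (the BHO registry entry and the DLL's missing version metadata) can be checked in one pass. The script below is an added PowerShell example, not code from this thread or from Spybot; it assumes Windows PowerShell 5.1 or later and the standard BHO registration keys, resolves each CLSID through its InprocServer32 value, and flags entries whose DLL is missing, carries no publisher metadata, or has no valid Authenticode signature. It also prints the MD5 so the result can be compared with the Spybot listing above.

```powershell
# Added example: enumerate Browser Helper Objects and triage their DLLs.
# Not from the original thread; assumes Windows PowerShell 5.1+ and the standard
# BHO registration keys. Run from an elevated prompt so every key is readable.

function Get-BhoTriage {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }

        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            # The CLSID's InprocServer32 default value names the DLL that IE loads.
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $inproc) {
                $raw = (Get-ItemProperty -Path $inproc).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
            }

            $result = [PSCustomObject]@{
                CLSID       = $clsid
                Dll         = $dll
                Exists      = $false
                Company     = $null
                Description = $null
                Signature   = 'NotChecked'
                MD5         = $null
                Suspicious  = $false
            }

            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $vi = (Get-Item -LiteralPath $dll).VersionInfo
                $result.Exists      = $true
                $result.Company     = $vi.CompanyName
                $result.Description = $vi.FileDescription
                $result.Signature   = (Get-AuthenticodeSignature -FilePath $dll).Status
                # MD5 is what Spybot prints, so this value can be compared with its log.
                $result.MD5         = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
            }

            # Heuristic only: a BHO that points at a missing file, carries no publisher
            # metadata, or is unsigned deserves a closer look, as deskper.dll did.
            $result.Suspicious = (-not $result.Exists) -or
                                 [string]::IsNullOrWhiteSpace($result.Company) -or
                                 ("$($result.Signature)" -ne 'Valid')
            $result
        }
    }
}

# Show the registrations, suspicious ones first.
Get-BhoTriage | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

When an entry refuses deletion as described above, `Get-Acl` on the BHO key (for example the `{F5AB3D08-...}` entry from the listing) and on the DLL shows whether the access-denied errors come from altered permissions rather than from an open handle; the heuristic here only points at which entries to examine, it does not decide that a file is malicious.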

tashi
2007-12-16, 18:38
Hello.

This is the malware removal forum and the procedure is here: "BEFORE you POST"(READ this Procedure before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Spybot-S&D Forums (http://forums.spybot.info/forumdisplay.php?f=4)

Spybot-S&D is now at Version 1.5

Spybot - Search & Destroy Version 1.5 Download (http://www.spybot.info/en/download/index.html)

Uninstall previous version (http://www.safer-networking.org/en/howto/uninstall.html)

Tutorial (http://www.spybot.info/en/tutorial/index.html)

Available as a Beta which resolves some minor issues found in the first release: http://forums.spybot.info/showthread.php?t=20250

There may be another beta released around Christmas time.

Beta Forum: http://forums.spybot.info/forumdisplay.php?f=12

To receive assistance in this malware removal forum, copy/paste the logs requested into a new topic, then I will close this one as helpers look for zero response. ;)

Best regards.