Malicious File?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Plobbleses, Jun 5, 2011.

  1. Plobbleses

    Plobbleses Private E-2

    Hello.
    I accidentally came across this interesting file on my computer (Dell laptop, Windows XP 2003, SP3).

    It's called spoolssz.dll, C:\WINDOWS\system32\spoolssz.dll, 114176 b, created 6/1/2011
    It is completely invisible to the Windows file system; the only proof that it's there is that when you try to open it (say with the address bar) it says "Access Denied". I try to open it, edit it, copy it etc., and I can't; it's even read-locked (access denied).

    So, I hook the file system to get around these simple Windows access denials (like the lock on the system32\config folder); should work. Doesn't. The file is still access denied, so I figure that it's a low-level restriction. No problem, I kill the handles from the OS, go directly to the HDD and skip the boot sectors and disk management. So now I have perfect copies of the sectors where the file is stored; I then extract the arrays from the sectors and stick it back together (minus the hidden-ness bit).

    Turns out that the file is not only super well locked onto my HDD, it's also hidden, system, read-only, and essentially sits on its own, occupying 28 (114176 b) sectors of my HDD.
    I load up SLAX (a UNIX OS that runs straight from a read-only CD, SUPER-SECURE); this can see the file, but still cannot copy or edit it, let alone delete it. I boot up in Safe Mode: still invisible, can't access it.

    The file is internally signed with stuff like this (wide-character strings pulled from the recovered sectors):
    CompanyName  Microsoft Corporation
    FileDescription  Lexmark 3000
    The original name is OEMRES, its internal name is lxysres.dll; these are both Lexmark drivers. Problem is that I have never owned anything Lexmark, never plugged my laptop into anything Lexmark, my work has nothing Lexmark, there is no bummy Lexmark rubbish on the three networks I use (Home, Work, GF's Home), and I've never even installed any Lexmark software. Internally, the file isn't really very malicious; it is full of French (?) words for printing things (like Faxia, Envelop).

    So, what I'm wondering is... how the f*** do I get rid of this s***? It is really bugging me that I cannot delete it; it took about 3 hours just to retrieve the sectors. It doesn't look to be malicious; it could just be a ghost file that's sitting on some corrupted bit of my HDD. However, I don't want to risk it being malicious, and I can't risk it damaging my computer. I need my laptop for work; without it I could even lose my job (if I'm really unlucky). So I really want people's thoughts on how I get rid of this file without reinstalling Windows.

    Thanks.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I normally would tell you to do the Read and Run First instructions, but we can see if we can just remove this file:

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!
    * Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Attach the C:\Avenger.txt log.
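Before handing the file to a removal tool, a practitioner would first want to confirm what the first post found by hand. The following triage script is an added example and is not part of the thread or of The Avenger; it assumes PowerShell 2.0 (the last release for XP) run from an elevated prompt, the path given in the first post, and uses the legitimate spooler DLL spoolss.dll (whose name the suspect file imitates) as a comparison baseline. It distinguishes a file that is missing from the directory listing from one whose content is merely access-denied, then reads the same version-resource strings the poster extracted from raw sectors and checks whether any real Authenticode signature backs them.

```powershell
# Added triage example, not code from the thread. Assumptions: PowerShell 2.0 on XP,
# elevated prompt, the suspect path from the post, and spoolss.dll as a known-good
# baseline for comparison.
$Suspect   = 'C:\WINDOWS\system32\spoolssz.dll'
$KnownGood = 'C:\WINDOWS\system32\spoolss.dll'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, because Get-FileHash does not exist before PowerShell 4.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-FileTriage([string]$Path) {
    Write-Host "=== $Path ==="

    # 1. Directory-level metadata. Attributes, size and timestamps come from the
    #    directory entry, so this usually succeeds even when the file's own ACL
    #    denies you. -Force keeps hidden/system attributes from filtering it out.
    try {
        $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    } catch {
        # Not found even with -Force means the entry is absent from the listing
        # (the poster's "invisible" case); that is something below the file
        # system hiding it, not an ACL problem.
        Write-Host "Get-Item failed: $($_.Exception.Message)"
        return
    }
    $item | Select-Object Length, CreationTime, LastWriteTime, Attributes | Format-List

    # 2. Can the content be opened? Access denied here, with a normal directory
    #    entry, points at ownership/ACLs (see Get-Acl below). Denied even for an
    #    administrator who owns the file points at a kernel-level lock, which is
    #    what the poster describes.
    $readable = $false
    try {
        $fs = [System.IO.File]::OpenRead($Path); $fs.Close(); $readable = $true
    } catch {
        Write-Host "Open for read failed: $($_.Exception.Message)"
    }
    try   { Get-Acl -Path $Path | Select-Object Owner, AccessToString | Format-List }
    catch { Write-Host "Get-Acl failed: $($_.Exception.Message)" }
    if (-not $readable) { return }

    # 3. Version resource: the same CompanyName / FileDescription /
    #    OriginalFilename / InternalName strings the poster pulled from the raw
    #    sectors. They are free text set by whoever built the file and prove nothing.
    $item.VersionInfo |
        Select-Object CompanyName, FileDescription, OriginalFilename, InternalName, FileVersion |
        Format-List

    # 4. Authenticode. On XP most Microsoft system DLLs are catalog-signed, which
    #    this cmdlet does not consult, so NotSigned is normal there (the baseline
    #    will show it too). What matters is a signature that is present but
    #    invalid (HashMismatch) or from a signer that does not match the claimed
    #    CompanyName.
    Get-AuthenticodeSignature -FilePath $Path |
        Select-Object Status, StatusMessage, @{n='Signer'; e={ $_.SignerCertificate.Subject }} |
        Format-List

    # 5. Hash for lookup against a clean install or a vendor / multi-engine database.
    Write-Host ("SHA256: " + (Get-Sha256Hex $Path))
}

Test-FileTriage $Suspect
Test-FileTriage $KnownGood   # baseline to compare attributes, version strings and hash against
```

If step 1 fails while the file is visible from a boot CD, as in the first post, the hiding is done by a driver and no amount of ACL repair will help; that is the case a tool like The Avenger, which deletes at the next reboot, is meant for. If step 2 fails but Get-Acl shows an owner you can take over, plain ownership and ACL repair is enough and no removal tool is needed.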
     
