Cannot delete suspect file

Discussion in 'Malware Help (A Specialist Will Reply)' started by DeeEmmTee, May 1, 2010.

  1. DeeEmmTee

    DeeEmmTee Private E-2

    Hello,
    I had a Google search redirect problem but following the "READ & RUN ME FIRST, Malware Removal Guide" seems to have cured it ... HOWEVER something was left behind ! My AntiVirus scans keep picking up a file that they (and I) cannot remove.

    The file is called epleoghs.sys and is located in the C/Windows/system32/drivers folder. Trying to delete it gives an error message: "Cannot delete epleoghs; Cannot read from the sourcefile or disk." The RootRepeal scan (part of the "Windows XP Cleaning Procedure") also identified the file, stating "EPLEOGHS.SYS - Locked to the Windows API!", but could not delete it.

    I have tried removing it using Malwarebytes' 'File Assassin' tool, KillBox, Hitman Pro, CCleaner and Unlocker but to no avail. It won't be moved.

    I can find no reference to "epleoghs" within these forums, nor indeed anywhere on the internet! Any idea what it is, where it came from, what it does and - more importantly - how to get rid of it ?!

    The "Windows XP Cleaning Procedure" scan logs are attached (if required). Any assistance would be gratefully received. Many thanks.

    (MGlogs.zip is attached to a separate post)

    David M Tudor (a.k.a. DeeEmmTee)
     


  2. DeeEmmTee

    DeeEmmTee Private E-2

    Part 2 of the above New Thread - final Scan Log (MGlogs.zip) attached.

    Cheers.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have a little work to do.

    Please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    * When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
    c:\windows\system32\drivers\epleoghs.sys
    * After Wiping all files, immediately reboot your pc!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    Driver::
    23fbe2a5
    
    File::
    c:\windows\system32\drivers\23fbe2a5.sys
    c:\windows\system32\drivers\eusk3usb.sys
    c:\windows\system32\drivers\eusk2par.sys
    C:\WINDOWS\Tasks\ParetoLogic Registration.job
    C:\Documents and Settings\LocalService\Local Settings\Application Data\AVG
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\585449509
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\avG
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\c7vdif
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\VI713260
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\w1vjs2h771
    C:\Documents and Settings\All Users\Application Data\585449509
    C:\Documents and Settings\All Users\Application Data\avG
    C:\Documents and Settings\All Users\Application Data\c7vdif
    C:\Documents and Settings\All Users\Application Data\VI713260
    C:\Documents and Settings\All Users\Application Data\w1vjs2h771
    C:\Documents and Settings\David & Julia\Templates\585449509
    C:\Documents and Settings\David & Julia\Templates\avG
    C:\Documents and Settings\David & Julia\Templates\c7vdif
    C:\Documents and Settings\David & Julia\Templates\VI713260
    C:\Documents and Settings\David & Julia\Templates\w1vjs2h771
    C:\WINDOWS\ivlat31b.dat
    C:\WINDOWS\Temp\242782c8e3ba3ca59bb67cd4.tmp
    C:\WINDOWS\Temp\2c7f2b4f964356b2c976d15.tmp
    C:\WINDOWS\Temp\5da8e7b181ef07350d1216.tmp
    C:\WINDOWS\Temp\a32c117e123e3b5f30b08491.tmp
    C:\WINDOWS\Temp\be8123e32264a86ae73a4778.tmp
    C:\WINDOWS\Temp\c7cad870a77ea55a1551a2a5.tmp
    C:\WINDOWS\Temp\d5b3d02fcf059bcc21ad7433.tmp
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
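The CFScript text boxes in this thread use a small line-oriented format: a section header ending in `::` (KILLALL::, SecCenter::, Driver::, File::, Folder::, Registry::) followed by one entry per line. The following is an added example, not code from MajorGeeks or ComboFix, that parses such a script and summarises what it would ask ComboFix to do, so a helper can review a script before a user drags it onto ComboFix.exe. It assumes the section names seen in this thread and the bracketed `[-KEY]` registry form used here; the sample script is constructed from a few entries of the first script above.

```python
"""Parser and sanity-checker for ComboFix CFScript text.

Added example (not MajorGeeks' or ComboFix's own code). It understands the
section headers used in this thread and the bracketed registry-key form;
ComboFix's other registry syntax (value lines under a key) is not handled.
"""
import re
from collections import OrderedDict

# Section headers seen in the thread; anything else is flagged, not rejected.
KNOWN_SECTIONS = {"KILLALL", "SecCenter", "Driver", "File", "Folder", "Registry"}

# Constructed sample that reuses a few entries from the thread's first script.
SAMPLE_SCRIPT = r"""KILLALL::
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
Driver::
23fbe2a5

File::
c:\windows\system32\drivers\23fbe2a5.sys
C:\WINDOWS\Tasks\ParetoLogic Registration.job

Folder::
C:\Documents and Settings\HelpAssistant

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
"""

HEADER_RE = re.compile(r"([A-Za-z]+)::")          # e.g. "File::"
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\")           # drive-letter absolute path
REG_RE = re.compile(r"\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]")  # "[-KEY]" or "[KEY]"


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank separator lines carry no meaning
        header = HEADER_RE.fullmatch(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_action(entry):
    """Classify a Registry:: line: '[-KEY]' deletes the key, '[KEY]' selects it."""
    m = REG_RE.fullmatch(entry)
    if not m:
        raise ValueError(f"unrecognised registry entry: {entry!r}")
    return ("delete_key" if m.group(1) else "set_key", m.group(2))


def lint(sections):
    """Collect review warnings: unknown sections and non-absolute paths."""
    warnings = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            warnings.append(f"unknown section: {name}")
        if name in ("File", "Folder"):
            for entry in entries:
                if not WIN_PATH_RE.match(entry):
                    warnings.append(f"{name}: not an absolute Windows path: {entry!r}")
    return warnings


def summarise(sections):
    """Summarise the actions a parsed script would ask ComboFix to take."""
    return {
        "kills_processes": "KILLALL" in sections,
        "security_center_guids": list(sections.get("SecCenter", [])),
        "drivers": list(sections.get("Driver", [])),
        "files": len(sections.get("File", [])),
        "folders": len(sections.get("Folder", [])),
        "registry": [registry_action(e) for e in sections.get("Registry", [])],
        "warnings": lint(sections),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_cfscript(SAMPLE_SCRIPT)).items():
        print(f"{key}: {value}")
```

Run it as a script to see the summary of the constructed sample; feed it the full text of a code box from this thread to review that script instead. The path check is the point of the exercise: a File:: or Folder:: entry that is not an absolute drive path is the kind of copy/paste slip the "scroll all the way down" warning above is guarding against.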
     
  4. DeeEmmTee

    DeeEmmTee Private E-2

    Tim,

    A big Thank You! I followed your instructions with the following results:

    1) Running HelpAsst_mebroot_fix.exe did NOT generate any logs. The first run through gave the message "HelpAssistant files to be deleted", but then flagged up "System cannot find the path specified". Running helpasst -mbrt finished by saying "Hit any key to continue" but produced no log. So I ran mbr -f followed (after the requisite reboot and delay) by helpasst -mbrt - but still no log.

    2) Everything else seemed to work ok and - Happy days! - the undeletable "epleoghs.sys" file has finally disappeared. Woo-hoo! (By the way, did you work out what caused it? And what made it so 'sticky'?)

    3) My Google search divert problem has also cleared up so - fingers crossed - it looks like I'm clean.

    I am posting the ComboFix.txt and MGlogs.zip files as requested. As I say, everything looks to have been fixed but do please let me know if there is anything else I should know or do as a result of the attached logs.

    My sincere thanks for sorting out my mess. You are a star!

    Regards.

    DeeEmmTee
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please make sure you have disabled your emulation software:
    It appears as though you once had AVG since there are many traces of it still on your system.
    Please go here and download and run the AVG Removal Tool.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    
    File::
    C:\Documents and Settings\David & Julia\Templates\c7vdif
    C:\Documents and Settings\David & Julia\Templates\VI713260
    C:\Documents and Settings\David & Julia\Templates\w1vjs2h771
    C:\WINDOWS\ivlat31b.dat
    C:\Documents and Settings\All Users\Application Data\c7vdif
    C:\Documents and Settings\All Users\Application Data\VI713260
    C:\Documents and Settings\All Users\Application Data\w1vjs2h771
    C:\Documents and Settings\David & Julia\Templates\585449509
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\c7vdif
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\VI713260
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\w1vjs2h771
    C:\Documents and Settings\All Users\Application Data\585449509
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\585449509
    C:\WINDOWS\Tasks\ParetoLogic Registration.job
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    C:\Documents and Settings\LocalService\Local Settings\Application Data\AVG
    C:\Documents and Settings\David & Julia\Local Settings\Application Data\avG
    C:\Documents and Settings\All Users\Application Data\avG
    C:\Documents and Settings\David & Julia\Templates\avG
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
