Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Oldmittay on February 02, 2010, 09:38:28 AM

Title: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 02, 2010, 09:38:28 AM
Hello, I have the avast! 4.8 home edition, and starting today I have begun receiving avast!Warning messages telling me that the following suspicious file was detected on my computer:

File Name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services

The 1st time I received this warning, I followed the recommended action, which was to ignore, and was then prompted by avast! to run a scan boot, which I did. A few dangerous files were found during the scan, and I elected to delete them all. However, after the scan was finished and my computer rebooted, I received the same avast!Warning for C:\Windows\System32\Drivers\dbliw.sys, and this time I decided to delete the file. I was again prompted to run scan boot, which I did, and this time no dangerous files were found during the scan. After rebooting again, I received the avast!Warning for a 3rd time, and this is where I now stand.

I have done a google search for the file C:\Windows\System32\Drivers\dbliw.sys, but can't seem to find any information about it. Was this a case of a false-positive? Have I done my computer irreparable damage by deleting it? :-[ When I individually scan the file with ad-aware, it tells me no threats were found, but when I do the same with avast! and on virustotal, it says: Scan was completed with error. Error: a device attached to the system is not functioning.

This appears to be much the same issue posted on this thread, except with a different file in question: http://forum.avast.com/index.php?topic=40975.0

Can anyone help me with this problem? Thanks in advance for any and all help. As a huge fan of avast!, I hope this issue can be resolved soon.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Pondus on February 02, 2010, 10:01:20 AM
This post should have been posted in the virus and worm forum



check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked and post your scan logs here
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 02, 2010, 10:17:18 AM
Pondus: Thank you very much for the speedy response; my apologies for not posting this in the correct forum, would you like me to recreate this topic there? I'm pretty new at this.

Quote from: Pondus
come back and tell us if it worked and post your scan logs here

I intend to do just that, but how do I post my scan logs here once I have done them?


Anyone have any other suggestions or have any idea what this file is or what its purpose is? Again, I can't find any information on it using google.

Thanks again for all your help.

Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Pondus on February 02, 2010, 10:42:24 AM
Quote
come back and tell us if it worked and post your scan logs here

I intend to do just that, but how do I post my scan logs here once I have done them?
Copy and paste


And yes, not many hits on Google for that file. Maybe someone else in here knows what it is?


Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Yanto.Chiang on February 02, 2010, 11:13:29 AM
Hi,

Anyway, just one piece of information you need to know after Pondus's advice.

You should turn off your recovery system, to avoid having the virus/malware create backup files on your system.

Good luck
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 02, 2010, 08:38:37 PM
Hey guys,

haven't had a chance to run any of those malware scans you suggested above, but now when I try and open avast on my computer, the startup splash screen appears, but it never progresses to the main screen and the splash screen just disappears.

Does this suggest that C:\Windows\System32\Drivers\dbliw.sys is in fact malware, or are there other possible explanations?

Also, my computer has been acting pretty much normal since the warnings first started appearing, about a day ago. Is it still possible that my computer is infected if it is still performing well?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Pondus on February 02, 2010, 08:55:59 PM
Yes...you can have malware and not know it, and if avast won't open that is suspicious, so try the tools suggested
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 02, 2010, 09:57:45 PM
For whatever it's worth, it's always a very bad idea to delete a file until you know for sure what it does. It's too late now but for future reference I would leave it in the Chest and send a copy to Alwil for analysis before deleting.

I second running Malwarebytes if you think you might still be infected. It's a good program. :)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 01:20:22 AM
For whatever it's worth, it's always a very bad idea to delete a file until you know for sure what it does. It's too late now but for future reference I would leave it in the Chest and send a copy to Alwil for analysis before deleting.

You're right Norel, I sort of got worried after ignoring the file didn't fix the problem the first time, so I overreacted and deleted it the second time. At least from this point forward I'll know to always put the suspect files into the quarantine chest rather than delete them, correct?

I completed a malwarebytes' scan, as you guys suggested, and 5 infected files were found and quarantined, including that old familiar nemesis of mine, system32/drivers/dbliw.sys

Here is the log of the scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 6:13:58 PM
mbam-log-2010-02-02 (18-13-58).txt

Scan type: Quick Scan
Objects scanned: 104983
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Hope this is informative for you guys, because it's way over my head. Any suggestions for what needs to be done next?
Again, Pondus, Norel, and Yanto, thank you so much for your advice and help. Cheers.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 01:22:36 AM
P.S. Why don't the two infected files show up on this log?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 02:01:49 AM
After finishing the scan and hitting the "remove selected" button as Pondus suggested, I was prompted by malwarebytes to restart my computer in order to complete the removal process. When I selected yes to continue with the restarting process, however, I was informed that something went wrong with the restarting process, and the computer didn't restart.

I did another malwarebytes' scan, and this time only 1 infected file was found: C:\Windows\System32\Drivers\dbliw.sys
This confused me, since after the first scan I was told that all found infected files had been successfully quarantined, and yet this is one of those found files, and it does not appear to be quarantined. It isn't on my quarantine list on malwarebytes' either, as can be seen here:


I once again hit the "remove selected" button and was once again told that all files were quarantined successfully, but on this attempt however, the computer did in fact restart when I hit the "yes" to proceed with the restart button. Confusing, right?

After the computer finished restarting, I did a malwarebytes' scan for the third time, and again the same infected object, C:\Windows\System32\Drivers\dbliw.sys, was found.

Here is the third scan log after I hit the remove selected button:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 7:00:27 PM
mbam-log-2010-02-02 (19-00-27).txt

Scan type: Quick Scan
Objects scanned: 104910
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


An avast! popup just came up warning of a rootkit, and the file it claimed was a rootkit was the same C:\Windows\System32\Drivers\dbliw.sys, and it suggested that I delete the file immediately, so I did so, but when I looked into my system32\drivers folder, I saw that dbliw.sys changed its size from 0 kb back to 774 kb, the same size it has been since I first discovered it.

Any ideas guys?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 02:15:11 AM
I have some ideas if you'd like to hear them..

1. Disable system restore
2. http://www.filehippo.com/download_superantispyware/  <<<< install that and update it. If it fails to install, use the portable version here: http://portable.superantispyware.com/sassaferun.php
3. Install and update this: http://www.filehippo.com/download_asquared/
4. Boot into safe mode and run full scans with both of those programs; hopefully that rootkit can be killed in safe mode
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 02:59:36 AM
Artemis, thanks for the advice, but before I take any of those actions, I want to be as close to 100% sure as possible that this sys file is in fact a rootkit.

How do I disable system restore?


Does everyone agree that all signs point to C:\Windows\System32\Drivers\dbliw.sys being a rootkit, since the Malwarebytes scans suggest as much and my original avast! scan suggested as much and the recent avast! popup suggested as much, but I can't find any information on this particular file anywhere on Google and recent preboot scans by avast! have been unable to find any infected files?

I know I shouldn't count my eggs before they hatch, but I just want to say how thankful I am for everyone's help in resolving this irritating, confusing issue. This is a great forum, and I appreciate the knowledge everyone is willing to share with me.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 03:03:09 AM
Breaking News: An avast!Warning just popped up, saying a rootkit was found. "A suspicious hidden object (rootkit) has been detected...may be a sign of malware infection. It is recommended to remove object immediately"

File name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services
Malware name: Win32:Rootkit-gen [Rtk]


Does this prove that this sys file is in fact a malware file? I once again tried to "delete now", but the file didn't go away. :-\

Also, when I try to upload the file to scan it on either Jotti or Virus Total, it tells me a device attached to the system is not functioning, and it won't let me upload it. ???
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 03:52:21 AM
disabling system restore depends on what operating system you have.

try uploading the file here and see what results you get


http://camas.comodo.com/   (comodo instant malware analysis)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 04:20:52 AM
I have Windows Vista Home Premium.

And I tried uploading the file there and got the same result: "a device attached to the system is not functioning", and it won't let me upload or scan it. :( Nonetheless, thank you for the continued advice, Artemis. :)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 04:45:42 AM
Click the start button (Vista orb), right click on "Computer" and select "Properties". On the left pane, one of your choices should say "System Protection". Choose that and you'll see how to do it from there.
Do you know how to boot into safe mode? I'm not trying to talk down to you at all, just asking. In case you don't know, restart and during boot-up immediately begin tapping F8 until you get a black screen with text on it. One of your choices will be "Safe Mode"; select it and press "Enter".
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 04:56:07 AM
If deleting your system restore points doesn't do anything, then C:\Windows\System32\Drivers\dbliw.sys might be a protected system file, especially if deleting it with Malwarebytes didn't do anything. I'd send it to Alwil for analysis, it could be a false positive.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 05:26:02 AM
If deleting your system restore points doesn't do anything...

Wait a second, am I supposed to delete or disable my system restore points?

C:\Windows\System32\Drivers\dbliw.sys might be a protected system file, especially if deleting it with Malwarebytes didn't do anything. I'd send it to Alwil for analysis, it could be a false positive.

In regards to this, I do have a sort of nagging suspicion it could be a false positive. How do I send it to Alwil for analysis? What is the analysis process like? About how long does it take for this kind of analysis to be done? Should I wait to hear back from Alwil before moving forward with Artemis's suggestions?

Artemis: no offense taken from your step-by-step directions. I did know how to boot into safe mode, but I still appreciate your detailed instructions. Now all I need to know is whether or not to put your ideas into action.


At the risk of making myself look even more incompetent than I already have, I noticed a tiny detail in all of this that probably means nothing, but I figured I would run it by you guys just in case it's important in some way: When I receive the avast!warning about the rootkit, the file looks like this
File name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services
Malware name: Win32:Rootkit-gen [Rtk]


with the Drivers folder with a capital 'D'. However, when I search out the file individually, I go through Windows and System32, but the drivers folder in System32 has a lower case 'd', and there is no file with a capital 'D'. Does this mean anything? Does the fact whether a folder has an upper case or lower case letter mean they are different folders, or am I simply splitting hairs here? :-\
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 05:35:43 AM
Maybe you should wait. I'm no expert by any means, but I've cleaned a few infections off my machine before. ;D

I'd really hate to give you wrong advice and make things worse. I certainly don't have that file on my PC, for whatever that's worth. The fact that Google turns up absolutely nothing when searching the filename is suspicious IMHO. If it were a Windows system file, surely Google would produce some results for it.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: cazoza on February 03, 2010, 06:11:50 AM
The path you write about is OK; if you type that path in your Windows Explorer (not Internet Explorer) you will be redirected to the correct path with "d". And you are supposed to disable restore points, and maybe you should try an autorun cleaner or blocker, like USB Threat Defender, and a registry cleaner tool like Comodo System Cleaner, because the problem is that the virus/malware you have on your system is recreating itself via a registry entry and an autorun file, and is blocking Malwarebytes' attempts to delete it, because it's too deep in your system.

If you run those tools, disable restore points, and maybe you should delete all restore points but the newest one, just to be cautious. And then try again with Malwarebytes or SUPERAntiSpyware, and then make a restore point and call it "Clean" or something like that, and reboot your machine. This should leave your system clean. At least I have cleaned some systems using these steps.

To send the file to Alwil, just open the virus vault, right click on the virus, and select send to Alwil, and that's all.

Hope this info helps you pal. Take care.

P.S. If you need USB Threat Defender, PM me, or email me. Take Care.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 07:19:00 AM
Cazoza, thanks for all the advice, I really appreciate it. :)


To send the file to Alwil, just open the virus vault, right click on the virus, and select send to Alwil, and that's all.


Unfortunately, I can't use this method to send the file to Alwil, as for some reason the file doesn't show up in my virus chest.

I'm sort of unsure where to go from here: My computer has had short spurts of suspicious behavior, with both avast! and firefox (along with other web browsers) not working at different times, yet at the moment it seems to be working perfectly well, and I'm a little afraid to pursue either cazoza's or Artemis's advice, as I don't want to make things worse.

I can't seem to find any information on the file C:\Windows\System32\Drivers\dbliw.sys, and that would suggest, as Artemis pointed out, that it is not a legitimate file. If this file is a protected system file as Norel suggests, you would think you could find some information on it on Google, correct?

And yet perhaps this file is legitimate? Earlier I tried to restore my computer to a previous restore point, one from several days ago before the warnings began, and yet for an unspecified reason the restoration did not go through.

I guess I will first try Artemis's advice, and update you guys on the outcome of those steps.

Regardless of whether or not this fixes the problem (if it is indeed a problem), I'm lucky to have your guys' help.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 07:20:33 AM
P.S. Does anyone have any idea what these "a device attached to the system is not functioning" messages when I try to upload the sys file or scan it directly with avast could mean?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 07:35:29 AM
Hmmm...sounds like it might be a bug and it's trying to interfere with your ability to get rid of it.

Just so I'm clear, is C:\Windows\System32\Drivers\dbliw.sys quarantined now? If you look it up in its actual folder is it there too or does quarantine move it to the Virus Chest?

Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 07:46:19 AM
Just out of curiosity, can you directly scan other files or is it just that one that's a problem?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 07:50:05 AM
another trick: go to device manager and click "view">show hidden devices

browse through the list and see if you can find this file and try to uninstall it from there
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 07:59:31 AM
Norel: To the best of my knowledge, C:\Windows\System32\Drivers\dbliw.sys is not quarantined now. When I look it up in its actual folder, it is there, and though both malwarebytes' and avast!'s scans found it and malwarebytes' scan told me "C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully", I can't find it in either malwarebytes' quarantine or avast's virus chest.

I tried a handful of other sys files, and it appears that I can directly scan all files except dbliw.sys.

go to device manager and click "view">show hidden devices


Artemis: Sorry to portray myself as the ignoramus that I am, but where is this device manager? :-[

Again, a thousand thanks, you guys.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 08:03:40 AM
Artemis: never mind; I found the device manager by using search and I found "dbliw" under the "Non-Plug and Play Drivers".

Here's the information it displays when I right-click and choose properties:

Device Type: Non-Plug and Play Drivers

Manufacturer: Unknown

Location: Unknown

Device Status: This device is working properly


Should I try and uninstall it? What do you guys think?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 08:06:58 AM
Sure, why not? ;D I mean, avast and Malwarebytes both say it's a rootkit. Kill it, I say.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 08:10:47 AM
I guess I'm a little confused. If it's not quarantined, what process did you use to try and upload it?

You might do another scan of your whole system and try to get avast! to hit on it again. If or when it does choose "Move to chest" as the action and see if you can get it quarantined. :)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 08:24:07 AM
If it won't let avast! quarantine it, I would try to nuke it with the Malwarebytes File Assassin tool, it will kill just about anything. :)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 08:33:10 AM
Norel: You're not the only one  :). My apologies for the vague "upload" phrasing; when I said upload, I didn't mean uploading to Alwil for analysis, I meant uploading to Jotti or Virus Total.

When I do a scan on avast! I do indeed hit on it again, but even when I choose the "Move to Chest" action, it's still nowhere to be found in the virus chest.

Here's what it says for the file in the "Results of Last Scan":

Name of File: C:\Windows\System32\Drivers\dbliw.sys

Result: Infection: Win32:Rootkit-gen [Rtk]

Operation: Error occurred during moving file to chest: The system cannot find the file specified.

Strange stuff, considering the scan found the file, did it not? I'm at a little bit of a loss, my friends.

Artemis: To add a further twist to the plot and more mystery: I tried to uninstall dbliw from my computer, and after restarting the computer and starting up device manager, dbliw is nowhere to be found. And yet, dbliw.sys can still be found in the Drivers folder, and avast! scan still detects the file. I'm running a malwarebytes' scan as I type this, but I assume it too will find the file and try, unsuccessfully, to quarantine it. There are too many twists and turns to follow.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 08:34:08 AM
If it won't let avast! quarantine it, I would try to nuke it with the Malwarebytes File Assassin tool, it will kill just about anything. :)

Would you mind showing me how to find this? Much appreciated, again.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 08:37:57 AM
I have a Win32:Nebuler-B [Drp] and a Win32:Bredolab-BL [Trj] and a JS:Pdfka-US [Expl] in the infected files folder of my virus chest, but no Win32:Rootkit-gen [Rtk] :(
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Pondus on February 03, 2010, 08:44:57 AM
Follow this guide from essexboy, and post the logs
http://forum.avast.com/index.php?topic=53253.0

Essexboy is the Malware expert in here, when you have posted the logs i will send him a PM
He usually arrives late (Norwegian time) as he works in several forums
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 03, 2010, 08:58:04 AM
you're in good hands now, Oldmittay. essexboy is the man... ;)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 09:14:27 AM
Pondus: Thanks for being willing to call in the cavalry for little old me.

Here is the log of my MBAM scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/3/2010 1:59:58 AM
mbam-log-2010-02-03 (01-59-58).txt

Scan type: Quick Scan
Objects scanned: 104946
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

A few notes:
1. I was asked to restart my computer, and did so immediately.
2. I've done this scan several times, and each time it tells me that the above infected file is quarantined and deleted successfully, but still after each time I can't find the file in quarantine and it is still present in my computer's files.

I will now do the OTL section of essexboy's directions, and post those logs as soon as they are available to me. Again, many thanks.

Artemis: essexboy may be the man, but I felt that I was in good hands under your (and norel's) guidance as well. You're my boy, blue.
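The Malwarebytes logs posted in this thread are worth reading with a critical eye: the first one says "Files Infected: 2" in its summary but has no "Files Infected:" block at all (hence the "why don't the two infected files show up" question), and the later ones report dbliw.sys as "Quarantined and deleted successfully" on every single run while the file is still on disk. The following is an added example, not code from the thread or from Malwarebytes: it parses the 1.x log layout, flags summary counts that the listed entries do not back up, and lists targets that recur across scans, which is the pattern of a component being restored by something still active. The sample logs are constructed for the example and only copy the layout of the ones above.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and sanity-check what they claim.
Constructed example: the logs below copy the layout of the ones posted in this thread,
shortened, and are not verbatim copies of a real log."""
import re
from dataclasses import dataclass, field

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


@dataclass
class Detection:
    section: str  # e.g. "Files Infected"
    target: str   # file path or registry key/value
    threat: str   # MBAM classification, e.g. "Rootkit.Agent"
    action: str   # what MBAM says it did


@dataclass
class MbamReport:
    timestamp: str = ""
    summary: dict = field(default_factory=dict)     # header block: section name -> claimed count
    detections: list = field(default_factory=list)  # entries actually listed in the detail blocks
    sections_seen: list = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log line by line, remembering which 'X Infected:' block we are in."""
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            report.timestamp = line
        elif (m := SUMMARY_RE.match(line)):           # "Files Infected: 2"
            report.summary[m["name"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):           # "Files Infected:"
            section = m["name"]
            report.sections_seen.append(section)
        elif section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, m["target"], m["threat"], m["action"]))
    return report


def reconcile(report: MbamReport) -> list:
    """Return discrepancies between the summary counts and the entries actually listed.
    A non-zero count whose detail block is missing (as in the first log posted in the
    thread) means the log does not tell you what was found, let alone what was done."""
    problems = []
    for name, count in report.summary.items():
        listed = sum(1 for d in report.detections if d.section == name)
        if count and name not in report.sections_seen:
            problems.append(f"{name}: summary says {count} but the detail block is missing")
        elif listed != count:
            problems.append(f"{name}: summary says {count} but {listed} entries are listed")
    return problems


def recurring_targets(reports: list) -> dict:
    """Map each target reported as quarantined in more than one scan to the scan timestamps.
    Windows paths are case-insensitive, so 'Drivers' and 'drivers' are folded together."""
    seen = {}
    for r in reports:
        for d in r.detections:
            if d.action.lower().startswith("quarantined"):
                seen.setdefault(d.target.lower(), []).append(r.timestamp)
    return {t: ts for t, ts in seen.items() if len(ts) > 1}


# Constructed log: summary claims two infected files, but the "Files Infected:" block is absent.
LOG_A = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3681

2/2/2010 6:13:58 PM

Registry Values Infected: 1
Files Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Constructed logs: the same driver is "removed" in two consecutive scans.
LOG_B = r"""
2/2/2010 7:00:27 PM
Files Infected: 1
Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
LOG_C = LOG_B.replace("2/2/2010 7:00:27 PM", "2/3/2010 1:59:58 AM").replace("Drivers", "drivers")

if __name__ == "__main__":
    for log in (LOG_A, LOG_B, LOG_C):
        print(reconcile(parse_mbam_log(log)) or "summary and entries agree")
    print(recurring_targets([parse_mbam_log(log) for log in (LOG_A, LOG_B, LOG_C)]))
```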
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 03, 2010, 10:06:29 AM
The File Assassin's in the More Tools tab in Malwarebytes.

Vista recreates certain drivers even if they're uninstalled or deleted. This can be a royal pain sometimes or it can be a lifesaver. That could be what's happening here. If you delete it with File Assassin and it comes back I'd say for sure that's what it is.

Time for me to hit the sack. :)

Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 10:19:58 AM
Norel: Thanks for all the guidance and advice; it's been a privilege having you around to help me.

Artemis: Loving the profile picture. Indescribably clutch.

Pondus: I have attached my two OTL logs. Hope this is what you and essexboy are looking for. Cheers.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 10:49:58 AM
Norel: Now that I've posted those Logs, I think I might wait to hear what essexboy has to say before trying anything else out. Still, I am indebted to you, and I'll definitely try out the File Assassin if things don't work out with essexboy's help. The way Artemis lauds him though, I'm feeling pretty happy to have his help on the way.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Pondus on February 03, 2010, 12:03:54 PM
Norel: Now that I've posted those Logs, I think I might wait to hear what essexboy has to say before trying anything else out. Still, I am indebted to you, and I'll definitely try out the File Assassin if things don't work out with essexboy's help. The way Artemis lauds him though, I'm feeling pretty happy to have his help on the way.
PM to Essexboy is sent. He is the "Terminator" of malware and soon that rootkit is dead..... ;)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 10:23:05 PM

PM to Essexboy is sent. He is the "Terminator" of malware and soon that rootkit is dead..... ;)

Awesome. Can't tell you enough how thankful I am for your help, Pondus.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 03, 2010, 10:41:53 PM
Hi,

Anyway, just one piece of information you need to know after Pondus's advice.

You should turn off your recovery system, to avoid having the virus/malware create backup files on your system.

Good luck
I would not recommend that as a bad restore point is better than none
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 03, 2010, 11:20:08 PM
I do not think File Assassin is man enough to kill a rootkit as there will probably be a respawner there somewhere

Run OTL.exe
Code:
:OTL
O4 - HKCU..\Run: [C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe ] C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe File not found
[2010/02/03 02:23:02 | 000,792,064 | ---- | M] () -- C:\Windows\System32\drivers\dbliw.sys
[2010/02/02 01:40:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/03 02:48:48 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\dbliw.sys

:Commands
[purity]
[emptytemp]
THEN

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Once the scan is complete, you may receive another notice about rootkit activity.
Post the contents of GMER.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 11:25:06 PM

Quote
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Essexboy, really appreciate you stepping in here. Thank you :)

I'm a little confused by the directions I've quoted above. Does this mean that after I click the Run Fix button and the Fix is finished running, I should restart my computer, then do another OTL quick scan like the one I previously did and posted above, with the OTL.txt and Extra.txt?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 03, 2010, 11:35:23 PM
Aye, it should reboot automatically as I have told it to clear the temp files - you will lose desktop icons as it does this, as all processes will be killed

There will be no extras text on the second run - just run the quick scan  ;D then GMER
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 11:52:14 PM
Quick scan in progress  :)

Here's the log I got from the fix, in case you're curious/it tells you anything you need to know:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1 not found.
File C:\Windows\System32\drivers\dbliw.sys not found.
C:\ProgramData\ezsidmv.dat moved successfully.
File C:\Windows\System32\drivers\dbliw.sys not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33213 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Zach
->Temp folder emptied: 574694934 bytes
->Temporary Internet Files folder emptied: 1917477278 bytes
->Java cache emptied: 1477446 bytes
->FireFox cache emptied: 72160181 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 122 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47571898 bytes
RecycleBin emptied: 50208861 bytes
 
Total Files Cleaned = 2,540.00 mb
 
 
OTL by OldTimer - Version 3.1.27.1 log created on 02032010_162853

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


This is of course coming from a person who has no idea what they're talking about, but I find it curious that the fix couldn't find "File C:\Windows\System32\drivers\dbliw.sys", considering it is in plain sight in that folder, both Malwarebytes' and avast!'s scans find it, and I can find it without too much trouble. Is it the rootkit's method of self-protection to stop certain executions from detecting it, or something like that?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 03, 2010, 11:55:46 PM
That means it is "hidden" and protected - if you could run GMER I may be able to see what is protecting it
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 03, 2010, 11:57:42 PM
Should I wait for the quick scan to complete before downloading/running GMER?
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 12:02:59 AM
Essexboy: Here is the OTL log for the quick scan that just completed; I'll begin the GMER process now. Cheers, my friend.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 04, 2010, 12:12:07 AM
Quote
C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe
This one is also protected - so there is probably a hidden driver or service
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: cazoza on February 04, 2010, 12:14:38 AM
I have found this info for Mojo_2.2.1.exe. Hope this can help you guys:

Mojo_2.2.1.exe

In our tests, this download turned out to be free of adware, spyware and other unwanted programs.
Annoyance score
 
How does this modify the system?
•The following programs were registered in our Add or Remove Programs:

Mojo 2.2.1, Bonjour 1.0.104

•The following icons were added to our desktop:

Bonjour Printer Wizard.lnk, Mojo.lnk

In our tests, Mojo_2.2.1.exe made no changes to the system registry.

In our tests, Mojo_2.2.1.exe made no changes to the hard disk.

Other information
■The title could not be determined.
■The download publisher's URL could not be determined.
■Download URL: http://www.deusty.com/mojo/win/Mojo_2.2.1.exe
■File name: Mojo_2.2.1.exe
■File size: 5868618
■Full checksum (MD5): b1ab619be32c919125324158de0ad62a
■SiteAdvisor program ID: 18066359
■SiteAdvisor last checked this download: December 2008
■SiteAdvisor last checked this link: May 2009
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: essexboy on February 04, 2010, 12:16:34 AM
It is the name of a legitimate file - but it should not run from the temporary folder  ;D  Probably a misdirection
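The two points essexboy makes above, that a file the scan listed but the fix reports as "not found" is hidden and protected, and that a legitimately named autorun launching from the browser cache is a red flag, written out as a triage script over OTL's own log lines. This is an added example, not code from OTL or from anyone in the thread; the line formats are taken from the posted script and fix log, the sample input is constructed from those entries, and the reading of the C/M marker and the attribute column is an assumption drawn from what the listing shows.

```python
import re

# Constructed sample in OTL's own notation: the entries from the fix script
# posted above and the matching result lines from the fix log.
SCRIPT = r"""
O4 - HKCU..\Run: [C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe ] C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe File not found
[2010/02/03 02:23:02 | 000,792,064 | ---- | M] () -- C:\Windows\System32\drivers\dbliw.sys
[2010/02/02 01:40:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/03 02:48:48 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\dbliw.sys
"""
FIX_LOG = r"""File C:\Windows\System32\drivers\dbliw.sys not found.
C:\ProgramData\ezsidmv.dat moved successfully."""

# [date time | size | attrs | C/M] (company) [Unable to obtain MD5 ]-- path
# (assumed: attrs column shows -H-- for a hidden file, as in the posted listing)
LISTING = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S{4}) \| ([CM])\] \(([^)]*)\) "
                     r"(Unable to obtain MD5 )?-- (.+)$")
# O4 autorun line: registry key, [value name ], launched path, optional "File not found"
AUTORUN = re.compile(r"^O4 - (\S+): \[.*?\] (.+?)(?: File not found)?$")
NOT_FOUND = re.compile(r"^File (.+) not found\.$")
CACHE_DIRS = ("\\temporary internet files\\", "\\content.ie5\\")


def parse_script(text):
    """One dict per script entry: the path OTL targeted and the flags it recorded."""
    entries = []
    for line in text.splitlines():
        if m := LISTING.match(line):
            entries.append({"kind": "file", "path": m.group(7),
                            "hidden_attr": "H" in m.group(3),
                            "md5_failed": m.group(6) is not None})
        elif m := AUTORUN.match(line):
            entries.append({"kind": "autorun", "path": m.group(2)})
    return entries


def unseen_by_fix(fix_log):
    """Lower-cased paths the fix reported as 'not found' although the scan listed them."""
    return {m.group(1).lower() for m in map(NOT_FOUND.match, fix_log.splitlines()) if m}


def triage(script_text, fix_log_text):
    """Reasons each targeted path deserves a closer look, keyed by lower-cased path."""
    unseen = unseen_by_fix(fix_log_text)
    findings = {}
    for e in parse_script(script_text):
        low = e["path"].lower()
        reasons = findings.setdefault(low, set())
        if e["kind"] == "autorun" and any(d in low for d in CACHE_DIRS):
            reasons.add("autorun launches from the browser cache")  # legit name, wrong place
        if e.get("hidden_attr"):
            reasons.add("hidden attribute set")
        if e.get("md5_failed"):  # the scan could list the file but not read it
            reasons.add("kernel driver unreadable (MD5 failed)"
                        if "\\system32\\drivers\\" in low else "unreadable (MD5 failed)")
        if low in unseen:  # the scan listed it, the fix could not see it
            reasons.add("listed by scan but 'not found' by fix: hidden/protected")
    return {p: sorted(r) for p, r in findings.items() if r}
```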
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 12:26:35 AM
Essexboy: My computer crashed the first time I tried to run GMER. I'm about to give it another try; we'll see how this one goes.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 12:46:01 AM
Essexboy: During the 1st attempt at running GMER, my computer froze up right after I clicked NO at this stage:

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO

During the 2nd attempt, I made it past this phase to this point:

  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
While the scan was in progress, an avast! warning popped up for a rootkit, C:\Windows\System32\drivers\dbliw.sys, and before I had a chance to do anything, my entire computer screen went blue with little white lines interspersed in it, and then my computer restarted automatically.

I guess I'll try the GMER scan again?

3rd Attempt: Got as far as I did on the second attempt, except this time there was no pop-up avast! warning, the screen just suddenly turned blue with short white lines again, and the computer restarted on its own. Should I keep trying to run a successful scan?

Side note: I tried running the GMER scan in Safe Mode and each time I do, at first I am told that GMER has stopped working and Windows closes it automatically, and then when I try again the "blue screen" appears and restarts my computer automatically.

Also, I ran the Malwarebytes scan while in Safe Mode and no infections were found. Not sure if this tells us anything, but I figured I'd post it in case it's relevant in any way.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Derelict_AZ on February 04, 2010, 01:22:57 AM
If you're just trying to delete C:\Windows\System32\Drivers\dbliw.sys, I would give XueTr (http://forum.sysinternals.com/forum_posts.asp?TID=19584) a try.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 03:53:28 AM
Derelict: To be honest, I'm not 100% sure what exactly I'm trying to do; just following the directions of essexboy as best I can.
Thank you for the suggestion, though. :)

These are probably silly questions, but are we 100% sure at this point that C:\Windows\System32\Drivers\dbliw.sys is in fact a malicious file/rootkit/something I want to get rid of?

And is it evident that this protected file "C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe is also something I should get rid of?

Just want to make sure we (or really just I) know what we're dealing with here.  ;)

Also, I followed Norel's advice and tried to use File Assassin to delete dbliw.sys, but when I try to select the file to have the File Assassin tool do its work on it, the computer won't let me. A Windows popup appears with the heading Open, and beside a black exclamation point with a yellow triangle background it says:
dbliw.sys
A device attached to the system is not functioning

So evidently I can't use File Assassin even if it would work. :'(

Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: ArtemisF0wl on February 04, 2010, 05:05:07 AM
Just wait for essexboy and do whatever he says. I'm sure whatever problems you are having with the removal of this rootkit, he has seen it before.

I think if it were not a malicious file, essexboy would have told you so. Patience, grasshopper. There's more than one way to skin a cat. ;)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 05:52:18 AM
I appreciate your reassuring presence, Artemis.

If only patience didn't have to be earned. :-\
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 06:48:56 AM
It would appear that the act of opening GMER alone is enough to cause my computer to act incredibly slowly, and to eventually freeze completely. I have on several occasions made it considerably far into the scanning process, but each time GMER eventually freezes up and I am forced to force-restart my computer, losing all the progress and information GMER has made up to that point.

I eagerly anticipate future guidance, essexboy, and truly appreciate the help you have given me up to this point. Thank you for lending your expertise to this issue on my behalf. Meanwhile, it might be time to read a book to calm my nerves; I'm letting this sneaky file get under my skin a little too much.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: norel on February 04, 2010, 07:35:02 AM
I've had viruses and I've had files that were just hard to delete. In my experience it's the viruses that act like this dbliw.sys is acting: causing your system to act weird, aggressively preventing the antivirus from working right and even preventing you from uploading it.

But there are a lot of things I haven't experienced so I can't say with 100% certainty what you have Oldmittay. Hopefully essexboy will be able to help you fix it. :)
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 12:11:55 PM
Well everyone, while I want to restrain myself from jumping to any conclusions, there appears to be a sign for tempered optimism, at least on the dbliw.sys front (still not sure what to think about the C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe file):

I decided to run another boot-time avast! scan, on the extremely unlikely chance that this time around, it would find dbliw.sys and succeed in quarantining it. Wouldn't you know it, it just might have worked! The file was found during the scan and I tried to move it to the chest, thinking I was setting myself up for another disappointment. However, I ran Malwarebytes and avast! scans when the computer was rebooted, and neither found any infected items. I took a look through my avast! Virus Chest, and lo and behold, there is dbliw.sys in the infected files list. :) :)

One addendum: dbliw is still on the list of non-plug and play drivers in the Device Manager. What do you guys think, should I try uninstalling it again, now that I have dbliw.sys in the Virus Chest?

Essexboy: What steps do I still need to take? Is there a way I can check to make sure my system is clear? Re-run OTL perhaps?

I'm trying to hold back here, but maybe-- just maybe-- we're getting somewhere finally, and from the most unlikely of sources to boot, one I thought I had already exhausted!
I'll post an update on the situation early in the afternoon (USA East Coast Time).

 
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Derelict_AZ on February 04, 2010, 02:43:25 PM
Quote
(still not sure what to think about the C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe file):

I would delete this file. Based on the file path, it can't be anything but bad news. If you can't delete it with Explorer, then I would again suggest getting XueTr (http://forum.sysinternals.com/forum_posts.asp?TID=19584) and deleting it with that. XueTr (http://forum.sysinternals.com/forum_posts.asp?TID=19584) has a File tab where you can browse to this file and delete it. You can also schedule a delete on the next boot, using the Delay Delete context-menu item.

Quote
one addendum: dbliw is still on the list of non-plug and play drivers in the Device Manager. What do you guys think, should I try uninstalling it again, now that I have dbliw.sys in the virus chest?

I would uninstall it from the Device Manager. Alternatively, you could search the registry and delete the service keys manually.

I'm glad that avast! was finally able to quarantine that file for you. Have you ever used Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)? You should run it and make sure you don't have any suspicious entries. It would also be a good idea to look into getting a HIPS product to avoid things sneaking onto your system in the future. There will be a learning curve, but IMHO it will be time well spent.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Oldmittay on February 04, 2010, 10:54:52 PM
essexboy, do you agree with Derelict's advice?

Also, I was using my computer earlier today to check this forum and my email when avast detected a virus in my system and automatically restarted my computer, running a boot-time scan, but no infected items were found, so I'm not sure what to think at this point.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Derelict_AZ on February 05, 2010, 02:29:58 PM
It sounds like you've still got a problem. I would try scanning your system offline. You can do this with a bootable CD, such as Avira's Rescue CD (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html). If you have a clean system to create the CD from, that would be best. I would also recommend a backup system if you don't already have one in place.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: cazoza on February 07, 2010, 05:32:31 AM
I suggest you do the same with a bootable antivirus CD like the one they posted up. But I need to remind all members, you need to take care of what you post, because I had a friend here at the forum who posted twice, all bootable antivirus CDs, and the moderators banned him from the forum. And I don't know why, because he was just cooperating with the community by posting those tools. And now he can't log in anymore.
Title: Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
Post by: Derelict_AZ on February 07, 2010, 06:54:57 AM
Thanks for the advice. I didn't think trying to help other avast! users would be a bad thing, but I guess I can see how recommending a competitor's product would be frowned upon. I'll be more careful in the future because I certainly don't want to be banned! :-[