Author Topic: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"  (Read 25660 times)

0 Members and 1 Guest are viewing this topic.

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« on: February 02, 2010, 09:38:28 AM »
Hello, I have the avast! 4.8 home edition, and starting today I have begun receiving avast!Warning messages telling me that the following suspicious file was detected on my computer:

File Name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services

The 1st time I received this warning, I followed the recommended action, which was to ignore, and was then prompted by avast! to run a scan boot, which I did. A few dangerous files were found during the scan, and I elected to delete them all. However, after the scan was finished and my computer rebooted, I received the same avast!Warning for C:\Windows\System32\Drivers\dbliw.sys, and this time I decided to delete the file. I was again prompted to run scan boot, which I did, and this time no dangerous files were found during the scan. After rebooting again, I received the avast!Warning for a 3rd time, and this is where I now stand.

I have done a google search for the file C:\Windows\System32\Drivers\dbliw.sys, but can't seem to find any information about it. Was this a case of a false-positive? Have I done my computer irreparable damage by deleting it? :-[ When I individually scan the file with ad-aware, it tells me no threats were found, but when I do the same with avast! and on virustotal, it says: Scan was completed with error. Error: a device attached to the system is not functioning.

This appears to be much the same issue posted on this thread, except with a different file in question: http://forum.avast.com/index.php?topic=40975.0

Can anyone help me with this problem? Thanks in advance for any and all help. As a huge fan of avast!, I hope this issue can be resolved soon.
« Last Edit: February 02, 2010, 10:21:41 AM by Oldmittay »
When you're this incompetent, it helps to have intelligent friends.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36932
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #1 on: February 02, 2010, 10:01:20 AM »
This post should have been posted in the virus and worm forum



check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked and post your scan logs here

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #2 on: February 02, 2010, 10:17:18 AM »
Pondus: Thank you very much for the speedy response; my apologies for not posting this in the correct forum, would you like me to recreate this topic there? I'm pretty new at this.

Quote from: Pondus
come back and tell us if it worked and post your scan logs here

I intend to do just that, but how do I post my scan logs here once I have done them?


Anyone have any other suggestions or have any idea what this file is or what its purpose is? Again, I can't find any information on it using google.

Thanks again for all your help.

When you're this incompetent, it helps to have intelligent friends.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36932
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #3 on: February 02, 2010, 10:42:24 AM »
Quote
come back and tell us if it worked and post your scan logs here

I intend to do just that, but how do I post my scan logs here once I have done them?
Copy and paste


And yes, not many hits on google for that file. maybe somone else in here know what it is?



Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1369
  • Soli Deo Gloria
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #4 on: February 02, 2010, 11:13:29 AM »
Hi,

Anyway, just one information need to know after Pondus advice.

You should turn off your recovery system, to avoid virus/malware create backup files on your system.

Good luck
Yanto Chiang | IT Security Consultants | AVAST Premium Security | Soli Deo Gloria

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #5 on: February 02, 2010, 08:38:37 PM »
Hey guys,

haven't had a chance to run any of those malware scans you suggested above, but now when I try and open avast on my computer, the startup splash screen appears, but it never progresses to the main screen and the splash screen just disappears.

Does this suggest that C:\Windows\System32\Drivers\dbliw.sys is in fact malware, or are there other possible explanations?

Also, my computer has been acting pretty much normal since the warnings first started appearing, about a day ago. Is it still possible that my computer is infected if it is still performing well?
When you're this incompetent, it helps to have intelligent friends.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36932
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #6 on: February 02, 2010, 08:55:59 PM »
Yes...you can have malware and not know it, and if avast wont open that is suspicious, so try the tools suggested

Offline norel

  • Sr. Member
  • ****
  • Posts: 333
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #7 on: February 02, 2010, 09:57:45 PM »
For whatever it's worth, it's always a very bad idea to delete a file until you know for sure what it does. It's too late now but for future reference I would leave it in the Chest and send a copy to Alwil for analysis before deleting.

I second running Malwarebytes if you think you might still be infected. It's a good program. :)

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #8 on: February 03, 2010, 01:20:22 AM »
For whatever it's worth, it's always a very bad idea to delete a file until you know for sure what it does. It's too late now but for future reference I would leave it in the Chest and send a copy to Alwil for analysis before deleting.

You're right Norel, I sort of got worried after ignoring the file didn't fix the problem the first time, so I overreacted and deleted it the second time. At least from this point forward I'll know to always put the suspect files into the quarantine chest rather than delete them, correct?

I completed a malwarebytes' scan, as you guys suggested, and 5 infected files were found and quarantined, including that old familiar nemesis of mine, system32/drivers/dbliw.sys

Here is the log of the scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 6:13:58 PM
mbam-log-2010-02-02 (18-13-58).txt

Scan type: Quick Scan
Objects scanned: 104983
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Hope this is informative for you guys, because it's way over my head. Any suggestions for what needs to be done next?
Again, Pondus, Norel, and Yanto, thank you so much for your advice and help. Cheers.
When you're this incompetent, it helps to have intelligent friends.

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #9 on: February 03, 2010, 01:22:36 AM »
P.S. Why don't the two infected files show up on this log?
When you're this incompetent, it helps to have intelligent friends.

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #10 on: February 03, 2010, 02:01:49 AM »
After finishing the scan and hitting the "remove selected" button as Pondus suggested, I was prompted by malwarebytes to restart my computer in order to complete the removal process. When I selected yes to continue with the restarting process, however, I was informed that something went wrong with the restarting process, and the computer didn't restart.

I did another malwarebytes' scan, and this time only 1 infected file was found: C:\Windows\System32\Drivers\dbliw.sys
This confused me, since after the first scan I was told that all found infected files had been successfully quarantined, and yet this is one of those found files, and it does not appear to be quarantined. It isn't on my quarantine list on malwarebytes' either, as can be seen here:


I once again hit the "remove selected" button and was once again told that all files were quarantined successfully, but on this attempt however, the computer did in fact restart when I hit the "yes" to proceed with the restart button. Confusing, right?

After the computer finished restarting, I did a malwarebytes' scan for the third time, and again the same infected object, C:\Windows\System32\Drivers\dbliw.sys, was found.

Here is the third scan log after I hit the remove selected button:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 7:00:27 PM
mbam-log-2010-02-02 (19-00-27).txt

Scan type: Quick Scan
Objects scanned: 104910
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


An avast! popup just came up warning of a rootkit, and the file it claimed was a rootkit was the same C:\Windows\System32\Drivers\dbliw.sys, and it suggested that I delete the file immediately, so I did so, but when I looked into my system32\drivers folder, I saw that dbliw.sys changed it size from 0 kb back to 774 kb, the same size it has been since I first discovered it.

Any ideas guys?
When you're this incompetent, it helps to have intelligent friends.

Offline ArtemisF0wl

  • Full Member
  • ***
  • Posts: 175
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #11 on: February 03, 2010, 02:15:11 AM »
I have some ideas if you'd like to hear them..

1.disable system restore
2.http://www.filehippo.com/download_superantispyware/  <<<<install thatand update it. if it fails to install, use the portable version here: http://portable.superantispyware.com/sassaferun.php
3.install and update this http://www.filehippo.com/download_asquared/
4.boot into safe mode and run full scans with both of those programs, hopefully that rootkit can be killed in safe mode
   
Hp Envy 8gig Ram Intel Corei7
Windows7 Home Premium x64
Avast 6 Free, Comodo Firewall 5.8 , MBAM Pro, SuperAntispyware Free, Hostsman

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #12 on: February 03, 2010, 02:59:36 AM »
Artemis, thanks for the advice, but before I take any of those actions, I want to be as close to 100% sure as possible that this sys file is in fact a rootkit.

How do I disable system restore?


Does everyone agree that all signs point to C:\Windows\System32\Drivers\dbliw.sys being a rootkit, since the malwarebyte's scans suggest as much and my original avast! scan suggested as much and the recent avast! popup suggested as much, but I can't find any information on this particular file anywhere on google and recent preboot scans by avast! have been unable to find any infested files?

I know I shouldn't count my eggs before they hatch, but I just want to say how thankful I am for everyone's help in resolving this irritating, confusing issue. This is a great forum, and I appreciate the knowledge everyone is willing to share with me.
« Last Edit: February 03, 2010, 03:06:55 AM by Oldmittay »
When you're this incompetent, it helps to have intelligent friends.

Offline Oldmittay

  • Jr. Member
  • **
  • Posts: 32
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #13 on: February 03, 2010, 03:03:09 AM »
Breaking News: An avast!Warning just popped up, saying a rootkit was found. "A suspicious hidden object (rootkit) as been detected...may be a sign of malware infection. It is recommended to remove object immediately"

File name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services
Malware name: Win32:Rootkit-gen [Rtk]


Does this prove that this sys file is in fact a malware file? I once again tried to "delete now", but the file didn't go away. :-\

Also, when I try to upload the file to scan it on either Jotti or Virus Total, it tells me a device attached to the system is not functioning, and it won't let me upload it. ???
« Last Edit: February 03, 2010, 03:42:09 AM by Oldmittay »
When you're this incompetent, it helps to have intelligent friends.

Offline ArtemisF0wl

  • Full Member
  • ***
  • Posts: 175
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #14 on: February 03, 2010, 03:52:21 AM »
disabling system restore depends on what operating system you have.

try uploading the file here and see what results you get


http://camas.comodo.com/   (comodo instant malware analysis)
Hp Envy 8gig Ram Intel Corei7
Windows7 Home Premium x64
Avast 6 Free, Comodo Firewall 5.8 , MBAM Pro, SuperAntispyware Free, Hostsman