Author Topic: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"  (Read 30785 times)


Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #15 on: February 03, 2010, 04:20:52 AM »
I have Windows Vista Home Premium.

And I tried uploading the file there and got the same result: "a device attached to the system is not functioning", and it won't let me upload or scan it. :( Nonetheless, thank you for the continued advice, Artemis. :)

ArtemisF0wl

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #16 on: February 03, 2010, 04:45:42 AM »
click the start button (Vista orb), right click on "computer" and select "properties". on the left pane, one of your choices should say "system protection". choose that and you'll see how to do it from there.
do you know how to boot into safe mode? I'm not trying to talk down to you at all, just asking. in case you don't know, restart and during boot-up, immediately begin tapping F8 until you get a black screen with text on it. one of your choices will be "safe mode"; select it and press "enter".

norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #17 on: February 03, 2010, 04:56:07 AM »
If deleting your system restore points doesn't do anything, then C:\Windows\System32\Drivers\dbliw.sys might be a protected system file, especially if deleting it with Malwarebytes didn't do anything. I'd send it to Alwil for analysis; it could be a false positive.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #18 on: February 03, 2010, 05:26:02 AM »
If deleting your system restore points doesn't do anything...

Wait a second, am I supposed to delete or disable my system restore points?

C:\Windows\System32\Drivers\dbliw.sys might be a protected system file, especially if deleting it with Malwarebytes didn't do anything. I'd send it to Alwil for analysis; it could be a false positive.

In regards to this, I do have a sort of nagging suspicion it could be a false positive. How do I send it to Alwil for analysis? What is the analysis process like? About how long does it take for this kind of analysis to be done? Should I wait to hear back from Alwil before moving forward with Artemis's suggestions?

Artemis: no offense taken from your step-by-step directions. I did know how to boot into safe mode, but I still appreciate your detailed instructions. Now all I need to know is whether or not to put your ideas into action.


At the risk of making myself look even more incompetent than I already have, I noticed a tiny detail in all of this that probably means nothing, but I figured I would run it by you guys just in case it's important in some way: when I receive the avast! warning about the rootkit, the file looks like this:
File name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services
Malware name: Win32:Rootkit-gen [Rtk]


with the Drivers folder with a capital 'D'. However, when I search out the file individually, I go through Windows and System32, but the drivers folder in System32 has a lower case 'd', and there is no file with a capital 'D'. Does this mean anything? Does the fact whether a folder has an upper case or lower case letter mean they are different folders, or am I simply splitting hairs here? :-\
« Last Edit: February 03, 2010, 05:33:39 AM by Oldmittay »

ArtemisF0wl

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #19 on: February 03, 2010, 05:35:43 AM »
maybe you should wait. I'm no expert by any means, but I've cleaned a few infections off my machine before. ;D

I'd really hate to give you wrong advice and make things worse. I certainly don't have that file on my pc, for whatever that's worth. the fact that google turns up absolutely nothing when searching the filename is suspicious imho. if it were a windows system file, surely google would produce some results for it.

cazoza

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #20 on: February 03, 2010, 06:11:50 AM »
The path you write about is OK; if you type that path in your Windows Explorer (not Internet Explorer) you will be redirected to the correct path with "d". And you are supposed to disable restore points, and maybe you should try an autorun cleaner or blocker, like USB Threat Defender, and a registry cleaner tool like Comodo System Cleaner, because the problem is that the virus/malware you have on your system is recreating itself via a registry entry and an autorun file, and is blocking Malwarebytes' attempts to delete it, because it's too deep in your system.

If you run those tools, disable restore points, and maybe you should delete all restore points but the newest one, just to be cautious. And then try again with Malwarebytes or SUPERAntiSpyware, and then make a restore point and call it "Clean" or something like that, and reboot your machine. This should leave your system clean. At least I have cleaned some systems using those steps.

To send the file to Alwil, just open the virus vault, right click on the virus, and select send to Alwil, and that's all.

Hope this info helps you pal. Take care.

P.S. If you need USB Threat Defender, PM me, or email me. Take Care.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #21 on: February 03, 2010, 07:19:00 AM »
Cazoza, thanks for all the advice, I really appreciate it. :)


To send the file to Alwil, just open the virus vault, right click on the virus, and select send to Alwil, and that's all.


Unfortunately, I can't use this method to send the file to Alwil, as for some reason the file doesn't show up in my virus chest.

I'm sort of unsure where to go from here: My computer has had short spurts of suspicious behavior, with both avast! and firefox (along with other web browsers) not working at different times, yet at the moment it seems to be working perfectly well, and I'm a little afraid to pursue either cazoza's or Artemis's advice, as I don't want to make things worse.

I can't seem to find any information on the file C:\Windows\System32\Drivers\dbliw.sys, and that would suggest, as Artemis pointed out, that it is not a legitimate file. If this file is a protected system file as Norel suggests, you would think you could find some information on it on google, correct?

And yet perhaps this file is legitimate? Earlier I tried to restore my computer to a previous restore point, one from several days ago before the warnings began, and yet for an unspecified reason the restoration did not go through.

I guess I will first try Artemis's advice, and update you guys on the outcome of those steps.

Regardless of whether or not this fixes the problem (if it is indeed a problem), I'm lucky to have your guys' help.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #22 on: February 03, 2010, 07:20:33 AM »
P.S. Does anyone have any idea what these "a device attached to the system is not functioning" messages, which I get when I try to upload the .sys file or scan it directly with avast, could mean?
« Last Edit: February 03, 2010, 07:26:14 AM by Oldmittay »

norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #23 on: February 03, 2010, 07:35:29 AM »
Hmmm...sounds like it might be a bug and it's trying to interfere with your ability to get rid of it.

Just so I'm clear, is C:\Windows\System32\Drivers\dbliw.sys quarantined now? If you look it up in its actual folder is it there too or does quarantine move it to the Virus Chest?


norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #24 on: February 03, 2010, 07:46:19 AM »
Just out of curiosity, can you directly scan other files or is it just that one that's a problem?

ArtemisF0wl

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #25 on: February 03, 2010, 07:50:05 AM »
another trick: go to device manager and click "view">show hidden devices

browse through the list and see if you can find this file and try to uninstall it from there

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #26 on: February 03, 2010, 07:59:31 AM »
Norel: To the best of my knowledge, C:\Windows\System32\Drivers\dbliw.sys is not quarantined now. When I look it up in its actual folder, it is there, and though both malwarebytes' and avast!'s scans found it and malwarebytes' scan told me "C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully", I can't find it in either malwarebytes' quarantine or avast's virus chest.

I tried a handful of other sys files, and it appears that I can directly scan all files except dbliw.sys.

go to device manager and click "view">show hidden devices


Artemis: Sorry to portray myself as the ignoramus that I am, but where is this device manager? :-[

Again, a thousand thanks, you guys.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #27 on: February 03, 2010, 08:03:40 AM »
Artemis: never mind; I found the device manager by using search and I found "dbliw" under the "Non-Plug and Play Drivers".

Here's the information it displays when I right-click and choose properties:

Device Type: Non-Plug and Play Drivers

Manufacturer: Unknown

Location: Unknown

Device Status: This device is working properly


Should I try and uninstall it? What do you guys think?
« Last Edit: February 03, 2010, 08:07:32 AM by Oldmittay »
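The two things the thread keeps circling back to are (a) cazoza's point that "Drivers" and "drivers" are the same folder, because NTFS paths are case-insensitive, and (b) what the "Non-Plug and Play Drivers" entry in Device Manager actually is: a kernel driver service registered under HKLM\SYSTEM\CurrentControlSet\Services. The following is an added triage example written for this page; it is not code from the thread, from avast!/Alwil, from Malwarebytes or from any poster. It assumes PowerShell 2.0 or later on Windows, run from an elevated prompt, and it takes the driver name `dbliw` and the two path spellings from the posts above; the function names and the `Win32_SystemDriver` lookup are this example's own choices. It reads the registry and the file but changes nothing, so it is safe to run before deciding whether to uninstall anything.

```powershell
# Added example (not from the thread). Read-only triage of a suspicious kernel
# driver: is it registered as a service, is it loaded, does the reported path
# match the browsed path, is the file signed, and can it even be read?
# Assumes PowerShell 2.0+ on Windows, elevated. Driver name 'dbliw' is the
# name reported by avast! in the thread; substitute your own.

function Resolve-DriverImagePath {
    # Registry ImagePath values for drivers come in several spellings:
    #   System32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys, \??\C:\...
    # Turn any of them into an ordinary absolute path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -imatch '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SamePath {
    # NTFS path comparison is case-insensitive: "Drivers" and "drivers" are one folder.
    param([string]$A, [string]$B)
    return [string]::Equals($A, $B, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-DriverTriage {
    param([string]$DriverName = 'dbliw')
    $r = @{ DriverName = $DriverName }
    $startModes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # 1. Service registration. This is what Device Manager lists under
    #    "Non-Plug and Play Drivers" once hidden devices are shown.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $r.Registered = ($svc -ne $null)
    if ($svc) {
        $r.ServiceType = $svc.Type            # 1 = kernel driver, 2 = file system driver
        if ($svc.Start -ne $null) { $r.StartMode = $startModes[[int]$svc.Start] }
        $r.ImagePath = Resolve-DriverImagePath $svc.ImagePath
    }

    # 2. Is the driver loaded right now? A "hidden service" that is Running is
    #    the state the avast! alert in the thread describes.
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    $r.Loaded = ($drv -ne $null -and $drv.State -eq 'Running')

    # 3. The alert's path versus the path seen when browsing (constructed from the posts).
    $reported = "C:\Windows\System32\Drivers\$DriverName.sys"
    $browsed  = "C:\Windows\System32\drivers\$DriverName.sys"
    $r.SamePath = Test-SamePath $reported $browsed      # expected: True
    $path = if ($r.ImagePath) { $r.ImagePath } else { $reported }
    $r.FileExists = Test-Path -LiteralPath $path

    if ($r.FileExists) {
        # 4. Signature. Note: on older PowerShell this does not consult catalog
        #    files, so a legitimate Microsoft driver can still show NotSigned.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $r.SignatureStatus = $sig.Status.ToString()     # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }

        # 5. Hash for submission to the AV vendor. Reading the file can fail
        #    with a generic device error when a rootkit filters I/O on its own
        #    image; record the error instead of aborting.
        try {
            $fs = [System.IO.File]::OpenRead($path)
            try {
                $sha = [System.Security.Cryptography.SHA256]::Create()
                $r.SHA256 = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally { $fs.Close() }
        } catch {
            $r.ReadError = $_.Exception.Message
        }
    }
    return New-Object PSObject -Property $r
}

Get-DriverTriage -DriverName 'dbliw' | Format-List
```

Reading the output: `Registered = True` with `ServiceType = 1` and a `StartMode` of Boot or System, combined with `Loaded = True`, is exactly the profile the thread's alert ("Type: hidden services") describes. `SamePath = True` settles the capital-D question. A `ReadError` on a file that `Test-Path` says exists is the same symptom as the "a device attached to the system is not functioning" message, and is itself a useful observation to pass along with the SHA256 (when it can be computed) and the service details when submitting the sample to the vendor for analysis. Nothing here removes or disables the driver; that decision belongs with the scan results and the vendor's verdict.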

ArtemisF0wl

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #28 on: February 03, 2010, 08:06:58 AM »
sure, why not? ;D I mean, avast and malwarebytes both say it's a rootkit. kill it I say

norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #29 on: February 03, 2010, 08:10:47 AM »
I guess I'm a little confused. If it's not quarantined, what process did you use to try and upload it?

You might do another scan of your whole system and try to get avast! to hit on it again. If or when it does choose "Move to chest" as the action and see if you can get it quarantined. :)