Author Topic: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"


norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #30 on: February 03, 2010, 08:24:07 AM »
If it won't let avast! quarantine it, I would try to nuke it with the Malwarebytes File Assassin tool, it will kill just about anything. :)

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #31 on: February 03, 2010, 08:33:10 AM »
Norel: You're not the only one  :). My apologies for the vague "upload" phrasing; when I said upload, I didn't mean uploading to Alwil for analysis, I meant uploading to Jotti or Virus Total.

When I do a scan on avast! I do indeed hit on it again, but even when I choose the "Move to Chest" action, it's still nowhere to be found in the virus chest.

Here's what it says for the file in the "Results of Last Scan":

Name of File: C:\Windows\System32\Drivers\dbliw.sys

Result: Infection: Win32:Rootkit-gen [Rtk]

Operation: Error occurred during moving file to chest: The system cannot find the file specified.

Strange stuff, considering the scan found the file, did it not? I'm at a little bit of a loss, my friends.

Artemis: To add a further twist to the plot and more mystery: I tried to uninstall dbliw from my computer, and after restarting the computer and starting up Device Manager, dbliw is nowhere to be found. And yet, dbliw.sys can still be found in the Drivers folder, and the avast! scan still detects the file. I'm running a Malwarebytes scan as I type this, but I assume it too will find the file and try, unsuccessfully, to quarantine it. There are too many twists and turns to follow.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #32 on: February 03, 2010, 08:34:08 AM »
If it won't let avast! quarantine it, I would try to nuke it with the Malwarebytes File Assassin tool, it will kill just about anything. :)

Would you mind showing me how to find this? Much appreciated, again.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #33 on: February 03, 2010, 08:37:57 AM »
I have a Win32:Nebuler-B [Drp] and a Win32:Bredolab-BL [Trj] and a JS:Pdfka-US [Expl] in the infected files folder of my virus chest, but no Win32:Rootkit-gen [Rtk] :(

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #34 on: February 03, 2010, 08:44:57 AM »
Follow this guide from essexboy, and post the logs
http://forum.avast.com/index.php?topic=53253.0

Essexboy is the malware expert in here; when you have posted the logs I will send him a PM.
He usually arrives late (Norwegian time) as he works in several forums.

ArtemisF0wl

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #35 on: February 03, 2010, 08:58:04 AM »
you're in good hands now, Oldmittay. essexboy is the man... ;)

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #36 on: February 03, 2010, 09:14:27 AM »
Pondus: Thanks for being willing to call in the cavalry for little old me.

Here is the log of my MBAM scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/3/2010 1:59:58 AM
mbam-log-2010-02-03 (01-59-58).txt

Scan type: Quick Scan
Objects scanned: 104946
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

A few notes:
1. I was asked to restart my computer, and did so immediately.
2. I've done this scan several times, and each time it tells me that the above infected file is quarantined and deleted successfully, but still after each time I can't find the file in quarantine and it is still present in my computer's files.

I will now do the OTL section of essexboy's directions, and post those logs as soon as they are available to me. Again, many thanks.

Artemis: essexboy may be the man, but I felt that I was in good hands under your (and norel's) guidance as well. You're my boy, blue.

norel

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #37 on: February 03, 2010, 10:06:29 AM »
The File Assassin's in the More Tools tab in Malwarebytes.

Vista recreates certain drivers even if they're uninstalled or deleted. This can be a royal pain sometimes or it can be a lifesaver. That could be what's happening here. If you delete it with File Assassin and it comes back I'd say for sure that's what it is.

Time for me to hit the sack. :)


Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #38 on: February 03, 2010, 10:19:58 AM »
Norel: Thanks for all the guidance and advice; it's been a privilege having you around to help me.

Artemis: Loving the profile picture. Indescribably clutch.

Pondus: I have attached my two OTL logs. Hope this is what you and essexboy are looking for. Cheers.

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #39 on: February 03, 2010, 10:49:58 AM »
Norel: Now that I've posted those Logs, I think I might wait to hear what essexboy has to say before trying anything else out. Still, I am indebted to you, and I'll definitely try out the File Assassin if things don't work out with essexboy's help. The way Artemis lauds him though, I'm feeling pretty happy to have his help on the way.

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #40 on: February 03, 2010, 12:03:54 PM »
Norel: Now that I've posted those Logs, I think I might wait to hear what essexboy has to say before trying anything else out. Still, I am indebted to you, and I'll definitely try out the File Assassin if things don't work out with essexboy's help. The way Artemis lauds him though, I'm feeling pretty happy to have his help on the way.
PM to Essexboy is sent. He is the "Terminator" of malware and soon that rootkit is dead..... ;)

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #41 on: February 03, 2010, 10:23:05 PM »

PM to Essexboy is sent. He is the "Terminator" of malware and soon that rootkit is dead..... ;)

Awesome. Can't tell you enough how thankful I am for your help, Pondus.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #42 on: February 03, 2010, 10:41:53 PM »
Hi,

Anyway, just one thing you need to know after Pondus' advice.

You should turn off your recovery system, to avoid viruses/malware creating backup files on your system.

Good luck
I would not recommend that, as a bad restore point is better than none.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #43 on: February 03, 2010, 11:20:08 PM »
I do not think File Assassin is man enough to kill a rootkit, as there will probably be a respawner there somewhere.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
O4 - HKCU..\Run: [C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe ] C:\Users\Zach\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYPMOKHT\Mojo_2.2.1[1].exe File not found
[2010/02/03 02:23:02 | 000,792,064 | ---- | M] () -- C:\Windows\System32\drivers\dbliw.sys
[2010/02/02 01:40:27 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/03 02:48:48 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\dbliw.sys

:Commands
[purity]
[emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
THEN

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
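A defender-side check for the two symptoms in this thread: a scanner that reports the driver while Windows says "the system cannot find the file specified", and the loader ("respawner") essexboy expects to find somewhere. This is an added PowerShell example, not from the thread and not part of OTL, GMER or Malwarebytes; it assumes an elevated prompt on Vista or later, and uses dbliw.sys only because that is the file name under discussion.

```powershell
# Added example, not from the thread. Given a driver file name, this reports:
#   1. every entry under CurrentControlSet\Services whose ImagePath refers to it
#      (a driver's loader normally lives here, so a surviving entry explains a "respawn"), and
#   2. whether the file is reachable from user mode, plus its hash and Authenticode status.
# 'dbliw.sys' is the name discussed in the thread; run from an elevated prompt.
param(
    [string]$DriverName = 'dbliw.sys'
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverPath  = Join-Path $env:SystemRoot "System32\drivers\$DriverName"

Write-Host "== Service entries referencing $DriverName =="
$refs = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and $props.ImagePath -like "*$DriverName*") {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $props.ImagePath
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            Type      = $props.Type    # 1 kernel driver, 2 file-system driver
        }
    }
}
if ($refs) { $refs | Format-Table -AutoSize } else { Write-Host 'none found' }

Write-Host "== User-mode view of $driverPath =="
# A scanner "finding" the file while the shell reports it missing is the pattern in
# the thread: the file is being hidden from ordinary file APIs.
if (Test-Path -LiteralPath $driverPath) {
    $item = Get-Item -LiteralPath $driverPath -Force
    Write-Host ("Size: {0} bytes, modified: {1}, attributes: {2}" -f `
        $item.Length, $item.LastWriteTime, $item.Attributes)
    try {
        $hash = Get-FileHash -LiteralPath $driverPath -Algorithm SHA256
        Write-Host "SHA256: $($hash.Hash)"
    } catch {
        Write-Host "Could not read file for hashing: $($_.Exception.Message)"
    }
    # Drivers shipped with Windows are signed; an unsigned file here deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    Write-Host "Signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    Write-Host 'Not visible from user mode; confirm with an offline or kernel-level scan such as GMER.'
}
```

Compare the SHA256 and size it prints against what the scanner logs report (OTL above shows 792,064 bytes and "Unable to obtain MD5"); a mismatch or an unreadable file from user mode points to the same hiding behaviour the thread describes.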

Oldmittay

  • Guest
Re: Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"
« Reply #44 on: February 03, 2010, 11:25:06 PM »

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Essexboy, really appreciate you stepping in here. Thank you :)

I'm a little confused by the directions I've quoted above. Does this mean that after I click the Run Fix button and the Fix is finished running, I should restart my computer, then do another OTL quick scan like the one I previously did and posted above, with the OTL.txt and Extra.txt?