f04566ea.sys

Avast came up with a virus warning for the following file location:

C:\windows\system32\drivers\f04566ea.sys

Is this a file that should be deleted?

Thanks.

Leukon

What is the malware name of the file?

I need to see the warning text file.

C:/Program Files/Alwil Software/Avast/DATA/log/warning.txt

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com. VirusTotal has a file size limit of 10 MB. Please mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable “Hide protected operating system files” and enable “View hidden files and folders” to manage the file(s).

Based on the file name (it looks randomly generated), its location, and the fact that the only hits on Google are for this topic, I would say it is highly likely that it is a good detection.

So I strongly doubt it is a false positive detection.

Deletion isn’t really a good first option (afterwards you have no options left). ‘First do no harm’: don’t delete, send the virus to the chest and investigate.

You should upload it to VirusTotal. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.

Post the results, as they are likely to give other aliases (what other scanners called it; we need to know what avast called it too).

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add; type (or copy and paste) C:\Suspect\* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
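The post above describes the triage by hand: confirm the file is really there (it may be hidden or flagged as a system file), get a copy out of avast’s reach into an excluded folder, and collect what VirusTotal will need. The following PowerShell script is an added example of the same triage, not something posted in this thread or shipped by avast. It assumes the file path avast reported in the first post, the C:\Suspect exclusion folder DavidR describes, and a PowerShell version that has Get-FileHash (4.0 or later); it is meant to be run from an elevated prompt. Because merely reading the file can trigger the on-access shield, hash it either before avast has quarantined it or after extracting it into the excluded folder.

```powershell
# Added triage example for a suspect driver file (not part of the original thread).
# Assumptions: the path reported by avast in the thread, the C:\Suspect folder excluded
# from the Standard Shield as DavidR describes, PowerShell 4.0+ (for Get-FileHash),
# and an elevated prompt (system32\drivers and HKLM are not readable otherwise).

$Suspect   = 'C:\windows\system32\drivers\f04566ea.sys'  # path from the first post
$TriageDir = 'C:\Suspect'                                 # folder excluded from the shield

# 1. Is the file still on disk? -Force also returns hidden/system files, i.e. the ones
#    that "Hide protected operating system files" keeps out of Explorer.
$item = Get-Item -LiteralPath $Suspect -Force -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Output "Not found at $Suspect (deleted, or in the chest under an encrypted name)."
} else {
    Write-Output ("Found: {0}  size={1}  attrs={2}  created={3}" -f `
        $item.FullName, $item.Length, $item.Attributes, $item.CreationTime)

    # 2. Hash it. The SHA-256 can be searched on virustotal.com without uploading the
    #    file at all, and it is what you quote when reporting a false positive to avast.
    $hash = Get-FileHash -LiteralPath $Suspect -Algorithm SHA256
    Write-Output "SHA256: $($hash.Hash)"

    # 3. Drivers in system32\drivers are normally Authenticode-signed. A random name plus
    #    "NotSigned" is one more pointer towards a genuine detection.
    $sig = Get-AuthenticodeSignature -LiteralPath $Suspect
    Write-Output "Signature: $($sig.Status)  signer=$($sig.SignerCertificate.Subject)"

    # 4. Copy (do not move) into the excluded folder for the VirusTotal upload, leaving
    #    the original where avast can still quarantine it.
    if (-not (Test-Path -LiteralPath $TriageDir)) {
        New-Item -ItemType Directory -Path $TriageDir | Out-Null
    }
    Copy-Item -LiteralPath $Suspect -Destination $TriageDir -Force
}

# 5. Is a kernel service still configured to load it? Drivers are loaded through an entry
#    under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath points at the file.
#    Start: 0 = boot, 1 = system, 2 = automatic, 3 = on demand, 4 = disabled.
$name = [System.IO.Path]::GetFileName($Suspect)
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and ($p.ImagePath -like "*$name*")) {
            [pscustomobject]@{ Service = $_.PSChildName; Start = $p.Start; ImagePath = $p.ImagePath }
        }
    } | Format-Table -AutoSize

# 6. Look for stray copies in the places the thread mentions later (temp, System Restore
#    and so on). This walks the whole drive, so it takes a while.
Get-ChildItem -Path 'C:\' -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

If step 5 finds a service entry, note its name before anything is deleted: a service whose ImagePath points at a file that no longer exists is exactly the kind of leftover that keeps producing errors after the driver itself is gone, and it is something to mention alongside the VirusTotal results.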

Thank you Jtaylor83, Tech and DavidR for your quick replies!

I see the need to submit the file for examination. However, I located the file, copied it, but could not paste it into the Suspect folder. Do I need to do this in Safe Mode? I am not sure what is meant by “exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*”. Please explain.

Thanks.

Leukon

Which is this suspect folder? David was just giving an example, not a real folder…
Don’t change your exclusion lists right now; it seems the file is really infected.
Is it in the avast Chest (Quarantine)?
You can extract it from there and submit it to www.virustotal.com to know more.

You’re welcome.

If avast is alerting when you try to copy it to the suspect folder, you have to have first created the exclusion for the folder. This is what to copy and paste into the Standard Shield exclusion: c:\Suspect\* Open the on-access protection scanner window (left click the avast icon), select the Standard Shield, Customize button, Advanced tab, Add, and now paste the c:\Suspect\* text into that box, see image.

@ Tech
It is a real folder created by the user, which can be excluded from scans so the file can be moved there and uploaded to VirusTotal without avast alerting, and without having to disable/pause the avast Standard Shield.

I know, but the user can create another folder and do the same… it’s just an example…

I ran a scan on the file and it says it does not exist. I was sure I clicked on Ignore when the virus notification showed up. Maybe not? So I cannot upload the file to Avast! I’m sorry.

This whole thing started with an error message: “This system is shutting down… Please save all… Error 1073741819”. I Googled the error and found several suggestions for remedying it, though none of them applied to the situation at hand or none of them worked. Finally, assuming that a virus was causing the problem, I removed the Norman antivirus on the system and installed Avast! It found the f04566ea.sys file. Even though that file is gone, the error message 1073741819 pops up every now and then. But if I change my dial-up to another server, I don’t have that error. Then, the next time I start up the browser with the original server, the browser starts to work without the error. I don’t know if it is the server or something else. This seems to be a nebulous problem.

DavidR, thank you for the explanation of how to take care of a suspect file. I will place this in My Documents for future reference.

Again, thanks to all of you for your prompt assistance.

Leukon

I suggest two sets of procedures:

A. General cleaning methods:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

B. Full computer on-line scanning:

Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

Thank you, Tech. I appreciate the disinfection steps, very thorough. I’ll see what I can do. When the Avast! warning first came up, it gave me two options: Ignore or Delete. The first time I clicked on Ignore, but the second time I must have clicked on Delete.

Leukon

You should have more options than that, send to the chest for example.

Is this the alert you got, see image example ?

DavidR,

No, that was not the alert I had on my screen. It was a simple tan rectangle notifying me that a suspicious file had been found at the location I indicated in my first post, and it gave me only two buttons, Ignore or Delete. It said Avast! on it.

Leukon

OK, sounds like it was detected on the anti-rootkit scan 8 minutes after the boot. Does that sound about right for the time frame?

If, as you say, you probably deleted it the second time around, I can only assume that you are no longer getting any alert on or shortly after boot?

Yes, it seems that the “error message 1073741819” appears to be quite common: lots of Google hits, and it “pops up every now and then.”

I did notice one Google hit which mentioned Antivirus 2008 and linked it to avast finding something suspect (hidden) on the anti-rootkit scan; this Antivirus 2008 style rogue program has been seen to have a rootkit to protect it. So I think it would be wise to do the additional steps Tech has listed.

Are you getting any other strange occurrences on your system?

Hmmm… try a scan with Malwarebytes Anti-Malware to know if you’re clean…

Just a newbie question here.
If the file was in the Chest, would the search show it not to exist?
Go peek in the chest and see if it is there with your own eyes.
Only if you clicked delete would it not exist, and even then sometimes we find them (or copies) in System Restore or temp or countless other places like the trash can.

A search wouldn’t find the name you are searching on if it were in the chest, as the file name is changed in the chest and the file is also encrypted.

You only need to use windows explorer and navigate to the chest to see the file names (see image).

The chest retains all information, so that when you open the chest using avast it displays the correct file name, but from the outside that isn’t seen. This and the encryption are just part of the protection process.

Post 8:
“I ran a scan on the file and it says it does not exist. I was sure I clicked on Ignore when the virus notification showed up. Maybe not? So I cannot upload the file to Avast! I’m sorry.”

My point was the file would not be found if it were in the chest unless the chest was opened and scanned.

“I ran a scan on the file and it says it does not exist.”
We do not know where (on which folder, drive, or chest) this “scan” was run.

“I was sure I clicked on Ignore when the virus notification showed up. Maybe not?”

“So I cannot upload the file to Avast! I’m sorry.”

So maybe he can upload by using extract.
I’m not convinced by the record that the file does not exist.

It will be encrypted into the \DATA\chest folder. It can’t be searched.

avast really deletes (erases) the file. It won’t be in other folders, at least not in the Recycle Bin. Temp or System Restore could have a copy, but the file is not ‘sent’ there.

The Chest can only be scanned by itself, within it (right-clicking the file). It can’t and won’t be scanned even by an avast on-demand scan (the file is encrypted). The fact of opening the Chest does not extract the file to outside scanners.