Hiberfil.sys

When I run a boot-time scan with avast 6.0.1203, it reports that c:\hiberfil.sys is infected with win32:fakevimes-B [trj] and says that the operation to move it to the chest failed because the disk is full.

When I scan my PC with avast while logged in to Windows, it says my PC is clean (it finds it only on the boot scan). It also comes up clean with Malwarebytes, SuperAntiSpyware, Immunet, HitmanPro and Comodo Essentials (all with full scans).

Is it a false positive? Is it safe to delete? And if it is safe, how?

Sorry for my English and thanks for your time.

Upload the suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here so we can see it.

Alternatively:
Jotti`s http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

I can't upload it; it is 1.572.136 kbytes, very big. Also it is a system file.
Also I found this on Google:
http://www.windows7hacker.com/index.php/2009/05/what-is-hiberfilsys-and-how-to-delete-in-windows-7-free-up-hard-drive-space/

It is a system file for hibernation.

Use 7-Zip to make a compact 7z file of it. Run it as admin to be able to do it.
http://www.7zip.com/

Yes, I was looking at the same… it looks as if you can just delete it.

Never done it… will try.

If you want to delete it, run as admin:
powercfg.exe /hibernate off

To enable it again and recreate a clean hiberfil file, admin:
powercfg.exe /hibernate on
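The two commands above are the whole procedure, but a practitioner usually wants to see why the quarantine failed and to confirm the file really went away. The script below is an added example, not code from the thread; it assumes an elevated PowerShell on Windows Vista/7 or later, and uses only the documented `powercfg /hibernate off` and `powercfg /a` switches. It reports the size of hiberfil.sys against the free space on the system drive (a quarantine or "chest" operation copies the file, which is why a nearly full disk makes it fail), disables hibernation so Windows removes the file, and then verifies the result.

```powershell
# Added example (not from the thread): size-check hiberfil.sys, disable hibernation
# so Windows removes the file, and confirm it is gone. Run from an elevated PowerShell.

$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'

# powercfg /hibernate needs administrator rights; stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell.'
}

# hiberfil.sys is a hidden system file, so Get-Item needs -Force to see it.
$file = Get-Item -LiteralPath $hiberfil -Force -ErrorAction SilentlyContinue
if ($null -eq $file) {
    Write-Host "No $hiberfil present; hibernation is probably already off."
} else {
    $drive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
    Write-Host ("{0}: {1:N0} MB; free space on {2}: {3:N0} MB" -f `
        $hiberfil, ($file.Length / 1MB), $env:SystemDrive, ($drive.Free / 1MB))
    # Moving a file to quarantine needs roughly its own size free on the drive,
    # which is the condition that produced the "disk is full" error in the thread.
    if ($drive.Free -lt $file.Length) {
        Write-Host 'Not enough free space to quarantine this file; disabling hibernation removes it instead.'
    }
}

# Turn hibernation off; Windows deletes hiberfil.sys as part of this operation.
powercfg.exe /hibernate off
if ($LASTEXITCODE -ne 0) { throw "powercfg failed with exit code $LASTEXITCODE" }

# Verify: the file should be gone, and /a should no longer list Hibernate as available.
if (Test-Path -LiteralPath $hiberfil) {
    Write-Warning "$hiberfil still exists; reboot and check again."
} else {
    Write-Host "$hiberfil removed."
}
powercfg.exe /a

# To restore hibernation later (Windows recreates a fresh hiberfil.sys):
#   powercfg.exe /hibernate on
```

After the file is gone, the sensible follow-up is exactly what the thread suggests: re-run the avast boot-time scan and a second opinion scanner, and only escalate to removal tools if something is still found.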

I don't use hibernation so I typed in cmd {powercfg.exe -h off}, and the system deleted that file.
So I am OK. Thanks for your help and for your time :slight_smile:

You’re welcome :slight_smile:

Just tested here and it worked fine… then I ran Powercfg.exe -h on and the file is back.

Try a scan with avast now and see what result you get.

Malware info: Win32/FakeVimes = Rogue security programs
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FFakeVimes
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFakeVimes

I had started a new boot-time scan and I am waiting for the results.
But hibernation and a fake antivirus, I haven't seen that before.
Once a month I scan my PC with 4 different programmes (avast, Malwarebytes, SuperAntiSpyware, Comodo), so very strange, but whatever :stuck_out_tongue:

Results all clean. Thanks Pondus

You're welcome :wink:

Just to check for any rootkit:

Download Dr.Web from here:
https://www.freedrweb.com/download+cureit+free/?lng=en

Do an update and perform a full scan.

It will cure any infection that it finds.

Post logs in your next reply if possible.

Hi com155,

You should not do this. First run DrWebCureIt and ask the victim to cure if it finds anything.
The victim is not able to establish for himself what he should do. First analyze the log, then a qualified malware remover should give advice on what to do. As you mix up this sequence totally, it proves that you are not a qualified remover (like essexboy, oldman and others). If you go on giving advice with third party removal tools, you know the answer now to another question you have asked here.
If you do not know issues, ask first and do later, do not be so nosewise and a risk to victim computers. If you cannot handle it yet, stay out until later,

polonus

Now I have modified it; is it okay?

Sorry, but I never saw the original post pre-modification, but to me it is just as bad/dangerous.

It is still diving in with a tool that could well harm the user's system, not to mention that what has already been suggested as a first step, disabling the hibernate feature (when the OP said they don't use it), will do no harm.

The disabling of the hibernate feature should remove the hiberfil.sys without harm to the system and then it is a watching brief, does avast find anything else or further applications like MBAM scan to see if anything is found or are there any strange symptoms on the system. Then it would be the use of other analysis tools and NOT jumping in with both feet and a slew of removal tools.

So your first action should always be ‘first do no harm’ and that is where the use of conventional applications like MBAM for general secondary; then if necessary this is where the use of analysis tools come in; gather the information before making any decision on the use of tools.

Hi com155,

Totally agree with DavidR here. Third party stand-alone tools like DrWebCureIt should be advised to be used and used strictly only under guidance of a qualified remover. People that are being trained elsewhere, like you at geek2go, are completely forbidden to remove malware elsewhere for the time of their outbuilding, and on the training site after some time are allowed to perform malware cleansing under guidance of a qualified remover/teacher. I have understood that essexboy has not yet introduced you here as a qualified malware remover, so until that day and moment you should absolutely not mingle into malware cleansing routines or start any.

As far as third party stand alone tools are concerned like DrWebCureIt. These tools can be advised to be used by a qualified remover as they could have additional technology (DrWebCureIt now has a specifically secure load that freezes the desktop). DrWebCureIt has some very strong sides, but also its rather weak sides in case of false positives. Whether the finds/flags of the scan should be quarantined, fixed or left, that is to be decided by the qualified malware remover that was trained to know these things. Ill- or badly advised cleansing with DrWebCureIt could ruin a computer beyond rebuilding or leave it without critical files if these were falsely flagged. The stand-alone tool could be run in various settings and the tool should be downloaded from a site without the additional DrWeb nagging and asking for private data. For instance this is a reliable download link here: http://majorgeeks.com/Dr._Web_CureIT_d4783.html

So, com155, first finish your training, during that time refrain from malware removal advice,
and after that come back,

polonus

// *** Dr.Web CureIt!® has some very strong sides, but also its rather weak sides in case of false positives.***//

I would like to say a few words in defense of Dr.Web; it's just words, nothing more than unsupported by.

Any anti-virus has false positives … and I think c:\hiberfil.sys is infected with win32:fakevimes-B [trj] is a false alarm.

Hi Dim@rik,

Well, I should not have said that as a general statement, as this is so for all av solutions, but this had been my personal experience with DrWebCureIt. I cannot speak other than from personal experience, but recent experiences were better in that respect.

DrWebCureIt is one of the best stand-alone scanners, and I have a deep respect for the Saint Petersburg developers of this fine av solution.
Remember that I was one of the first to praise this: http://online.us.drweb.com/?url=1 as a browser extension, as it found particular online issues where avast did not.

The new features of DrWebCureIt are great: self-protection is unique, the enhanced anti-blocker mode is operational, the WinRAR unpacker has been greatly improved, and the unique blocker neutralization mode has been implemented (specifically against trojan.Winlock). It has an enhanced protection mode and a standard mode, and the user is notified when to change from one mode to the other. So DrWebCureIt has gotten a complete make-over with this newest version,
and… yes, polonus uses it himself as an on-demand scanner from time to time.
This program is “хорошая” (“good”),

polonus

This program is "хорошая" ("good"),

hehe

CureIt should be used only for serious infections (Sality, Virut …).

Professional instructions for CureIt


Link: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Restart the computer in Safe Mode.

Double-click launch.exe to start it; a Welcome window appears - click Start.

A notice about starting the preliminary scan appears - click OK.

Wait a few minutes for Dr.Web CureIt to run the Express Scan; if malware is found, click the Yes to All button in the window that appears to allow the program to carry out disinfection.

Click Settings > Change settings (F9); in the window that opens, uncheck the option Heuristic Analysis and then click Yes.

In the main window, select the Complete Scan option and then click Scan; the Dr.Web CureIt scan will begin.

If malware is found, click the Yes to All button in the window that appears to allow the program to carry out disinfection.

When the scan is complete, click the Select all button (if available), and then click Cure;
in the menu that opens, click Move incurable.

Google Translate ;D

Text can be edited.