Suspicious file found: "C:\Windows\System32\Drivers\dbliw.sys"

Hello, I have the avast! 4.8 home edition, and starting today I have begun receiving avast!Warning messages telling me that the following suspicious file was detected on my computer:

File Name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services

The 1st time I received this warning, I followed the recommended action, which was to ignore, and was then prompted by avast! to run a scan boot, which I did. A few dangerous files were found during the scan, and I elected to delete them all. However, after the scan was finished and my computer rebooted, I received the same avast!Warning for C:\Windows\System32\Drivers\dbliw.sys, and this time I decided to delete the file. I was again prompted to run scan boot, which I did, and this time no dangerous files were found during the scan. After rebooting again, I received the avast!Warning for a 3rd time, and this is where I now stand.

I have done a google search for the file C:\Windows\System32\Drivers\dbliw.sys, but can’t seem to find any information about it. Was this a case of a false-positive? Have I done my computer irreparable damage by deleting it? :-[ When I individually scan the file with ad-aware, it tells me no threats were found, but when I do the same with avast! and on virustotal, it says: Scan was completed with error. Error: a device attached to the system is not functioning.

This appears to be much the same issue posted on this thread, except with a different file in question: http://forum.avast.com/index.php?topic=40975.0

Can anyone help me with this problem? Thanks in advance for any and all help. As a huge fan of avast!, I hope this issue can be resolved soon.

This post should have been posted in the virus and worm forum.

check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button “remove selected” to quarantine anything found and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked and post your scan logs here

Pondus: Thank you very much for the speedy response; my apologies for not posting this in the correct forum, would you like me to recreate this topic there? I’m pretty new at this.

I intend to do just that, but how do I post my scan logs here once I have done them?

Anyone have any other suggestions or have any idea what this file is or what its purpose is? Again, I can’t find any information on it using google.

Thanks again for all your help.

come back and tell us if it worked and post your scan logs here

I intend to do just that, but how do I post my scan logs here once I have done them?

Copy and paste

And yes, not many hits on Google for that file. Maybe someone else in here knows what it is?

Hi,

Anyway, just one piece of information you need to know after Pondus's advice.

You should turn off your recovery system, to avoid viruses/malware creating backup files on your system.

Good luck

Hey guys,

haven’t had a chance to run any of those malware scans you suggested above, but now when I try and open avast on my computer, the startup splash screen appears, but it never progresses to the main screen and the splash screen just disappears.

Does this suggest that C:\Windows\System32\Drivers\dbliw.sys is in fact malware, or are there other possible explanations?

Also, my computer has been acting pretty much normal since the warnings first started appearing, about a day ago. Is it still possible that my computer is infected if it is still performing well?

Yes…you can have malware and not know it, and if avast won't open that is suspicious, so try the tools suggested.

For whatever it’s worth, it’s always a very bad idea to delete a file until you know for sure what it does. It’s too late now but for future reference I would leave it in the Chest and send a copy to Alwil for analysis before deleting.

I second running Malwarebytes if you think you might still be infected. It’s a good program. :slight_smile:

You’re right Norel, I sort of got worried after ignoring the file didn’t fix the problem the first time, so I overreacted and deleted it the second time. At least from this point forward I’ll know to always put the suspect files into the quarantine chest rather than delete them, correct?

I completed a malwarebytes’ scan, as you guys suggested, and 5 infected files were found and quarantined, including that old familiar nemesis of mine, system32/drivers/dbliw.sys

Here is the log of the scan:

Malwarebytes’ Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 6:13:58 PM
mbam-log-2010-02-02 (18-13-58).txt

Scan type: Quick Scan
Objects scanned: 104983
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssmsgs (Backdoor.Bot) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Hope this is informative for you guys, because it’s way over my head. Any suggestions for what needs to be done next?
Again, Pondus, Norel, and Yanto, thank you so much for your advice and help. Cheers.

P.S. Why don’t the two infected files show up on this log?

After finishing the scan and hitting the “remove selected” button as Pondus suggested, I was prompted by malwarebytes to restart my computer in order to complete the removal process. When I selected yes to continue with the restarting process, however, I was informed that something went wrong with the restarting process, and the computer didn’t restart.

I did another malwarebytes’ scan, and this time only 1 infected file was found: C:\Windows\System32\Drivers\dbliw.sys
This confused me, since after the first scan I was told that all found infected files had been successfully quarantined, and yet this is one of those found files, and it does not appear to be quarantined. It isn’t on my quarantine list on malwarebytes’ either, as can be seen here:

I once again hit the “remove selected” button and was once again told that all files were quarantined successfully, but on this attempt however, the computer did in fact restart when I hit the “yes” to proceed with the restart button. Confusing, right?

After the computer finished restarting, I did a malwarebytes’ scan for the third time, and again the same infected object, C:\Windows\System32\Drivers\dbliw.sys, was found.

Here is the third scan log after I hit the remove selected button:

Malwarebytes’ Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 7:00:27 PM
mbam-log-2010-02-02 (19-00-27).txt

Scan type: Quick Scan
Objects scanned: 104910
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\dbliw.sys (Rootkit.Agent) → Quarantined and deleted successfully.

An avast! popup just came up warning of a rootkit, and the file it claimed was a rootkit was the same C:\Windows\System32\Drivers\dbliw.sys, and it suggested that I delete the file immediately, so I did so, but when I looked into my system32\drivers folder, I saw that dbliw.sys changed its size from 0 kb back to 774 kb, the same size it has been since I first discovered it.

Any ideas guys?

I have some ideas if you’d like to hear them…

1. disable system restore
2. http://www.filehippo.com/download_superantispyware/ <<<< install that and update it. if it fails to install, use the portable version here: http://portable.superantispyware.com/sassaferun.php
3. install and update this http://www.filehippo.com/download_asquared/
4. boot into safe mode and run full scans with both of those programs, hopefully that rootkit can be killed in safe mode

Artemis, thanks for the advice, but before I take any of those actions, I want to be as close to 100% sure as possible that this sys file is in fact a rootkit.

How do I disable system restore?

Does everyone agree that all signs point to C:\Windows\System32\Drivers\dbliw.sys being a rootkit, since the Malwarebytes' scans suggest as much and my original avast! scan suggested as much and the recent avast! popup suggested as much, but I can't find any information on this particular file anywhere on Google and recent preboot scans by avast! have been unable to find any infected files?

I know I shouldn’t count my eggs before they hatch, but I just want to say how thankful I am for everyone’s help in resolving this irritating, confusing issue. This is a great forum, and I appreciate the knowledge everyone is willing to share with me.

Breaking News: An avast!Warning just popped up, saying a rootkit was found. "A suspicious hidden object (rootkit) has been detected…may be a sign of malware infection. It is recommended to remove object immediately"

File name: C:\Windows\System32\Drivers\dbliw.sys
Type: hidden services
Malware name: Win32:Rootkit-gen [Rtk]

Does this prove that this sys file is in fact a malware file? I once again tried to “delete now”, but the file didn’t go away. :-\

Also, when I try to upload the file to scan it on either Jotti or Virus Total, it tells me a device attached to the system is not functioning, and it won’t let me upload it. ???

disabling system restore depends on what operating system you have.

try uploading the file here and see what results you get

http://camas.comodo.com/ (comodo instant malware analysis)

I have Windows Vista Home Premium.

And I tried uploading the file there and got the same result: “a device attached to the system is not functioning”, and it won’t let me upload or scan it. :frowning: Nonetheless, thank you for the continued advice, Artemis. :slight_smile:

click the start button (vista orb), right click on "computer" and select "properties". on the left pane, one of your choices should say "system protection". choose that and you'll see how to do it from there.
do you know how to boot into safe mode? I'm not trying to talk down to you at all, just asking. in case you don't know, restart and during boot-up, immediately begin tapping F8 until you get a black screen with text on it. one of your choices will be "safe mode"; select it and press "enter"

If deleting your system restore points doesn't do anything, then C:\Windows\System32\Drivers\dbliw.sys might be a protected system file, especially if deleting it with Malwarebytes didn't do anything. I'd send it to Alwil for analysis, it could be a false positive.

Wait a second, am I supposed to delete or disable my system restore points?

In regards to this, I do have a sort of nagging suspicion it could be a false positive. How do I send it to Alwil for analysis? What is the analysis process like? About how long does it take for this kind of analysis to be done? Should I wait to hear back from Alwil before moving forward with Artemis’s suggestions?

Artemis: no offense taken from your step-by-step directions. I did know how to boot into safe mode, but I still appreciate your detailed instructions. Now all I need to know is whether or not to put your ideas into action.

At the risk of making myself look even more incompetent than I already have, I noticed a tiny detail in all of this that probably means nothing but I figured I would run it by you guys just in case it's important in some way: When I receive the avast!warning about the rootkit the file looks like this

with the Drivers folder with a capital ‘D’. However, when I search out the file individually, I go through Windows and System32, but the drivers folder in System32 has a lower case ‘d’, and there is no file with a capital ‘D’. Does this mean anything? Does the fact whether a folder has an upper case or lower case letter mean they are different folders, or am I simply splitting hairs here? :-\
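
An added example, not from the thread or from any of the posters, of the cross-check a defender can run for the symptoms described above: a driver flagged as a "hidden service", a file that comes back after deletion, a read error when uploading it, and the upper/lower-case "Drivers" question. It assumes an elevated PowerShell (2.0 or later) on Vista or newer; the service Type values and the default ImagePath rule are Windows conventions, and no other name in it is taken from the thread.

```powershell
# Added example (not from the thread): cross-check the kernel-driver services
# registered under HKLM\SYSTEM\CurrentControlSet\Services against the .sys files
# on disk, so a service whose file the shell cannot see, or a file that no
# service references, stands out. Run from an elevated PowerShell prompt.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Windows paths are case-insensitive: "Drivers" and "drivers" name the same folder.
"Same folder regardless of case: " + (Test-Path (Join-Path $env:SystemRoot 'System32\Drivers'))

# 1. Collect every driver service (Type 1 = kernel driver, 2 = file system driver)
#    and resolve its ImagePath to a full path. A missing ImagePath means the
#    default location System32\drivers\<ServiceName>.sys.
$driverServices = Get-ChildItem $svcRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ((1, 2) -contains $p.Type) {
        $img = [string]$p.ImagePath
        if (-not $img) { $img = "System32\drivers\$($_.PSChildName).sys" }
        $img = $img -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }
        New-Object PSObject -Property @{ Service = $_.PSChildName; Start = $p.Start; Image = $img }
    }
}

# 2. Driver services whose image file the file-system API does not show:
#    either a stale entry, or a file that something is hiding from view.
"--- Driver services with no visible file ---"
$driverServices | Where-Object { -not (Test-Path $_.Image) } | Format-Table Service, Start, Image -AutoSize

# 3. .sys files in the drivers folder that no service references, with size,
#    Authenticode status and whether the file can even be opened for reading
#    (a plain file that fails to open with a device error is itself a red flag).
"--- Unreferenced .sys files ---"
$referenced = $driverServices | ForEach-Object { $_.Image }
Get-ChildItem $driverDir -Filter *.sys | Where-Object { $referenced -notcontains $_.FullName } |
    ForEach-Object {
        $f = $_
        $sig = Get-AuthenticodeSignature $f.FullName -ErrorAction SilentlyContinue
        try { $s = [System.IO.File]::OpenRead($f.FullName); $s.Close(); $readable = 'yes' }
        catch { $readable = $_.Exception.GetType().Name }
        New-Object PSObject -Property @{
            File = $f.Name; KB = [math]::Round($f.Length / 1KB); Signed = $sig.Status
            Publisher = $sig.SignerCertificate.Subject; Readable = $readable
        }
    } | Format-Table File, KB, Signed, Readable, Publisher -AutoSize
```

Unreferenced but validly signed Microsoft drivers are normal and can be ignored; an unreferenced, unsigned file that cannot even be opened for reading is the one to quarantine and submit to the vendor for analysis rather than delete.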

maybe you should wait. I'm no expert by any means, but I've cleaned a few infections off my machine before. ;D

I'd really hate to give you wrong advice and make things worse. I certainly don't have that file on my pc, for whatever that's worth. the fact that google turns up absolutely nothing when searching the filename is suspicious imho. if it were a windows system file, surely google would produce some results for it