Win32:Driver-BVO [Trj] in C:\hiberfil.sys

Hi guys,

My computer (Vista) was being slower than usual for a few days, so I ran an avast boot scan. Avast found that C:\hiberfil.sys is infected with Win32:Driver-BVO [Trj]. The file was obviously too big to be moved to the chest. Avast can’t repair the file either, saying “Error: The system cannot find the file specified”.

I found that it is possible to get rid of C:\hiberfil.sys altogether through command prompt, but it didn’t work: after I entered the powercfg -h off command, I read that it couldn’t do it because of “one or more legacy drivers installed”; “an internal system component has disabled hibernation”. The hiberfil.sys file is still there. I do seem to be able to send it to the recycling bin, however. Perhaps it is a good idea?

If you have encountered this problem before, please let me know how to deal with it. Keep in mind that my priority is to get rid of Win32:Driver-BVO [Trj], I don’t care what happens to hiberfil as long as it isn’t infected anymore.

Thank you.

why did you do a boot scan… have any problems?

I do boot scans when my computer is unusually slow or has other symptoms of malware.

Boot scans have twice before found rootkits and trojans of the Win32 kind, but have always managed to isolate the file into the virus chest before.

The boot-time scanner is an expert feature, and was designed to be used when there’s something bad going on on the system.
https://blog.avast.com/2010/02/04/v5-bts-auto-actions/

if you search the forum for “C:\hiberfil.sys” you find more cases

is this detected if you do a default quick or full scan?

Dear Pondus, I like the BootScan feature because it has happened before that the regular scan didn’t find the problem, while the bootscan did and eliminated it.

This time around, I admit I did the BootScan right away. Are you saying that I should do a regular scan and stop worrying about it if it comes up clean? I understand there is a risk of a false positive with the BootScan, but when I read Win32:Driver-BVO [Trj], I tend to worry. Am I wrong?

I looked at the other threads and most of them revolve around removing hiberfil altogether. Could you tell me your opinion on doing so? I will take another look at the topics, however.

well… I would be suspicious if I don’t have any problems, and then suddenly bootscan tells me that I am infected but the default scan made for routine scans does not

do you have latest virus update?

have you run a quick scan with Malwarebytes for a second opinion?

Yes, I have the updates. The (regular) scan is running now. Once again, do you think I should not be worried about the BootScan and the trojan if the regular scan comes up clean?

I also re-read the other hiberfil.sys topics.

The most constructive solution seems to be disabling-enabling hibernation, making Windows create a new hiberfil.sys file. I would like some help with that, seeing as I have Vista and the command prompt doesn’t let me disable hibernation (see earlier post).

The hibernation option does appear in the Start menu despite what was written in command prompt.

I am running Ad-Aware as a second opinion.

If you believe I should get Malwarebytes, I will, but it does not solve anything. If it finds the Trojan too, I doubt it will remove it if Avast can’t. If it doesn’t find it, then I am still going to be worried because of that one Boot Scan.

I do not understand why I can’t seem to get rid of hiberfil.sys when other people have without problem. What does “an internal system component has disabled hibernation” mean?

follow this guide and attach the logs http://forum.avast.com/index.php?topic=53253.0

Then Essexboy the malware remover expert will have a look at it tomorrow

I will send him a PM so he sees this…

Ok, thanks Pondus.

Update: I am running the scans now, so I’ll post the logs later today.

mbam log:

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8096

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

06/11/2011 11:04:21 AM
mbam-log-2011-11-06 (11-04-21).txt

Scan type: Quick scan
Objects scanned: 176950
Time elapsed: 21 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{27BA317E-7BBD-4EBE-A06A-47F076D9D6F7} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2574231F-9D6F-4B0E-9041-5DD7484564AD} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MinBHO.ShowBarObj.1 (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MinBHO.ShowBarObj (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2863E737-DD3F-4280-9AF8-E9E79C16F312} (Adware.SkyMediaPack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SkyMedia (Adware.SkyMedia) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\musicfrost\music frost toolbar\MinBHO.dll (Adware.SkyMediaPack) → Quarantined and deleted successfully.

I guess this looks like there’s nothing to worry about…

attach OTL and aswMBR log so essexboy can check

Ok, here are the OTL logs. I’ll post the aswMBR as soon as I have them.

Log looks OK - turn off the hibernation function - reboot and then turn it on again, that should clear any problems

Ok, here is the aswMBR log. I will try to disable hibernation now.

The solution seems to have worked!

It’s strange that I couldn’t disable hibernate from Safe mode with command prompt, but managed to do it through the regular command prompt. Maybe it was a glitch that got fixed by one of the scans I ran.

I think this is all for now. Thank you for your help!

Hibernation is not accessible in safe mode

Logs still look good
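The recycle-hiberfil.sys procedure from this thread (powercfg -h off, reboot, powercfg -h on) as an added PowerShell example; it is not code from the thread or from Avast. It assumes an elevated prompt and only Vista-era tooling (Get-WmiObject and powercfg), and it checks the two things that tripped the original poster up: Safe Mode, where hibernation is not available, and the “internal system component has disabled hibernation” message that powercfg -a reports.

```powershell
# Added example (not from the thread): inspect hiberfil.sys and recycle it safely.
# Run from an elevated PowerShell in a normal boot; hibernation cannot be toggled in Safe Mode.

function Get-BootState {
    # Win32_ComputerSystem.BootupState is 'Normal boot' or 'Fail-safe boot' (Safe Mode).
    (Get-WmiObject -Class Win32_ComputerSystem).BootupState
}

function Get-HiberfilInfo {
    # hiberfil.sys is hidden+system, so Get-Item needs -Force to see it at all.
    $path = Join-Path $env:SystemDrive 'hiberfil.sys'
    $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($f) { $f | Select-Object FullName, Length, LastWriteTime, Attributes }
}

function Test-HibernateAvailable {
    # 'powercfg -a' lists the sleep states and, when hibernate is blocked, the reason,
    # e.g. "An internal system component has disabled hibernation." (the thread's error).
    # "Hibernation has not been enabled." only means it is off, which is not a block.
    $out = powercfg -a 2>&1 | Out-String
    return -not ($out -match 'disabled hibernation|legacy driver')
}

$boot = Get-BootState
"Boot state: $boot"
Get-HiberfilInfo | Format-List

if ($boot -ne 'Normal boot') {
    'Hibernation cannot be changed in Safe Mode; reboot normally and rerun.'
} elseif (-not (Test-HibernateAvailable)) {
    'Hibernation is blocked; the powercfg -a output below names the reason.'
    powercfg -a
} else {
    # Disabling hibernation deletes hiberfil.sys; re-enabling it after the reboot
    # creates a fresh file, so the old memory image the scanner flagged is gone.
    powercfg -h off
    'hiberfil.sys removed. Reboot, then run: powercfg -h on'
}
```

The size and LastWriteTime reported before the recycle are worth noting down: a hiberfil.sys last written well before the boot scan is a stale memory image of an earlier session, which fits a detection that the live scans no longer reproduce.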