Virus in Hyberfil.sys ???


Jimmyb
09-21-2010, 07:39 PM
Just a heads up.

I just finished my third tuffy cleanup. Ran all the typical cleaners and anti-virus to no avail. On this last one, in fact, I had to change mbam's name to get it to run. Did not find anything (even after doing a Full scan).

Ran Avast pre-boot, deleted one.

Still could not run ComboFix at all.

Was going to give up and do a wipe/reload. Decided to try (again, this would be the third computer) deleting the hyberfil.sys file.

Booted to UBCD4Win disk, deleted, rebooted and all gone.

Just thought I would pass this on if it helps. Anyone else finding this?

The first computer would not boot past the Log-on screen. Deleted hyberfil and then did the cleaning and all is good.

shamrin
09-21-2010, 07:53 PM
If your machine had a file in the root called "Hyberfil.sys" it very well must have been a virus, as the hibernation file is called "hiberfil.sys".

Jimmyb
09-21-2010, 08:06 PM
Sorry, misspelled. Will correct.

iisjman07
09-21-2010, 08:46 PM
If a virus could execute itself from within the hibernation file I'd be very impressed

Ccomp5950
09-22-2010, 01:59 AM
Really sounds like rootkit activity, try TDSSKiller or GMER next time.

I've pretty much gotten into the habit of running those every time here in the last couple of months.

What pointed you in the direction of that file? Virus software saying it was a problem but unable to do anything about it? If so, it usually works just as well to rename a file instead of deleting. This gives you the added benefit of being able to rename it back if for some reason it wasn't a file you wanted to get rid of (not that you couldn't have gotten this file from elsewhere, just that it's a bit easier than pulling out copies off of disks).

NeutronTech
09-22-2010, 03:37 AM
> Just a heads up.
>
> I just finished my third tuffy cleanup. Ran all the typical cleaners and anti-virus to no avail. On this last one, in fact, I had to change mbam's name to get it to run. Did not find anything (even after doing a Full scan).
>
> Ran Avast pre-boot, deleted one.
>
> Still could not run ComboFix at all.
>
> Was going to give up and do a wipe/reload. Decided to try (again, this would be the third computer) deleting the hyberfil.sys file.
>
> Booted to UBCD4Win disk, deleted, rebooted and all gone.
>
> Just thought I would pass this on if it helps. Anyone else finding this?
>
> The first computer would not boot past the Log-on screen. Deleted hyberfil and then did the cleaning and all is good.

I know the scanners can come up empty while still being infected, but you didn't see anything suspicious when you attempted a manual removal either?

computerdoc
09-22-2010, 01:55 PM
> If a virus could execute itself from within the hibernation file I'd be very impressed

It may be referenced somewhere else such as in the registry and started up from there. However, there would have to be some fancy code to find it without a directory structure.

shamrin
09-23-2010, 12:27 AM
The real hibernation file is one with some pretty strict permissions, so it wouldn't be easy to mess with it, but if you replaced it entirely with a bogus file, that file could be the virus. Haven't seen anything quite like that before but it seems possible.

The first thing I do here is delete hiberfil.sys and the page file, since they are throw-aways anyway.
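As an added example, not from this thread or any of its posters, here is a PowerShell triage script for the situation shamrin describes (a root-level file whose name is a near-miss for hiberfil.sys, and the permissions the genuine file carries) that also follows Ccomp5950's advice to rename rather than delete. It assumes an elevated PowerShell 5 or later session on the affected machine; the log path, the quarantine suffix and the name-distance threshold are my choices.

```powershell
# Added example (not from the thread). Triage of files in the root of the
# system drive: flag names that are a near-miss for the files Windows itself
# keeps there, record hash, attributes and who can write to each hit, and
# optionally rename (never delete) so the step can be undone.
# Assumptions: elevated session, PowerShell 5+; $LogPath and the suffix are mine.
param(
    [string]$Drive   = $env:SystemDrive,
    [string]$LogPath = "$env:SystemDrive\root-triage.log",
    [switch]$Rename
)

# Files Windows creates in the root of the system drive.
$Expected = @('hiberfil.sys', 'pagefile.sys', 'swapfile.sys')

function Get-NameDistance {
    # Levenshtein distance; "hyberfil.sys" vs "hiberfil.sys" scores 1.
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-Hibernation {
    # Windows records whether hibernation is on under this value; a hiberfil.sys
    # on a machine with hibernation off is itself worth a question.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -Name HibernateEnabled -ErrorAction SilentlyContinue
    return ($p -and $p.HibernateEnabled -eq 1)
}

$lines = @("== root triage $(Get-Date -Format s) on $Drive, hibernation enabled: $(Test-Hibernation)")

foreach ($f in Get-ChildItem -Path "$Drive\" -File -Force) {
    $name = $f.Name
    if ($Expected -contains $name.ToLowerInvariant()) { continue }   # the genuine file
    $near = $Expected | Where-Object { (Get-NameDistance $name $_) -le 2 }
    if (-not $near) { continue }

    $acl     = Get-Acl -LiteralPath $f.FullName
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
    $hash = 'locked/unreadable'
    try { $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash } catch {}

    $lines += "HIT $($f.FullName) resembles $($near -join ',') size=$($f.Length) attrs=$($f.Attributes)"
    $lines += "    owner=$($acl.Owner) writers=$($writers -join ';') sha256=$hash"

    if ($Rename) {
        # Rename, not delete: Rename-Item back to the old name restores it.
        $new = '{0}.quarantined-{1}' -f $f.Name, (Get-Date -Format yyyyMMddHHmmss)
        Rename-Item -LiteralPath $f.FullName -NewName $new -Force
        $lines += "    renamed to $new"
    }
}

$lines | Tee-Object -FilePath $LogPath -Append
```

Run it without switches first to get the log, then with `-Rename` if a hit is confirmed. Two caveats for the genuine file: Windows recreates hiberfil.sys on boot while hibernation is enabled, which is why a renamed or deleted real one comes back; the supported way to remove it from inside Windows is `powercfg /hibernate off` from an elevated prompt, which also clears the HibernateEnabled value the script reads.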

Xander
09-23-2010, 01:04 AM
> It may be referenced somewhere else such as in the registry and started up from there. However, there would have to be some fancy code to find it without a directory structure.

Would that matter? The path always includes the root directory, so any file in C:\ would be accessible at all times (permissions notwithstanding).
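An added example, not from the thread, for the point computerdoc and Xander raise: a read-only PowerShell check for autostart values or service command lines that reference a file sitting directly in the root of the system drive. The list of registry keys is a small selection I chose and is not exhaustive; the helper name is mine.

```powershell
# Added example (not from the thread). Read-only: list autostart values and
# service command lines that point at a file directly in the root of the
# system drive. The key list below is a small selection I chose, not complete.
$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-RootPathReferences {
    # Split a command line into quoted / unquoted tokens and return the tokens
    # that are paths whose parent directory is the drive root. An unquoted path
    # containing spaces ("C:\Program Files\x.exe") surfaces as C:\Program, which
    # is deliberate: unquoted paths deserve a look as well.
    param([string]$Text)
    $root = $env:SystemDrive.TrimEnd('\')
    $hits = @()
    foreach ($m in [regex]::Matches($Text, '"([^"]+)"|(\S+)')) {
        $tok = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if ($tok -notmatch '^[A-Za-z]:\\') { continue }
        try { $dir = [IO.Path]::GetDirectoryName($tok) } catch { continue }
        if ($dir -and $dir.TrimEnd('\') -ieq $root) { $hits += $tok }
    }
    return ,$hits
}

$findings = @()
foreach ($key in $Locations) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # PS* are provider bookkeeping properties, not registry values.
        if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
        foreach ($hit in Get-RootPathReferences -Text $p.Value) {
            $findings += [pscustomobject]@{
                Source    = "$key : $($p.Name)"
                Reference = $hit
                Exists    = (Test-Path -LiteralPath $hit)
            }
        }
    }
}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    foreach ($hit in Get-RootPathReferences -Text ([string]$svc.PathName)) {
        $findings += [pscustomobject]@{
            Source    = "service $($svc.Name)"
            Reference = $hit
            Exists    = (Test-Path -LiteralPath $hit)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No autostart entry or service references a root-level file.' }
```

A reference whose `Exists` column is `False` is as interesting as one that exists: it may be the leftover pointer to a file that was already renamed or deleted, and it is what keeps a machine looking for the file at each boot.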

PcTek9
09-23-2010, 01:46 AM
Do keep in mind that Avast can scan the OS BEFORE Windows starts, if you tell it to do so.
You know, have you guys tried Hitman Pro?
These cloud antivirus programs that scan an entire PC in 10 minutes are pretty amazing.
They can also reduce the time you spend scanning from hours to minutes. [read - make more $$$]
You need to give Hitman Pro a try.
---- for a complete list of antivirus programs, review the first thread in the antivirus & trojan subforum of Technibble. I made a list of every antivirus, antitrojan and antirootkit in the world.
But I am impressed with the cloud stuff.

Jimmyb
09-23-2010, 02:19 AM
I only use Avast, and because of its pre-boot scan. I believe it is the best way to root out all the evil :)

RootRepeal kept pointing to hiberfil, and further research showed others with the same problem. The first time, I changed the name of the hiberfil and saw it was rebuilt, so deleting both that and the page file seemed the best course. It was the only way I could get beyond the first computer stalling at the Log In screen. After that I was able to finally clean the computer.

I have now run into and cleaned two more computers of similar problems by using ComboFix after getting access and have just yesterday learned of TDSSKiller which is now loaded in my toolbox. The common symptom seems to be cleaning via normal channels but then running ANY browser and getting hijacked. Every time I thought I was done it would hijack the browser and I would start looking again.

Now I just jump to ComboFix the first time it happens and be done.

I appreciate all your input, but I just wanted to alert those that may be having that perplexing problem to another possible solution. It is very irritating when you cannot boot or get into Safe Mode to do "your thing". Boot discs only allow access, but you still need to know where and what to look for.

Tomorrow I have another "all I get is a blue screen in both Regular and Safe mode". What are the chances it is the same thing :)

If I have learned anything it is that the baddies are getting better and testing our knowledge and fortitude. I hope we can all keep winning.