  #1  
Old 09-21-2010, 08:39 PM
Jimmyb
 
Join Date: Apr 2009
Location: Tinley Park, IL
Posts: 66
Virus in Hiberfil.sys ???

Just a heads up.

I just finished my third tuffy cleanup. Ran all the typical cleaners and anti-virus to no avail. This last one in fact, I had to change mbam name to run. Did not find anything (even after doing Full scan).

Ran Avast pre-boot, deleted one.

Still could not run ComboFix at all.

Was going to give up and do wipe/reload. Decided to try (again would be third computer) deleting the hyberfil.sys file.

Booted to UBCD4Win disk, deleted, rebooted and all gone.

Just thought I would pass this on if it helps. Anyone else finding this?

First computer would not boot past the Log-on screen. Deleted hyberfil and then did cleaning and all is good.

Last edited by Jimmyb; 09-21-2010 at 09:07 PM.
  #2  
Old 09-21-2010, 08:53 PM
shamrin
 
Join Date: Dec 2009
Location: Lexington, Ky
Posts: 790

If your machine had a file in the root called "Hyberfil.sys" it very well must have been a virus, as the hibernation file is called "hiberfil.sys".
  #3  
Old 09-21-2010, 09:06 PM
Jimmyb
 
Join Date: Apr 2009
Location: Tinley Park, IL
Posts: 66

Sorry, misspelled .. will correct
  #4  
Old 09-21-2010, 09:46 PM
iisjman07
 
Join Date: Jul 2009
Location: South End Of The UK
Posts: 3,045

If a virus could execute itself from within the hibernation file I'd be very impressed
  #5  
Old 09-22-2010, 02:59 AM
Ccomp5950
 
Join Date: Sep 2010
Location: Marshall, Texas
Posts: 892

Really sounds like rootkit activity, try TDSSKiller or GMER next time.

I've pretty much gotten into the habit of running those every time here in the last couple of months.

What pointed you in the direction of that file? Virus software saying it was a problem but unable to do anything about it? If so, it usually works just as well to rename a file instead of deleting. This gives you the added benefit of being able to rename it back if for some reason it wasn't a file you wanted to get rid of (not that you couldn't have gotten this file from elsewhere, just that it's a bit easier than pulling out copies off of disks).
  #6  
Old 09-22-2010, 04:37 AM
NeutronTech
 
Join Date: Apr 2010
Location: Grayling, Michigan
Posts: 1,355

Quote:
Originally Posted by Jimmyb (post #1)
I know the scanners can come up empty while still being infected, but you didn't see anything suspicious when you attempted a manual removal either?
  #7  
Old 09-22-2010, 02:55 PM
computerdoc
 
Join Date: Sep 2009
Posts: 256

Quote:
Originally Posted by iisjman07
If a virus could execute itself from within the hibernation file I'd be very impressed
It may be referenced somewhere else such as in the registry and started up from there. However, there would have to be some fancy code to find it without a directory structure.
  #8  
Old 09-23-2010, 01:27 AM
shamrin
 
Join Date: Dec 2009
Location: Lexington, Ky
Posts: 790

The real hibernation file is one with some pretty strict permissions, so it wouldn't be easy to mess with it, but it could have been replaced entirely with a bogus file that was the virus. Haven't seen anything quite like that before, but it seems possible.

The first thing I do here is delete hiberfil.sys and the page file, since they are throw-aways anyway.
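Shamrin's point in posts #2 and #8, that the genuine file is hiberfil.sys with strict permissions and that a lookalike name or a swapped-in bogus file is what to suspect, can be turned into a quick defender check. The following is an added example, not code from anyone in this thread; it works on a constructed root-directory listing rather than reading a real drive, and the expected owner and the sample entries are assumptions (on a real machine you would fill them in from Get-ChildItem -Force and Get-Acl).

```python
from dataclasses import dataclass

# Windows-managed files that legitimately live in the root of the system drive.
EXPECTED = {"hiberfil.sys", "pagefile.sys"}
EXPECTED_OWNER = "NT AUTHORITY\\SYSTEM"  # assumption: usual owner; confirm with Get-Acl

@dataclass
class RootEntry:
    name: str      # file name as listed in C:\
    owner: str     # owning principal
    hidden: bool   # H attribute
    system: bool   # S attribute

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches near-miss names such as hyberfil.sys."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_root(entries):
    """Return (name, reason) pairs that deserve a second look."""
    findings = []
    for e in entries:
        name = e.name.lower()          # NTFS names are case-insensitive
        if name in EXPECTED:
            # Genuine name: the OS keeps it hidden+system and owned by SYSTEM.
            if not (e.hidden and e.system):
                findings.append((e.name, "expected file lacks hidden/system attributes"))
            if e.owner.upper() != EXPECTED_OWNER:
                findings.append((e.name, f"expected file owned by {e.owner}"))
            continue
        # Anything else within two edits of a genuine name is a lookalike.
        for real in sorted(EXPECTED):
            if edit_distance(name, real) <= 2:
                findings.append((e.name, f"lookalike of {real}"))
                break
    return findings

# Constructed sample listing, not taken from any machine in the thread.
SAMPLE = [
    RootEntry("hiberfil.sys", "NT AUTHORITY\\SYSTEM", True, True),
    RootEntry("pagefile.sys", "PC\\Owner", False, True),   # genuine name, wrong owner/attrs
    RootEntry("hyberfil.sys", "PC\\Owner", True, True),    # misspelled name
    RootEntry("bootmgr", "NT SERVICE\\TrustedInstaller", True, True),
]
```

Running audit_root(SAMPLE) flags pagefile.sys twice (attributes and owner) and hyberfil.sys once as a lookalike of hiberfil.sys, while the genuine hiberfil.sys and bootmgr pass.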
  #9  
Old 09-23-2010, 02:04 AM
Xander
 
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,870

Quote:
Originally Posted by computerdoc
It may be referenced somewhere else such as in the registry and started up from there. However, there would have to be some fancy code to find it without a directory structure.
Would that matter? The path always includes the root directory, so any file in C:\ would be accessible at all times (permissions notwithstanding).
  #10  
Old 09-23-2010, 02:46 AM
PcTek9
 
Join Date: Nov 2009
Location: Mobile, AL
Posts: 1,085

Do keep in mind that avast can scan the os BEFORE windows starts, if you tell it to do so.
You know, have you guys tried hitman pro?
These cloud antivirus programs that scan an entire pc in 10 minutes are pretty amazing.
They can also reduce the time you spend scanning from hours to minutes. [read - make more $$$]
You need to give hitman pro a try.
---- for a complete list of antivirus programs review the first thread in the antivirus & trojan subforum of technibble. I made a list of every antivirus and antitrojan and antirootkit in the world.
But I am impressed with the cloud stuff.