jcizwsfz.sys - rootkit?

Hi guys,

I have had a problem since yesterday… Once connected to the internet my PC opens tons of UDP/TCP connections and it seems the notebook is sending spam emails to everyone :slight_smile:

Avast is detecting the file “jcizwsfz.sys” as a possible Malware Infection through heuristic methods (it is a hidden service) and recommends a boot-scan. Unfortunately the scan does not find anything…

It can be found in the registry under HKLM\System\CurrentControlSet\Enum\Root\Legacy_JCIZWSFZ

Anyone any idea how to deal with this kind of file? Unfortunately I am unable to copy or rename the file (even in safe mode); I tried FreeFixer and TDSSKiller, nothing works… I do have an old Knoppix CD but unfortunately the file is on an NTFS system, so I wasn't able to rename it.

Hope, someone can help me.

Thank you so much,

Hans

Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
Update and run a quick scan, click the “Remove selected” button to quarantine anything found, and restart.

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Come back and post the scan logs here.

Hi hanshimmel,

Well, there is a case where this isn’t malware: if you have an sptd.sys driver (the driver of a CD/DVD emulator; installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver (“aa9ak670.sys”) is not malicious and it is not a rootkit (it just uses rootkit technologies) – it’s a part of sptd.sys. This behaviour (hiding a dropped driver and killing the body of the driver) was implemented by the authors of SPTD to defeat CD-copy protectors, which try to detect CD-emulator software and stop it from working; in that case it is a FP…

polonus

First of all thank you so much for your help.

I tried MBAM; it found something AFTER the update (the signature file from the link was too old to detect anything):

C:\WINDOWS\system32\drivers\jcizwsfz.sys (Rootkit.Agent) ->Delete on reboot

Unfortunately, MBAM was not able to delete the file while rebooting. The file is still in the folder and constantly changing date and time, very suspicious…

The next try will be superantispyware, I will post the log file in a few minutes.

Thanks a lot in advance for every help,

Hans

Just another comment:

It seems that a lot of people have similar problems… e.g. http://forum.avast.com/index.php?topic=53050.0

Maybe a new one?!?

Hi, let's try to kill this - first I will need to do an analysis to determine what the problem actually is. Once I have done that I will remove the files with the analysis tool or one that is a tad stronger.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
    [*]Reg - Shell Spawning
    [*]File - Lop Check
    [*]File - Purity Scan
    [*]Evnt - EvtViewer (last 10)

[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

SUPERAntiSpyware: nothing found…

Next one is OTS :slight_smile:

Thanks again for all your help!!!

I'll be here for the next hour or so ;D

Well, it says “Scans complete”, but I am still waiting for the notepad window :slight_smile:

Has it not produced a log? It should have; look in C:\_OTL

Ah… sometimes I am a bit slow :slight_smile:

Voila: http://www.mediafire.com/?nkywjg1ewgh

Hope, it is useful…

OK run this

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\WINDOWS\Temp\~TM2CC.tmp" -> C:\WINDOWS\Temp\~TM2CC.tmp [C:\WINDOWS\Temp\~TM2CC.tmp:*:Enabled:services]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acbec130-3f06-11d9-8916-400084ee5b20}\Shell\AutoRun\command -> 
YY -> \{acbec130-3f06-11d9-8916-400084ee5b20}\Shell\AutoRun\command\\"" -> F:\loader.exe [F:\loader.exe]
[Files/Folders - Created Within 30 Days]
NY ->  !_RECYCLER_! -> C:\!_RECYCLER_!
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  jcizwsfz.sys -> C:\WINDOWS\System32\drivers\jcizwsfz.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
NY ->  1421 C:\Dokumente und Einstellungen\root\Lokale Einstellungen\Temp\*.tmp files -> C:\Dokumente und Einstellungen\root\Lokale Einstellungen\Temp\*.tmp
NY ->  1421 C:\Dokumente und Einstellungen\root\Lokale Einstellungen\Temp\*.tmp files -> C:\Dokumente und Einstellungen\root\Lokale Einstellungen\Temp\*.tmp
NY ->  11 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  11 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files - No Company Name]
NY ->  jcizwsfz.sys -> C:\WINDOWS\System32\drivers\jcizwsfz.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Back again :slight_smile:

Post that information back here along with a new OTS log
Attached is the requested information:

OTS Fix-Log: http://www.mediafire.com/?gzjjzmdudm0
New OTS Scan-Log: Well, it sounds strange, but I am not able to generate a new log file. OTS performs a scan without any problems, but does not produce any new log file (…and this time I did look in the “_OTS” folder…) Any idea?!?

Nevertheless, unfortunately the suspicious file/process is still active; it seems that OTS was not able to delete it :frowning:

Afterwards I started ComboFix. It ran without any problems; attached is the log file:
ComboFix Log-File: http://www.mediafire.com/?mjanxmjttzi

As you can see, the process is still active and the PC shows the same behaviour when connected to the internet. Any further ideas?

Thank you again so much for all your efforts,

Hans

That was ONE too many… This f… stu… rootkit made me angry… REALLY angry…

So what I finally did was, I restarted with the Windows Recovery Console and simply renamed the file… Fortunately Windows is still starting and this f… service is deactivated… Okay, I will send a copy to avast; I just analyzed the file with an online scanner and it seems a few antivirus programs are already detecting the new rootkit.

So, finally, I was able to fix the computer with your help in a first step. But what else do I have to do? Run OTS or ComboFix again without this f… stu… process in the background???

Thank you so much for all your help,

a very, very happy Hans - indeed! :slight_smile:

Hi Hans,

Good that you could finally lame the file to deactivate that process. I also assume that the average user would lack the insight to do what you did, and it is good you reported it here. It also shows what kind of “Dreck” we are up against; it is like a perpetual chess game between miscreant and eliminator,

polonus

This was sneaky and was running from several locations with some backups.

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


KillAll::

File::
c:\windows\system32\drivers\jcizwsfz.sys
c:\dokumente und einstellungen\root\Startmenü\Programme\Autostart\!_siszyd32.VIR_!
c:\windows\pss\!_siszyd32.VIR_!Startup
c:\windows\pss\siszyd32.exeStartup
c:\windows\pss\siszyd32.exe
c:\dokumente und einstellungen\root\Startmenü\Programme\Autostart\siszyd32.exe


Driver::
jcizwsfz

Registry::
[-HKLM\~\startupfolder\C:^Dokumente und Einstellungen^root^Startmenü^Programme^Autostart^!_siszyd32.VIR_!]
[-HKLM\~\startupfolder\C:^Dokumente und Einstellungen^root^Startmenü^Programme^Autostart^siszyd32.exe]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jcizwsfz]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.
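The OTS fix and the CFScript above together name the spots this rootkit used to persist: a kernel driver service with no company name (plus its LEGACY_ entry under Enum\Root), a firewall exception for a file in Windows\Temp, a MountPoints2 AutoRun command, and startup-folder copies. The following read-only PowerShell audit of those locations is an added example, not something essexboy or the thread's tools provided; the function names are my own and it assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example, not from the thread: read-only audit of the persistence spots the OTS fix
# and CFScript above touched. Function names are mine; run from an elevated PowerShell prompt.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SuspectKernelDrivers {
    # Type 1 = kernel driver. Flag images with no CompanyName (OTS "Files - No Company Name")
    # and images user mode cannot see at all, which is what a self-hiding driver looks like.
    Get-ChildItem $Services | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Type -ne 1 -or -not $p.ImagePath) { return }
        $img = $p.ImagePath -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if ($img -notmatch '^[A-Za-z]:') { $img = Join-Path $env:SystemRoot $img }
        if (-not (Test-Path -LiteralPath $img)) {
            [pscustomobject]@{ Service = $_.PSChildName; Image = $img; Reason = 'image not visible on disk' }
        } elseif (-not (Get-Item -LiteralPath $img -Force).VersionInfo.CompanyName) {
            [pscustomobject]@{ Service = $_.PSChildName; Image = $img; Reason = 'no company name' }
        }
    }
}

function Get-OrphanLegacyEntries {
    # Enum\Root\LEGACY_<NAME> is written for every non-PnP driver that has started (the thread
    # found LEGACY_JCIZWSFZ there); an entry with no matching service key is a leftover.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' |
        Where-Object { $_.PSChildName -like 'LEGACY_*' -and
                       -not (Test-Path "$Services\$($_.PSChildName.Substring(7))") } |
        Select-Object -ExpandProperty PSChildName
}

function Get-TempFirewallExceptions {
    # XP-era firewall exception list; the OTS fix removed C:\WINDOWS\Temp\~TM2CC.tmp from it.
    $k = "$Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    if (Test-Path $k) { (Get-Item $k).Property | Where-Object { $_ -match '\\Temp\\|\.tmp$' } }
}

function Get-AutoRunMountPoints {
    # MountPoints2 AutoRun commands outlive the removable drive (F:\loader.exe in the OTS fix).
    Get-ChildItem 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.Name -match '\\Shell\\AutoRun\\' } |
        ForEach-Object { [pscustomobject]@{ Key = $_.Name; Command = (Get-ItemProperty $_.PSPath).'(default)' } }
}

function Test-TimestampChurn([string]$Path, [int]$Seconds = 10) {
    # Hans saw jcizwsfz.sys "constantly changing date and time": sample LastWriteTime twice.
    $a = (Get-Item -LiteralPath $Path -Force).LastWriteTime
    Start-Sleep -Seconds $Seconds
    return ((Get-Item -LiteralPath $Path -Force).LastWriteTime -ne $a)
}
Get-SuspectKernelDrivers; Get-OrphanLegacyEntries; Get-TempFirewallExceptions; Get-AutoRunMountPoints
```

A driver reported as "image not visible on disk" while its service key still exists is the pattern from this thread: the file exists (the recovery console could rename it) but is hidden from the running system, so findings like that belong in the logs you post rather than in a delete list.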

Hi essexboy,

“Errare humanum est. Perseverare diabolicum” - but your second strike was fatal to the malware,

polonus

I love you, guys :slight_smile:

The first log-file: http://www.mediafire.com/?zhxhijmlgfy

I will do OTS tomorrow, for today it is enough for me…

Thank you again for your great help!

H

That looked darn good to me ;D