Suspicious file found - zciff.sys

Dear All,

I get the Avast message Suspicious file found - zciff.sys a little while after starting Windows Vista on my partner’s Advent laptop. This is after Windows Defender found and removed Win32/Bredolab and Win32/Hiloti.gen!A

I have tried both delete and (recommended) ignore options but the file zciff.sys is always found next time.
Then I get the message “virus in operating memory… …schedule boot time scan and restart”. The first time I did this a couple of temporary files were moved to the chest. Subsequent times nothing is found.

I’ve searched for zciff.sys on the net; virtually no hits are returned and certainly none relevant.

What do I do to resolve this issue, please?

regards,
Colin Smith

Quote:
Microsoft Malware Protection Center

Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.

Trojan:Win32/Hiloti.gen!A is a generic detection for a family of trojans that may download potentially malicious files from a remote server and report system information back to the server. This trojan has been observed in the wild being dropped by Win32/FakePowav.

Trojan:Win32/FakePowav Aliases

Win Antivirus 2008 (other)
SpyShredder (other)
WinXProtector (other)
Rapid Antivirus (other)
Security 2009 (other)
Power Antivirus 2009 (other)
WinXDefender (other)
SpyProtector (other)
SpyGuarder (other)
MSAntiMalware (other)

Try scanning with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
Update and run a quick scan, then click the button “remove selected” to quarantine anything found.

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Come back and post the scan logs here.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. So the two applications suggested could help in finding that other element.

What is your firewall?
As that plays a part in preventing unauthorised outbound connections, to download malware, etc.

Dear Both,

ETA how could I be so impolite as to forget to thank you both first :slight_smile:

Malwarebytes’ Anti-Malware 1.42
Database version: 3352
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

13/12/2009 16:12:44
mbam-log-2009-12-13 (16-12-44).txt

Scan type: Quick Scan
Objects scanned: 93441
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Superantispyware only found some minor tracking cookies.

The firewall is Windows Defender,

regards,
Colin Smith

As far as I’m aware Windows Defender doesn’t have a firewall function.

Windows XP’s firewall is inbound protection only, so you need to consider a 3rd party firewall that provides outbound protection, more later.

Your OS is out of date; SP3 has been out for well over a year and it closed vulnerabilities. So I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

Many forum users are using these:

  • PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
  • Online Armor for the most parts fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
  • Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use Add/Remove Programs to remove the AV element if already installed). Of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used (Defense+), so it could be daunting for those not too familiar with firewalls or their systems.
  • Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/

Dear Both,

I’ve run both the recommended programmes, deleted the files and rebooted but Avast still reports zciff.sys (which I again deleted) with a boot scan required (I’m running it now and expect it to be clear again, I’m replying on my desktop).
Re-running malwarebytes no longer finds anything.

David, the OS is Vista not XP.
The laptop has windows update turned on and as far as I am aware has been updating regularly.
I connected Windows Defender in my mind with the firewall in Windows Security Centre; it is on.
Is this insufficient in your opinion even in Vista?

Any other ideas, please?

regards,
Colin Smith

edited to clarify firewall

OK, thanks, I just got blinded by SP2, which, as it is Vista, is correct. It is still worth a visit to Secunia, as vulnerabilities are often exploited and are the entry point for malware. This site checks applications that aren’t covered by Windows Update.

However, the Vista firewall has outbound protection disabled by default - You could also enable the outbound protection of the Vista firewall, but it isn’t very friendly, is rule based and you have to create the rules. - Vista Firewall Control, http://www.sphinx-soft.com/Vista/index.html and this, http://www.sphinx-soft.com/Vista/faq.html. Also check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0. Or you could try one of the other firewalls.

Other than cookies (not an issue) did SAS find anything else?

Where was this zciff.sys reported? I’m thinking the \system32\drivers folder?
If that is the case it is very suspicious not to get any worthwhile information about a file in that location on a Google search.

So I’m leaning towards this probably being protected by a rootkit if it isn’t one itself.
Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
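The outbound-protection point made earlier in this post (the Vista firewall blocks inbound only by default, and outbound filtering has to be built from rules) can be checked and changed from an elevated command prompt with the built-in netsh advfirewall tool, which exists on Vista and later. The script below is an added example written for this thread, not something from avast or any of the firewall vendors mentioned; the program paths in the allow rules are assumptions and need to match the real machine. It shows the weak default (allow all outbound) next to the hardened setting (block outbound unless a rule allows it), and turns on logging of dropped connections so that a blocked download attempt by something like a downloader trojan leaves a trace.

```powershell
# Added example (not from the thread): inspect and tighten the Vista firewall's
# outbound policy with netsh advfirewall. Must be run from an elevated
# (Run as administrator) PowerShell window. Program paths are assumptions.

# Show the per-profile policy. A default Vista install reports
# "BlockInbound,AllowOutbound" for every profile, i.e. outbound is not filtered.
function Show-FirewallPolicy {
    netsh advfirewall show allprofiles |
        Select-String -Pattern 'Profile Settings|^State|Firewall Policy'
}

# Allow rules must exist BEFORE the outbound default is flipped to block,
# otherwise Windows Update, the browser and avast's own updates all stop working.
function Add-OutboundAllowRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Program
    )
    if (-not (Test-Path -LiteralPath $Program)) {
        Write-Warning "Program not found, rule skipped: $Program"
        return
    }
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow program="$Program" enable=yes
}

# Weak (Vista default) setting: block inbound, allow everything outbound.
function Set-OutboundDefaultAllow {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
}

# Hardened setting: block outbound unless a rule explicitly allows it.
function Set-OutboundDefaultBlock {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
}

# Log dropped connections so a blocked malware download shows up in the
# firewall log instead of failing silently.
function Enable-DropLogging {
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
}

Show-FirewallPolicy
# svchost.exe hosts Windows Update and the DNS client; note this rule is broad,
# because many unrelated services also run inside svchost.
Add-OutboundAllowRule -Name 'Allow svchost (Windows Update, DNS)' -Program "$env:SystemRoot\System32\svchost.exe"
Add-OutboundAllowRule -Name 'Allow Internet Explorer' -Program "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Set-OutboundDefaultBlock
Enable-DropLogging
Show-FirewallPolicy
```

Once the outbound default is block, anything not covered by a rule is dropped and written to pfirewall.log with DROP and the destination address, which is the evidence you want when a hidden component keeps trying to re-download a file. If the machine becomes unusable, Set-OutboundDefaultAllow restores the original behaviour.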

Dear David,

no worries, I’m off out pub quizzing directly so maybe another try tomorrow.

SAS found only cookies.

zciff.sys is indeed reported in the drivers folder.

Ouch that rootkit looks nasty, I’ll fight it another day :frowning:

regards and thanks again for your help,
Colin

No problem.

Dear All,

I’ve tried RootRepeal twice but it freezes with vast amounts of memory used.
Attached are screenshots of a box which appeared the first time and where it froze the second time. I was able to press the stop button the second time but it froze again. Had to kill with task mangler.

So I am still infected. Any more ideas, please?

regards,
Colin

Dear All,

I’ve also tried antirootkit - operating system not supported
and rootkitbuster - unable to copy driver to system32\drivers verify your logged on as administrator, program will now terminate.
Tricomm service cannot be installed or does not exist.

Woe is me,

regards,
Colin

I see nothing obvious in the 2nd image. I don’t know how much RAM RootRepeal uses; perhaps you are running out of resources. Have you tried the Trend Micro or F-Secure anti-rootkit tools yet?

Are you able to find the zciff.sys file in the drivers folder?

Is it running as a Process in the Task Manager?

Dear David,

good evening :slight_smile:

regards,
Colin

If you only have 600MB of RAM (a strange figure), you may well be running out of resources.

Let’s see what F-Secure’s BlackLight brings.

Dear David,

F-Secure is similar to the Trend Micro one in that it says it requires administrator - I am! I’ve checked the user profile and it indeed says I am one.

The 600M is what rootrepeal is using,

ETA off to bed now, I’m beat(en:(),

regards,
Colin

OK.

When you try the ones that asked/said you need administrator privileges, Right click on the File and select Run As, now you should be able to either select the Administrator account or one with Administrator privileges and see if that allows it/them to run.

Dear All,

run as admin worked, thanks, but…
…neither blacklight nor rootkitbuster found anything.

Avast’s found message has changed though - it now recognises zciff.sys as a rootkit and recommends deletion.
Still no hits on Google though beyond this thread.

Any more ideas?

regards,
Colin

Try uploading the file to VirusTotal,

http://www.virustotal.com/

click browse, then in the file name box, copy/paste the location, eg
C:\Windows\System32\drivers\zciff.sys then open and send file. See if that works and report the findings

The reason for the change is that when first detected and Ignore was the recommended action, it also asks that you allow it and its details to be sent to avast for analysis. I would say that as a result of this analysis, instead of being suspicious, it is now classed as a rootkit.

Once you have uploaded zciff.sys to virustotal for confirmation, I would follow the advice of avast to delete it.
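The questions raised in this thread about zciff.sys (is it visible in \system32\drivers, is it "running", and what does VirusTotal know about it) can be answered from one script. The following is an added example, not part of the thread and not code from avast or VirusTotal; it assumes PowerShell 2.0 or later is installed on the Vista machine and is started with Run as administrator. It records the file's size, timestamps, Authenticode signature and SHA-256 hash, and then looks the file up in the kernel driver service list, because a .sys file is loaded as a driver service rather than appearing as a process in Task Manager. The hash can be pasted into VirusTotal's search box as a first step before uploading the file itself.

```powershell
# Added example (not from the thread): triage a driver file under
# %SystemRoot%\System32\drivers before submitting it to VirusTotal.
# Uses .NET crypto classes so it runs on PowerShell 2.0; on PowerShell 4+
# Get-FileHash does the same job as Get-FileSha256.

function Get-FileSha256 {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # Lowercase hex is the form VirusTotal's search accepts.
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-DriverReport {
    param([Parameter(Mandatory=$true)][string]$Name)   # e.g. 'zciff.sys'
    $path = Join-Path "$env:SystemRoot\System32\drivers" $Name

    if (-not (Test-Path -LiteralPath $path)) {
        # avast reporting a file that user mode cannot see is itself a rootkit indicator.
        return "$path is not visible from user mode (hidden, or already removed)"
    }

    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Kernel drivers are registered as services; Win32_SystemDriver lists them
    # with their on-disk path, state and start mode.
    $svc = Get-WmiObject Win32_SystemDriver | Where-Object { $_.PathName -like "*\$Name" }
    $svcName = '(no driver service references it)'
    $svcState = ''
    $svcStart = ''
    if ($svc) {
        $svcName  = $svc.Name
        $svcState = $svc.State       # Running / Stopped
        $svcStart = $svc.StartMode   # Boot / System / Auto / Manual / Disabled
    }

    New-Object PSObject -Property @{
        Path            = $path
        SizeBytes       = $file.Length
        Created         = $file.CreationTime
        Modified        = $file.LastWriteTime
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        Sha256          = Get-FileSha256 -Path $path
        ServiceName     = $svcName
        ServiceState    = $svcState
        StartMode       = $svcStart
    } | Select-Object Path, SizeBytes, Created, Modified, SignatureStatus, Signer,
                      Sha256, ServiceName, ServiceState, StartMode
}

# Usage: print the report for the file discussed in this thread.
Get-DriverReport -Name 'zciff.sys' | Format-List
```

For a legitimate driver in that folder the report normally shows a Valid signature from Microsoft or a known hardware vendor, a creation time matching the Windows install or a driver update, and a service entry with a Boot or System start mode. An unsigned file with a recent creation time and a SHA-256 that VirusTotal has never seen is exactly the combination the advice above is reacting to, and the hash plus service name are what to post alongside the VirusTotal result.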