I get the Avast message Suspicious file found - zciff.sys a little while after starting Windows Vista on my partner’s Advent laptop. This is after Windows Defender found and removed Win32/Bredolab and Win32/Hiloti.gen!A
I have tried both delete and (recommended) ignore options but the file zciff.sys is always found next time.
Then I get the message “virus in operating memory… …schedule boot time scan and restart”. The first time I did this a couple of temporary files were moved to the chest. Subsequent times nothing is found.
I’ve searched for zciff.sys on the net, virtually no hits are returned and certainly none relevant.
Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.
Trojan:Win32/Hiloti.gen!A is a generic detection for a family of trojans that may download potentially malicious files from a remote server and report system information back to the server. This trojan has been observed in the wild being dropped by Win32/FakePowav.
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. So the two applications suggested could help in finding that other element.
What is your firewall?
As that plays a part in preventing unauthorised outbound connections, to download malware, etc.
As far as I’m aware Windows Defender doesn’t have a firewall function.
Windows XP’s firewall is inbound protection only, so you need to consider a 3rd party firewall that provides outbound protection, more later.
Your OS is out of date, SP3 has been out for well over a year and it closed vulnerabilities. So I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
Many forum users are using these:
PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
Online Armor is for the most part fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use Add/Remove Programs to remove the AV element if already installed). Of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used (Defense+), so it could be daunting for those not too familiar with firewalls or their systems.
I’ve run both the recommended programmes, deleted the files and rebooted but Avast still reports zciff.sys (which I again deleted) with a boot scan required (I’m running it now and expect it to be clear again, I’m replying on my desktop).
Re-running Malwarebytes no longer finds anything.
David, the OS is Vista not XP.
The laptop has Windows Update turned on and as far as I am aware has been updating regularly.
I connected Windows Defender in my mind with the firewall in Windows Security Centre; it is on.
Is this insufficient in your opinion even in Vista?
OK, thanks, just got blinded by SP2, which as it is Vista is correct, still worth a visit to secunia as vulnerabilities are often exploited and the entry point for malware. This site checks applications that aren’t covered by windows update.
However, the Vista firewall has outbound protection disabled by default. You could also enable the outbound protection of the Vista firewall, but it isn’t very friendly, is rule-based and you have to create the rules. See Vista Firewall Control, http://www.sphinx-soft.com/Vista/index.html and this, http://www.sphinx-soft.com/Vista/faq.html. Also check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0. Or you could try one of the other firewalls.
Other than cookies (not an issue) did SAS find anything else?
Where was this zciff.sys reported, I’m thinking the \system32\drivers folder?
If that is the case it is very suspicious to not get any worthwhile information about a file in that location on a Google search.
So I’m leaning towards this probably being protected by a rootkit if it isn’t one itself.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
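As an added illustration of the outbound-protection point above (not from the thread or from avast), this script turns on default-deny outbound filtering in the Vista firewall with netsh, which is the rule-based route the reply refers to. The program paths in the allow rules are assumed placeholders; the netsh commands themselves are standard Windows Firewall with Advanced Security syntax. Run it from an elevated command prompt.

```batch
@echo off
rem Added example: enable outbound filtering in the Vista firewall via netsh.
rem Not part of the original thread. Program paths below are placeholders.

rem 1. Show the current default actions. Vista ships with outbound = Allow,
rem    which is why outbound "protection" is described as disabled.
netsh advfirewall show allprofiles

rem 2. Save the current policy first so the change can be reverted with
rem    "netsh advfirewall import".
netsh advfirewall export "%USERPROFILE%\Desktop\firewall-before.wfw"

rem 3. Block outbound connections by default on every profile; inbound
rem    stays blocked as before. Anything not explicitly allowed is dropped,
rem    which is what stops a downloader trojan from fetching more files.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Allow only the programs that legitimately need to talk out.
rem    Windows Update runs inside svchost, so scope that rule to the service.
netsh advfirewall firewall add rule name="Allow Windows Update" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=wuauserv enable=yes
netsh advfirewall firewall add rule name="Allow avast updater" dir=out action=allow program="C:\Program Files\Alwil Software\Avast4\ashUpd.exe" enable=yes
netsh advfirewall firewall add rule name="Allow web browser" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" enable=yes

rem 5. Log dropped packets so an unexpected outbound attempt (for example an
rem    unknown driver or process trying to reach a remote host) is visible.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

rem 6. Confirm the new defaults took effect.
netsh advfirewall show allprofiles
```

Expect some breakage at first: each program that stops working needs its own outbound allow rule, and the drop log shows which executable was blocked and where it was trying to connect.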
I’ve tried rootrepeal twice but it freezes with vast amounts of memory used.
Attached are screenshots of a box which appeared the first time and where it froze the second time. I was able to press the stop button the second time but it froze again. Had to kill with task mangler.
I’ve also tried antirootkit - operating system not supported
and rootkitbuster - unable to copy driver to system32\drivers verify your logged on as administrator, program will now terminate.
Tricomm service cannot be installed or does not exist.
I see nothing obvious in the 2nd image, I don’t know how much RAM rootrepeal uses, perhaps you are running out of resources. Have you tried the Trend Micro or F-Secure anti-rootkit tools yet?
Are you able to find the zciff.sys file in the drivers folder?
When you try the ones that asked/said you need administrator privileges, right-click on the file and select Run As; now you should be able to either select the Administrator account or one with Administrator privileges and see if that allows it/them to run.
run as admin worked, thanks, but…
…neither blacklight nor rootkitbuster found anything.
Avast’s found message has changed though - it now recognises zciff.sys as a rootkit and recommends deletion.
Still no hits on Google though beyond this thread.
Click Browse, then in the file name box copy/paste the location, e.g.
C:\Windows\System32\drivers\zciff.sys, then Open and Send File. See if that works and report the findings.
The reason for the change is that when first detected and Ignore was the recommended action, it also asks that you allow it and details to be sent to avast for analysis. I would say that, as a result of this analysis, instead of being suspicious it is now flagged as being a rootkit.
Once you have uploaded zciff.sys to virustotal for confirmation, I would follow the advice of avast to delete it.