Malware? - BFFSVC.EXE

Monopoly money comes in many flavors: 7, Vista, XP, 2K, ME, 98, etc.

Moderators: Flying Fox, Ryu Connor

Malware? - BFFSVC.EXE

Posted on Sun Feb 27, 2011 6:48 am

I have today discovered a strange file in my Windows directory called "bffsvc.exe". Seemed trivial, I simply deleted it (we'll see if that does anything good or bad to the system). The file tags say "created/modified in 2009" in my personal case, and it suddenly requested internet access one day, according to COMODO Firewall. I didn't recognise the executable name, so I checked the folder:

- bffsvc.exe has a broken (that is, non-standard) icon, yet still sits inside "C:\Windows". The only scenario where this can happen is a funky software or driver installation that puts ridiculous icons inside the Windows folder, but this wasn't the case. Bffsvc.exe used a clean "window" icon, to look "harmless". I smelled a ruse.
- right next to it, there's a legitimate Microsoft-signed executable called bfsvc.exe, or the Boot File Servicing Utility. I smelled foul play.

I was not able to procure any information about this file online. Bing found nothing, while on the other hand, Google found... nothing. Unless you want to call this a "result". They don't even know what it does.
However, denying internet access and simply deleting the file seems to have worked so far. Process Explorer revealed no programs or services linked to a "bffsvc" handle still in the memory.

Does anyone know anything about this file? How do you deal with "random" files you don't recognise and that your antimalware may, or may not, catch?
Meadows
Grand Gerbil Poohbah
Silver subscriber
Posts: 3190
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location

Re: Malware? - BFFSVC.EXE

Posted on Sun Feb 27, 2011 7:04 am

Ummmm, bfsvc.exe is a Microsoft executable as you say; it's the boot file servicing utility, and is safe. I have not seen a bffsvc.exe though. Are you 100% sure it has two "f"s in the name? (Sorry, had to ask!)

This smells of dodginess. I kill all unknown EXE files (or ones with iffy names) using Msconfig to prevent them from running at boot. I then use services.msc (run menu) to close off any associated service. I then remove the files. Finally, scan the registry for any strings / keys that point to the EXE's name or folder, and delete those too. All gone with no ill effects in most cases.
#337 Gamer | Elite Gaming | Join the Fray
Mega Beast - AMD FX-9590 | Gigabyte 990FXA-UD5 | 16GB DDR3 | Tri-Fire R9 290X | Sandisk X300S 512GB
Mini Beast - Intel C2E QX9770 [4.2 Ghz] | Gigabyte X48T-DQ6 | 8GB DDR3 | GTX 750 Ti | Seagate 2TB HDD
geekl33tgamer
Gerbil Elite
Silver subscriber
Posts: 725
Joined: Tue Aug 25, 2009 7:25 pm
Location: United Kingdom
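The pattern in the first two posts (an unsigned executable sitting in the Windows folder beside a Microsoft-signed binary with a near-identical name) can be checked for systematically. The script below is an added example, not from the thread or any product mentioned in it; it assumes Windows PowerShell 5.1 or later, run from an elevated prompt so every file in the directory can be read.

```powershell
# Added example: flag unsigned .exe files in the Windows directory whose
# names are within one edit of an Authenticode-signed file in the same
# directory (the "bffsvc.exe next to bfsvc.exe" case).

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Levenshtein distance: insert, delete and substitute each cost 1.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-LookalikeExecutables {
    param([string]$Directory = $env:SystemRoot, [int]$MaxDistance = 1)

    $files = Get-ChildItem -Path $Directory -Filter *.exe -File -ErrorAction SilentlyContinue

    # Sort every file by its Authenticode status. 'Valid' means the signature
    # chains to a trusted root; everything else is treated as unsigned here.
    $signed   = @{}
    $unsigned = @()
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -eq 'Valid') { $signed[$f.Name.ToLower()] = $sig.SignerCertificate.Subject }
        else { $unsigned += $f }
    }

    # An unsigned file that is one edit away from a signed system binary is
    # the priority item; the timestamp helps tie it to an install or incident.
    foreach ($u in $unsigned) {
        foreach ($name in $signed.Keys) {
            $dist = Get-EditDistance $u.Name.ToLower() $name
            if ($dist -gt 0 -and $dist -le $MaxDistance) {
                [pscustomobject]@{
                    Suspect   = $u.FullName
                    LastWrite = $u.LastWriteTime
                    LooksLike = $name
                    SignedBy  = $signed[$name]
                }
            }
        }
    }
}

Find-LookalikeExecutables | Format-Table -AutoSize
```

On Windows 7 and earlier, Get-AuthenticodeSignature does not consult signature catalogs, so many genuine catalog-signed system files report NotSigned there; on those systems treat its output as a starting list to verify, not a verdict.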

Re: Malware? - BFFSVC.EXE

Posted on Sun Feb 27, 2011 7:54 am

rcs2k4 wrote:Ummmm, bfsvc.exe is a Microsoft executable as you say; it's the boot file servicing utility, and is safe. I have not seen a bffsvc.exe though. Are you 100% sure it has two "f"s in the name? (Sorry, had to ask!)

This smells of dodginess. I kill all unknown EXE files (or ones with iffy names) using Msconfig to prevent them from running at boot. I then use services.msc (run menu) to close off any associated service. I then remove the files. Finally, scan the registry for any strings / keys that point to the EXE's name or folder, and delete those too. All gone with no ill effects in most cases.

I reiterate, there were two files next to each other and I deleted the one with two F's. Since I use the "Tiles" view by default, the other file visibly displayed the Microsoft signature right away so it was a no-brainer.

I'm usually not so elaborate in disinfecting things though, I simply delete a file, then check Process Explorer for remaining traces (and repeat if there were any).
Meadows
Grand Gerbil Poohbah
Silver subscriber
Posts: 3190
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location

Re: Malware? - BFFSVC.EXE

Posted on Sun Feb 27, 2011 10:18 am

This is not what I would call truly diagnostic info, but every time I've had to look up (google) a windows system file I've gotten back several paragraphs of good info. If Google is telling you nothing about this one, I think that's probably telling you enough. I'd nuke it.
This problem was caused by Windows, which was created by Microsoft Corporation.
sluggo
Gerbil Jedi
Gold subscriber
Posts: 1547
Joined: Wed Feb 16, 2005 8:44 pm
Location: under the table and dreaming

Re: Malware? - BFFSVC.EXE

Posted on Sun Feb 27, 2011 8:30 pm

If it was in the Windows directory, then the system is likely further compromised than just the one file. The Windows directory requires Admin privileges or better to write into. If it had Admin to install, then it had the power to own the box.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
Posts: 3598
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Malware? - BFFSVC.EXE

Posted on Wed Apr 06, 2011 2:01 am

Ryu Connor wrote:If it was in the Windows directory, then the system is likely further compromised than just the one file. The Windows directory requires Admin privileges or better to write into. If it had Admin to install, then it had the power to own the box.

Thanks to the above bot-necro, I noticed your reply. And in fact, it's false in this case.
Time after time, for years now, I end up with wasted scans and blank results. I've tried Kaspersky (my recommended brand to paranoiacs, in fact), Malwarebytes (favourite as far as my own usage goes), Windows Defender (d'uh), CCleaner to manage and verify startup programs, and never anything happens. Even the "threat" noted in this forum post was idle until it tried to access the network, and Comodo stepped on its toes for that.

I haven't gotten an actual infection since 2007, when I first started using Vista. I never scan for anything, but I do use a reputable firewall behind a basic router. It's just that every 6 months or so, I scan the PC for infections in a sudden surge of the "ohmygods", but my security boner is never satisfied because the results are always blank. If I could, I'd never scan ever, but unfortunately I can't fight that sort of common sense in me.

The computer still starts and stops as fast as ever, there are no startup programs that are malicious (except PunkBuster, screw that crap), and it's a reliable overclocked machine, never failing and probably getting 1-2 reboots a week, otherwise kept on 24/7. And it wasn't any different with the Vista of yesteryear, which is the explanation of my constant fiery response to Vista trolls. I just didn't get the issue.

In closing, I guess I should thank Comodo Internet Security for being an awesome free product, and take this opportunity to shamelessly advertise it. It has a "just firewall" component that I use, with keylogging protection. You may, however, choose to install the antivirus component, enable sandboxing in a per-process fashion, and more. Just saying, for those of you who are more paranoid. The software's free for personal use.
Meadows
Grand Gerbil Poohbah
Silver subscriber
Posts: 3190
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location
