Malware? - BFFSVC.EXE

Posted: Sun Feb 27, 2011 6:48 am
by Meadows
I have today discovered a strange file in my Windows directory called "bffsvc.exe". Seemed trivial, I simply deleted it (we'll see if that does anything good or bad to the system). The file tags say "created/modified in 2009" in my personal case, and it suddenly requested internet access one day, according to COMODO Firewall. I didn't recognise the executable name, so I checked the folder:

- bffsvc.exe has a broken (that is, non-standard) icon, yet still sits inside "C:\Windows". The only scenario where this can happen is a funky software or driver installation that puts ridiculous icons inside the Windows folder, but this wasn't the case. Bffsvc.exe used a clean "window" icon, to look "harmless". I smelled a ruse.
- right next to it, there's a legitimate Microsoft-signed executable called bfsvc.exe, or the Boot File Servicing Utility. I smelled foul play.

I was not able to procure any information about this file online. Bing found nothing, while on the other hand, Google found... nothing. Unless you want to call this a "result". They don't even know what it does.
However, denying internet access and simply deleting the file seems to have worked so far. Process Explorer revealed no programs or services linked to a "bffsvc" handle still in the memory.

Does anyone know anything about this file? How do you deal with "random" files you don't recognise and that your antimalware may, or may not, catch?

Re: Malware? - BFFSVC.EXE

Posted: Sun Feb 27, 2011 7:04 am
by geekl33tgamer
Ummmm, bfsvc.exe is a Microsoft executable as you say - it's the boot file servicing utility, and is safe. I have not seen a bffsvc.exe though; are you 100% sure it has two "f"s in the name (sorry, had to ask!)

This smells of dodginess. I will kill all unknown EXE files (or ones with iffy names) from running using Msconfig to prevent them running at boot. I then use services.msc (run menu) to close off any associated service. I then remove the files. Finally, scan the registry for any strings / keys that point to the EXE's name or folder, and delete those too. All gone with no ill-effects in most cases.
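The two checks the first two posts rely on, the Microsoft signature on the neighbouring file and the startup/service/registry sweep, as an added example that is not code from the thread. It assumes Windows PowerShell 5.1 or later run as Administrator; the edit-distance helper and the `bffsvc.exe` placeholder are my own additions.

```powershell
# Added example, not from the thread: inventory the .exe files in the Windows
# directory, check their Authenticode signatures, and flag unsigned ones whose
# name is within one edit of a validly signed file (the bfsvc.exe/bffsvc.exe
# pattern). Assumes Windows PowerShell 5.1 or later, run as Administrator.

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; a distance of 1 catches one added, dropped or swapped letter.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Signature status of every top-level executable in %WINDIR%.
$files = Get-ChildItem -Path $env:WINDIR -Filter *.exe -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Name    = $_.Name
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Created = $_.CreationTime
    }
}
$signed   = $files | Where-Object { $_.Status -eq 'Valid' }
$unsigned = $files | Where-Object { $_.Status -ne 'Valid' }

foreach ($u in $unsigned) {
    $twins = $signed | Where-Object { (Get-EditDistance $u.Name.ToLower() $_.Name.ToLower()) -le 1 }
    $note = if ($twins) { 'name resembles signed: ' + (@($twins.Name) -join ', ') } else { '' }
    '{0,-24} {1,-14} {2:yyyy-MM-dd}  {3}' -f $u.Name, $u.Status, $u.Created, $note
}

# Persistence locations the cleanup procedure above walks through: Run keys and
# service image paths that reference the file name under investigation.
$name = 'bffsvc.exe'   # name from the thread; substitute the file you are checking
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { "$($_.Value)" -like "*$name*" } |
        ForEach-Object { "Run entry: $k\$($_.Name) = $($_.Value)" }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$name*" } |
    ForEach-Object { "Service: $($_.Name) -> $($_.PathName)" }
```

An unsigned file whose name sits one letter away from a signed system binary is worth pulling for a hash lookup before deleting it, so the sample can still be submitted to a vendor.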

Re: Malware? - BFFSVC.EXE

Posted: Sun Feb 27, 2011 7:54 am
by Meadows
rcs2k4 wrote:
Ummmm, bfsvc.exe is a Microsoft executable as you say - it's the boot file servicing utility, and is safe. I have not seen a bffsvc.exe though; are you 100% sure it has two "f"s in the name (sorry, had to ask!)

This smells of dodginess. I will kill all unknown EXE files (or ones with iffy names) from running using Msconfig to prevent them running at boot. I then use services.msc (run menu) to close off any associated service. I then remove the files. Finally, scan the registry for any strings / keys that point to the EXE's name or folder, and delete those too. All gone with no ill-effects in most cases.

I reiterate, there were two files next to each other and I deleted the one with two F's. Since I use the "Tiles" view by default, the other file visibly displayed the Microsoft signature right away so it was a no-brainer.

I'm usually not so elaborate in disinfecting things though, I simply delete a file, then check Process Explorer for remaining traces (and repeat if there were any).

Re: Malware? - BFFSVC.EXE

Posted: Sun Feb 27, 2011 10:18 am
by sluggo
This is not what I would call truly diagnostic info, but every time I've had to look up (google) a windows system file I've gotten back several paragraphs of good info. If Google is telling you nothing about this one, I think that's probably telling you enough. I'd nuke it.

Re: Malware? - BFFSVC.EXE

Posted: Sun Feb 27, 2011 8:30 pm
by Ryu Connor
If it was in the Windows directory, then the system is likely further compromised than just the one file. The Windows directory requires Admin privileges or better to write into. If it had Admin to install then it had the power to own the box.

Re: Malware? - BFFSVC.EXE

Posted: Wed Apr 06, 2011 2:01 am
by Meadows
Ryu Connor wrote:
If it was in the Windows directory, then the system is likely further compromised than just the one file. The Windows directory requires Admin privileges or better to write into. If it had Admin to install then it had the power to own the box.

Thanks to the above bot-necro, I noticed your reply. And in fact, it's false in this case.
Time after time, for years now, I end up with wasted scans and blank results. I've tried Kaspersky (my recommended brand to paranoiacs, in fact), Malwarebytes (favourite as far as my own usage goes), Windows Defender (d'uh), CCleaner to manage and verify startup programs, and never anything happens. Even the "threat" noted in this forum post was idle until it tried to access the network, and Comodo stepped on its toes for that.

I haven't gotten an actual infection since 2007, when I first started using Vista. I never scan for anything, but I do use a reputable firewall behind a basic router. It's just that every 6 months or so, I scan the PC for infections in a sudden surge of the "ohmygods", but my security boner is never satisfied because the results are always blank. If I could, I'd never scan ever, but unfortunately I can't fight that sort of common sense in me.

The computer still starts and stops as fast as ever, there are no startup programs that are malicious (except PunkBuster, screw that crap), and it's a reliable overclocked machine, never failing and probably getting 1-2 reboots a week, otherwise kept on 24/7. And it wasn't any different with the Vista of yesteryear, which is the explanation of my constant fiery response to Vista trolls. I just didn't get the issue.

In closing, I guess I should thank Comodo Internet Security for being an awesome free product, and take this opportunity to shamelessly advertise it. It has a "just firewall" component that I use, with keylogging protection. You may, however, choose to install the antivirus component, enable sandboxing in a per-process fashion, and more. Just saying, for those of you who are more paranoid. The software's free for personal use.