TechSpot

Sign of "JS:FakeAV-BF [Trj]"

By rik408
Nov 22, 2009
  1. Dear Techspot,

    The Web Shield function of my Avast 4.8 (home edition) said it caught and deleted:
    11/22/2009 5:32:54 AM SYSTEM 1256 Sign of "JS:FakeAV-BF [Trj]" has been found in "C:\Documents and Settings\Rick\Local Settings\Application Data\Mozilla\Firefox\Profiles\uw5ntxuo.default\Cache\FAE7D930d01" file.
    11/22/2009 5:32:52 AM SYSTEM 1256 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://secoscan.info/25/27-088wLzQzL1EzL==" file.

    before it could infect my computer.
    A while back, however, I went through a nightmare of an infection, having been infected by the "Virut" malware.
    I wound up reformatting my HD and reinstalling my OS.
    I just don't want to go through that again :dead:

    Followed your "8-Step Program" and have attached all the log files you requested.
    I see bdoscandel.exe on the HJT log, but I think that is a part of a BitDefender online scan I did awhile back.

    SuperAntiSpyware found and quarantined something, and is noted in the log.
    Just wondering what it is, and if it may be a FP.

    I am running XP, SP 3.

    Thanks so very much for taking the time to lend a hand to me :)

    Rick
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Remove or fix these entries in the hijackthis log:

    "O3 - Toolbar: (no name) - {2E232B17-C00B-44FB-85BD-49F19BF6EDE0} - (no file)"
    "O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)"


    This could mean that you are still infected, and a more thorough cleaning is in order.
     
  3. rik408

    rik408 TS Rookie Topic Starter

    Hi Tmagic,

    Thanks for taking my case.
    I deleted the 2 entries as you instructed.
    Afterwards, I re-ran SuperAntiSpyware and MalwareBytes.
    I am enclosing the 3 updated log files along with this message.

    Also, what do you think this was, that was deleted in my first SuperAnti scan:
    Adware.URLBlaze
    HKU\S-1-5-21-1715567821-842925246-725345543-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000}

    Could it have been referenced in one of the HJT entries I deleted?

    Rick
     
  4. rik408

    rik408 TS Rookie Topic Starter

    I realize it's the holidays and all, and that volunteers staff this board... but is anyone still monitoring and answering these postings?

    Thx,
    rs
     
  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    This is still showing as nasty and bad:
    "O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)"...

    Can you fix or delete it?

    How is your system running now?
     
  6. rik408

    rik408 TS Rookie Topic Starter

    Hi "T" - thanks for getting back to me.

    That "O23 - Service: Windows Driver Foundation..." entry is a stubborn one -- I tried to "Fix" it, but it comes back immediately.
    What does it pertain to anyway -- I know it's registered as a "Service", but...?
    (WudSvc.jpg)

    I also did an online scan with Bit Defender, but it came up clean.
    For what it's worth, I also got a clean scan from "Microsoft Windows Malicious Software Removal Tool".

    I do not know if this is relevant, but one of my start-up entries (the first one) shows a blank under "Values".
    I have attached (start-ups.jpg) a screen cap I took from "CodeStuff Starter" program (lists start-up programs, in case you aren't familiar).
    A similar 'blank' also shows up in msconfig startups.

    Anyway, I am attaching my latest HJT log (HJT3.log) and am awaiting further instructions.

    Rick
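The O23 entry quoted in the posts above shows the service's ImagePath in .reg "hex(2):" notation, which is how a REG_EXPAND_SZ value is written: comma-separated UTF-16LE bytes, terminated by a NUL. Decoding those bytes answers the question of what the entry actually points to. The Python below is an added example, not code from the thread or from HijackThis. The O23 line in it is a constructed copy of the one quoted above (with spaces left inside some byte pairs, as happens when a forum wraps a long hex run), the C:\WINDOWS expansion of %SystemRoot% is an assumed default-install value, and the helper names are mine.

```python
"""Decode a HijackThis O23 'hex(2):...' service ImagePath (added example).

HijackThis prints a service's ImagePath in .reg notation when the registry
value is REG_EXPAND_SZ: 'hex(2):' followed by comma-separated UTF-16LE bytes.
This decoder turns that run back into the command line so the entry can be
judged on what it points to rather than on its encoding.
"""
import re

# Registry value types as used in .reg 'hex(N):' notation (N is hexadecimal).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

# Constructed copy of the O23 line discussed in the thread. Spaces were
# deliberately left inside some byte pairs ("5 c", "68, 00") to mimic the
# line-wrapping a forum applies to a long hex run; the decoder must ignore them.
HJT_O23_LINE = (
    'O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) '
    '- Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,'
    '6f,00,74,00,25,00,5 c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,'
    '73,00,76,00,63,00,68, 00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,'
    '6b,00,20,00,57,00,75,00 ,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,'
    '47,00,72,00,6f,00,75,00,7 0,00,00,00 (file missing)'
)


def parse_reg_hex(field):
    """Return (reg_type, raw_bytes) from text containing a 'hex(N):aa,bb,...' run."""
    m = re.search(r'hex\((?P<type>[0-9a-f]+)\):(?P<body>.*)', field, re.I)
    if not m:
        raise ValueError('no hex(N): value found')
    reg_type = int(m.group('type'), 16)
    # Drop whitespace inserted by wrapping, then keep only the leading run of
    # comma-separated hex tokens (this stops at trailing text such as
    # ' (file missing)').
    body = re.sub(r'\s+', '', m.group('body'))
    body = re.match(r'[0-9a-fA-F,]*', body).group(0).strip(',')
    tokens = [t for t in body.split(',') if t]
    if any(len(t) != 2 for t in tokens):
        raise ValueError('malformed byte token in hex run')
    return reg_type, bytes(int(t, 16) for t in tokens)


def decode_reg_value(reg_type, raw, env=None):
    """Decode raw bytes per registry type; env expands %VAR% in REG_EXPAND_SZ."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ):
        text = raw.decode('utf-16-le')
        if reg_type == REG_MULTI_SZ:
            # Strings are NUL-separated with an extra NUL at the end.
            return [s for s in text.split('\x00') if s]
        text = text.rstrip('\x00')
        if reg_type == REG_EXPAND_SZ and env:
            # Case-insensitive %VAR% expansion; unknown variables stay as written.
            text = re.sub(r'%([^%]+)%',
                          lambda v: env.get(v.group(1).upper(), v.group(0)), text)
        return text
    if reg_type == REG_DWORD:
        return int.from_bytes(raw, 'little')
    return raw  # REG_BINARY and anything else: hand back the bytes


def service_image_path(hjt_line, env=None):
    """Decode the ImagePath quoted in a HijackThis O23 line."""
    reg_type, raw = parse_reg_hex(hjt_line)
    return decode_reg_value(reg_type, raw, env)


if __name__ == '__main__':
    print(service_image_path(HJT_O23_LINE))
    # With %SystemRoot% resolved for an assumed default XP install path:
    print(service_image_path(HJT_O23_LINE, {'SYSTEMROOT': r'C:\WINDOWS'}))
```

Run on the quoted entry, the bytes decode to %SystemRoot%\system32\svchost.exe -k WudfServiceGroup, the svchost command line under which the User-mode Driver Framework service runs. With the path decoded, the practical check is whether the svchost.exe at that location is the genuine Windows binary, rather than judging the entry by the fact that the log shows it hex-encoded.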
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Copy and paste the following into Notepad and save it as remove.bat on your desktop.

    Double-click it to run.

    Now fix the entry in HijackThis.
     
  8. rik408

    rik408 TS Rookie Topic Starter

    Hello kritius,

    Thanks very much.
    I did as you instructed, but did not need to remove "O23 - Service: Windows Driver Foundation..." from HJT, as the .bat file you wrote for me did the job.

    I am enclosing my latest HJT log so you can verify that nothing else nasty lies within.

    Again, thanks.

    Rick
     
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    "O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll"
    What is this, and what "private firewall" do you have installed?

    How is your computer running now?
     
  10. kritius

    kritius TS Guru Posts: 2,084

  11. rik408

    rik408 TS Rookie Topic Starter

    Hi again,

    "nwprovau.dll" is apparently a legit file... for those running on a NetWare network.
    Found a little blurb about it, as it relates to HJT logs:
    http://www.pchell.com/support/nwprovau_dll_file.shtml

    Now, I am not running NetWare, but in the above article, it sounds like a bit of a hassle to remove it, so if you think it's useless but safe, I think I will just keep it (your call).
    (screen cap enclosed)

    The Private Firewall is a nice little freeware app from Privacyware:
    http://www.privacyware.com/personal_firewall.html

    Makes one wonder, though, just how many layers of protection are enough.
    In addition to the firewall, I have ThreatFire and Avast constantly monitoring, MalwareBytes and SuperAntiSpyware running on demand, and SpywareBlaster blocking notorious sites.
    Still, the nasties manage to sneak in!
    Am I missing something? lol!

    Computer seems to be running ok now, btw...
     
  12. kritius

    kritius TS Guru Posts: 2,084

    The file's legit, leave it.

    Out of curiosity,

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
  13. rik408

    rik408 TS Rookie Topic Starter

    GooredFix.txt attached.

    Screen cap of Firefox Add-ons attached.
     


  14. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Thanks kritius for the info, and rik408, it looks like you are keeping XP updated well. A 3rd-party firewall is not really necessary with the Windows firewall now. As long as you are happy with the speed and multitasking of your computer, I guess there's no harm running 3rd-party firewalls. Most malware these days comes in through simple popups or email. Of course, the backdoor Trojans are very sneaky and plentiful too.
     
  15. rik408

    rik408 TS Rookie Topic Starter

    Hi Tmagic,

    Yep - I strive to keep everything up to date for the OS.
    I was always OK about doing so, but ever since I was a victim of a "Virut" malware infection, and had to re-format/re-install everything, I have become very vigilant about doing so. Also, prior to that, I was not running a firewall - just Avast AV with its "On-Access" modules. They are pretty good, but not fool-proof.

    In addition, I no longer go the torrent route to "seek out" software. Not only is that the wrong thing to do, both legally and morally, but it's just too darn dangerous! If I can't afford to buy a piece of software, there are plenty of free alternatives out there.
    Don't want to spend $500.00 for MS Office?
    OpenOffice is almost indistinguishable from the Microsoft version and its cost is $0.00.
    Photoshop's $700.00 price tag a bit steep?
    Gimp is pretty OK.

    Lastly, I installed SUSE Linux on a little IBM drive I had lying around.
    In a worst-case scenario, I can still get online.
    Actually, I should not think of Linux as a "last resort" kinda thing - that's being unfair.
    It's just that I am more familiar with Windows, and thus default to it.

    So, anyway, that's my story and I'm stickin' to it. lol

    Rick
     
  16. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Sounds good Rick,
    I use LimeWire as my only torrent-like software. Avast free does a pretty good job of keeping track of nasties, along with a paid full version of Advanced SystemCare Pro. CCleaner is free and very nice too. I also prefer to reformat and reinstall the OS over trying to remove viruses and malware from infested computers.
     
  17. rik408

    rik408 TS Rookie Topic Starter

    Tmagic,
    I take it then that you have your OS installed on a partition separate from your data, right?
    Dang, I wish I had done that :(

    So guys, did my "GooredFix.txt" check out ok?
    I saw it made a couple of notations regarding my Firefox extensions.
     
  18. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    I still have Vista installed on another hard drive, and Windows 7 is on another hard drive in the same computer. I back up my data on DVDs so an OS reinstall is easy... I repair and build computers as a hobby now. Most computers I get in get a format and reinstall of the OS. In the past 6 months, out of 20 repaired computers, only 2 were able to be saved without doing an OS reinstall. One had a very important program that had to be saved. Have you tried using Google Chrome? It is way more secure than Firefox.
     
  19. kritius

    kritius TS Guru Posts: 2,084

    GooredFix was fine.
     
  20. rik408

    rik408 TS Rookie Topic Starter

    So it looks like we're good now.

    Hey, I want to thank the both of you for your time and your expertise.
    I want you to know, you have my full gratitude! :)

    The happiest of holiday wishes to the two of you!

    Rick
     
  21. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Same to you Rick. Happy Holidays to you and yours!
     
Topic Status:
Not open for further replies.