Sign of "JS:FakeAV-BF [Trj]"


rik408
Dear Techspot,

The Web Shield function of my Avast 4.8 (home edition) said it caught and deleted:
11/22/2009 5:32:54 AM SYSTEM 1256 Sign of "JS:FakeAV-BF [Trj]" has been found in "C:\Documents and Settings\Rick\Local Settings\Application Data\Mozilla\Firefox\Profiles\uw5ntxuo.default\Cache\FAE7D930d01" file.
11/22/2009 5:32:52 AM SYSTEM 1256 Sign of "JS:FakeAV-BF [Trj]" has been found in "http://secoscan.info/25/27-088wLzQzL1EzL==" file.

before it could infect my computer.
A while back, however, I went through a nightmare of an infection, having been infected by the "Virut" malware.
I wound up reformatting my HD and reinstalling my OS.
I just don't want to go through that again :dead:

Followed your "8-Step Program" and have attached all the log files you requested.
I see bdoscandel.exe on the HJT log, but I think that is a part of a BitDefender online scan I did awhile back.

SuperAntiSpyware found and quarantined something, and is noted in the log.
Just wondering what it is, and if it may be a FP.

I am running XP, SP 3.

Thanks so very much for taking the time to lend me a hand :)

Rick
 
Remove or fix these entries in the hijackthis log:

"O3 - Toolbar: (no name) - {2E232B17-C00B-44FB-85BD-49F19BF6EDE0} - (no file)"
"O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)"


This could mean that you are still infected, and a more thorough cleaning is in order.
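An added illustration, not part of the thread: HijackThis prints a REG_EXPAND_SZ service value as a hex(2) byte dump, which is what makes the O23 line above look so alien. Decoding the bytes (UTF-16LE, NUL-terminated) recovers the service's ImagePath, and comparing it against the standard svchost.exe host pattern is the check to make before deciding whether a service entry is suspect. The sample string is copied from the quoted log line (with the forum's line-wrap spaces left in) and the helper names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample: the hex(2) value from the O23 line quoted above,
# including the stray spaces the forum inserted while wrapping the line.
O23_VALUE = (
    "hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,"
    "25,00,5 c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,"
    "76,00,63,00,68, 00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,"
    "6b,00,20,00,57,00,75,00 ,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,"
    "65,00,47,00,72,00,6f,00,75,00,7 0,00,00,00"
)

# Standard service-host invocation; the group name after -k is captured.
SVCHOST_PATTERN = re.compile(
    r"^%systemroot%\\system32\\svchost\.exe\s+-k\s+(\S+)$", re.IGNORECASE
)


def decode_hex2(value: str) -> str:
    """Decode a .reg-style hex(2) (REG_EXPAND_SZ) dump into its string.

    The bytes are UTF-16LE and end with a 00,00 terminator. Any whitespace a
    forum or mail client inserted while wrapping the line is discarded first.
    """
    m = re.match(r"\s*hex\(2\):(.*)$", value, re.S)
    if not m:
        raise ValueError("not a hex(2) value")
    hexbytes = re.sub(r"\s+", "", m.group(1))
    raw = bytes(int(b, 16) for b in hexbytes.split(",") if b)
    # Keep only the text before the first NUL terminator.
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def svchost_group(image_path: str) -> Optional[str]:
    """Return the -k service group if image_path is the standard svchost.exe
    host command line, else None (anything else deserves a closer look)."""
    m = SVCHOST_PATTERN.match(image_path.strip())
    return m.group(1) if m else None


if __name__ == "__main__":
    path = decode_hex2(O23_VALUE)
    print(path)
    print("svchost group:", svchost_group(path))
```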
 
Hi Tmagic,

Thanks for taking my case.
I deleted the 2 entries as you instructed.
After, I re-ran SuperAntiSpyware and MalwareBytes.
I am enclosing the 3 updated log files along with this message.

Also, what do you think this was, that was deleted in my first SuperAnti scan:
Adware.URLBlaze
HKU\S-1-5-21-1715567821-842925246-725345543-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000}

Could it have been referenced in one of the HJT entries I deleted?

Rick
 
I realize it's the holidays and all, and that volunteers staff this board... but is anyone still monitoring and answering these postings?

Thx,
rs
 
This is still showing as nasty and bad:
"O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)"...

Can you fix or delete it?

How is your system running now?
 
Hi "T" - thanks for getting back to me.

That "O23 - Service: Windows Driver Foundation..." entry is a stubborn one -- I tried to "Fix" it, but it comes back immediately.
What does it pertain to anyway -- I know it's registered as a "Service", but...?
(WudSvc.jpg)

I also did an online scan with Bit Defender, but it came up clean.
For what it's worth, I also got a clean scan from "Microsoft Windows Malicious Software Removal Tool".

I do not know if this is relevant, but one of my start-up entries (the first one) shows a blank under "Values".
I have attached (start-ups.jpg) a screen cap I took from "CodeStuff Starter" program (lists start-up programs, in case you aren't familiar).
A similar 'blank' also shows up in msconfig startups.

Anyway, I am attaching my latest HJT log (HJT3.log) and am awaiting further instructions.

Rick
 
Copy and paste the following into Notepad and save it as remove.bat to your desktop

@Echo off
REM Stop the WudfSvc service, then remove its registration
sc stop WudfSvc
sc delete WudfSvc
REM Delete this batch file; the window closes once it is gone
del remove.bat

Double click it to run

Now fix the entry in HijackThis
 
Hello kritius,

Thanks very much.
I did as you instructed, but did not need to remove the "O23 - Service: Windows Driver Foundation..." entry from HJT, as the .bat file you wrote for me did the job.

I am enclosing my latest HJT log so that you can verify that nothing else nasty lies within.

Again, thanks.

Rick
 
"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll"
What is this, and what "private firewall" do you have installed?

How is your computer running now?
 
Hi again,

"nwprovau.dll" is apparently a legit file...for those running on a Netware network.
Found a little blurb about it, as it relates to HJT logs:
http://www.pchell.com/support/nwprovau_dll_file.shtml

Now, I am not running Netware, but in the above article, it sounds like a bit of a hassle to remove it, so if you think it's useless but safe, I think I will just keep it (your call).
(screen cap enclosed)

The Private Firewall is a nice little freeware app from Privacyware:
http://www.privacyware.com/personal_firewall.html

Makes one wonder, though, just how many layers of protection are enough.
In addition to the firewall, I have ThreatFire and Avast constantly monitoring, MalwareBytes & SuperAntiSpyware running on demand, and SpywareBlaster blocking notorious sites.
Still, the nasties manage to sneak in!
Am I missing something? lol!

Computer seems to be running ok now, btw...
 
The file's legit, leave it.

Out of curiosity,

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 
GooredFix.txt attached.

Screen cap of Firefox Add-ons attached.
 
Thanks kritius for the info, and rik408, it looks like you are keeping XP updated well. A 3rd party firewall is not really necessary with the Windows firewall now. As long as you are happy with the speed and multitasking of your computer, I guess there's no harm running 3rd party firewalls. Most malware these days comes in through simple popups or email. Of course, the backdoor Trojans are very sneaky and plentiful too.
 
Hi Tmagic,

Yep - I strive to keep everything up to date for the OS.
I was always OK about doing so, but ever since I was a victim of a "Virut" malware infection, and had to re-format/re-install everything, I have become very vigilant about doing so. Also, prior, I was not running a firewall - just Avast AV with its "On-Access" modules. They are pretty good, but not fool-proof.

In addition, I no longer go the torrent route to "seek out" software. Not only is that the wrong thing to do, both legally and morally, but it's just too darn dangerous! If I can't afford to buy a piece of software, there are plenty of free alternatives out there.
Don't want to spend $500.00 for MS Office?
OpenOffice is almost indistinguishable from the Microsoft version and its cost is $0.00.
Photoshop's $700.00 price tag a bit steep?
Gimp is pretty OK.

Lastly, I installed Suse Linux on a little IBM drive I had lying around.
In a worst-case scenario, I can still get online.
Actually, I should not think of Linux as a "last resort" kinda thing - that's being unfair.
It's just that I am more familiar with Windows, and thus default to it.

So, anyway, that's my story and I'm stickin' to it. lol

Rick
 
Sounds good Rick,
I use Limewire as my only torrent-like software. Avast free does a pretty good job of keeping track of nasties, along with a paid full version of Advanced SystemCare Pro. CCleaner is free and very nice too. I also prefer to reformat and reinstall the OS over trying to remove some virus & malware in infested computers.
 
Tmagic,
I take it then that you have your OS installed on a partition separate from your data, right?
Dang, I wish I had done that :(

So guys, did my "GooredFix.txt" check out ok?
I saw it made a couple of notations regarding my Firefox extensions.
 
I still have Vista installed on another hard drive, and Windows 7 is on another hard drive in the same computer. I back up my data on DVDs so an OS reinstall is easy... I repair and build computers as a hobby now. Most computers I get in get a format and reinstall of the OS. In the past 6 months, out of 20 repaired computers, only 2 were able to be saved without doing an OS reinstall. One had a very important program that had to be saved. Have you tried using Google Chrome? It is way more secure than Firefox.
 
So it looks like we're good now.

Hey, I want to thank the both of you for your time and your expertise.
I want you to know, you have my full gratitude! :)

The happiest of holiday wishes to the two of you!

Rick