Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: SDFSSvc.exe Gone Rogue?

  1. #1
    Junior Member
    Join Date
    Nov 2013
    Posts
    6

    Default SDFSSvc.exe Gone Rogue?

    Hello. My name is Tim Harris, and until last week, I was a satisfied silent user of Spybot S'n'D for years. I am perhaps a little paranoid regarding malware. I use MS Windows Defender (part of MS Windows Vista), MalwareBytes' Anti-Malware Pro, and Norton 360 in addition to Spybot S'n'D Portable. I've had no incompatibility issues between the four suites and considered them a very effective team protecting my system. However, on 2013-Nov-14 (Thu) and -15 (Fri), MBAM intercepted suspicious traffic from an Ecatel Ltd server in the Netherlands to SDFSSvc.exe. Ecatel Ltd is notorious for malware contagion. Because MBAM intercepted the traffic and SDFSSvc.exe had not attempted to respond, I took no action other than to scan the file for infection. WinDef, Norton, and MBAM each verified SDFSSvc.exe as "clean/safe." I filed a Product Support claim using the form on the Safer-Networking web site, but I have yet to receive a response.

    Starting Friday afternoon, MBAM intercepted suspicious traffic to SDFSSvc.exe, but at 23:59:57, MBAM intercepted suspicious traffic from SDFSSvc.exe to a Voxility server in Romania. Like Ecatel Ltd, Voxility is notorious for malware contagion. Over the next 45 minutes, MBAM intercepted a flurry of incoming and outgoing traffic between SDFSSvc.exe and various blacklisted IP addresses. During this exchange at 00:41:32, Norton stopped an attack on my system by 192.185.100.27 (horseracingtomorrow.co.uk/4) in conjunction with SDFSSvc.exe. Suspicious traffic ceased at 00:48:17. I discovered this about 5:00am Saturday. WinDef, Norton, and MBAM once again each verified SDFSSvc.exe as "clean/safe" so I re-booted in safe mode, expunged my previous Spybot S'n'D Portable installation, downloaded and installed a fresh copy of Spybot S'n'D Portable, and re-scanned with WinDef, Norton, and MBAM. All three assured me my entire system was "clean/safe."

    On 2013-Nov-17 (Sun) at 05:33:33, MBAM intercepted more suspicious traffic between SDFSSvc.exe and blacklisted IP addresses. There were 215 such interceptions of incoming and outgoing traffic between then and 12:01:52 when I discovered the activity and immediately quarantined SDFSSvc.exe with Norton. To my amazement, WinDef, Norton, and MBAM -- each with the most up-to-date malware definitions -- still insist SDFSSvc.exe is a "clean/safe" file, but I'm leaving it in quarantine unless/until I am satisfied with an explanation for why it apparently went rogue and at least tried to co-operate with an attack on my system. As far as I am concerned, Safer-Networking has some serious 'splainin' to do. I'm reluctant to give up on Spybot S'n'D after so many years of good service, but this incident has significantly shaken my confidence in the suite. Am I the only person to experience this? Or has SDFSSvc.exe gone rogue on others as well?

    Color me very confused. Help!
    Attached Images Attached Images
    Attached Files Attached Files
    Last edited by the_seeker; 2013-11-18 at 23:01.

  2. #2
    Senior Member
    Join Date
    Sep 2006
    Posts
    456

    Default

    Is your SDFSSvc.exe signed by "Safer Networking Ltd."? Please check this in the Properties dialogue you can reach when you right-click on the file in Windows' File Explorer.

    Background: We do not offer nor support a portable version of Spybot 2.x. It is possible that your version of SDFSSvc.exe was modified.

  3. #3
    Junior Member
    Join Date
    Nov 2013
    Posts
    6

    Default

    Quote Originally Posted by daemon View Post
    Is your SDFSSvc.exe signed by "Safer Networking Ltd."?
    Yes [see pic].
    Spybot S'n'D 2.2 Portable is available for download here >>> http://portableapps.com/apps/security/spybot_portable ...
    I've used Spybot S'n'D for years with no problem in both "regular" and "portable" versions. I'm very surprised by this problem.
    Attached Images Attached Images

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,572

    Default

    The question might appear silly, but have you searched for sdfssvc.exe on your harddisk?

    The *.txt logs do not include any paths (making it kind of useless imho), and I wonder why the filename is all lowercase, while the official file is named SDFSSvc.exe. Using the name of known legit services to trick users/firewalls is a commen behaviour.

    Next thing I would check is in Spybots settings whether the proxy server Spybot offers is active or not, since 21320 is the port it uses. Could it be that some other malware on your system is using this proxy, trying to bypass direct connections to hide itself?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #5
    Junior Member
    Join Date
    Nov 2013
    Posts
    6

    Default

    Quote Originally Posted by PepiMK View Post
    The question might appear silly, but have you searched for sdfssvc.exe on your harddisk?
    No question is silly to me if it helps me resolve this problem.

    SDFSSvc.exe resides on my HD at C:\MyStuff\0\Spybot_Search'n'Destroy\Data\Spybot

    At least it did until I quarantined it with Norton. It's the "official" file installed by Spybot S'n'D Portable, and it appears in Windows Explorer views as SDFSSvc.exe. I don't believe the MBAM logs are particularly respective of case for reason(s) unknown to me, but that's indeed the file both it and Norton identified, and it's the file I quarantined after which all suspicious communication activity stopped. I have no doubt that I quarantined the correct file, and I have no doubt that the file I quarantined is the SDFSSvc.exe that is supposed to be in that folder. SDFSSvc.exe.log is still in that folder.

    FWIW... I use an SDHC ("Squinch") and two SanDisk Cruzer Blade flash drives ("Pinky" and "Brain") to make redundant back-ups of the entire "MyStuff" folder so SDFSSvc.exe also usually resides at the same location on my F:\, G:\, and H:\ drives as well. However, after I quarantined the file with Norton, the back-up update process deleted it from the back-up drives (which is OK with me because that's why I ran it then). SDFSSvc.exe.log still has 3 back-up copies.

    Anyway, an extensive "include non-indexed, hidden, and system files" search of my entire system revealed no other copies of SDFSSvc.exe anywhere with either an all-cap, mixed, or all-lowercase name. Unless we've discovered indirect evidence of a super ninja file, I'm convinced the file in quarantine is the guilty file.

    Also FWIW... WinDef, MBAM, and Norton still insist my entire system is "clean/safe." The Spybot S'n'D Start Center opens, but it informs me "Important files are missing!" Of course it identifies SDFSSvc.exe as the missing file, but I can still open and use the Spybot S'n'D System Scan... which also insists that my entire system is "clean/safe" (with the very slight exception of non-threatening usage tracks it always detects).

    Quote Originally Posted by PepiMK View Post
    Next thing I would check is ... whether the proxy server Spybot offers is active or not, since 21320 is the port it uses.
    It was until I quarantined SDFSSvc.exe. It isn't now because it can't be.

    Quote Originally Posted by PepiMK View Post
    Could it be that some other malware on your system is using this proxy, trying to bypass direct connections to hide itself?
    Theoretically possible, but I believe highly improbable. I'm just shy of OCD about updating my system defense software suites to make certain they are always operating with the most recent detection info. As I joked earlier, any malware resident in my system spoofing SDFSSvc.exe would have to be super ninja malware way ahead of the curve to hide from Windows Defender, Malwarebytes' Anti-Malware, and Norton 360... and for that matter, to have snuck past Spybot S'n'D itself in the first place!

    Maybe I'm being irrationally stubborn in my loyalty, but I remain reluctant to sever ties with Spybot S'n'D. I've experienced no suspicious communication attempts since I put SDFSSvc.exe in quarantine so I could just expunge the entire Spybot S'n'D Portable installation and go on about my business, but I'd rather not do that. Version 2.2 worked fine until last week. I'm hoping to make it work fine again so I can continue using it.

    My position isn't "Spybot S'n'D is horrible."
    My position is "Spybot S'n'D is awesome so why did it do this horrible thing?"
    Hopefully someone will provide a satisfying answer to that question.
    Last edited by the_seeker; 2013-11-20 at 11:17.

  6. #6
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,572

    Default

    Quote Originally Posted by the_seeker View Post
    Anyway, an extensive "include non-indexed, hidden, and system files" search of my entire system revealed no other copies of SDFSSvc.exe anywhere with either an all-cap, mixed, or all-lowercase name. Unless we've discovered indirect evidence of a super ninja file, I'm convinced the file in quarantine is the guilty file.
    While there is no super needed for that (any rootkit can hide easily from standard searches), I think we should look into other directions first...

    Quote Originally Posted by the_seeker View Post
    Maybe I'm being irrationally stubborn in my loyalty
    Many thanks for that

    Quote Originally Posted by the_seeker View Post
    My position is "Spybot S'n'D is awesome so why did it do this horrible thing?"
    Hopefully someone will provide a satisfying answer to that question.
    Since this is about the proxy, the next thing that comes into my mind would be the network connection. The named port offers a http proxy (for scanning stuff you access through your browser). What if Spybot would offer that service on the network interface, and not just on "localhost", due to some bug?

    What's your network configuration? Are you using a router (and have a local-only IP thanks to NAT)? Or are you directly connected to the Internet (meaning your IP can be accessed from the Internet)? Do you have more than one network interface in your computer?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  7. #7
    Junior Member
    Join Date
    Nov 2013
    Posts
    6

    Default

    Direct connection to the internet via cable modem. Dynamic IP assignment (according to my ISP tech support, my IP address gets re-assigned every time I reset my modem or reboot my computer, but I confess I've never actually tested and tracked changes so I have only my ISP's word for that). My only interface is through my network card (NVIDIA nForce 10/100 Mbps Ethernet) to that modem. Wi Fi is disabled on my computer. I have no active HTTP proxy because... umm... I relied on SDFSSvc.exe for that (hence my fervent hope that it can be exonerated of complicity in the attack). Was this info helpful, or did I misunderstand your questions?

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,482

    Default

    SkipHill your post has been split off to a separate topic: http://forums.spybot.info/showthread...ht=#post447204
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    Junior Member
    Join Date
    Nov 2013
    Posts
    6

    Default

    Any further ideas? Should I accept it as a lost cause?

  10. #10
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,572

    Default

    Your information was quite helpful, thank you
    There are about three possibilities right now:
    • Malware on your system communicating using the Spybot proxy
    • Malware on your system mimicking the Spybot proxy
    • The proxy having issues detecting your network configuration and accepting input from the outside (that's why I asked for the network details)


    We haven't found a good way to test which one of these it is with a release version. Would you be willing to test a Spybot 2.3 beta version? Which updated test output to give hints for the third case, and am thinking about adding process detection and logging for the first case.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •