[danjmilos]

I ran my normal daily quick scan with MBAM and found 'fake.drive' MBAM removed it on a restart. Did a full scan after found nothing else. Anyone heard of fake.drive?

[evilfantasy]

Hello danjmilos.

Don't have MBAM fix that, it's a false positive and fixing it will kill your Internet connection. If you did have MBAM fix it then please restore it from the MBAM Quarantine and then update MBAM. Run a new scan and see if it is detected again.

The correct version should be: (or higher)

Malwarebytes' Anti-Malware 1.34
Database version: 1833

[Albert Lionheart]

Not come across this one before EF - what ISP service or process is this associated with?

[evilfantasy]

It's a registry key.

Code:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL

[Albert Lionheart]

Not in my registry (XP Pro SPIII) - is it Vista?

[evilfantasy]

Looking through these logs it seems to be both XP and Vista.

Maybe it's manufacturer specific? Not sure...

[Albert Lionheart]

A Google for it shows it is a nasty!

[evilfantasy]

I think this is the key that's being flagged falsely. Windows Socket 2.0 Non-IFS Service Provider Support Environment - ws2ifsl.sys - Program Information

This is a legitimate service and is used by LSPs which do not use IFS (Installable File System) supported sockets. <- Explains why removing it kills the connection.

[Albert Lionheart]

I googled the registry entry - try it and see?

[evilfantasy]

Maybe by itself it's OK but can be exploited by malware?

Not sure..

I'm off to the dentist. Broke one of my back teeth a few days ago on some butter toffee pop-corn. Trust me I would like to investigate this more rather than see a dentist!

Talk to you later (hopefully )

[Albert Lionheart]

I would not know where to start with it - except maybe ask Kaspersky support who are pretty sharp!
Enjoy dentistry - butter popcorn - mmmm!

[evilfantasy]

Quote:

butter popcorn - mmmm!

Heh, yea now I associate it with the feeling of a baseball bat hitting me across the side of my head.

I'm offff....

[Albert Lionheart]

Best of luck EF!

[danjmilos]

Always keep my MBAM up to date. Had 1.34 1833 when I did my scan last night. MBAM deleted it last night, went last night and now, seems like nothing wrong with the net. I'll mark this in my event log and if I have problems I'll restore to a previous day. I'll let you know if anything funny starts happening.

Thank you all,
Dan

[Blackmirror]

MB is updated as soon as there is a problem reported
the team works hard

[sho-dan]

Quote:

Originally Posted by Blackmirror

MB is updated as soon as there is a problem reported
the team works hard

Hello Bm

Yes they do.

[Gunner]

I saw another MB log:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\WS2IFSL (Fake.Driver) -> No action taken.
If it's removed and no probs, no harm and no foul.
It is not a standard XP or Vista entry.

[evilfantasy]

Quote:

Originally Posted by evilfantasy

Maybe by itself it's OK but can be exploited by malware?

Spyware.GuardMon Technical Details | Symantec

Quote:

Creates a service with the following attributes:

Service Name: "WS2IFSL"
Display Name: "Windows Socket 2.0 Non-IFS Service Provider Support Environment"
Path to executable: "%System%\drivers\ws2ifsl.sys"
Startup type: "Manual"

Note: This is a legitimate service and is used by LSPs which do not use IFS (Installable File System) supported sockets.

[danjmilos]

I'll restore it right now.
Thanks,
Dan

10:15PM done

[Albert Lionheart]

So what is the conclusion on this - OK or dangerous?