RossWindows
2010-09-24, 20:08
These viruses (or singular) have found a home in my web/terminal server. It goes without saying, I need to remove them ASAP. The server has been disconnected from other machines for the time being, just in case.
Also, I ran Malwarebytes' Anti-Malware and it cleaned this:
Files Infected: C:\Windows\System32\ICH.exe (Spyware.Password) -> Quarantined and deleted successfully.
I also ran Spybot S&D and it cleaned this:
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)
Here is my DDS Log:
I read conflicting information as to whether or not to include attach.zip so let me know if you need it.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:44:48.21 on Fri 09/24/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Server® 2008 Datacenter 6.0.6002.2.1252.1.1033.18.3325.2308 [GMT -7:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k TabletInputServiceGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k WebClientGroup
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\xampp\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\xampp\xampp_service_mercury.exe
C:\xampp\MercuryMail\mercury.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\xampp\tomcat\bin\tomcat6.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\system\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\xampp\apache\bin\httpd.exe
C:\Windows\System32\svchost.exe -k tapisrv
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\drivers\safesurf.exe
C:\Windows\System32\drivers\surfguard.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = res://iesetup.dll/SoftAdmin.htm
uDefault_Page_URL = res://iesetup.dll/SoftAdmin.htm
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_ActiveX.exe -update activex
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [jsafesurf] c:\windows\system32\drivers\safesurf.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {604AE398-4709-4244-8F57-ABEB3DDD4110} = 192.168.2.1
TCP: {EF89F355-3605-4643-818E-5CB642DE4D99} = 192.168.2.1
LSA: Notification Packages = scecli RASSFM
mASetup: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
mASetup: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-8-21 29416]
R2 Mercury;Mercury;c:\xampp\xampp_service_mercury.exe [2010-8-21 78480]
R2 Tomcat6;Apache Tomcat;c:\xampp\tomcat\bin\tomcat6.exe [2009-8-6 57344]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
R2 Win_Updater;Win32 Updater;c:\windows\system32\system\svchost.exe [2010-9-11 1405440]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S0 sacdrv;sacdrv;c:\windows\system32\drivers\sacdrv.sys [2008-1-19 88632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-9-23 1153368]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-8-19 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-18 21504]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-18 21504]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\system32\rsopprov.exe [2010-8-14 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-1-18 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\drivers\bxvbdx.sys [2008-1-19 396288]
S4 ioatdma;Intel(R) QuickData Technology Device;c:\windows\system32\drivers\qd26032.sys [2008-1-19 31232]
S4 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2008-1-19 37320]
S4 vmbus;VMBus;c:\windows\system32\drivers\vmbus.sys [2008-1-19 185032]
=============== Created Last 30 ================
2010-09-24 06:00:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-24 06:00:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-24 05:37:41 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-09-24 05:37:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-24 05:37:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 05:37:33 0 d-----w- c:\programdata\Malwarebytes
2010-09-24 05:37:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 23:50:58 0 d-----w- c:\programdata\Google
2010-09-22 22:13:51 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-09-15 21:37:35 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-15 21:37:34 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 21:37:33 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 21:37:31 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-14 22:42:32 0 d-----w- c:\program files\Lionhead Studios
2010-09-14 16:30:06 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-14 16:30:04 0 d-----w- c:\program files\DAEMON Tools Lite
2010-09-14 16:29:17 0 d-----w- c:\users\admini~1\appdata\roaming\DAEMON Tools Lite
2010-09-14 16:29:15 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-09-14 16:10:11 19456 ----a-w- c:\windows\system32\drivers\surfguard.exe
2010-09-14 16:10:11 158720 ----a-w- c:\windows\system32\drivers\skybound.gecko.dll
2010-09-14 16:09:53 16896 ----a-w- c:\windows\system32\drivers\up.exe
2010-09-14 16:09:53 0 d-----w- c:\windows\system32\drivers\f
2010-09-14 16:09:20 4286 ----a-w- c:\windows\system32\ico.ico
2010-09-14 16:09:20 0 d-----w- c:\windows\system32\system
2010-09-12 00:20:24 757766 ----a-w- c:\windows\system32\Upder.exe
2010-09-04 18:09:31 0 d-----w- c:\program files\Exifer
2010-09-03 21:27:48 0 d-----w- c:\programdata\WinZip
2010-08-30 20:54:54 0 d-----w- c:\program files\VLC
2010-08-29 04:49:42 356352 ----a-w- c:\windows\system32\nvudisp.exe
2010-08-29 04:49:27 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-08-27 00:23:34 644400 ----a-w- c:\windows\system32\mscomct2.ocx
2010-08-26 06:17:49 0 d-----w- C:\temp
2010-08-26 00:51:54 0 d-----w- c:\users\administrator\.yawcam
2010-08-26 00:51:44 0 d-----w- c:\program files\Yawcam
==================== Find3M ====================
2010-09-24 05:51:23 86016 ----a-w- c:\windows\inf\infstor.dat
2010-09-24 05:51:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-09-24 05:51:22 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-09-04 18:10:35 30 ----a-w- c:\program files\Exiferupdate.ini
2010-09-02 18:55:05 211968 ----a-w- c:\windows\system32\drivers\safesurf.exe
2010-08-17 23:54:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 12:15:28 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-08-15 12:12:29 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-08-14 04:38:37 29779 ----a-w- c:\windows\fonts\GlobalSerif.CompositeFont
2010-08-14 04:38:37 26489 ----a-w- c:\windows\fonts\GlobalSansSerif.CompositeFont
2010-08-14 04:38:37 26040 ----a-w- c:\windows\fonts\GlobalMonospace.CompositeFont
2008-01-19 11:45:04 174 --sha-w- c:\program files\desktop.ini
2008-01-19 11:33:22 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2008-01-19 11:33:22 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2008-01-19 11:33:22 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2008-01-19 11:33:22 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-01-19 11:28:23 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 9:45:12.60 ===============