need help removing up.new.exe

Status
Not open for further replies.
ESET found 5 infected files. 4 were in the OTL moved files and one was c:\windows\system32\upn.exe

Here is the log from ESET. I hope this is what you wanted because it seems a bit short to me.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Here is the log from the OTS scan:
 
Start OTS.

Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Vista Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
YY -> \List\\"" -> C:\windows\system32\drivers\safesurf.exe [C:\\windows\\system32\\drivers\\safesurf.exe:*:Enabled:Updater Service]
YY -> \List\\"C:\Windows\system32\system\svchost.exe" -> C:\Windows\SysNative\system\svchost.exe [C:\Windows\system32\system\svchost.exe:*:Enabled:Updater Service]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "" -> C:\windows\system32\drivers\safesurf.exe [C:\\windows\\system32\\drivers\\safesurf.exe:*:Enabled:Updater Service]
YY -> "C:\Windows\system32\system\svchost.exe" -> C:\Windows\SysWow64\system\svchost.exe [C:\Windows\system32\system\svchost.exe:*:Enabled:Updater Service]
[Files/Folders - Created Within 30 Days]
NY -> safesurf.exe -> C:\Windows\SysWow64\drivers\safesurf.exe
[Files/Folders - Modified Within 30 Days]
NY -> safesurf.exe -> C:\Windows\SysWow64\drivers\safesurf.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:2E224648
NY -> @Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:A1023D41
NY -> @Alternate Data Stream - 96 bytes -> C:\ProgramData\Temp:BFC41B39



The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
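The two registry entries in the fix above are legacy Windows Firewall application exceptions: under the AuthorizedApplications\List key each value is named after a program's full path and holds a string of the form `<path>:<scope>:<Enabled|Disabled>:<display name>`. What makes these two stand out is that one has an empty value name and points at an `.exe` inside `system32\drivers`, and the other is a `svchost.exe` living outside System32, both labelled "Updater Service". The following is an added example, not OTS code and not from anyone in this thread, that parses that value format and applies those three checks; the sample entries are constructed from the fix lines plus one benign control, and it assumes %SystemRoot% is C:\Windows. On a Windows host it reads the live key (present on XP/Vista-era systems; later versions keep rules elsewhere), otherwise it audits the constructed sample.

```python
"""Audit legacy Windows Firewall application exceptions (added example)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: value name -> value data. The first two mirror the
# OTS findings in the thread; the third is a benign control entry.
SAMPLE_ENTRIES = {
    "": r"C:\windows\system32\drivers\safesurf.exe:*:Enabled:Updater Service",
    r"C:\Windows\system32\system\svchost.exe":
        r"C:\Windows\system32\system\svchost.exe:*:Enabled:Updater Service",
    r"C:\Program Files\Mozilla Firefox\firefox.exe":
        r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
}

# Assumption: %SystemRoot% is C:\Windows. Only these two directories should
# hold the core system executables listed below.
WINDIR = r"c:\windows"
SYSTEM_DIRS = {r"\windows\system32", r"\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe"}

# <path>:<scope>:<Enabled|Disabled>:<display name>; the path may start with a
# drive letter (its own colon), the display name may contain colons.
ENTRY_RE = re.compile(r"^((?:[A-Za-z]:)?[^:]*):([^:]*):(Enabled|Disabled):(.*)$")


@dataclass
class FirewallException:
    value_name: str
    path: str
    scope: str        # "*" means any remote address
    mode: str         # Enabled or Disabled
    display_name: str
    findings: list = field(default_factory=list)


def parse_entry(value_name: str, value_data: str) -> FirewallException:
    """Split one AuthorizedApplications value into its four fields."""
    m = ENTRY_RE.match(value_data)
    if not m:
        raise ValueError(f"unexpected AuthorizedApplications format: {value_data!r}")
    return FirewallException(value_name, *m.groups())


def audit(entries: dict) -> list:
    """Parse every entry and attach heuristic findings to each one."""
    results = []
    for value_name, value_data in entries.items():
        exc = parse_entry(value_name, value_data)
        norm = exc.path.lower().replace("%systemroot%", WINDIR).replace("%windir%", WINDIR)
        _, rest = ntpath.splitdrive(norm)
        directory, base = ntpath.split(rest)
        # 1. The value name should equal the path in its data (OTS showed an empty name).
        if value_name.lower() != exc.path.lower():
            exc.findings.append("value name does not match the path in its data")
        # 2. A core system binary name in a non-system directory is a masquerade.
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            exc.findings.append(f"{base} outside System32/SysWOW64")
        # 3. System32\drivers holds .sys drivers; an .exe there is out of place.
        if directory.endswith("\\drivers"):
            exc.findings.append("executable under a drivers directory")
        results.append(exc)
    return results


def read_live_entries() -> dict:
    """On Windows, read the real list; elsewhere (or if absent) return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    key_path = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break          # no more values
                entries[name] = data
                i += 1
    except OSError:
        pass                       # key absent on newer Windows versions
    return entries


if __name__ == "__main__":
    for exc in audit(read_live_entries() or SAMPLE_ENTRIES):
        status = "; ".join(exc.findings) or "no findings"
        print(f"{exc.mode:8} {exc.scope:3} {exc.path}  [{exc.display_name}]  -> {status}")
```

The checks are heuristics: a legitimate installer can register an exception with a mismatched name, so a finding is a reason to look at the file (hash it, check its signature), not proof of infection on its own.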
 
OTS log:

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\\\List"" not found.
C:\windows\system32\drivers\safesurf.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\\\List"C:\Windows\system32\system\svchost.exe" not found.
File C:\Windows\SysNative\system\svchost.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\ deleted successfully.
File C:\windows\system32\drivers\safesurf.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\system32\system\svchost.exe deleted successfully.
File C:\Windows\SysWow64\system\svchost.exe not found.
[Files/Folders - Created Within 30 Days]
File C:\Windows\SysWow64\drivers\safesurf.exe not found!
[Files/Folders - Modified Within 30 Days]
File C:\Windows\SysWow64\drivers\safesurf.exe not found!
[Alternate Data Streams]
ADS C:\ProgramData\Temp:2E224648 deleted successfully.
ADS C:\ProgramData\Temp:A1023D41 deleted successfully.
ADS C:\ProgramData\Temp:BFC41B39 deleted successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.38.1 fix logfile created on 10122010_093620
 
Seems OK, but give me at least 24 hours to observe my system and see if I get any odd pop-up warnings or any odd behavior.

I did notice in that c:\windows\syswow64\drivers\f folder there are 2 files. One is called Jet and it is an app and the other is called sfa and it is a txt.

If you think we need to deal with these as they may be related to the jetswap and safesurf stuff let me know. I will check back in the morning after some observation.

Thanks so much for your help. It was very good. Straight and to the point and it got results. :thanks:

I'll check in the morning and see if you have a reply. If not I will post again in about 24 hours from now and confirm if my system is clean and back to normal.
 
Hi,

You can open that SFA file and see what it is, it may be related to some games you installed.



You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again


C:\Windows\SysWow64\drivers\f\jet.exe

If the site is busy you can try this one

http://virusscan.jotti.org/en
 
Here is the VirusTotal results:

Antivirus Version Last Update Result
AhnLab-V3 2010.10.13.01 2010.10.13 -
AntiVir 7.10.12.196 2010.10.13 -
Antiy-AVL 2.0.3.7 2010.10.13 -
Authentium 5.2.0.5 2010.10.13 -
Avast 4.8.1351.0 2010.10.13 -
Avast5 5.0.594.0 2010.10.13 -
AVG 9.0.0.851 2010.10.13 -
BitDefender 7.2 2010.10.13 -
CAT-QuickHeal 11.00 2010.10.13 -
ClamAV 0.96.2.0-git 2010.10.13 -
Comodo 6376 2010.10.13 -
DrWeb 5.0.2.03300 2010.10.13 -
Emsisoft 5.0.0.50 2010.10.13 -
eTrust-Vet 36.1.7908 2010.10.13 -
F-Prot 4.6.2.117 2010.10.12 -
Fortinet 4.2.249.0 2010.10.13 -
GData 21 2010.10.13 -
Ikarus T3.1.1.90.0 2010.10.13 -
Jiangmin 13.0.900 2010.10.13 -
K7AntiVirus 9.65.2733 2010.10.12 -
Kaspersky 7.0.0.125 2010.10.13 -
McAfee 5.400.0.1158 2010.10.13 -
McAfee-GW-Edition 2010.1C 2010.10.13 -
Microsoft 1.6201 2010.10.13 -
NOD32 5527 2010.10.13 -
Norman 6.06.07 2010.10.12 -
nProtect 2010-10-13.01 2010.10.13 -
Panda 10.0.2.7 2010.10.12 -
PCTools 7.0.3.5 2010.10.13 -
Prevx 3.0 2010.10.13 -
Rising 22.69.02.04 2010.10.13 -
Sophos 4.58.0 2010.10.13 -
Sunbelt 7048 2010.10.13 -
SUPERAntiSpyware 4.40.0.1006 2010.10.13 -
Symantec 20101.2.0.161 2010.10.13 WS.Reputation.1
TheHacker 6.7.0.1.056 2010.10.13 -
TrendMicro 9.120.0.1004 2010.10.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.13 -
VBA32 3.12.14.1 2010.10.13 -
ViRobot 2010.9.25.4060 2010.10.13 -
VirusBuster 12.67.14.0 2010.10.12 -
Additional information
MD5 : 6282da97178f2112b74b4a4a60e80ce6
SHA1 : c1bbbe736d4571a95df41d169eb73fe1de294a00
SHA256: e7cc335432f36a6cd6f46ffeff8f9a40cdd864a165e5604fc505ad009dfd8470
ssdeep: 196608:eQm77vDObREIXome180a3o87bj0mDFeMj6gpjRMmbscXF0ADDyIM3xJckCiY:eQmnvDAEIYNE3o8PBPugR+mJ10kDx/
File size : 9655677 bytes
First seen: 2010-09-06 00:25:21
Last seen : 2010-10-13 12:31:35
TrID:
WinRAR Self Extracting archive (95.7%)
Win32 Executable Generic (1.5%)
Win32 Dynamic Link Library (generic) (1.4%)
Win32 Executable Watcom C++ (generic) (0.4%)
Generic Win/DOS Executable (0.3%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): RAR, UTF-8, SFX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1000
timedatestamp....: 0x48CFC008 (Tue Sep 16 14:17:44 2008)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x14000, 0x13A00, 6.48, d9c3b0b82d7da6d18b0896fb360cea84
.data, 0x15000, 0x8000, 0xA00, 4.93, 568dd221456d807ca821813c84d65e70
.idata, 0x1D000, 0x2000, 0x1200, 4.79, bc7806e1c1ce9ebfd00ad834c1f7a647
.rsrc, 0x1F000, 0x4000, 0x3C00, 5.04, 3c8f0ed4321b54bfacbe419b46569c90

[[ 8 import(s) ]]
ADVAPI32.DLL: AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, SetFileSecurityA, SetFileSecurityW
KERNEL32.DLL: CloseHandle, CompareStringA, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, DeleteFileA, DeleteFileW, DosDateTimeToFileTime, ExitProcess, ExpandEnvironmentStringsA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FindResourceA, FreeLibrary, GetCPInfo, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetDateFormatA, GetFileAttributesA, GetFileAttributesW, GetFileType, GetFullPathNameA, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetNumberFormatA, GetProcAddress, GetProcessHeap, GetStdHandle, GetSystemTime, GetTempPathA, GetTickCount, GetTimeFormatA, GetVersionExA, GlobalAlloc, HeapAlloc, HeapFree, HeapReAlloc, IsDBCSLeadByte, LoadLibraryA, LocalFileTimeToFileTime, MoveFileA, MoveFileExA, MultiByteToWideChar, ReadFile, SetCurrentDirectoryA, SetEndOfFile, SetEnvironmentVariableA, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, Sleep, SystemTimeToFileTime, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcmpiA, lstrlenA
COMCTL32.DLL: -
COMDLG32.DLL: CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA
GDI32.DLL: DeleteObject
SHELL32.DLL: SHBrowseForFolderA, SHChangeNotify, SHFileOperationA, SHGetFileInfoA, SHGetMalloc, SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA
USER32.DLL: CharToOemA, CharToOemBuffA, CharUpperA, CopyRect, CreateWindowExA, DefWindowProcA, DestroyIcon, DestroyWindow, DialogBoxParamA, DispatchMessageA, EnableWindow, EndDialog, FindWindowExA, GetClassNameA, GetClientRect, GetDlgItem, GetDlgItemTextA, GetMessageA, GetParent, GetSysColor, GetSystemMetrics, GetWindow, GetWindowLongA, GetWindowRect, GetWindowTextA, IsWindow, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadIconA, LoadStringA, MapWindowPoints, MessageBoxA, OemToCharA, OemToCharBuffA, PeekMessageA, PostMessageA, RegisterClassExA, SendDlgItemMessageA, SendMessageA, SetDlgItemTextA, SetFocus, SetMenu, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, TranslateMessage, UpdateWindow, WaitForInputIdle, wsprintfA, wvsprintfA
OLE32.DLL: CLSIDFromString, CoCreateInstance, CreateStreamOnHGlobal, OleInitialize, OleUninitialize
ExifTool:
file metadata
CodeSize: 81920
EntryPoint: 0x1000
FileSize: 9.2 MB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 32768
LinkerVersion: 5.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:09:16 16:17:44+02:00
UninitializedDataSize: 0
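Most of what the report above lists under "PEInfo" and "ExifTool" (machine type, link-time timestamp, entry point, section names, sizes, per-section entropy and MD5) comes straight from the PE headers, and the file hashes at the top are what you compare against when deciding whether a file on disk is the same one that was scanned. The following is an added example, not VirusTotal's code and not from anyone in this thread, that reads those fields with only the Python standard library. Because it has to run offline, `build_sample_pe()` constructs a tiny synthetic PE32 image (not the jet.exe from the thread); its timestamp field is set to the 0x48CFC008 value from the report so the conversion to a date can be checked against it, and its two sections are deliberately one uniform-random-looking and one all-zero to show the entropy scale.

```python
"""Local triage of a PE file: hashes, header fields, section entropy (added example)."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* constants from the PE specification.
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); above ~7 usually means packed/encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return entropy if entropy > 0 else 0.0


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, entry point and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)               # 0x10B PE32, 0x20B PE32+
    (entry,) = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint

    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                            # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    # Which section holds the entry point? An entry point outside every section,
    # or inside a high-entropy one, is typical of packed or self-extracting files.
    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry,
        "entry_section": entry_section,
        "sections": sections,
        "hashes": {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")},
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program) used to exercise parse_pe()."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x48CFC008, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 5, 0, 0x100, 0x100, 0, 0x1000)          # entry point 0x1000
    opt += b"\0" * (0xE0 - len(opt))

    def section(name, vaddr, size, rawptr):
        return struct.pack("<8sIIII", name, size, vaddr, size, rawptr) + b"\0" * 16

    header = dos + coff + opt + section(b".text", 0x1000, 0x100, 0x200) + section(b".data", 0x2000, 0x100, 0x300)
    header += b"\0" * (0x200 - len(header))
    return header + bytes(range(256)) + b"\0" * 0x100            # .text: every byte once; .data: zeros


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(data)
    print(f"{info['machine_name']}  built {info['timestamp_utc']} UTC  entry 0x{info['entry_point']:X} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va 0x{s['vaddr']:X} raw 0x{s['rawsize']:X} entropy {s['entropy']:.2f} md5 {s['md5']}")
    for alg, digest in info["hashes"].items():
        print(f"  {alg}: {digest}")
```

Run it with a file path to triage a real executable, or with no arguments to see the synthetic sample. Comparing the printed SHA-256 with the one in a scanner report tells you whether the scanned sample and the file on disk are really the same object; the timestamp is whatever the linker (or a packer) wrote and is worth noting but not trusting.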
 
Well if that file is OK and everything else looks OK to you and my system and AV aren't giving me pop-up warnings I guess we are finished here.

Thanks so much for all the help and excellent work. I appreciate all your time and effort. :2thumb:
 
You're very welcome :)

You can open up OTL and click on the Cleanup Feature and it will remove some of the tools we used to clean your system along with any backups they may have created.


System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.




 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 