wallmg

Is this malware - Safesurf / Surfguard?

Recommended Posts

First, I'm sorry for having to post again so soon since last time, but this install package just appeared on my desktop, and I never clicked it, but apparently it installed itself. I keep getting messages about Safesurf and Surfguard. I went to uninstall them but they didn't show up in Add/Remove Programs. But I found them under Processes in Task Manager and ended the processes. I'm sure they'll show up again when I restart my computer. I don't want them at all, but can't figure out how to uninstall them, so I'm assuming it's malware.

Note: When I changed my Folder Options to Show Hidden Files and Folders, a folder titled "js" showed up on my C drive. In it are the safesurf.exe and surfguard.exe files, among some other files. There is also a SafeSurf ABUSE README.txt document that reads:

ENGLISH VERSION BELOW

Если вы обнаружили этот файл, на вашем копьютере установлена программа SafeSurf, предназначенная для просмотра сайтов пользователями системы JetSwap

Если вы являетесь владельцем компьютера и программа была установлена без вашего согласия или ведома, перейдите по ссылке http://go.jetswap.co...4&authkey=98589

Пользователь будет заблокирован, а программа удалена с компьютера. Приносим Вам свои извинения за действия одного из наших пользователей, нарушающего правила системы.

If you found this file on your computer installed SafeSurf, designed for browsing by users of the system JetSwap

If you own a computer and the program was installed without your consent or knowledge, go to http://go.jetswap.co...4&authkey=98589

The user will be blocked and the program will be deleted from your computer. We apologize for the actions of one of our users who abuse the system.

I don't know if I should trust it enough to go to that website to have it deleted from my computer????

I've attached the EEK and OTL reports. I couldn't find the OTL.txt or the Extras.txt documents anywhere, but when I tried to save to my desktop the OTL.txt report that opened when the scan finished, it asked me if I wanted to overwrite the existing file there, even though I could not find a file there. So I saved it as OTL2.txt instead of overwriting it. I'm sure the Extra.txt file is there somewhere hidden, but I can't find it or see it.

Thanks.

Mark

Share this post


Link to post
Share on other sites

According to this Web Of Trust report the website go.jetswap.com has about a 75% trustworthiness rating (100% is the best possible score, and 0% is the worst possible score).

On my first glance, I am only seeing one entry in your OTL log that appears to be related to this "SafeSurf" application. This ThreatExpert reports shows that parts of SafeSurf are detected by Ikarus and Kaspersky as a "Risk Tool", which means it is most likely unwanted software. This list of analysis reports at VirScan.org does not show consistent detections from anti-virus software, with a detection rate ranging from anywhere between 0% and 43%.

Just for reference, there does appear to be a legitimate program named SafeSurf, so my first recommendation would be to upload the file to VirusTotal at this link and then post a link to the analysis in a reply for me to review. The file that you will want to upload is as follows:

C:\js\safesurf.exe

Share this post


Link to post
Share on other sites

I could have come bundled with something else. Since it does appear to be questionable, lets go ahead and remove it with OTL. I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

  1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
    :OTL
    O4 - HKLM..\Run: [jsafesurf] C:\js\safesurf.exe (JetSwap Inc.)
    [2012/03/11 01:02:54 | 000,000,000 | -H-D | C] -- C:\js
    
    :Commands
    [EMPTYTEMP]


  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Share this post


Link to post
Share on other sites

Attached is the log that came up when the computer rebooted. It's not named otl.txt, so not sure if this is what you need. Couldn't find any other logs. Thanks.

Mark

Share this post


Link to post
Share on other sites

Well, that shows that all of the files and folders (as well as the startup entry) related to SafeSurf have been deleted. It shouldn't be bothering you anymore.

If you are satisfied with that, then I can leave my final recommendations and close the topic. ;)

Share this post


Link to post
Share on other sites

Oops, sorry. I had skipped Step 4. Attached is the otl log.

P.S. Why can't I see the log on my desktop? I have to hit save as when the log opens, and when I point to my desktop, it shows that it's already there, but I can't see it on my desktop unless I save it under a different name.

Share this post


Link to post
Share on other sites

Are you sure there isn't already an OTL log saved on your desktop? The only way to save an OTL log with the same name as one that already exists would be to overwrite the old one.

I am seeing some services in that log that are missing files. It may not be related to an infection, however it is best to repair them anyway.

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

ComboFix log is attached.

I meant to mention before that I've been experiencing some strange automatic log-offs on my computer system. This started happening before I noticed the SafeSurf/SurfGuard references. Sometimes I will come in to my office and find my computer at the log-in window, which means it had to have logged off on it's own. On this log-in screen, however, there sometimes two log-in options instead of the usual one: one option is as "Administrator," the other is my normal log-in as myself. It says something to the effect, that in order to keep the files I had open, I must log in as administrator. But when I log in as Administrator, the desktop and icons look different than usual, and the files are not open that I had open originally. And if I remember correctly, it won't let me log in as myself. I basically have to reboot the computer to get back to a normal log-in screen. Does this sound like some kind of malware doings, or some other problem?

Thanks for your help!

Mark

Share this post


Link to post
Share on other sites

Have you made any modifications to your Windows System Files? There are certain files that people like to patch with third-party fixes for certain issues, and I just want to make sure that you haven't done something like that before I write a fix script.

Share this post


Link to post
Share on other sites

The only things I remember doing were running the MicrosoftFixit program in January, I think for networking problems, and then I had to update .NET Framework in an unconventional way, and I remember deleting a couple of entries in the registry that supposedly were leftover from an uninstalled program and were causing error message.

Mark

Share this post


Link to post
Share on other sites

OK, I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script:

  1. Download an updated version of ComboFix from one of the following links:
    [list=]
  2. BleepingComputer
  3. InfoSpyware

[*] Turn off your Anti-Virus software.

[*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

[*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7588-is-this-malware-safesurf-surfguard/

KillAll::

FCopy::
c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

File::
c:\windows\$NtUninstallKB951748_0$\tcpip.sys
c:\windows\ERDNT\cache\tcpip.sys
c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

[*] Close Notepad and verify that the CFScript file is saved on your desktop.

[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

Share this post


Link to post
Share on other sites

OK, that log looks better. I take it that you are no longer having trouble with SafeSurf and that everything looks OK on your end?

Share this post


Link to post
Share on other sites

OK, here's some final instructions for you:

1. Make Sure Java is Updated:

  1. Click on the
    Start
    button.

  2. Click on
    Control Panel
    .

  3. Click
    Add or Remove Programs
    .

  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.

  5. Click on
    this link
    and download and install the latest Java (the
    Windows Online
    download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on
    this link
    and download the latest version of Adobe Flash Player for your web browser.

  2. You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  1. Click on the
    Start
    button.

  2. Click on
    Control Panel
    .

  3. Click
    Add or Remove Programs
    .

  4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you
    do not
    need to uninstall it).

  5. Click on
    this link
    to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as
PDF X-Change Viewer
and
Foxit Reader
which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  1. Click on the
    Start
    button.

  2. Go to
    All Programs
    .

  3. Click on
    Windows Update
    .

  4. If you have never run Windows Update, then it will probably need to install an ActiveX control and update the Windows Update software before it can continue, so make sure you keep an eye out for that pale-yellow bar that pops up at the top of the page when Windows Update needs to install a new component, and click on the yellow bar and select to allow it.

  5. Once it is loaded, click on the
    Express
    button.

  6. It will check for available updates, and once it is done you can click the
    Install Updates
    button.

  7. It may ask you to accept a license agreement before it installs, so make sure you say
    Yes
    .

  8. When it is done installing updates, it may ask you to restart your computer, so close anything you are working on and allow it to restart.

  9. Note that the update process can take a while, and you may need to run it several times before all of the updates get installed.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click
this link
and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  1. Click on the
    Start
    button.

  2. Right-click on
    My Computer

  3. Select
    Properties
    from the list.

  4. In the window that pops up, click on the
    System Restore
    tab.

  5. Click the check box to
    Turn off System Restore
    .

  6. Click the
    Apply
    button at the bottom-right, and answer
    Yes
    to the question.

  7. Depending on how much data is saved in the System Restore, it could take more than a few minutes to empty it.

  8. Click the check box to
    Turn off System Restore
    again and click
    OK
    to turn the System Restore back on.

  9. Click on the
    Start
    button again.

  10. Go to
    All Programs
    .

  11. Go to
    Accessories
    .

  12. Go to
    System Tools
    .

  13. Click on
    System Restore
    .

  14. Select
    Create a restore point
    on the right, and click
    Next
    at the bottom.

  15. Enter a description for the restore point, and click
    Create
    .

  16. Click
    Close
    to finish the process.

Share this post


Link to post
Share on other sites

Your Java link pointed me to version 6, but I have version 7.2 installed. Are you saying I should install an older version? Is it more stable or something?

Mark

Share this post


Link to post
Share on other sites

Your Java link pointed me to version 6, but I have version 7.2 installed. Are you saying I should install an older version? Is it more stable or something?

Mark

Quoting from the Java.com FAQ for Java 7:

"The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be
downloaded
from Oracle.com"

Feel free to use Java 7 if you want, however please make sure to keep it updated as a lot of exploits love to use Java these days (although from what I am hearing from researchers it sounds like the latest versions of the Blackhole exploit try to hit you with Java, Flash, and Adobe Acrobat vulnerabilities all at the same time in the hopes of finding something exploitable). That reminds me that I need to add Adobe Acrobat to my update instructions. If you haven't already done so, you may wish to uninstall any old versions of Adobe Acrobat Reader that you have installed, and download and install the latest version from Adobe at this link. You may also wish to use a third-party PDF viewer such as PDF-XChange Viewer (free and premium versions) and Foxit Reader (free).

Share this post


Link to post
Share on other sites

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.