It all started with safesurf.exe

Hello All.

I have a customer's Windows 2003 Standard R2 server that had no antivirus (expired AVG Business Edition).

On Friday 17th August I installed ESET Endpoint Antivirus Version 5.0.2126.0 and, after the initial scan, it found safesurf.exe and safeguard.exe.

In the system32/SD folder I had the files "SafeSurf.exe" and "surfguard.exe".

I quarantined the files through ESET and removed them but couldn't remove the sd folder and some text files. (Trying to delete the folder came up with a message stating a file was in use, and the text files kept coming back after I deleted them.) I eventually deleted the folder after stopping a process called xstarter.

I thought that was it until I received a call from the customer saying the server had frozen (RDP displayed a grey screen) and a hard reboot was the only option to fix it. The server came back up, but since then it freezes once every morning at no particular time and after a reboot is OK until the next day, when it freezes again.

I tried installing Malwarebytes but it tells me 'windows cannot access the specified device path or file you may not have appropriate permissions'.

I have run the mbam chameleon program with the mbam-setup.exe in the same folder and copied mbam.exe renamed as iexplorer.exe in there too with the following output:

MBAM-Chameleon ver. 1.62.0

Press any key to continue

Driver is already loaded

Enabling driver...


Trying to update Malwarebytes Anti-Malware, please wait..


Killing known malicious processes, please wait...


Trying to run Malwarebytes Anti-Malware , please wait...

Failed to run Malwarebytes Anti-Malware

Disabling protection driver...


Press any key to continue

I also tried running the DDS report but it won't run on Windows 2003 R2.

I don't know if there is something still lurking but I'm getting lots of stick from the customer, so any help would be appreciated! If I've posted in the wrong place, I apologise. I've just joined!
