surfsidekick 1

koresnordic

IS-IT--Management
Nov 28, 2002
422
GB
Sorry if this is an oldy but I can't find any reference in the forum for it.
I have been passed a computer that is infested with surfsidekick 3. It is running Windows XP SP1. I have removed lots of other rubbish from this machine, but this one is difficult to remove. I have tried using msconfig to stop it from loading, but it just puts itself back. I have tried deleting the directory but the files are in use. I have tried to update to SP2, but it deletes the installation files. I have done all the above in safe mode. I have also gone through the registry removing all references to ssk.exe and they get put back. I have found other sites that talk about a dll called repair[number]. I have tried all I can to remove this, but again it is locked. Any ideas on this please. I have struggled for 2 days and unfortunately they insist it cannot be reformatted and re-installed as they "like the feel too much to have to go through all the bits to get that way again", and they have forgotten half the passwords stored in the password manager in IE !!!!

[pc]

Graham
 
Have you tried deleting it from add/remove and then deleting its folder from C:\program files!

Download and run these tools! Also download HijackThis, run a scan and make a log and click the entries for surfsidekick and click the fix button options!


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):



* Click the Free Trial link under "Downloads/SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  o Sweep Memory
  o Sweep Registry
  o Sweep Cookies
  o Sweep All User Accounts
  o Enable Direct Disk Sweeping
  o Sweep Contents of Compressed Files
  o Sweep for Rootkits
  o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.




Download HijackThis from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.



* Download the trial version of Ewido Security Suite here



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



Download Cleanup

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET



* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.



Reboot to normal mode and run a few online scans!



Run ActiveScan online virus scan here


When the scan is finished, have it delete anything that it cannot clean.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, plus the Ewido and ActiveScan logs.


Also post a new Hijack This log.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
pechenegs, just wondering on something: you say spysweeper has a 14 day trial, I downloaded it on a brand new system that has never used it before and it asked to purchase in order to remove anything it finds. Just wondering when's the last time you checked on it or if I'm doing something wrong?
 
Sorry for the delay in getting back - work went haywire. Anyways, went through it all and spysweeper removed not just surfsidekick but also a rootkit that I suspected but couldn't prove. Excellent result. No logs I am afraid as the user was desperate to get back to their msn account [surprise]

[pc]

Graham
 
Tell them to run this as I suspect they had the nasty Apropos rootkit, which spysweeper does pick up which many don't!



Apropos fix


You may want to print out these instructions for reference, since you will
have to restart your computer during the fix.

Please download AproposFix from here:

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the
Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the
desktop. Open the aproposfix folder on your desktop and run RunThis.bat.
Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a
new HijackThis log, along with the entire contents of the log.txt file in
the aproposfix folder.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
hi electronics, I'm pretty sure if you download the right trial it will clean off the spyware. There might be a bit of confusion at the spysweeper website, I had a poster last week tell me the trial was over and I checked and no trial period for spysweeper, then I checked the next day and there it was, 14 day trial. I have had one other poster say it wouldn't clean off the spyware they found and this poster reports that it does!

Yeah, I just checked again, and the 14 day trial is still on. Click my link above and when you get into the web page and it says add to cart in the top right, just below that it says 14 day trial!



I think you need to make sure you download spysweeper home 14 day trial and not the enterprise edition, maybe that's the difference or Spysweeper is just playing up, but I have had users download it many times and it has cleaned off spyware for them in the trial version!

I actually just bought it, and after 3-4 days managed to get it to load the definition files up as it would only scan in safe mode but now it seems to be ok as I just got the definitions files downloaded but I think I might have accidentally blocked it with processguard lol!!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 