SurfSideKick

Discussion in 'ewido anti-spyware forum' started by AndyManchesta, Feb 14, 2006.

Thread Status:
Not open for further replies.
  1. AndyManchesta

    AndyManchesta Registered Member

    Joined:
    Feb 13, 2006
    Posts:
    5
    Location:
    Manchester. UK
    Hi Guys, Great forum you have here :thumb:

    I was playing with SurfSideKick earlier today and noticed Ewido fails to remove it and just hangs on the cleaning part. As you're probably aware, it's loading the repairs(RandomNumber).dll via the AppInit_DLLs registry key, which pretty much means it's loaded into every running process because of user32.dll.

    I'm not able to save a log from Ewido as it will not finish the cleanup and just hangs, even in safe mode. For example, it found 18 entries one of the times I loaded SSK and showed it removed 8, then hung. If I switch to Quarantine it has 7 of the repairs.dll files listed, all with the same name, and then one Ssk.exe file in the program files\SurfSideKick folder, and that's where it gets stuck. The repairs.dll is always present in system32 and the ssk.exe remains untouched, so it's either not removing them or it's instantly regenerating.

    As far as I can see it's impossible to remove this repairs.dll file because of the way it's loaded (cannot rename, move, delete, killbox etc.). HijackThis will display an error message if you attempt to fix it and gives instructions to contact Merijn, which I did a long time ago about this, and I'm sure others have, so he would already be aware of that problem.

    When Ewido hangs it's showing 99% CPU usage & 29.680k mem usage, and if it's shut down and restarted it finds the same files. The key part to it is the repairs.dll protecting the other files from removal, but it can be easily removed using the uninstaller command, so maybe Ewido should consider using that method to remove this and tell the user to follow the on-screen prompts, then reboot and run another scan (SSK pops up an uninstall box and asks you to enter 5 or 6 digits, then reboot and it's removed from the system), except for leaving the modified URL Search hook, which can be easily fixed.

    The uninstall command is:

    "C:\Program Files\SurfSideKick 3\Ssk.exe" /u

    Ewido is also missing a few files in the application data folder and one file in system32, but the app data files seem randomly named and sized, so that may take some work to understand the pattern. Here are the system changes.

    Initial file size of SurfSideKick: 29.5 KB

    Creates randomly named temp and batch files.

    Ran it 6 times, which created .tmp files called iA, i2, i3, i4, i18, i12

    example:
    c:\Documents and Settings\Owner\Local Settings\Temp\iA.tmp

    28.0 KB

    Which contains this in the file:

    http:/ (g@ /silentinstall %TEMP%SskUpdater3.exe Bundling/SskUpdater3_4bp5.exe dl.surfsidekick.com %d.%d.%d.%d Software\SurfSideKick3\Internet Explorer

    h(**MODIFIED**)p://dl.surfsidekick.com/Bundling/SskUpdater3_4bp5.exe

    Size: 318 KB

    Which creates this:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\SskUpdater3.exe

    It also creates randomly named batch files in the same folder.

    On testing it created: uf, u6, u1f, u13, u20, u21

    c:\Documents and Settings\Owner\Local Settings\Temp\uF.bat

    187 bytes

    Batch file contains this:

    @echo off
    :try
    del "C:\DOCUME~1\Owner\LOCALS~1\Temp\SskUpdater3.exe"
    if exist "C:\DOCUME~1\Owner\LOCALS~1\Temp\SskUpdater3.exe" goto try
    del "C:\DOCUME~1\Owner\LOCALS~1\Temp\uF.bat"

    This makes these registry changes (left a few subkeys out to save space but listed all main keys):

    HKEY_CURRENT_USER\Software\SurfSideKick3

    HKEY_CURRENT_USER\Software\SurfSideKick3\Internet Explorer

    HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3

    HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3\Internet Explorer

    HKEY_CLASSES_ROOT\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SurfSideKick 3" = C:\Program Files\SurfSideKick 3\Ssk.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SurfSideKick 3" = C:\Program Files\SurfSideKick 3\Ssk.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs" = "repairs302972994.dll"


    Files:

    c:\Program Files\SurfSideKick 3\Ssk.exe
    Size: 125,952 bytes

    c:\Program Files\SurfSideKick 3\SskBho.dll
    Size: 90,112 bytes

    c:\Program Files\SurfSideKick 3\SskCore.dll
    Size: 259,072 bytes

    c:\WINDOWS\system32\repairs302972994.dll
    Size: 85,504 bytes


    These were not detected in the scan:


    c:\WINDOWS\Prefetch\IA.TMP-28A5DF0F.pf
    Size: 9,826 bytes

    c:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf
    Size: 22,276 bytes

    c:\WINDOWS\Prefetch\SSK3REPAIRINSTALL.EXE-28B75F6F.pf
    Size: 5,052 bytes

    c:\WINDOWS\Prefetch\SSKUPDATER3.EXE-33E712BE.pf
    Size: 17,026 bytes

    c:\WINDOWS\Prefetch\SURFSIDEKICK.EXE-30643CB4.pf
    Size: 4,512 bytes

    c:\WINDOWS\system32\bk.exe
    Size: 326,144 bytes

    C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
    509,297 bytes

    C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
    46 bytes

    C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
    60 bytes

    C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
    30 bytes


    Not all the application data files appeared each time I downloaded SSK, but the 509,297 bytes file was there each time.

    I think it's virtually impossible to remove SSK without using its own uninstaller (except BartPE methods), so I thought I'd post info about the alternative to prevent the scanner hanging and removing the same files over and over.

    Hope that helps

    Regards

    Andy
     
    Last edited: Feb 14, 2006
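A defender-side check over the persistence points Andy lists above (the AppInit_DLLs value, the Run entries and the URLSearchHooks CLSID), written as an added example that is not part of the thread. It parses a constructed regedit-style export rather than reading a live registry, so it runs offline anywhere; the export text, key paths and CLSID are taken from the post, everything else is assumed.

```python
import re

# Indicators quoted from the post above; key paths are compared case-insensitively
# because the post mixes "SOFTWARE" and "Software".
SSK_CLSID = "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
RUN_KEYS = [h + r"\software\microsoft\windows\currentversion\run"
            for h in ("hkey_current_user", "hkey_local_machine")]
HOOKS_KEY = r"hkey_current_user\software\microsoft\internet explorer\urlsearchhooks"

# Constructed regedit-style export (not a real capture) carrying the post's entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="repairs302972994.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"=""
"""

def parse_reg_export(text):
    """Parse regedit text into {lowercased key path: {value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            # regedit doubles backslashes inside string values; undo that
            keys[current][name.strip().strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return keys

def check_ssk_indicators(keys):
    """Return (indicator, detail) pairs for the persistence points the post lists."""
    findings = []
    # Any populated AppInit_DLLs deserves a look; repairs<digits>.dll is the SSK naming pattern.
    for dll in re.split(r"[ ,;]+", keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")):
        if dll:
            tag = " (SSK pattern)" if re.fullmatch(r"repairs\d+\.dll", dll, re.I) else ""
            findings.append(("AppInit_DLLs" + tag, dll))
    for run_key in RUN_KEYS:
        for name, value in keys.get(run_key, {}).items():
            if "surfsidekick" in value.lower():
                findings.append(("Run entry", f"{name} = {value}"))
    if SSK_CLSID in keys.get(HOOKS_KEY, {}):
        findings.append(("URLSearchHook", SSK_CLSID))
    return findings

if __name__ == "__main__":
    for indicator, detail in check_ssk_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{indicator}: {detail}")
```

On a live machine the same checks apply to `reg export` output of those three keys; the AppInit_DLLs hit is the one that explains why ordinary file deletion fails, since the DLL is mapped into every user32-linked process.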
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,220
    Location:
    UK
    Has anyone from the Ewido team read this post?
    If so any comment?
     