SurfSideKick re-asserts itself even with TeaTimer running.

Discussion in 'other security issues & news' started by Close_Hauled, Jun 9, 2005.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I am working on a friend's computer with Windows XP Home. He had so much spyware on it that I am amazed that the computer worked at all. I have cleaned off a lot with Spybot, but I noticed that SurfSideKick (maybe SurfSideKick 2) keeps re-asserting itself in the startup. TeaTimer is running, but does not stop it. It's like a game of whack-a-mole. Amusing for a while, but tedious. Obviously SurfSideKick has a service running. I am just curious as to how it is getting by TeaTimer. Any thoughts?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    or SurfSideKick 3 ;)

    In any case....since SurfSideKick gets a kick start by its simple Run entry....SurfSideKick\Ssk.exe....TeaTimer should definitely have no problem with it.

    Having said that....and since it's your friend's PC....what version of Spybot are we talking about? Your info causes me to wonder....especially if they are still using Spybot 1.3....if they are suffering from the known TeaTimer bug :doubt:
     
  3. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    He had no protection whatsoever. I put 1.3 on, but I did not update it to 1.4. I will update it this weekend. But TeaTimer does not know that the SurfSideKick change occurs. Spybot shows the change in real-time. When Spybot shows the change in System Startup, I delete it, only to see the change come back seconds later.

    Cleaning this one will be easy, so my question is not a how-to. It's more of an academic question to understand how the spyware is functioning. I will often play cat and mouse with them to understand them. Here, I am just curious as to how it gets around TeaTimer.

    I noticed also that some of the spyware was actually trying to defeat Spybot. It seemed as if they were trying to deny Spybot access to some of its DLLs. I wish I had my camera with me to document what I was seeing. Spybot was able to maintain control on the second (boot-up) scan because I had already denied everything in the system startup.

    SurfSideKick and another spyware (I forgot the name) were the only two that were not cleaned. The second one could not reassert itself because of TeaTimer. But it has a service running that tries. I identified the service and disabled it. This system had at least six services running that were associated with spyware.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There may be a possibility that TeaTimer knows about it....which is why I asked about 1.3 and mentioned the known TeaTimer bug for version 1.3.

    It might not be part of the problem according to what transpired after you installed 1.3....but have a look at the below post in case you are not aware.

    This post---> TEATIMER REGISTRY MONITOR "REMEMBER THIS DECISION" BUG


    Also take a look in the Application Data\Spybot - Search & Destroy\Excludes folder to see if there is a RegKeyWhite.sbe file. Open it in notepad and see if there is an Allow entry dealing with SSK :doubt:
     
  5. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Interesting. I did not know this. But I never use "Remember this decision", especially in this case. It robs me of tactical knowledge that I need. I'll follow the procedure nonetheless and let you know what happens.

    Thanks Bubba.
     