Manual Removal Guide for SurfSideKick



Friday
2008-11-28, 18:02
The following instructions were created to help you get rid of "SurfSideKick" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it can look deeper than a manual checklist.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
When executed, the program installs itself into the Program Files folder under the name "SurfSideKick2", creates registry entries and an autostart entry. From that moment on, pop-ups appear while surfing with Internet Explorer.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries. Note that msconfig only disables an entry and keeps a copy of it; to delete it outright, use Spybot-S&D or RunAlyzer, or delete the value from the Run key with regedit.exe.

Entries named "SurfSideKick 3" and pointing to "<$PROGRAMFILES>\SurfSideKick 3\Ssk.exe".
Entries named "SurfSideKick 2" and pointing to "<$PROGRAMFILES>\SurfSideKick 2\Ssk.exe".
Entries named "SurfSideKick 2".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties, or to avoid the malware reactivating itself during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "S7KqHe".
Products that have a key or property named "Surf SideKick".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\SurfSideKick 3\Ssk.exe".
The file at "<$PROGRAMFILES>\SurfSideKick 3\SskBho.dll".
The file at "<$PROGRAMFILES>\SurfSideKick 3\SskCore.dll".
The file at "<$PROGRAMFILES>\SurfSideKick 3\SskFFCore.dll".
The file at "<$SYSDIR>\bk.exe".
A file with an unknown location named "bk.exe".
The file at "<$APPDATA>\Sskuknwrd.dll".
The file at "<$LOCALSETTINGS>\Temporary Internet Files\Ssk.log".
The file at "<$WINDIR>\DXCecho.exe".
A file with an unknown location named "SskBho.dll".
A file with an unknown location named "ssk_installer.exe".
The file at "<$SYSDIR>\ssn6tuu.exe".
The file at "<$LOCALSETTINGS>\Temp\i3F.tmp".
The file at "<$SYSDIR>\Yunguyo.exe".
The file at "<$LOCALSETTINGS>\Temp\s11k.4.exe".
The file at "<$LOCALSETTINGS>\Temp\ssk3_b5.exe".
The file at "<$SYSDIR>\SSK3_B5 Seedcorn 4.exe".
The file at "<$SYSDIR>\SSK3.exe".
The file at "<$SYSDIR>\repairs.dll".
The file at "<$APPDATA>\Sskcwrd.dll".
The file at "<$APPDATA>\Sskknwrd.dll".
The file at "<$LOCALSETTINGS>\Temp\uD.bat".
The file at "<$WINDIR>\netdx.dat".
The file at "<$WINDIR>\prntc.log".
The file at "<$WINDIR>\SSK3_B5.exe".
A file with an unknown location named "SSK_B5Surfs.EXE".
The file at "<$LOCALSETTINGS>\Temp\SskUpdater.exe".
The file at "<$WINDIR>\SSK_B5.EXE".
The file at "<$LOCALSETTINGS>\Temp\i3.tmp".
Make sure you set your file manager to display hidden and system files. If SurfSideKick uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files listed without a location. Be extra careful, because the name alone might not be enough to identify a file; check its size, version information and the date it appeared before deleting it!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\SurfSideKick 3".
The directory at "<$PROGRAMFILES>\SurfSideKick 2".
Make sure you set your file manager to display hidden and system files. If SurfSideKick uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
If a folder is listed without a location, you will have to use a global search. Be extra careful, because the name alone might not be enough to identify a folder!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries. Export each affected key first (File > Export) so it can be restored if something breaks. Note that HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, so a key deleted under HKEY_CLASSES_ROOT may need to be removed from both of those locations.

Remove "repairs" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\". Edit only that one entry and leave any other DLLs listed in the value in place; because Windows loads every DLL in this list into each process that uses user32.dll, "<$SYSDIR>\repairs.dll" stays in use until you reboot after the change.
Delete the registry key "{22481ECF-6213-4385-A287-E457B22E3A2E}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{72EC96E8-30EB-4DA8-9446-B4366BF00249}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "Fseytdc.Ariaqudok", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Fseytdc.Ariaqudok.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Fseytdc.Yvakt", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Fseytdc.Yvakt.1", plus associated values.
Delete the registry key "{34E97B51-AB15-419B-96D1-1B2469659004}" at "HKEY_CLASSES_ROOT\Interface\".
Remove "{DA28E0DB-229C-4003-827E-96AE15AD90FB}" from registry value "CLSID" at "HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html\".
Delete the registry key "{5769647E-6937-4390-BC5A-F5A986CAA1F2}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "kSR39sJ5" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{AE0ECC2F-0C33-494C-8B22-B57A7763027F}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{E5E2A3E7-00FE-4D31-A030-A10799DDCA66}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\".
Delete the registry key "SurfSideKick3" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "SurfSideKick3" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry value "_{02EE5B04-F144-47BB-83FB-A60BD91B74A9}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
Delete the registry value "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
Delete the registry value "rpt" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\".
Delete the registry value "sox_id" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\".
Delete the registry value "sox_ver" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\".
Delete the registry key "SurfSideKick2" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "SurfSideKick2" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If SurfSideKick uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
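As an added example (not part of the original guide and not Spybot's own tooling), the following PowerShell script turns the checklist above into a repeatable audit: it expands the guide's <$...> placeholders, tests every listed file, folder, registry key and value, checks the Run keys for the autorun entries, and strips only the "repairs" entry from AppInit_DLLs. Without -Remove it only reports; with -Remove it deletes what it found. Mapping <$LOCALSETTINGS> to "%USERPROFILE%\Local Settings" and treating the Run keys as the place the autorun entries live are assumptions; items the guide lists with an "unknown location" are not searched.

```powershell
# Added example, not part of the original guide and not Spybot's own code: checks
# a live Windows machine for the SurfSideKick indicators listed in this guide and,
# only when run with -Remove, deletes what it finds. "Unknown location" items are
# not searched. Run elevated with Internet Explorer closed; re-run after a reboot.
param([switch]$Remove)

# Guide placeholders -> real paths. <$LOCALSETTINGS> is assumed to be the XP-style
# "%USERPROFILE%\Local Settings" folder (on Vista+ this data is under %LOCALAPPDATA%).
$map = @{ '<$PROGRAMFILES>' = $env:ProgramFiles; '<$SYSDIR>' = "$env:SystemRoot\System32"
          '<$WINDIR>' = $env:SystemRoot; '<$APPDATA>' = $env:APPDATA
          '<$LOCALSETTINGS>' = "$env:USERPROFILE\Local Settings" }
function Expand-GuidePath([string]$p) { foreach ($k in $map.Keys) { $p = $p.Replace($k, $map[$k]) }; $p }
$script:hits = 0
function Report([string]$kind, [string]$what) { $script:hits++; Write-Host "[$kind] $what" }

# Files from the Files section, then the two folders (so files are handled first).
$paths = @('<$PROGRAMFILES>\SurfSideKick 3\Ssk.exe', '<$PROGRAMFILES>\SurfSideKick 3\SskBho.dll',
  '<$PROGRAMFILES>\SurfSideKick 3\SskCore.dll', '<$PROGRAMFILES>\SurfSideKick 3\SskFFCore.dll',
  '<$SYSDIR>\bk.exe', '<$SYSDIR>\repairs.dll', '<$SYSDIR>\SSK3.exe', '<$SYSDIR>\ssn6tuu.exe',
  '<$SYSDIR>\Yunguyo.exe', '<$SYSDIR>\SSK3_B5 Seedcorn 4.exe', '<$WINDIR>\DXCecho.exe',
  '<$WINDIR>\SSK3_B5.exe', '<$WINDIR>\SSK_B5.EXE', '<$WINDIR>\netdx.dat', '<$WINDIR>\prntc.log',
  '<$APPDATA>\Sskcwrd.dll', '<$APPDATA>\Sskknwrd.dll', '<$APPDATA>\Sskuknwrd.dll',
  '<$LOCALSETTINGS>\Temporary Internet Files\Ssk.log', '<$LOCALSETTINGS>\Temp\uD.bat',
  '<$LOCALSETTINGS>\Temp\SskUpdater.exe', '<$LOCALSETTINGS>\Temp\ssk3_b5.exe', '<$LOCALSETTINGS>\Temp\s11k.4.exe',
  '<$LOCALSETTINGS>\Temp\i3.tmp', '<$LOCALSETTINGS>\Temp\i3F.tmp',
  '<$PROGRAMFILES>\SurfSideKick 3', '<$PROGRAMFILES>\SurfSideKick 2')
# Ssk.exe holds its own files open while running, so stop it before deleting. repairs.dll
# (loaded via AppInit_DLLs) stays in use until reboot; its deletion may fail on the first run.
if ($Remove) { Get-Process -Name Ssk -ErrorAction SilentlyContinue | Stop-Process -Force }
foreach ($p in ($paths | ForEach-Object { Expand-GuidePath $_ })) {
  if (Test-Path -LiteralPath $p) { Report 'file' $p; if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force } }
}

# Autorun entries named "SurfSideKick 2"/"SurfSideKick 3" or pointing at an Ssk.exe
# (Run keys only, an assumption; the guide notes further autorun entries it does not spell out).
foreach ($hive in 'HKLM:', 'HKCU:') {
  $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
  $run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
  if (-not $run) { continue }
  foreach ($n in $run.GetValueNames()) {
    $data = [string]$run.GetValue($n)
    if ($n -match '^SurfSideKick [23]$' -or $data -like '*\Ssk.exe*') {
      Report 'autorun' "$runKey\$n = $data"
      if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $n }
    }
  }
}

# Keys from the Registry section. HKCR has no drive by default, so use the provider path.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$keys = @("$hkcr\TypeLib\{22481ECF-6213-4385-A287-E457B22E3A2E}", "$hkcr\TypeLib\{72EC96E8-30EB-4DA8-9446-B4366BF00249}",
  "$hkcr\TypeLib\{5769647E-6937-4390-BC5A-F5A986CAA1F2}", "$hkcr\Interface\{34E97B51-AB15-419B-96D1-1B2469659004}",
  "$hkcr\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}", "$hkcr\CLSID\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}",
  "$hkcr\Fseytdc.Ariaqudok", "$hkcr\Fseytdc.Ariaqudok.1", "$hkcr\Fseytdc.Yvakt", "$hkcr\Fseytdc.Yvakt.1",
  'HKLM:\SOFTWARE\kSR39sJ5', 'HKLM:\SOFTWARE\SurfSideKick2', 'HKLM:\SOFTWARE\SurfSideKick3',
  'HKCU:\Software\SurfSideKick2', 'HKCU:\Software\SurfSideKick3',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE0ECC2F-0C33-494C-8B22-B57A7763027F}',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5E2A3E7-00FE-4D31-A030-A10799DDCA66}')
foreach ($k in $keys) {
  if (Test-Path -LiteralPath $k) { Report 'regkey' $k; if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force } }
}

# Individual values from the Registry section (key + value name).
$ie = 'Software\Microsoft\Internet Explorer'
$values = @(@{ Key = "HKLM:\$ie\UrlSearchHooks"; Name = '{02EE5B04-F144-47BB-83FB-A60BD91B74A9}' },
  @{ Key = "HKCU:\$ie\URLSearchHooks"; Name = '{02EE5B04-F144-47BB-83FB-A60BD91B74A9}' },
  @{ Key = "HKCU:\$ie\URLSearchHooks"; Name = '_{02EE5B04-F144-47BB-83FB-A60BD91B74A9}' },
  @{ Key = "HKCU:\$ie\Security"; Name = 'rpt' }, @{ Key = "HKCU:\$ie\Security"; Name = 'sox_id' },
  @{ Key = "HKCU:\$ie\Security"; Name = 'sox_ver' })
foreach ($v in $values) {
  if (Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue) {
    Report 'regvalue' "$($v.Key)\$($v.Name)"; if ($Remove) { Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name }
  }
}

# AppInit_DLLs is a space- or comma-separated list loaded into every process that uses
# user32.dll; drop only the "repairs" entry and write the remaining entries back unchanged.
$winNt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$raw  = [string](Get-ItemProperty -LiteralPath $winNt -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
$all  = @($raw -split '[ ,]+' | Where-Object { $_ })
$keep = @($all | Where-Object { [IO.Path]::GetFileNameWithoutExtension($_) -ne 'repairs' })
if ($keep.Count -lt $all.Count) {
  Report 'AppInit_DLLs' $raw; if ($Remove) { Set-ItemProperty -LiteralPath $winNt -Name AppInit_DLLs -Value ($keep -join ' ') }
}

# "text/html" contains a slash, which the PowerShell registry provider reads as a path
# separator, so this key is opened through .NET instead.
$flt = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('PROTOCOLS\Filter\text/html', [bool]$Remove)
if ($flt -and $flt.GetValue('CLSID') -eq '{DA28E0DB-229C-4003-827E-96AE15AD90FB}') {
  Report 'mimefilter' 'HKCR\PROTOCOLS\Filter\text/html\CLSID'; if ($Remove) { $flt.DeleteValue('CLSID') }
}
if ($flt) { $flt.Close() }

if ($script:hits -eq 0) { Write-Host 'No SurfSideKick indicators found.' }
elseif (-not $Remove) { Write-Host "$script:hits indicator(s) found; re-run with -Remove to delete them." }
```

Run it once without -Remove and review the report before running it again with -Remove; a file that is still in use (typically repairs.dll) will produce a non-terminating Remove-Item error, which is the cue to reboot and run the script a second time. On 64-bit Windows, which this 2008 guide predates, the COM registrations of a 32-bit Internet Explorer add-on live under Wow6432Node rather than directly under CLSID, so an empty report there is not proof of a clean system.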

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.