Spyware.SurfSpy

Printer Friendly Page

Updated: February 13, 2007 11:38:30 AM
Type: Spyware
Version: 2.10
Publisher: Sureshot Software
Risk Impact: High
File Names: sescli.exe; surfspypersonal.exe

Behavior


Spyware.SurfSpy is an invisible tool that monitors Internet activity, captures the link of every visited Web site, and stores it in an encrypted log file. The log file can be sent secretly by email to a specified recipient.

Symptoms


Your Symantec program detects this threat as Spyware.SurfSpy.

Transmission


Spyware.SurfSpy must be manually installed on your system.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version July 13, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date July 14, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: February 13, 2007 11:38:30 AM
Type: Spyware
Version: 2.10
Publisher: Sureshot Software
Risk Impact: High
File Names: sescli.exe; surfspypersonal.exe


When Spyware.SurfSpy is installed, it performs the following actions:

1. Shows the end user license agreement.


2. Prompts a user asking which folder the programs are to be installed.


3. Creates the specified folder if it is not present. It also creates the subfolder system.


4. Copies the following files:

  • <installed path>\config.exe
  • <installed path>\faq.html
  • <installed path>\manual.html
  • <installed path>\uninstall.bat
  • <installed path>\system\sescli.cfg
  • <installed path>\system\sescli.exe

5. Allows the user to perform any of the following actions:
  • Start the spyware program automatically when the system is restarted and adds the values:
"Session Client" = "<installed path>\sescli.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Log all the Internet activity, including the visited Web sites, user name, IP addresses, computer name, and access times, into a password-protected encrypted file.
  • Send email messages with encrypted log files attached secretly to a specified email address.
  • Log to a server running a dedicated server-side program waiting for incoming connections on a specified port.


Updated: February 13, 2007 11:38:30 AM
Type: Spyware
Version: 2.10
Publisher: Sureshot Software
Risk Impact: High
File Names: sescli.exe; surfspypersonal.exe


This spyware program can be uninstalled using the batch file named uninstall.bat located in the installed folder. However, Symantec recommends the following procedure.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Record the path to the installed files.
  3. Delete all the installed files.
  4. Run a full system scan and delete all the files detected as Spyware.SurfSpy.
  5. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To record the path to the installed files
a. Start your Symantec antivirus program and run a full system scan.
b. If any files are detected as Spyware.SurfSpy, record the path to the file.

3. To delete all installed files
a. Depending on your version of Windows, do one of the following:
  • Click Start, point to Programs, and then click MS-DOS Prompt.
  • Click Start, point to Programs, click Accessories, and then click Command Prompt.

b. Type, or copy and paste, the following text:

rmdir /s "<path to the installed file>"

then click OK .


c. If a prompt message confirming this action appears, click Y .

4. To scan for and delete the files
a. Start your Symantec antivirus program, and then run a full system scan.
b. If any files are detected as Spyware.SurfSpy, click Delete .

Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

5. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

Note:
This is done to make sure that all the keys are removed. They may not be there if regsvr32 removed them.

a. Click Start > Run .
b. Type regedit

Then click OK .


c. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


d. In the right pane, delete the value:

"Session Client" = "<installed path>\sescli.exe"


e. Exit the Registry Editor.