Archive for October, 2005

Spyware Removal Tool Has Been Stolen

Smitrem is a tool created by noahdfear that is used to remove files associated with smitfraud, spy sheriff, psguard, and other related malware. It has been in use for quite a while, though I am unsure of the exact date it was created, and does an excellent job removing this malware.

It has come to light in the past few days that a person named Pcbutts1 has stolen this utility and branded it so that it says he made it. The problem is, this person obviously did not know how to use search and replace as he left noahdfear’s name, as well as other people who helped with the tool, in the script.

Further research into Pcbutts shows that he is a flamer and a troll and is commonly seen on the Microsoft newsgroups offering bad advice, ripping off others’ work, and offering downloads for programs that he has no right to offer for download. If you run into this character, please avoid any advice he may have to offer.

As more information about this comes to light, I will update this blog.

For those who want to know the correct tool to use, this is a direct link to noahdfear’s smitrem program.

smitrem.exe

If you would like to make a complaint about this to the hosting company for pcbutt’s website, you can send it to the following contact:

Mr. Scott Knowles
Interland Shared Abuse Department
Interland, Inc.
303 Peachtree Center Avenue, Suite 500
Atlanta, GA 30303

voice: 404-260-2477, opt 9 (ext 5260)

abuse@interland.com


More Surf Sidekick 3

After playing around a bit more with Surf Sidekick 3, you may be able to get rid of it fairly easily even if you do not have an option for it in your add/remove programs control panel.

Simply click on Start, then Run, and type:

C:\Program Files\SurfSideKick 3\Ssk.exe /u

Then press the OK button. It should start the uninstall procedure. If it asks you to type in the code that is displayed, please do so and reboot. The program “should” be uninstalled now.


Surf Sidekick 3 Just Sucked 2 Hours Out Of My Life

I thought I would take some time out of working on BC and start trying to figure out a fix for an annoying adware called Surf Sidekick 3. This bugger comes in two flavors: easy to remove and very very very annoying to remove. For the easy method you just have to uninstall it via Add/Remove Programs. For the hard method, there is no Add/Remove option and you're stuck with the sucker.

The latest incarnation of this program will install a DLL in your %System% folder called repairs.dll or repairs<random-number>.dll, which is started via the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Any DLL listed in that key will load when a program that requires user32.dll is launched. Because almost every Windows program requires user32.dll, this repairs.dll file is loaded in almost all of your running processes. As you can imagine, that makes the file very difficult to remove. This key also loads in safe mode, so simply booting into safe mode and clearing the key does not help either.

The repairs.dll is basically a protector program. It monitors itself and the other programs associated with this program listed in the registry and makes sure they stay there. If it detects that a registry key under its protection is removed, it adds it back. So the key to removing this infection is to get rid of the file loaded in the AppInit_DLLs key.

Unfortunately, I have not been able to find a good tool that I can use to automate the killing of the repairs.dll module from each running process, and the method that can be used cannot be automated or explained very well for the basic user.

So for now the ways to fix this adware are the following:

1. Uninstall via Add/Remove Programs if you're lucky.

2. If Windows is loaded on a FAT partition, then you can simply reboot via a bootdisk and delete this file as well as the folder c:\program files\surf sidekick 3\.

3. If Windows is loaded on an NTFS partition, then you need to create a boot CD like BartPE and delete the DLL and c:\program files\surf sidekick 3\.

If I come up with an automated fix I will let everyone know.
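A read-only check for the AppInit_DLLs key described above, written in PowerShell as an added example that is not part of the original post. The function names are illustrative, and it assumes PowerShell 3.0 or later running at the same bitness as Windows from an elevated prompt; LoadAppInit_DLLs is a value that exists only on later Windows versions.

```powershell
# Added example: read-only audit of AppInit_DLLs. It changes nothing.
# Assumptions: PowerShell 3.0+, same bitness as Windows, elevated prompt.
$subKey = 'Microsoft\Windows NT\CurrentVersion\Windows'
$views  = @(
    "HKLM:\SOFTWARE\$subKey",              # native registry view
    "HKLM:\SOFTWARE\Wow6432Node\$subKey"   # 32-bit view on 64-bit Windows
)

function Split-AppInitValue {
    param([string]$Value)
    # The value holds DLL names separated by spaces or commas.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[\s,]+' | Where-Object { $_ })
}

function Resolve-AppInitPath {
    param([string]$Name, [bool]$Wow64)
    $Name = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($Name)) { return $Name }
    # A bare file name such as repairs.dll is looked up in the system folder.
    $sysDir = if ($Wow64) { 'SysWOW64' } else { 'System32' }
    return Join-Path $env:SystemRoot (Join-Path $sysDir $Name)
}

foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view)) { continue }
    $props = Get-ItemProperty -LiteralPath $view
    $wow64 = $view -like '*Wow6432Node*'
    foreach ($entry in Split-AppInitValue $props.AppInit_DLLs) {
        $file = Resolve-AppInitPath -Name $entry -Wow64 $wow64
        $sig = 'FileMissing'
        if (Test-Path -LiteralPath $file) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $file).Status
        }
        [pscustomobject]@{
            View = $view; Entry = $entry; Path = $file; Signature = $sig
            LoadAppInit = $props.LoadAppInit_DLLs  # absent on older Windows
        }
    }
}
```

No output means the value is empty in both registry views; an unsigned or missing file listed here is the entry to investigate.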


© 2003-2008 All Rights Reserved Bleeping Computer LLC.
