Removing SurfsideKick3

Ran into a very stubborn case of SurfSideKick3 lately.

This posting eventually did the trick. http://www.cybertechhelp.com/forums/showthread.php?t=87193

I think the most critical part of the procedure was using Reglite to change the registry entry for Windows NT. This allowed the deletion of the repairs.dll which was responsible for reloading SurfSideKick. After repairs.dll was deleted I could then remove the entire SurfSideKick directory and all the related entries from HijackThis.

Here are the main excerpts from the posting.

1) Download Ewido Security Suite from here: http://www.ewido.net/

Launch Ewido, there should be an icon on your desktop, double-click it. The program will now go to the main screen. You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates: http://www.ewido.net/en/download/updates/

When installing, under “Additional Options” uncheck : “Install background guard” and “Install scan via context menu”.

Do not run a scan yet.

Now, go to Start> Control Panel> Add or Remove Programs and remove if present:

SurfSideKick 3

Then run HijackThis, do a system scan only and place a check mark next to the following entries:

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - E:\Program Files\SurfSideKick 3\SskBho.dll

O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - E:\WINDOWS\system32\communicator.dll

O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - E:\WINDOWS\system32\communicator.dll

O4 - HKLM\..\Run: [stb] E:\WINDOWS\system32\stb.exe

O4 - HKLM\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O15 - Trusted Zone: *.akamai.net
O15 - Trusted Zone: http://Download.Windowsupdate.com

O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O20 - AppInit_DLLs: repairs.dll

Close all the windows (browsers, programs) and click Fix checked.

Boot into Safe mode by tapping F8 as your computer restarts. Make sure that you can view hidden files and folders and uncheck “Hide Extensions for Known File Types” and delete the following files or folders highlighted in bold if they are still present:

E:\Program Files\SurfSideKick 3
E:\WINDOWS\system32\stb.exe
repairs.dll <-- Search for it, probably located in System32

Run Ewido. Click on scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido.

2) Download the following reg file to your desktop. When it is finished downloading double-click on it and say Yes when it asks if you would like to merge the data.

fixssk.reg

3) Search for this file:

repairs.dll

Then download Pocket Killbox from here:

http://www.cybertechhelp.com/download/file/pocket-killbox

But don’t run it yet.

Boot into safe mode. Open Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

4) Download RegLite :

http://www.resplendence.com/downloads

Reboot into Safe Mode

Open Reglite and copy and paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder(Highlighted in Blue)

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced options

Now under All Files and Folders, enter this into the text box:

repairs.dll

Delete any exact matches

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows.

Have HijackThis fix this entry if it's still there

O20 - AppInit_DLLs: repairs.dll

After the protection is removed you should then be able to delete the file...

C:\Windows\System32\repairs.dll <--delete that.
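Two parts of the excerpt lend themselves to a small script: picking the SurfSideKick entries out of a HijackThis log (the list of lines to check above), and the AppInit_DLLs value under the Windows NT\CurrentVersion\Windows key that kept reloading repairs.dll. The example below is added here and is not from the posting or from either tool; the sample log is constructed from the entries quoted above, written with the plain " - " separator HijackThis itself emits rather than the dashes the page shows. The triage rules (a path inside the SurfSideKick directory, one of the five file names the posting names, or any populated AppInit_DLLs entry) are my own choice. The `remove_dll` function only computes the cleaned value; it does not write to the registry, so the result is applied by hand in Reglite or regedit as the posting does. `read_appinit_dlls` uses the standard-library `winreg` module and returns None when not on Windows.

```python
import re
import sys

# --- Part 1: triage of HijackThis-style log lines -------------------------
# Constructed sample modelled on the entries quoted in the posting, plus one
# benign Run entry (ctfmon) so the filter has something to pass over.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - E:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - E:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [stb] E:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] E:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.akamai.net
O20 - AppInit_DLLs: repairs.dll
"""

# File names the posting ties to SurfSideKick 3 (compared case-insensitively).
SSK_FILES = {"sskbho.dll", "ssk.exe", "stb.exe", "communicator.dll", "repairs.dll"}
# "O4 - <rest of entry>": section code, separator, body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Last path component ending in .dll or .exe anywhere in the body.
FILE_RE = re.compile(r"[\w.-]+\.(?:dll|exe)\b")


def triage(log_text):
    """Return [(section, reason, line)] for entries the rules flag."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line, not an entry
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        hits = SSK_FILES.intersection(FILE_RE.findall(lower))
        if "surfsidekick" in lower:
            reason = "path inside the SurfSideKick directory"
        elif hits:
            reason = "known SurfSideKick file: " + ", ".join(sorted(hits))
        elif section == "O20":
            # AppInit_DLLs loads the listed DLLs into every process that maps
            # user32.dll, so any value here deserves a look.
            reason = "AppInit_DLLs is populated"
        else:
            continue
        findings.append((section, reason, line))
    return findings


# --- Part 2: the AppInit_DLLs value ----------------------------------------
# Key and value named in the posting (path relative to HKEY_LOCAL_MACHINE).
APPINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"


def split_dlls(value):
    """AppInit_DLLs is a REG_SZ list separated by spaces or commas."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def remove_dll(value, dll_name):
    """Return the value with every entry whose file name matches dll_name dropped."""
    target = dll_name.lower()
    keep = [p for p in split_dlls(value)
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() != target]
    return " ".join(keep)


def read_appinit_dlls():
    """Read the live value on Windows; None elsewhere or if the value is unset."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
        except FileNotFoundError:
            return None
    return value


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
    live = read_appinit_dlls()
    print("live AppInit_DLLs:", repr(live))
    if live:
        print("after removing repairs.dll:", repr(remove_dll(live, "repairs.dll")))
```

Run against the constructed sample, the six SurfSideKick lines are reported and the ctfmon and Trusted Zone lines are not. On a Windows machine the last two lines show the current AppInit_DLLs string and what it would look like with repairs.dll taken out; because the DLL is loaded into every user32 process as soon as the value is read, the file itself still cannot be deleted until that value is cleared (or the key renamed, as the posting does) and the machine rebooted.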