- 13 February 2007
- Sureshot Software
- Risk Impact:
- File Names:
- sescli.exe; surfspypersonal.exe
Spyware.SurfSpy is an invisible tool that monitors Internet activity, captures the link of every visited Web site, and stores it in an encrypted log file. The log file can be sent secretly by email to a specified recipient.
Your Symantec program detects this threat as Spyware.SurfSpy.
Spyware.SurfSpy must be manually installed on your system.
Antivirus Protection Dates
- Initial Rapid Release version 02 October 2014 revision 022
- Latest Rapid Release version 01 February 2015 revision 020
- Initial Daily Certified version 13 July 2004
- Latest Daily Certified version 28 September 2010 revision 036
- Initial Weekly Certified release date 14 July 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
When Spyware.SurfSpy is installed, it performs the following actions:
1. Shows the end user license agreement.
2. Prompts a user asking which folder the programs are to be installed.
3. Creates the specified folder if it is not present. It also creates the subfolder system.
4. Copies the following files:
- <installed path>\config.exe
- <installed path>\faq.html
- <installed path>\manual.html
- <installed path>\uninstall.bat
- <installed path>\system\sescli.cfg
- <installed path>\system\sescli.exe
- Start the spyware program automatically when the system is restarted and adds the values:
to the registry key:
- Log all the Internet activity, including the visited Web sites, user name, IP addresses, computer name, and access times, into a password-protected encrypted file.
- Send email messages with encrypted log files attached secretly to a specified email address.
- Log to a server running a dedicated server-side program waiting for incoming connections on a specified port.
This spyware program can be uninstalled using the batch file named uninstall.bat located in the installed folder. However, Symantec recommends the following procedure.
The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
- Update the definitions.
- Record the path to the installed files.
- Delete all the installed files.
- Run a full system scan and delete all the files detected as Spyware.SurfSpy.
- Delete the value that was added to the registry.
1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.
2. To record the path to the installed files
a. Start your Symantec antivirus program and run a full system scan.
b. If any files are detected as Spyware.SurfSpy, record the path to the file.
3. To delete all installed files
a. Depending on your version of Windows, do one of the following:
- Click Start, point to Programs, and then click MS-DOS Prompt.
- Click Start, point to Programs, click Accessories, and then click Command Prompt.
rmdir /s "<path to the installed file>"
then click OK .
c. If a prompt message confirming this action appears, click Y .
4. To scan for and delete the files
a. Start your Symantec antivirus program, and then run a full system scan.
b. If any files are detected as Spyware.SurfSpy, click Delete .
Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
5. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
Note: This is done to make sure that all the keys are removed. They may not be there if regsvr32 removed them.
a. Click Start > Run .
b. Type regedit
Then click OK .
c. Navigate to the key:
d. In the right pane, delete the value:
"Session Client" = "<installed path>\sescli.exe"
e. Exit the Registry Editor.