Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Sureshot Software
Risk Impact:
File Names:
sescli.exe; surfspypersonal.exe


Spyware.SurfSpy is an invisible tool that monitors Internet activity, captures the link of every visited Web site, and stores it in an encrypted log file. The log file can be sent secretly by email to a specified recipient.


Your Symantec program detects this threat as Spyware.SurfSpy.


Spyware.SurfSpy must be manually installed on your system.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 13 July 2004
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 14 July 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.SurfSpy is installed, it performs the following actions:

1. Shows the end user license agreement.

2. Prompts a user asking which folder the programs are to be installed.

3. Creates the specified folder if it is not present. It also creates the subfolder system.

4. Copies the following files:
  • <installed path>\config.exe
  • <installed path>\faq.html
  • <installed path>\manual.html
  • <installed path>\uninstall.bat
  • <installed path>\system\sescli.cfg
  • <installed path>\system\sescli.exe

5. Allows the user to perform any of the following actions:
  • Start the spyware program automatically when the system is restarted and adds the values:
"Session Client" = "<installed path>\sescli.exe"

to the registry key:


  • Log all the Internet activity, including the visited Web sites, user name, IP addresses, computer name, and access times, into a password-protected encrypted file.
  • Send email messages with encrypted log files attached secretly to a specified email address.
  • Log to a server running a dedicated server-side program waiting for incoming connections on a specified port.

This spyware program can be uninstalled using the batch file named uninstall.bat located in the installed folder. However, Symantec recommends the following procedure.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Record the path to the installed files.
  3. Delete all the installed files.
  4. Run a full system scan and delete all the files detected as Spyware.SurfSpy.
  5. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To record the path to the installed files
a. Start your Symantec antivirus program and run a full system scan.
b. If any files are detected as Spyware.SurfSpy, record the path to the file.

3. To delete all installed files
a. Depending on your version of Windows, do one of the following:
  • Click Start, point to Programs, and then click MS-DOS Prompt.
  • Click Start, point to Programs, click Accessories, and then click Command Prompt.

b. Type, or copy and paste, the following text:

rmdir /s "<path to the installed file>"

then click OK .

c. If a prompt message confirming this action appears, click Y .

4. To scan for and delete the files
a. Start your Symantec antivirus program, and then run a full system scan.
b. If any files are detected as Spyware.SurfSpy, click Delete .

Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

5. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

This is done to make sure that all the keys are removed. They may not be there if regsvr32 removed them.

a. Click Start > Run .
b. Type regedit

Then click OK .

c. Navigate to the key:


d. In the right pane, delete the value:

"Session Client" = "<installed path>\sescli.exe"

e. Exit the Registry Editor.