NEWS
PARASITES
SOFTWARE
FORUM
DIRECTORY

 
 
 
 
 
 
  

Remove Win-Spy. Description and removal instructions

 
Title: Win-Spy
Type: Remote Administration Tools
Severity scale:Win-Spy severity is 81  (81 / 100)
 
Win-Spy is a powerful commercial computer surveillance system that tracks user activity, monitors network connections, logs keystrokes, takes screenshots, captures online chat conversations and pictures from a webcam, records e-mail messages, passwords and web sites visited. Win-Spy allows the person controlling it to browse the affected computer's file system, upload and run arbitrary software, manage files, modify essential system settings and control a PC. The program reports gathered data through the web based interface. Win-Spy is able to hide its running processes. The RAT must be manually installed. It secretly runs on every Windows startup.

FORUM:
Discuss Win-Spy in
spyware removal forum

Win-Spy properties:
• Allows remote user connection
• Takes and sends out screenshots of user activity
• Logs keystrokes
• Connects itself to the internet
• Hides from the user
• Stays resident in background

Automatic Win-Spy removal:

remover for Win-Spy

Win-Spy manual removal:

Kill processes:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe
HELP:
how to kill malicious processes

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AtiSound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions=1
HKEY_LOCAL_MACHINE\SOFTWARE\artx
HKEY_LOCAL_MACHINE\SOFTWARE\cams
HKEY_LOCAL_MACHINE\SOFTWARE\ixds
HKEY_LOCAL_MACHINE\SOFTWARE\Meta
HKEY_LOCAL_MACHINE\SOFTWARE\msim
HKEY_LOCAL_MACHINE\SOFTWARE\Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Service
HKEY_LOCAL_MACHINE\SOFTWARE\tcpip
HKEY_LOCAL_MACHINE\SOFTWARE\VideoSys
HKEY_CLASSES_ROOT\AOSMTP.[X]
HKEY_CLASSES_ROOT\EmExcel.Embed
HKEY_CLASSES_ROOT\InetCtls.Inet
HKEY_CLASSES_ROOT\InetCtls.Inet.1
HKEY_CLASSES_ROOT\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}
HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_CLASSES_ROOT\CLSID\{909B99FC-EDE8-4F61-A9E7-028B14701342}
HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_CLASSES_ROOT\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{B60E2F6C-9BA3-437B-9A2C-5445249C5CAB}
HKEY_CLASSES_ROOT\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_CLASSES_ROOT\CLSID\{BAD38DB2-DF5F-4DC4-9C3C-4E6AEB9DB66B}
HKEY_CLASSES_ROOT\CLSID\{C1037135-FC59-4EF9-9624-F6FE0C91B4C3}
HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}
HKEY_CLASSES_ROOT\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}
HKEY_CLASSES_ROOT\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4565-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{501D5248-30CC-4CFD-9468-AED3D7CF4C3F}
HKEY_CLASSES_ROOT\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}
HKEY_CLASSES_ROOT\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}
HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{AE41506E-6725-4995-A6E5-7513131505FA}
HKEY_CLASSES_ROOT\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{C42CD1DF-517A-4A17-85C7-D93F468008DB}
HKEY_CLASSES_ROOT\Interface\{D5A034DB-0A2F-4328-B0ED-8CEEECF1C973}
HKEY_CLASSES_ROOT\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}
HKEY_CLASSES_ROOT\Interface\{DBCF04F3-5AE1-4DEC-84E5-E02F742DCAAD}
HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}
HKEY_CLASSES_ROOT\TypeLib\{B6982069-36D9-42D7-B48B-799034173375}
HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\TypeLib\{E3461F89-7106-46E4-A4B2-66ABA4A1869B}
HKEY_CLASSES_ROOT\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}
HELP:
how to remove registry entries

Delete files:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe, aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll
HELP:
how to remove harmful files

Delete directories:
C:\Program Files\Accessories\Temp[X]
Misc:
[X] is a set of certain characters or numbers.

Pressing CTRL+SHIFT+F12 brings main WebMail Spy window. The key combination may vary.

Exact file location:
service.exe - C:\Windows\DLL or C:\Winnt\DLL
aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
csrss.exe, makensis.exe - C:\Windows\System\ComRoot, C:\Windows\System32\ComRoot or C:\Winnt\System32\ComRoot
other files - C:\Windows or C:\Winnt

Other programs to remove Win-Spy:

• Malwarebytes Anti Malware - Review - Download
• Malwarebytes Anti Malware - Review - Download
• Windows Defender - Review - Download

Information added: 19/03/04
Information updated: 18/08/06

Additional resources related to Win-Spy:

Attention: If you know or you have a website or page about Win-Spy removal, feel free to add a link to this list: add url



more resources

Post Comment:

Attention: Use this form only if you have additional information about Win-Spy parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.



Enter security code:


Comments from visitors:

1. About SpywareHunterS by Guest. 2005-05-07 23:05:44
It is Spyware as bad as win-spy

2. re: comment about Win-Spy by miguel 2005-03-10 17:03:27
when i set up this software i got a problem it stay hang my pc for a good time i have to reset my pc could u help me ?? marrymaker@hotmail.com thanks !!

3. re: comment about Win-Spy by Guest. 2005-02-09 08:02:30
Any program that is locked by windows can be removed if you boot into DOS using a DOS 7.1 floppy. I would recommend backing up csrss.exe in DOS, then remove the main copy just in case you really do need it as there is a legitimate MS program with the same name (...subsystem). Then boot into windows and see if things are ok.

4. re: comment about Win-Spy by steve. 2005-02-07 08:02:47
well have tried to delete the file csrss.exe but windows says it is critical. when i do a search and try to delete it it says it is write protected

5. by rohid. 2004-05-29 09:05:32
well!! haven't used it yet!! but guess it will be good
Related news:
Similar parasites:
Related articles:
Latest Spyware Threats: VirusProtect Pro | VirusLocker | SpyCrush | ContraVirus | SpyLocked | SpyDawn | AntiVerminser | SpywareQuake | VirusBurst | AntiVermins | AntiVermeans | Zlob | PopCorn.net | MovieLand | TagASaurus | BraveSentry | VirusBurster | SystemDoctor | VirusRescue | MalwareWipe | SpySheriff | CmdService | Smitfraud | SpywareStrike | WinFixer | WinHound | PestTrap | UnSpyPC
Agreement of Use | Privacy policy | Webmasters | Contact us | RSS Feeds
© 2001-2008 2-spyware.com All Rights Reserved. Reproduction in part or whole without written permission is prohibited. Powered by: eSolutions.