NEWS
PARASITES
SOFTWARE
FORUM
DIRECTORY

 
 
 
 
 
 
  
Title: Win-Spy
Type: Remote Administration Tools

Remove Win-Spy. Removal instructions


 
Severity scale:Win-Spy severity is 81  (81 / 100)
 
Win-Spy is a powerful commercial computer surveillance system that tracks user activity, monitors network connections, logs keystrokes, takes screenshots, captures online chat conversations and pictures from a webcam, records e-mail messages, passwords and web sites visited. Win-Spy allows the person controlling it to browse the affected computer's file system, upload and run arbitrary software, manage files, modify essential system settings and control a PC. The program reports gathered data through the web based interface. Win-Spy is able to hide its running processes. The RAT must be manually installed. It secretly runs on every Windows startup.

Win-Spy properties:
• Allows remote user connection
• Takes and sends out screenshots of user activity
• Logs keystrokes
• Connects itself to the internet
• Hides from the user
• Stays resident in background

Automatic Win-Spy removal:

remover for Win-Spy
SpyHunter is recommended remover to uninstall Win-Spy. You should confirm using free trial that it detects current version of parasite.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manul removal instructions below.

If you failed to remove Win-Spy using SpyHunter please report this to us.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use.
STOPzilla
download | review
We are testing STOPzilla's efficiency at removing Win-Spy (2006-08-18 03:45:26)
Malwarebytes Anti Malware
download | review
We are testing Malwarebytes Anti Malware's efficiency at removing Win-Spy (2006-08-18 03:45:26)
Spyware Doctor
download | review | tutorial
We are testing Spyware Doctor's efficiency at removing Win-Spy (2006-08-18 03:45:26)
XoftSpySE Anti Spyware
download | review

Win-Spy manual removal:

Kill processes:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe
HELP:
how to kill malicious processes

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AtiSound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions=1
HKEY_LOCAL_MACHINE\SOFTWARE\artx
HKEY_LOCAL_MACHINE\SOFTWARE\cams
HKEY_LOCAL_MACHINE\SOFTWARE\ixds
HKEY_LOCAL_MACHINE\SOFTWARE\Meta
HKEY_LOCAL_MACHINE\SOFTWARE\msim
HKEY_LOCAL_MACHINE\SOFTWARE\Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Service
HKEY_LOCAL_MACHINE\SOFTWARE\tcpip
HKEY_LOCAL_MACHINE\SOFTWARE\VideoSys
HKEY_CLASSES_ROOT\AOSMTP.[X]
HKEY_CLASSES_ROOT\EmExcel.Embed
HKEY_CLASSES_ROOT\InetCtls.Inet
HKEY_CLASSES_ROOT\InetCtls.Inet.1
HKEY_CLASSES_ROOT\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}
HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_CLASSES_ROOT\CLSID\{909B99FC-EDE8-4F61-A9E7-028B14701342}
HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_CLASSES_ROOT\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{B60E2F6C-9BA3-437B-9A2C-5445249C5CAB}
HKEY_CLASSES_ROOT\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_CLASSES_ROOT\CLSID\{BAD38DB2-DF5F-4DC4-9C3C-4E6AEB9DB66B}
HKEY_CLASSES_ROOT\CLSID\{C1037135-FC59-4EF9-9624-F6FE0C91B4C3}
HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}
HKEY_CLASSES_ROOT\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}
HKEY_CLASSES_ROOT\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4565-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{501D5248-30CC-4CFD-9468-AED3D7CF4C3F}
HKEY_CLASSES_ROOT\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}
HKEY_CLASSES_ROOT\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}
HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{AE41506E-6725-4995-A6E5-7513131505FA}
HKEY_CLASSES_ROOT\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{C42CD1DF-517A-4A17-85C7-D93F468008DB}
HKEY_CLASSES_ROOT\Interface\{D5A034DB-0A2F-4328-B0ED-8CEEECF1C973}
HKEY_CLASSES_ROOT\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}
HKEY_CLASSES_ROOT\Interface\{DBCF04F3-5AE1-4DEC-84E5-E02F742DCAAD}
HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}
HKEY_CLASSES_ROOT\TypeLib\{B6982069-36D9-42D7-B48B-799034173375}
HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\TypeLib\{E3461F89-7106-46E4-A4B2-66ABA4A1869B}
HKEY_CLASSES_ROOT\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}
HELP:
how to remove registry entries

Delete files:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe, aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll
HELP:
how to remove harmful files

Delete directories:
C:\Program Files\Accessories\Temp[X]
Misc:
[X] is a set of certain characters or numbers.

Pressing CTRL+SHIFT+F12 brings main WebMail Spy window. The key combination may vary.

Exact file location:
service.exe - C:\Windows\DLL or C:\Winnt\DLL
aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
csrss.exe, makensis.exe - C:\Windows\System\ComRoot, C:\Windows\System32\ComRoot or C:\Winnt\System32\ComRoot
other files - C:\Windows or C:\Winnt
Information added: 2004-03-19 10:00:00
Information updated: 2006-08-18 01:08:11

Additional resources related to Win-Spy:

Attention: If you know or you have a website or page about Win-Spy removal, feel free to add a link to this list: add url
more resources
0
0
rohid
well!! haven't used it yet!! but guess it will be good
2004 05 29
0
0
steve
well have tried to delete the file csrss.exe but windows says it is critical. when i do a search and try to delete it it says it is write protected
2005 02 07
0
0
Guest
Any program that is locked by windows can be removed if you boot into DOS using a DOS 7.1 floppy. I would recommend backing up csrss.exe in DOS, then remove the main copy just in case you really do need it as there is a legitimate MS program with the same name (...subsystem). Then boot into windows and see if things are ok.
2005 02 09
0
0
miguel
when i set up this software i got a problem it stay hang my pc for a good time i have to reset my pc could u help me ?? marrymaker@hotmail.com thanks !!
2005 03 10
0
0
Guest
It is Spyware as bad as win-spy
2005 05 07

Post Comment:

Attention: Use this form only if you have additional information about Win-Spy parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.
Home page Name



«


* All field required
Related news:
Similar parasites:
Related articles:
Compare spyware removers
Compare free products

HijackThis Log Analyzer Beta 2 HijackThis Log Analyzer Beta 2

I failed to remove Win-Spy using SpyHunter.

Email


Close

Spreading the knowledge:

It is very hard to fight Computer parasites alone in internet space. If you have a website we would be more than happy if you would help us to spread the knowledge about latest threats. You can help your visitors to manage their Computer system manually without aditional expences. Knowledge is the power, we just need to spread it.
add text box
rss feed
help other
Latest Spyware Threats: Internet Security 2012 | Win 7 Total security 2012 | System Check | Win 7 Internet Security 2012 | Win 7 Home Security 2012 | Win 7 Antivirus 2012 | Win 7 Antispyware 2012 | Vista Security 2012 | Vista Antivirus 2012 | Vista Antispyware 2012 | XP Antispyware 2012 | XP Antivirus 2012 | XP Security 2012 | XP Home Security 2012 | Security Shield
Agreement of Use | Privacy policy | Webmasters | Contact us | RSS Feeds
© 2001-2011 2-spyware.com All Rights Reserved. Reproduction in part or whole without written permission is prohibited. Powered by: eSolutions.