Severity scale  
  (81/100)

Win-Spy. How to Remove? (Uninstall Guide)

removal by - -   | Type: Remote Administration Tools
12
Win-Spy is a powerful commercial computer surveillance system that tracks user activity, monitors network connections, logs keystrokes, takes screenshots, captures online chat conversations and pictures from a webcam, records e-mail messages, passwords and web sites visited. Win-Spy allows the person controlling it to browse the affected computer's file system, upload and run arbitrary software, manage files, modify essential system settings and control a PC. The program reports gathered data through the web based interface. Win-Spy is able to hide its running processes. The RAT must be manually installed. It secretly runs on every Windows startup. Win-Spy properties:
• Allows remote user connection
• Takes and sends out screenshots of user activity
• Logs keystrokes
• Connects itself to the internet
• Hides from the user
• Stays resident in background

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use. By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.
Do it now!
Download
Reimage - remover Happiness
Guarantee
Compatible with Microsoft Windows
What to do if failed?
If you failed to remove infection using Reimage Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Win-Spy. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.
Reimage is recommended to uninstall Win-Spy. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.
Not using OS X? Download a remover for Windows.
Press Mentions on Reimage
Alternate Software
Alternate Software
Plumbytes
We are testing Plumbytes's efficiency (2015-05-29 10:15)
Malwarebytes Anti Malware
We are testing Malwarebytes Anti Malware's efficiency (2015-05-29 10:15)
Hitman Pro
Webroot SecureAnywhere AntiVirus

Win-Spy manual removal

Kill processes:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AtiSound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions=1
HKEY_LOCAL_MACHINE\SOFTWARE\artx
HKEY_LOCAL_MACHINE\SOFTWARE\cams
HKEY_LOCAL_MACHINE\SOFTWARE\ixds
HKEY_LOCAL_MACHINE\SOFTWARE\Meta
HKEY_LOCAL_MACHINE\SOFTWARE\msim
HKEY_LOCAL_MACHINE\SOFTWARE\Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Service
HKEY_LOCAL_MACHINE\SOFTWARE\tcpip
HKEY_LOCAL_MACHINE\SOFTWARE\VideoSys
HKEY_CLASSES_ROOT\AOSMTP.[X]
HKEY_CLASSES_ROOT\EmExcel.Embed
HKEY_CLASSES_ROOT\InetCtls.Inet
HKEY_CLASSES_ROOT\InetCtls.Inet.1
HKEY_CLASSES_ROOT\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}
HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_CLASSES_ROOT\CLSID\{909B99FC-EDE8-4F61-A9E7-028B14701342}
HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_CLASSES_ROOT\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\CLSID\{B60E2F6C-9BA3-437B-9A2C-5445249C5CAB}
HKEY_CLASSES_ROOT\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_CLASSES_ROOT\CLSID\{BAD38DB2-DF5F-4DC4-9C3C-4E6AEB9DB66B}
HKEY_CLASSES_ROOT\CLSID\{C1037135-FC59-4EF9-9624-F6FE0C91B4C3}
HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}
HKEY_CLASSES_ROOT\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}
HKEY_CLASSES_ROOT\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4565-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\Interface\{501D5248-30CC-4CFD-9468-AED3D7CF4C3F}
HKEY_CLASSES_ROOT\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}
HKEY_CLASSES_ROOT\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}
HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{AE41506E-6725-4995-A6E5-7513131505FA}
HKEY_CLASSES_ROOT\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{C42CD1DF-517A-4A17-85C7-D93F468008DB}
HKEY_CLASSES_ROOT\Interface\{D5A034DB-0A2F-4328-B0ED-8CEEECF1C973}
HKEY_CLASSES_ROOT\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}
HKEY_CLASSES_ROOT\Interface\{DBCF04F3-5AE1-4DEC-84E5-E02F742DCAAD}
HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_CLASSES_ROOT\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_CLASSES_ROOT\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}
HKEY_CLASSES_ROOT\TypeLib\{B6982069-36D9-42D7-B48B-799034173375}
HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
HKEY_CLASSES_ROOT\TypeLib\{E3461F89-7106-46E4-A4B2-66ABA4A1869B}
HKEY_CLASSES_ROOT\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}
Delete files:
comres.exe, comresr.exe, csrss.exe, dcom32.exe, makensis.exe, messanger.exe, msconfig.exe, mstcl.exe, mswin32.exe, ntserv32.exe, outlook32.exe, refsc.exe, rdesk.exe, refcdm.dll, service.exe, spools.exe, svchost32.exe, taskrem.exe, wsldll.exe, aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll
Delete directories:
C:\Program Files\Accessories\Temp[X]
Misc:
[X] is a set of certain characters or numbers.

Pressing CTRL+SHIFT+F12 brings main WebMail Spy window. The key combination may vary.

Exact file location:
service.exe - C:\Windows\DLL or C:\Winnt\DLL
aosmtp.dll, emexcel.dll, hpeg.dll, winhandler.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
csrss.exe, makensis.exe - C:\Windows\System\ComRoot, C:\Windows\System32\ComRoot or C:\Winnt\System32\ComRoot
other files - C:\Windows or C:\Winnt

Geolocation of Win-Spy

Map reveals the prevalence of Win-Spy. Countries and regions that have been affected the most are: United States.

Information updated:

Comments on Win-Spy

0
0
Guest
It is Spyware as bad as win-spy
0
0
miguel
when i set up this software i got a problem it stay hang my pc for a good time i have to reset my pc could u help me ?? marrymaker@hotmail.com thanks !!
0
0
Guest
Any program that is locked by windows can be removed if you boot into DOS using a DOS 7.1 floppy. I would recommend backing up csrss.exe in DOS, then remove the main copy just in case you really do need it as there is a legitimate MS program with the same name (...subsystem). Then boot into windows and see if things are ok.
0
0
steve
well have tried to delete the file csrss.exe but windows says it is critical. when i do a search and try to delete it it says it is write protected
0
1
rohid
well!! haven't used it yet!! but guess it will be good
0
0
Guest
Sry, why cant I remove the "downvote"? It didnt want to klick the button. -.-

Post a comment

Attention: Use this form only if you have additional information about a parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.

Home page Name



«

(All fields are required)