| Spyware.SpyMan removal process |
| Author: admin CopyFrom: web UpdateTime: 2008-5-15 9:15:29 |
1. Download the safer web browser recommended by Google to stay secure on the web and far away from viruses. Download URL: http://www.oral8.net/firefox/firefox.htm
2. Temporarily Disable System Restore (Windows Me/XP).
3. Update the virus definitions. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all Spyware.SpyMan infected files, and delete/modify any values added to the registry.
Navigate to the subkey and delete the values as follows:
When the program is executed, it creates the following folders:
- %System%\fss\AM
- %System%\fss\HM
- %System%\fss\IC
- %System%\fss\images
- %System%\fss\MC
- %System%\fss\MC\14-05-2007
- %System%\fss\OE
- %System%\fss\YC
- %System%\fss\YM
It then creates the following files:
- %UserProfile%\Desktop\how to use SpyMan.lnk
- %UserProfile%\Local Settings\Temp\MSI484eb.LOG
- %UserProfile%\Local Settings\Temp\MSI484ec.LOG
- %UserProfile%\Local Settings\Temp\MSI86d1a.LOG
- %UserProfile%\Local Settings\Temp\MSI86d1b.LOG
- %System%\ExTransparent.dll
- %System%\fss\bad.fss
- %System%\fss\default.lan
- %System%\fss\Filter.fss
- %System%\fss\gud.fss
- %System%\fss\how to use SpyMan.html
- %System%\fss\images\blk111_10.gif
- %System%\fss\images\blk111_11.gif
- %System%\fss\images\blk111_12.gif
- %System%\fss\images\blk111_3.gif
- %System%\fss\images\blk111_4.gif
- %System%\fss\images\blk111_5.gif
- %System%\fss\images\blk111_7.gif
- %System%\fss\images\blk111_8.gif
- %System%\fss\images\blk111_9.gif
- %System%\fss\images\in_01.jpg
- %System%\fss\images\in_02.jpg
- %System%\fss\images\in_03.jpg
- %System%\fss\images\in_04.jpg
- %System%\fss\images\in_05.jpg
- %System%\fss\images\in_06.jpg
- %System%\fss\images\reg.jpg
- %System%\fss\images\scr-comp.gif
- %System%\fss\images\scr-date.gif
- %System%\fss\images\scr-emailweb.gif
- %System%\fss\images\scr-main.gif
- %System%\fss\images\scr-messenger.gif
- %System%\fss\images\spacer.gif
- %System%\fss\images\spybox.jpg
- %System%\fss\images\Thumbs.db
- %System%\fss\KS\14-05-2007.fss
- %System%\fss\misc.fss
- %System%\fss\PR\14-05-2007.fss
- %System%\fss\spanish.lan
- %System%\fss\SS\screenshots.html
- %System%\fss\winspl.exe
- %System%\fss\WV\14-05-2007.fss
- %System%\fss.fss
- %System%\HDSNLib.dll
- %System%\ijl11.dll
- %System%\issf.fss
- %System%\msado27.tlb
- %System%\MSMAPI32.OCX
- %System%\rssf.fss
- %System%\spmErr.txt
- %System%\ssf.fss
- %Windir%\spm.exe
- %SystemRoot%\LogMan.txt
It also drops several files with the following names:
- %System%\fss\SS\[RANDOM NAME]_[DATE]_[TIME].jpg
- %UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp
- %Windir%\Installer\[RANDOM NAME].mst
Next, the program creates the following registry entry so that it executes whenever Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Service" = "C:\WINDOWS\system32\fss\winspl.exe"
The program then creates the following registry subkeys:
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\.Default
- HKEY_CLASSES_ROOT\CLSID\{30BA1EC1-0059-4F91-9489-8D4E1189C688}
- HKEY_CLASSES_ROOT\CLSID\{32AA3950-881F-4712-8B35-83BF6825921F}
- HKEY_CLASSES_ROOT\CLSID\{5D4A5007-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\CLSID\{A71C9F09-FD16-4EFD-A939-A7157371B850}
- HKEY_CLASSES_ROOT\HDSNLib.HDSN
- HKEY_CLASSES_ROOT\Interface\{06F979F8-6769-4E37-8F1E-682C5974AD65}
- HKEY_CLASSES_ROOT\Interface\{473A13B0-A44B-4025-B665-2E1FB3AA707E}
- HKEY_CLASSES_ROOT\Interface\{4ED7A4FC-6D07-4A22-AD0F-E00BC5168058}
- HKEY_CLASSES_ROOT\Interface\{586E813A-46C0-4180-BC90-2092AD205300}
- HKEY_CLASSES_ROOT\Interface\{5D4A5006-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\Interface\{5DF827DD-575A-4E39-A674-7C5EE792EAE7}
- HKEY_CLASSES_ROOT\Interface\{72911F41-3592-4FCE-98FB-4DFE319E2936}
- HKEY_CLASSES_ROOT\Interface\{7BB6757C-0987-4873-B1EF-1908D79C57E8}
- HKEY_CLASSES_ROOT\Interface\{A5F268FB-F09B-4B59-A0B0-B28952CECF99}
- HKEY_CLASSES_ROOT\Interface\{A772B691-5338-4285-8E2B-B16E8076274F}
- HKEY_CLASSES_ROOT\Interface\{AABC19AB-D4EB-4E63-B16D-9A46B935CA7D}
- HKEY_CLASSES_ROOT\Interface\{D5D50503-7894-4282-8E9B-072C04AC15B8}
- HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages.1
- HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages
- HKEY_CLASSES_ROOT\MSMAPI.MAPISession.1
- HKEY_CLASSES_ROOT\MSMAPI.MAPISession
- HKEY_CLASSES_ROOT\TypeLib\{5D4A5005-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\TypeLib\{780134DB-223D-45F5-AB63-5406A0F66C2C}
The program may then perform the following activities on the computer:
- Record all keystrokes
- Take screen shots based on a provided list of keywords
- Monitor and log all applications that are started on the computer
- Monitor chat sessions
- Send all of the saved logs to a predefined email address
- Perform all of the above activities in stealth mode
5. Exit the registry editor.
6. Delete the IE temp files, or download ATF temp files cleaner to run a full cleaning, and restart the computer.
8. Spyware.SpyMan should now be removed successfully.
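A read-only check for a subset of the files, folders and registry entries listed above, which can be run before and after the cleanup to confirm the result; it is an added example, not part of the original article. It assumes %System% is the Windows system directory and %Windir% / %SystemRoot% the Windows directory, and the choice of which listed items to check is this example's own.

```powershell
# Read-only check for Spyware.SpyMan artifacts listed on this page; nothing is deleted.
$sys = [Environment]::SystemDirectory   # assumed meaning of the page's %System%
$win = $env:windir                      # assumed meaning of %Windir% / %SystemRoot%

# Subset of the listed files and folders. MSMAPI32.OCX, a Microsoft MAPI control
# that other software also installs, is left out to avoid false positives.
$paths = @(
    "$sys\fss", "$sys\fss\winspl.exe", "$sys\ExTransparent.dll",
    "$sys\HDSNLib.dll", "$sys\spmErr.txt", "$win\spm.exe", "$win\LogMan.txt"
)

# Subset of the listed registry subkeys, addressed through the Registry provider.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\HDSNLib.HDSN',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{30BA1EC1-0059-4F91-9489-8D4E1189C688}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{780134DB-223D-45F5-AB63-5406A0F66C2C}'
)

$findings = @()
foreach ($item in $paths + $keys) {
    # -LiteralPath takes the name verbatim, with no wildcard interpretation.
    if (Test-Path -LiteralPath $item) {
        $type = if ($item -like 'Registry::*') { 'RegistryKey' } else { 'FileSystem' }
        $findings += [pscustomobject]@{ Type = $type; Item = $item; Detail = 'present' }
    }
}

# The autostart value named on the page: Run\"Microsoft Service".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'Microsoft Service' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\Microsoft Service"
                                    Detail = $run.'Microsoft Service' }
}

# Screenshots are dropped as fss\SS\[RANDOM NAME]_[DATE]_[TIME].jpg; count them,
# since their presence shows that screen captures were actually taken.
$shots = @(Get-ChildItem -LiteralPath "$sys\fss\SS" -Filter '*.jpg' -ErrorAction SilentlyContinue)
if ($shots.Count -gt 0) {
    $findings += [pscustomobject]@{ Type = 'Screenshots'; Item = "$sys\fss\SS"
                                    Detail = "$($shots.Count) .jpg file(s)" }
}

if ($findings.Count -eq 0) { 'No listed Spyware.SpyMan artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```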