Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Risk Impact:
File Names:
Systems Affected:


Spyware.InTheKnow is a program that detects keystrokes and takes snapshots of specified programs on your computer.


The files are detected as Spyware.InTheKnow.


Spyware.InTheKnow must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 22 June 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 23 June 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.InTheKnow runs, it performs the following actions:
  1. Displays an introductory message.

  2. Gives you the option of registering the product at or entering a registration key.

  3. Allows you to type the main password. Typing this password while using any Windows program brings up the user interface.

  4. Gives you the option to determine the interval between taking snapshots.

  5. Gives you the choice of which programs to take snapshots.

  6. Gives you picture management options, including how long files are stored and the maximum storage amount.

  7. Creates these files:
    • %Temp%\WZS2.tmp\SetupITK.exe
    • %Temp%\WZS2.tmp\Hooks32.exe
    • %Temp%\WZS2.tmp\ITKDLL.dll
    • %Temp%\WZS2.tmp\StartUp.exe

      %Temp% is a variable that refers to the path to the temporary files folder.

      These files are used for installation and are subsequently deleted.

  8. Creates these files:
    • %System%\Brnts6.exe
    • %System%\WnDl.exe
    • %System%\MsW54.exe

      %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  9. Creates the folder %System%\Balance, which is to used to store keystroke and snapshot data.

  10. Creates the folder, C:\ITKExport, which is to used to store exported reports that the Spyware generates.

  11. Adds the subkey:


    to the following registry key:


    and adds these values to that subkey:

    "SgjTtVUWBq" = "iA88IFT"

    "Jp-i-cAR" = "1"

    "cQRfpP" = "1"

    "cQRWDCoUo" = "2bfRQ;;bcWoH;;cP.y;;iVFs0DtU;;QCpn;;W-A7;;uLZ2;;FP9Lp;;JWhgkkWA;;1DPpSSDo3PXX;;ANBuDONXORs;;nwrLIMa4v;;XLd2;;B0jkx;;4sSg;;KDhVyVlcs;;6_Sl;;b7eRV;;cwTTrn;;kft26UED;;So5xyI1L,d;;-.w2;;4ChF;;Kg1hy;;ZMeuufxTk;;v.HHWtuq;;g3N3q-BX;;prstq;;VT-L67;;unKO0a;;4ldp."

    "DwQ1pjlEuPfq" = "7"

    "Djm1pjlEuPfq" = "2"

    "DwQ4mCrpjn" = "7"

    "Djm4mCrpjn" = "2"

    "QkfCEClXd5Q" = "D:\sM26t\ukGIQs1f\Yn-p3qt"

    Some of the registry values depend on settings that were made during the installation, and may be different from what is shown above.

  12. Adds the value:

    "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"

    to the registry key:


  13. Adds the value:

    "DPpSSSlU4BksP" = "1"

    to the registry key:


  14. Adds the value:

    "Brnts6.exe" = "%System%\Brnts6.exe"

    to the following registry key:


  15. Deletes the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Uninstall Spyware.InTheKnow.
  3. Run a full system scan and delete all the files detected as Spyware.InTheKnow.
  4. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the Spyware
  1. Type the main password to bring up the user interface to Spyware.InTheKnow.
  2. Click Manager > Uninstall In The Know ...
  3. Follow the prompts.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.InTheKnow, click Delete.

    • If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.
    • If you ran the Add/Remove programs applet as described in the previous section, it is possible that all the files were removed, and therefore none will be detected.

4. To delete the values from the registry

Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

  1. Click Start > Run.
  2. Type regedit > OK.
  3. Navigate to the key:


  4. In the right pane, delete the value:

    "Brnts6.exe" = "%System%\Brnts6.exe"

  5. Navigate to the key:


  6. In the right pane, delete the value:

    "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"

  7. Delete the key:


  8. Exit the Registry Editor.