Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Spyware.XpcSpy

Spyware.XpcSpy

Updated:
13 February 2007
Version:
2.25
Publisher:
X Software Inc
Risk Impact:
Low
File Names:
XPCSpyPro.exe,AppSpy.dll,IESpy.dll,KeySpy.dll,SysDll32.dll,Rx.exe,Systemout.exe,AppMon.dll,IEMon.dll
Systems Affected:
Windows

Behavior


Spyware.XpcSpy is a spyware program that is used to secretly monitor other users by logging keystrokes and screen shots.

Symptoms


Your Symantec program detects Spyware.XpcSpy.

Behavior


This program must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 16 July 2004 revision 002
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 21 July 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Spyware.XpcSpy can do the following:
  • Log keystrokes
  • List all running programs
  • Log instant messenger conversations
  • Take periodic screen shots
  • Send the log files by email or FTP

When Spyware.XpcSpy is executed, it performs the following actions:
  1. May create one or more of the following files:

    • %ProgramFiles%\XSoftware\XPCSpyPro\XPCSpyPro.exe
    • %ProgramFiles%\XSoftware\Working\XPCSpyPro.exe - This is the main spyware file.
    • %ProgramFiles%\XSoftware\XPCSpyPro\AppSpy.dll
    • %ProgramFiles%\XSoftware\XPCSpyPro\IESpy.dll
    • %ProgramFiles%\XSoftware\XPCSpyPro\KeySpy.dll
    • %ProgramFiles%\XSoftware\Working\AppMon.dll
    • %ProgramFiles%\XSoftware\Working\IEMon.dll
    • %ProgramFiles%\XSoftware\Working\KeyMon.dll
    • %ProgramFiles%\XSoftware\Working\StartPrograms\HomePage.lnk
    • %ProgramFiles%\XSoftware\Working\StartPrograms\Readme.lnk
    • %ProgramFiles%\XSoftware\Working\StartPrograms\Run Me.lnk
    • %ProgramFiles%\XSoftware\Working\StartPrograms\Uninstall Me.lnk
    • %ProgramFiles%\XSoftware\Working\StartPrograms\User Manual.lnk
    • %ProgramFiles%\XSoftware\Working\StartPrograms
    • %ProgramFiles%\XSoftware\Working\AppHot.sup
    • %ProgramFiles%\XSoftware\Working\bk.bmp
    • %ProgramFiles%\XSoftware\Working\file_id.diz
    • %ProgramFiles%\XSoftware\Working\IeHot.sup
    • %ProgramFiles%\XSoftware\Working\license.txt
    • %ProgramFiles%\XSoftware\Working\Manual.chm
    • %ProgramFiles%\XSoftware\Working\Readme.txt
    • %ProgramFiles%\XSoftware\Working\record.tdb
    • %ProgramFiles%\XSoftware\Working\UnistInfo.ini
    • %ProgramFiles%\XSoftware\Working\Web.url
    • %ProgramFiles%\XSoftware\unins000.dat
    • %ProgramFiles%\XSoftware\unins000.exe
    • %System%\systemout.exe
    • %System%\SysDll32.dll
    • %System%\rx.exe
    • %System%\wintft.dll
    • %System%\drivers\systemin.sys

      Notes:
      • %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
      • %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. May create one or more of the following folders:

    • %ProgramFiles%\XSoftware
    • %ProgramFiles%\XSoftware\Report
    • %ProgramFiles%\XSoftware\Screenshots
    • %ProgramFiles%\XSoftware\Working
    • %ProgramFiles%\XSoftware\Working\tmp

  3. Adds one or more of the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppMon.TShellExecuteHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEMon.IESpy
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}

  4. Adds the following value:

    "System Check" = "Rundll32.exe SysDll32.dll,SystemCheck"

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  5. Add the following value:

    "ImagePath" = "%System%\systemout.exe"

    to the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SystemOutService

    so that the spyware runs as a service when you start Windows.

  6. Logs all keystrokes, instant messenger conversations, and running programs; and takes periodic screen shots. The default log file path is %ProgramFiles%\XSoftware\Report.

  7. Sends out the log files and screen shots through email or FTP.



The following is a general removal procedure. This spyware may include an uninstallation tool named Unins000.exe, along with Unins000.dat, both of which are located in the installation folder. The default installation folder is %Program Files%\XSoftware. Before you try to remove this spyware using the following instructions, we recommend that you try to uninstall it by using the provided uninstaller. To do this, browse to the %Program Files%\XSoftware folder, and if Unins000.exe is there, double-click Unins000.exe.


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Restart the computer in Safe mode
  3. Run a full system scan.
  4. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To restart the computer in Safe mode
Shut down the computer, and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document "How to start the computer in Safe Mode ."

3. To run the scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.XpcSpy, and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions about this situation, contact your network administrator.
    • Exclude (not recommended)
      If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove it from your computer.

    • Ignore or Skip
      This option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.

    • Cancel
      This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. The Cancel option tells the scanner to ignore the threat for this scan only, and thus the threat will be detected again the next time that you run a scan.

      To delete the security risk
      1. Click its file name (under the Filename column).
      2. In the Item Information box that appears, write down the full path and file name.
      3. Use Windows Explorer to locate and delete the file.
        If Windows Explorer reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

    • Delete
      This option attempts to delete the detected files. In some cases, the scanner will not be able to do this.

      To delete the security risk
      1. If you see a message, "Delete Failed" (or similar message), manually delete the file.
      2. Click the file name of the threat that is under the Filename column.
      3. In the Item Information box that appears, write down the full path and file name.
      4. Use Windows Explorer to locate and delete the file.
        If Windows Explorer reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

4. To delete the value from the registry

Important:
Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document "How to make a backup of the Windows registry ."
  1. Click Start > Run.
  2. Type the following:

    regedit
  3. Click OK.

  4. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the following value:

    "System Check" = "Rundll32.exe SysDll32.dll,SystemCheck"

  6. Delete the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppMon.TShellExecuteHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEMon.IESpy
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}