Behavior
Spyware.SpyloPCMonitor is a spyware program that monitors user activity, logs keystrokes, and takes screenshots. It ends the processes of anti-spyware programs.
Symptoms
Your Symantec program detects Spyware.SpyloPCMonitor.
Transmission
Spyware.SpyloPCMonitor must be manually installed.
Technical details
File names:
SETUP.EXE
HOOK.DLL
SPYLO.EXE
WSYS.EXE
WSYSSRV.EXE
When Spyware.SpyloPCMonitor is installed, it performs the following actions:
1. Creates the following files:
* %UserProfile%\Start Menu\Programs\Spylo PC Monitor\Get Full version.lnk
* %UserProfile%\Start Menu\Programs\Spylo PC Monitor\Spylo Commander.lnk
* %UserProfile%\Start Menu\Programs\Spylo PC Monitor\Spylo Manual.lnk
* %UserProfile%\Start Menu\Programs\Spylo PC Monitor\Spylo Monitor.lnk
* %UserProfile%\Start Menu\Programs\Spylo PC Monitor\Visit homepage.lnk
* %System%\fiohdd.sys
* %System%\iobge12.sys
* %System%\rgl40.sys
* %System%\rtdk.sys
* %System%\stslog.sys
* %System%\[computer_name]_smonact.flg
* %Windir%\SPCMon\DEFKILL.DAT
* %Windir%\SPCMon\DESCRIPT.ION
* %Windir%\SPCMon\HELP.CHM
* %Windir%\SPCMon\HOMEPAGE.URL
* %Windir%\SPCMon\HOOK.DLL
* %Windir%\SPCMon\INSTALL.LOG
* %Windir%\SPCMon\LICENSE.TXT
* %Windir%\SPCMon\README.TXT
* %Windir%\SPCMon\REGISTER.URL
* %Windir%\SPCMon\SPYLO.EXE
* %Windir%\SPCMon\SQL.GID
* %Windir%\SPCMon\Uninstall.exe
* %Windir%\SPCMon\WHATSNEW.TXT
* %Windir%\SPCMon\WSYS.DLL
* %Windir%\SPCMon\WSYS.EXE
* %Windir%\SPCMon\WSYSSRV.EXE
Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
2. Creates the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Spylo PC Monitor
3. Adds the value:
"wsys.exe" = "%Windir%\SPCMon\wsys.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
4. Monitors user activity, logs keystrokes, and takes screenshots.
5. Ends the processes of anti-spyware programs.
Removal instructions
See:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.spylopcmonitor.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
Then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to and delete the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Spylo PC Monitor
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"wsys.exe" = "%Windir%\SPCMon\wsys.exe"
6. Exit the Registry Editor.
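Added example (not part of the original writeup or any Symantec tool): a triage check that matches the file and Run-value indicators listed above against a collected file inventory and a .reg export, expanding %System% and %Windir% with the defaults from the Notes. The function names, the family labels "9x"/"nt"/"xp" and the sample data are assumptions made for illustration.

```python
import fnmatch
# Default folders per Windows family, from the Notes above (assumed unchanged on the host).
DEFAULTS = {
    "9x": {"%System%": r"C:\Windows\System", "%Windir%": r"C:\Windows"},
    "nt": {"%System%": r"C:\Winnt\System32", "%Windir%": r"C:\Winnt"},
    "xp": {"%System%": r"C:\Windows\System32", "%Windir%": r"C:\Windows"},
}
# File indicators from the page; [computer_name] and the SPCMon folder become wildcards.
FILE_PATTERNS = [
    r"%System%\fiohdd.sys", r"%System%\iobge12.sys", r"%System%\rgl40.sys",
    r"%System%\rtdk.sys", r"%System%\stslog.sys", r"%System%\*_smonact.flg",
    r"%Windir%\SPCMon\*",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAME, RUN_DATA = "wsys.exe", r"%Windir%\SPCMon\wsys.exe"

def expand(path, family):
    """Replace the page's folder variables and lower-case for comparison."""
    for var, folder in DEFAULTS[family].items():
        path = path.replace(var, folder)
    return path.lower()

def match_files(inventory, family):
    """Return the inventory paths that match any file indicator."""
    pats = [expand(p, family) for p in FILE_PATTERNS]
    return [f for f in inventory
            if any(fnmatch.fnmatchcase(f.lower(), p) for p in pats)]

def run_value_present(reg_text, family):
    """Look for the wsys.exe autostart value in .reg export text."""
    key = None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key == RUN_KEY.lower() and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip('"').replace("\\\\", "\\").lower()
            if name.strip('"').lower() == RUN_NAME and data == expand(RUN_DATA, family):
                return True
    return False

# Constructed sample data, not taken from a real host.
SAMPLE_FILES = [r"C:\WINDOWS\system32\rtdk.sys",
                r"C:\WINDOWS\system32\LAB-PC01_smonact.flg",
                r"C:\WINDOWS\SPCMon\HOOK.DLL", r"C:\WINDOWS\system32\kernel32.dll"]
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wsys.exe"="C:\\WINDOWS\\SPCMon\\wsys.exe"
'''
```

Comparison is case-insensitive because Windows paths and value names are; pass the family that matches the host so the defaults from the Notes resolve to the right folders.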