Behavior
Spyware.PersonInspect is a spyware program that monitors Internet activity, logs key strokes, and takes screenshots.
Symptoms
Your Symantec program detects Spyware.PersonInspect.
Transmission
Spyware.PersonInspect must be manually installed.
Technical details
File names:
personal-inspector-setup.exe
rView.exe
svcmon.dll
svcmon.exe
svcmonh.dll
svcmoni.dll
When Spyware.PersonInspect is installed, it performs the following actions:
1. Creates the following files:
* %UserProfile%\Desktop\personal-inspector-setup.exe
* %UserProfile%\Start Menu\Programs\Personal Inspector\Links\Download lastest version.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\Links\Mail to support.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\Links\Program's home page.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\Links\Registration.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\Personal Inspector.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\Uninstall.lnk
* %UserProfile%\Start Menu\Programs\Personal Inspector\View Report.lnk
* %System%\PIN\Icons\TrayIcon00.ico
* %System%\PIN\Icons\TrayIcon02.ico
* %System%\PIN\Icons\TrayIcon03.ico
* %System%\PIN\Icons\TrayIcon04.ico
* %System%\PIN\Icons\TrayIcon06.ico
* %System%\PIN\Icons\TrayIcon07.ico
* %System%\PIN\Icons\TrayIcon09.ico
* %System%\PIN\Icons\TrayIcon10.ico
* %System%\PIN\Icons\TrayIcon11.ico
* %System%\PIN\Icons\TrayIcon12.ico
* %System%\PIN\Icons\TrayIcon13.ico
* %System%\PIN\Icons\TrayIcon15.ico
* %System%\PIN\license.txt
* %System%\PIN\Links\Download lastest version.url
* %System%\PIN\Links\Mail to support.url
* %System%\PIN\Links\Program's home page.url
* %System%\PIN\Links\Registration.url
* %System%\PIN\RegDll.bat
* %System%\PIN\rView.exe
* %System%\PIN\svcmon.cfg
* %System%\PIN\svcmon.dll
* %System%\PIN\svcmon.exe
* %System%\PIN\svcmon.rep
* %System%\PIN\svcmonh.dll
* %System%\PIN\svcmoni.dll
* %System%\PIN\Uninstall.exe
* %System%\PIN\UnRegDll.bat
* %System%\system.pi
Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85DDD882-701E-401B-8A7D-D51227048214}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{34EC10B9-2B39-4CF5-B1D1-84D1138D0CD5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF9CAB33-968A-4227-AFEB-A7877C496D8B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Iewatcher.ViewSource
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Iewatcher.ViewSource.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85DDD882-701E-401B-8A7D-D51227048214}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal-Inspector
HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\PersonalInspector
3. Adds the value:
"svcmon" = "%System%\PIN\svcmon.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
4. Adds the following values:
"Local machine" = "[random_value]"
"Remote machine" = "[random_value]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE
5. Monitors Internet activity, logs key strokes, and takes screenshots.
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.personinspect.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
Then click OK.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"svcmon" = "%System%\PIN\svcmon.exe"
5. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE
6. In the right pane, delete the values:
"Local machine" = "[random_value]"
"Remote machine" = "[random_value]"
7. Navigate to and delete the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85DDD882-701E-401B-8A7D-D51227048214}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{34EC10B9-2B39-4CF5-B1D1-84D1138D0CD5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF9CAB33-968A-4227-AFEB-A7877C496D8B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Iewatcher.ViewSource
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Iewatcher.ViewSource.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85DDD882-701E-401B-8A7D-D51227048214}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal-Inspector
HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\PersonalInspector
8. Exit the Registry Editor.
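A read-only PowerShell check for the files and registry entries listed above, useful for confirming that nothing is left after removal. This is an added example, not part of the original write-up; the extra WOW6432Node and SysWOW64 locations are an assumption for 64-bit Windows, which the write-up does not cover.

```powershell
# Read-only check for the Spyware.PersonInspect artifacts listed on this page.
# Assumption: run from an elevated PowerShell prompt on the machine being examined.
$clsid  = '{85DDD882-701E-401B-8A7D-D51227048214}'
$sysDir = [Environment]::SystemDirectory      # %System% as defined in the note above

# Assumption: on 64-bit Windows, 32-bit software is redirected to SysWOW64 and
# WOW6432Node, so both views are checked.
$roots    = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$pinDirs  = @((Join-Path $sysDir 'PIN'), (Join-Path $env:windir 'SysWOW64\PIN'))
$findings = New-Object System.Collections.Generic.List[string]

foreach ($root in $roots) {
    # Keys created in step 2 of the installation actions
    $keys = @(
        "$root\Classes\CLSID\$clsid",
        "$root\Classes\Interface\{34EC10B9-2B39-4CF5-B1D1-84D1138D0CD5}",
        "$root\Classes\TypeLib\{CF9CAB33-968A-4227-AFEB-A7877C496D8B}",
        "$root\Classes\Iewatcher.ViewSource",
        "$root\Classes\Iewatcher.ViewSource.1",
        "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        "$root\Microsoft\Windows\CurrentVersion\Uninstall\Personal-Inspector",
        "$root\KMiNT21\PersonalInspector"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
    }

    # Run value added in step 3 (startup persistence)
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'svcmon' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value: $runKey\svcmon = $($run.svcmon)") }
}

# Program files from the "File names" list, in the PIN folder
foreach ($dir in $pinDirs) {
    foreach ($name in 'rView.exe', 'svcmon.dll', 'svcmon.exe', 'svcmonh.dll', 'svcmoni.dll') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $findings.Add("File: $p") }
    }
}
$pi = Join-Path $sysDir 'system.pi'
if (Test-Path -LiteralPath $pi) { $findings.Add("File: $pi") }

if ($findings.Count -eq 0) { 'No listed Spyware.PersonInspect artifacts found.' }
else { $findings }
```

The script only reads; it deletes nothing, so any entry it reports still has to be removed with the steps above.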