Spyware.WebMailSpy - Removal

The following is a general removal procedure. This spyware may include an uninstallation tool named Unvise32.exe, along with uninstal.log, which is located in the installation folder. The default location for Unvise32.exe is "C:\Windows" or C:\WinNT. The default location of Uninstal.log is :\Program Files\ExploreAnywhere\WebMail Spy.

We suggest that, before you attempt to remove this spyware using a scan, you try to uninstall it by following these steps:

1. Click Start > Run
2. Type:
   
   "C:\Windows\unvise32.exe C:\PROGRA~1\EXPLOR~1\WEBMAI~1\uninstal.log"
   
   and then click OK.
   
   
3. Do one of the following:
   • If the uninstaller works, follow all the prompts. When completed, follow steps 1 and 3 below.
   • If the uninstaller does not work, follow all the steps below.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

1. Update the definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan and delete all the files detected as Spyware.WebMailSpy.
4. Delete the value that was added to the registry.
   

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode."

Note: If you are using Windows98/Me, make sure that you use the System Configuration Utility described in "How to start the computer in Safe Mode" to do this.

If you are using Windows 95 and cannot get to Safe Mode by pressing the F8 key (because Spyware.WebMailSpy disabled this), follow the additional steps in the section, "Disabled F8 workaround," which is at the bottom of this page.

3. To scan for and delete the files

1. Start your Symantec antivirus program, and then run a full system scan.
2. If any files are detected as Spyware.WebMailSpy, click Delete.
   
   Note: If your Symantec antivirus product reports that it cannot delete a detected file, note the path and file name. Then use Windows Explorer to locate and delete the file.
   

4. To delete the values from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start > Run.
   
2. Type regedit
   
   Then click OK.
   
   
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   In the right pane, delete the value:
   
   "1WinCfg32" = "<install_path>\WebMailSpy.exe"
   
   
4. Navigate to the key:
   
   HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System
   
   (This key may not exist on all the systems)
   
   If it does exist, in the right pane, delete the value:
   
   "DisableTaskMgr" = "1"
   
   
5. Windows NT/2000/XP only
   
   Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   
   
6. In the right pane, if it the value exists, delete it: "IgnoreShiftOveride" = "1"
   
   
7. Exit the Registry Editor.
   
   
8. Restart the computer in Normal mode.

Disabled F8 workaround
Follow this procedure only if you use the Windows 95 operating system.

Important: Symantec strongly recommends that you back up Msdos.sys before making any changes to it.

1. Click Start > Run
2. Type:
   
   command
   
   and then click OK.
   
   
3. At the command prompt, type the following, pressing Enter after typing each line:
   
   C:\
   attrib -h -r -s msdos.sys
   edit msdos.sys
   
   
4. When the file opens in the text editor, in the [Options] section, look for the line:
   
   BootKeys = 0
   
   If the line exists, change it to:
   
   BootKeys = 1
   
   
5. Click File > Save.
6. Click File > Exit.
7. Type:
   
   attrib +h +r +s msdos.sys
   
   
8. Restart the computer and continue from where you left off in the removal instructions.

Technical Details