Spyware.InTheKnow

Printer Friendly Page

Updated: February 13, 2007 11:37:48 AM
Type: Spyware
Version: 1.1.7
Publisher: www.itksoft.com
Risk Impact: High
File Names: ITK.exe
Systems Affected: Windows

Behavior


Spyware.InTheKnow is a program that detects keystrokes and takes snapshots of specified programs on your computer.

Symptoms


The files are detected as Spyware.InTheKnow.

Transmission


Spyware.InTheKnow must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version June 22, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date June 23, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: February 13, 2007 11:37:48 AM
Type: Spyware
Version: 1.1.7
Publisher: www.itksoft.com
Risk Impact: High
File Names: ITK.exe
Systems Affected: Windows


When Spyware.InTheKnow runs, it performs the following actions:

  1. Displays an introductory message.

  2. Gives you the option of registering the product at www.itksoft.com or entering a registration key.

  3. Allows you to type the main password. Typing this password while using any Windows program brings up the user interface.

  4. Gives you the option to determine the interval between taking snapshots.

  5. Gives you the choice of which programs to take snapshots.

  6. Gives you picture management options, including how long files are stored and the maximum storage amount.

  7. Creates these files:
    • %Temp%\WZS2.tmp\SetupITK.exe
    • %Temp%\WZS2.tmp\Hooks32.exe
    • %Temp%\WZS2.tmp\ITKDLL.dll
    • %Temp%\WZS2.tmp\StartUp.exe

      Note:
      %Temp% is a variable that refers to the path to the temporary files folder.

      These files are used for installation and are subsequently deleted.

  8. Creates these files:
    • %System%\Brnts6.exe
    • %System%\WnDl.exe
    • %System%\MsW54.exe

      Note:
      %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  9. Creates the folder %System%\Balance, which is to used to store keystroke and snapshot data.

  10. Creates the folder, C:\ITKExport, which is to used to store exported reports that the Spyware generates.

  11. Adds the subkey:

    grnx

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

    and adds these values to that subkey:

    "SgjTtVUWBq" = "iA88IFT"

    "Jp-i-cAR" = "1"

    "cQRfpP" = "1"

    "cQRWDCoUo" = "2bfRQ;;bcWoH;;cP.y;;iVFs0DtU;;QCpn;;W-A7;;uLZ2;;FP9Lp;;JWhgkkWA;;1DPpSSDo3PXX;;ANBuDONXORs;;nwrLIMa4v;;XLd2;;B0jkx;;4sSg;;KDhVyVlcs;;6_Sl;;b7eRV;;cwTTrn;;kft26UED;;So5xyI1L,d;;-.w2;;4ChF;;Kg1hy;;ZMeuufxTk;;v.HHWtuq;;g3N3q-BX;;prstq;;VT-L67;;unKO0a;;4ldp."

    "DwQ1pjlEuPfq" = "7"

    "Djm1pjlEuPfq" = "2"

    "DwQ4mCrpjn" = "7"

    "Djm4mCrpjn" = "2"

    "QkfCEClXd5Q" = "D:\sM26t\ukGIQs1f\Yn-p3qt"


    Note:
    Some of the registry values depend on settings that were made during the installation, and may be different from what is shown above.

  12. Adds the value:

    "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  13. Adds the value:

    "DPpSSSlU4BksP" = "1"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\grnx

  14. Adds the value:

    "Brnts6.exe" = "%System%\Brnts6.exe"

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  15. Deletes the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations


Updated: February 13, 2007 11:37:48 AM
Type: Spyware
Version: 1.1.7
Publisher: www.itksoft.com
Risk Impact: High
File Names: ITK.exe
Systems Affected: Windows


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Uninstall Spyware.InTheKnow.
  3. Run a full system scan and delete all the files detected as Spyware.InTheKnow.
  4. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. To uninstall the Spyware
  1. Type the main password to bring up the user interface to Spyware.InTheKnow.
  2. Click Manager > Uninstall In The Know ...
  3. Follow the prompts.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.InTheKnow, click Delete.


    Notes:
    • If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.
    • If you ran the Add/Remove programs applet as described in the previous section, it is possible that all the files were removed, and therefore none will be detected.


4. To delete the values from the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

Note:
This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

  1. Click Start > Run.
  2. Type regedit > OK.
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Brnts6.exe" = "%System%\Brnts6.exe"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  6. In the right pane, delete the value:

    "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"

  7. Delete the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\grnx

  8. Exit the Registry Editor.