Detect and Remove Webwatcher
Webwatcher For PC is a monitoring program often employed by concerned parents, employers, or even police. However, it is a powerful program which can be used outside of WebWatcher's terms of service, which requires that you install on a computer you own or are authorized to monitor. Webwatcher will report almost ANYTHING you do from within Windows. This includes keystrokes, web browsing, IM, email, etc. Your data will be sent to the Awareness Technologies servers, where the software owner can view it from an account. Besides the obvious privacy reasons, you may also feel concerned about the security of your data.
- This guide will show you how to detect and remove the Webwatcher software. These instructions will only work for versions 4 - 6 of the PC software, which is no longer available for purchase or installation.
- Since 2010 with the release of version 7 of WebWatcher, the software is installed into randomized folder path directories on the computer. As such, each customer account will result in a unique folder path for software installation which makes it nearly impossible to find the location of where the software is installed.
- There is no way to locate this folder path from within the software itself. These instructions will not work for WebWatcher for Mac, Android or iOS as there is no known way to remove the software from those operating systems.
Contents
Steps
Non-Technical Methods
- Ask the person who installed the software (assuming you know them) to remove it. Obviously, this will not work if an unknown or uncooperative person installed it.
- Also try to have the vendor (Awareness Technologies) remove this software for you. However, the company requires you to prove that the software is illegally installed, a process which requires that you fill out and submit a notarized form regarding specific information on the person who may have installed it along with proof of ownership of the device itself.
- These requests are typically ineffective if you do not have specific information of the person who installed the software.
- If these methods do not work for you, or you want to confirm that it was in fact uninstalled, then read on.
Manual Detection Method (Not Guaranteed)
- Try striking various keys on the keyboard at the same time while physically on the computer that you believe is being monitored. The software uses a "hotkey" key combination sequence to access the status panel.
- Although the software no longer has a default sequence and it is now randomized, users have had success with hitting a combination of the Shift, Ctrl, 1, Tab, Windows, Alt, F1, Num Lock, Scroll Lock, and Caps Lock keys. However, it is important to note that this method is for detection only and not for removal.
- The software still requires the input of the Webwatcher account password to remove it even if the the correct key sequence is achieved. And, even if detection has occurred the person performing the monitoring can simply change this sequence remotely from a web console instead of actually removing it to prevent future detection.
- Open a CMD prompt. You can do this by clicking on start, then run, then typing cmd and press enter (XP). Or by using the start menu search to find a shortcut (Vista/7). If you are using Windows Vista or Windows 7, remember to right click the shortcut and select 'Run as Administrator'.
- Try one known Webwatcher directory. Then type 'cd c:\windows\system32\config\atww' (without quotes). If command prompt shows 'cannot find this file' or similar, then try 'cd c:\windows\syswow64\xedeh' and 'cd c:\windows\system32\xedeh' (without quotes). If it still shows 'cannot find this file' or similar, then move on to the next steps. If not, then you may be infected.
- Try other directories. Repeat step 2 for the directories 'c:\windows\system32\config\atuvp', 'c:\program files\webwatcherv5' and 'c:\program files\skyhook wireless' filling in the part after 'cd' with the appropriate directory. If any of these are found, then you may be infected. Proceed to delete or rename these files or use an antivirus/antispyware program.
Automated Detection & Removal
- Use Spy DLL remover. Download a copy of spy DLL remover from Security Xploded at [1]. Launch the program. Use 'run as administrator' (Vista/7)
- Click on the gears (settings) icon.
- Check your options. Enable 'Scan for hidden processes' and all of the options below it. In the drop-down box select 'show dangerous, suspicious, and analysis level threats' Make sure that 'Ignore non DLL files' is UNCHECKED
- Click the save button to confirm your preferences.
- Click 'scan now'
- Check the results. If anything appears in orange or red, then you are likely infected with Webwatcher or other spyware.
- Check the list of suspect files for the directories mentioned in the manual detection section of this guide.
- Check for any file named 'wpsnuio'.
- Also check for a folder in the c:\windows\system32 or c:\windows\system32\config directory for a directory with a name beginning with 'epphp'. For these items, note their file/folder names and paths, then click on them and then click 'remove all' to unload the spyware.
- If any files cannot be automatically removed, try your hand at deleting or renaming the detected files. Type the path of the target file into windows explorer (my computer), then select the file and move it to recycle bin or rename it. Do this for all of the suspected files, then restart your computer.
Boot Disk Method
- Note that this method completely bypasses Windows (and therefore Webwatcher's rootkit), giving you unrestricted access to the disk. However, there is also no protection against accidentally deleting, renaming, or modifying important system files. Make a backup first and be careful.
- Burn your CD/DVD. Burn a Linux live CD/DVD. You can use Ubuntu, Linux Mint, or really any distribution capable of accessing your hard disk (almost all of them should).
- Boot up. Start up your computer with the CD/DVD. Check out other articles on how to do this.
- Open your hard disk. Using the included file manager, open the drive which contains your windows folder.
- Look for suspicious files. Try to find the files and folders mentioned in the manual detection section.
- Move, rename, or delete the files. You can move them to a different location on the hard disk, move them to a USB drive, or rename the files. Deleting the files will work too, but be careful as this can cause system instability or crashes.
- Reboot into Windows. Restart the computer without the CD/DVD in the drive. You should also use Spy DLL Remover or another program to determine whether you have completely removed the software.
Tips
- Webwatcher uses a rootkit to hide itself from Task Manager, Windows Explorer and Regedit, but fails to hide itself from Command Prompt. Also, if the name of the hidden directory is typed into windows explorer, then the files are exposed.
- When researching/looking up Webwatcher on the internet, avoid confusion between the commercial spyware (what we are talking about here) and the many non-spyware programs (which are completely separate).
- Many of these steps require administrator rights on Windows, so remember to use the 'Run as Administrator' option on Windows 7 and Vista.
- You should restart your computer after preforming these steps to ensure that Webwatcher is cleared from your computer's memory
- Your antivirus/antispyware program might already detect webwatcher. Check the logs for detection entries titled 'Webwatcher' or 'Ultraview'
- Set a strong administrator password. Avoid telling your password to anyone. If someone should need administrator rights for some reason, then log on for him/her, watching everything he/she does carefully to prevent installation of this software in the future.
Warnings
- If Webwatcher or similar software is really installed on your PC, then the software owner will know that you have visited this Wikihow.
- Remember that there are plenty of other similar programs which can possibly be used to do the same thing as Webwatcher.
- Be VERY careful when editing system files. Make a backup of your important files whenever possible. If you feel uncomfortable or unsure, stop and ask a knowledgeable friend.
- Remember that the software CAN be reinstalled even after you delete it. So, run these detection steps as often as you deem necessary.
- These instructions might not work for newer versions, and there is no guarantee.
- Version 7.0 of this software has been released, possibly rendering these instructions (especially the manual detection/removal sections) obsolete. This is not to say that they will certainly not work, but that they are untested on versions 7.0 and up.
Related Articles
- Create a Secure Password
- Block Spyware