Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Eltima Software
Risk Impact:
File Names:
advanced_keylogger.exe kmonitor.exe Setup.exe trace.exe svchost.exe TMLib.dll TMUtils.dll
Systems Affected:


Spyware.AdvancedKey is a program that logs keystrokes, clipboard contents, and screenshots on your computer.


The files are detected as Spyware.AdvancedKey.


Spyware.AdvancedKey must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 17 July 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 19 July 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.AdvancedKey is installed, the following actions are performed:
  1. Displays the End-User License Agreement.

  2. Prompts for the installation folder. The default installation folder is %Windir%\IDDE.

    Notes: %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.

  3. Creates following files and folders:

    • %Windir%\IDDE\kmonitor.exe: Main application for logging viewing and configuring. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\License.txt: License information.
    • %Windir%\IDDE\manual.chm: Help file.
    • %Windir%\IDDE\readme.txt: Documentation.
    • %Windir%\IDDE\register.bat: Used for registering the Spyware.
    • %Windir%\IDDE\Setup.exe: Used to place the files in the proper location and set up registries. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\setup.log: Log of the installation process.
    • %Windir%\IDDE\trace.exe: Used to trace screenshots. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\uninstall.bat: Used for uninstallation.
    • %Windir%\IDDE\Uninstall.exe: Generic uninstaller.
    • %Windir%\IDDE\wrk.log: Log of the installation process.
    • %Windir%\system\svchost.exe: Main logger. Detected as Spyware.AdvancedKey.
    • %System%\TMLib.dll: Used for saving logs and setting up the environment for logging. Detected as Spyware.AdvancedKey.
    • %System%\TMUtils.dll: Used for saving screenshots and tracing the screeshots. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\CLPBR\: Directory that contains screenshots.
    • %Windir%\ddemal32.bin: Log file.
    • %Windir%\system\setup.log
    • %Windir%\system\MSIDLLSI.DAT

      Note: %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  4. Creates the following registry subkeys:


  5. Creates a service with the following attributes:

    Service name: svchost
    Display name: MS Software Generic Host Process for Win32 Services
    Path to executable: %Windir%\system\svchost.exe
    Startup type: Automatic

  6. Performs the following actions:

    • Logs keystrokes
    • Monitors the clipboard
    • Captures screenshots
    • Monitors Internet activity
    • Emails log files
    • Hides and unhides its Taskbar icon using the Ctrl+Alt+Del+R key combination

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Uninstall Spyware.AdvancedKey.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Spyware.AdvancedKey.
  5. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the Spyware
  1. Navigate to the %Windir%\IDDE folder.
  2. Double-click Uninstall.exe to launch the uninstall program.

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode . "

4. To scan for and delete the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Spyware.AdvancedKey, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.

5. To delete the value from the registry

Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.
  1. Click Start > Run.

  2. Type regedit

    then click OK.

  3. Navigate to the key:


  4. In the left pane, delete the subkey:


  5. Navigate to, and delete the keys:


  6. Exit the Registry Editor.