Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Raytown Corporation
Risk Impact:
File Names:
skin200.exe skin200.exe taskfind.dll powexch.exe qlaunch.exe
Systems Affected:


Spyware.SKIn is a program that logs keystrokes.


Your Symantec program detects Spyware.SKIn.


Spyware.SKIn must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 16 July 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 21 July 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Spyware.SKIn contains the following functionality:
  • Keystroke logging
  • Mouse position logging
  • Windows title logging
  • Scheduling monitoring hours

When Spyware.SKIn is installed the following actions are performed:
  1. Creates the following files:
    • %ProgramFiles%\SKIn2000\skin2000.exe - Configuration manager
    • %ProgramFiles%\SKIn2000\file_id.diz - Product information
    • %ProgramFiles%\SKIn2000\license.txt - License information
    • %ProgramFiles%\SKIn2000\order.txt - Ordering information
    • %ProgramFiles%\SKIn2000\order.frm - Ordering information
    • %ProgramFiles%\SKIn2000\products.url - Product website link
    • %ProgramFiles%\SKIn2000\default.sch - Default schedule settings template
    • %ProgramFiles%\SKIn2000\worktime.sch - Normal working hours schedule settings template
    • %ProgramFiles%\SKIn2000\readme.txt - Documentation
    • %ProgramFiles%\SKIn2000\uninst.exe - Uninstaller
    • %System%\taskfind.dll - Used by powexch.exe
    • %System%\powexch.exe - Sets up the system for logging
    • %System%\qlaunch.exe - Used by powexch.exe
    • %ProgramFiles%\SKIn2000\Help\1x1.gif - Used by help file
    • %ProgramFiles%\SKIn2000\Help\basic.css - Used by help file
    • %ProgramFiles%\SKIn2000\Help\bullet_check2.gif - Used by help file
    • %ProgramFiles%\SKIn2000\Help\bul_001.gif - Used by help file
    • %ProgramFiles%\SKIn2000\Help\bul_002.gif - Used by help file
    • %ProgramFiles%\SKIn2000\Help\help.html - Help file
    • %ProgramFiles%\SKIn2000\Help\index.html - Help file
    • %ProgramFiles%\SKIn2000\Help\index_1.html - Help file
    • %ProgramFiles%\SKIn2000\Help\index_2.html - Help file
    • %ProgramFiles%\SKIn2000\Help\index_3.html - Help file
    • %ProgramFiles%\SKIn2000\Help\index_4.html - Help file
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\SKIn2000 Configuration Utility.lnk - Start menu link
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\SKIn2000 Help.lnk - Start menu link
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\License Agreement.lnk - Start menu link
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\Order Information.lnk - Start menu link
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\Raytown Corp. Home.lnk - Start menu link
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SKIn2000\Uninstall SKIn2000.lnk - Start menu link
    • C:\session.log - Log file

    • %System% is a variable. The spyware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  2. Modifies the following value:

    "Userinit" = "<previous value of Userinit>,powexch.exe"

    in the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    so that the Spyware runs when you start Windows.

  3. Adds the registry key:


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Uninstall Spyware.SKIn.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Spyware.SKIn.
  5. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Uninstalling the Spyware
  1. Navigate to %ProgramFiles%\SKIn2000.
  2. Double-click uninst.exe.

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode . "

4. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Spyware.SKIn, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.
5. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

Note: This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  4. In the right plane, remove:


    from the value:

    "Userinit" = "<previous value of Userinit>,powexch.exe"

  5. Delete the key:


  6. Exit the Registry Editor.