Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
REALCODE Development
Risk Impact:
File Names:
visage2_setup.exe (installer) visage.exe Mciwinen.dll
Systems Affected:


Spyware.Visage logs keystrokes, captures screenshots, and monitors Internet activity.


Your Symantec program detects Spyware.Visage.


Spyware.Visage must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 10 June 2005
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 15 June 2005
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.Visage is installed, it performs the following actions:

  1. Creates the following files:

    • %System%\Log.idx
    • %System%\Mciwinen.dll (viral)
    • %System%\mscalctl.dll
    • %System%\MSCHRT20.OCX
    • %System%\Process.idx
    • %System%\rcSetup.dll
    • %System%\Scr.Idx
    • %System%\SnapData.dat
    • %System%\URL.idx
    • %System%\visage.exe (viral)
    • %System%\Winsecmp.dll

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Visage.exe

  3. Adds the value:

    "{47267358-EC3D-44A1-9A93-4C8CC18B4B29}" = ""

    to the registry subkey:


  4. Logs keystrokes, captures screenshots, and monitors Internet activity.

The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Uninstall the security risk.
  2. Delete any values added to the registry.

1. To uninstall the security risk

This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:
  1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).

  2. In the Control Panel window, double-click Add/Remove Programs.

    Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.

  3. Click Visage.

    You may need to use the scroll bar to view the whole list.

  4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

    Note: After running the Add/Remove programs applet, all the files may have been removed. You will want to run a full system scan to ensure that this is the case. However, it is possible that no files will be detected after using Add/Remove programs.

2. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry .
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to the subkey:


  4. In the right pane, delete the value, if present:

    "{47267358-EC3D-44A1-9A93-4C8CC18B4B29}" = ""

  5. Navigate to and delete the subkeys:


  6. Exit the Registry Editor.