
How to remove TrueActive software from your system

In this Ask the Expert Q&A, our application security expert reviews the strengths and weaknesses of TrueActive, a commercially available keylogging tool. He also discusses what steps you should take if you want to remove this program from your system.

I have TrueActive in my winlogon.exe. XoftSpy finds it and deletes it, but it comes back when I reboot. What should I do?
TrueActive is a commercially available keylogger, formerly known as WinWhatWhere Investigator, and is produced by TrueActive Software. It includes a suite of system monitoring tools, including keystroke, password, instant messaging, video/screen capture and network usage logging. It can operate in silent mode and use e-mail to send logs to a remote location. The licensed version also watches for antispyware programs and takes measures to avoid detection. Organizations can use this type of software to legitimately monitor computer activity. However, several antispyware vendors classify TrueActive as spyware because it has the ability to scan systems, monitor activity and relay information to other computers or locations. Symantec, for example, categorizes it as having a high-risk impact despite the fact that vendors have removed the silent deploy feature, which allowed you to secretly install the program on someone else's computer via e-mail.

If you can open the TrueActive Monitor, you will find an uninstall button located on the left side of the program setup screen. With this you can uninstall it and, according to TrueActive Software, they will assist you in removing it if they agree that the software has been inappropriately installed. If you wish to remove TrueActive yourself, you should back up your system registry or create a Windows restore point. According to the ParetoLogic Web site, makers of XoftSpy, you have to delete the winlogon.exe file located in the windows directory as part of the manual removal process. To find out more, visit http://labs.paretologic.com/spyware.aspx?remove=Spyware.TrueActive. When I installed TrueActive I found no such file, so be careful that you do not delete the winlogon.exe file located in the system32 directory. This file is the Windows login manager. It handles the login and logout procedures on your system and is an essential part of your OS. TrueActive does not tamper with or corrupt this file.

You may be having difficulties removing TrueActive because your employers have installed it. Another reason could be that other antispyware programs you are running are resetting any registry changes made by XoftSpy. Finally, viruses and spyware can quickly reappear if you have not secured the route they are using to infect your system. I would ensure that your firewall and antivirus program are up to date and perhaps install another antispyware program to check and clean your computer.

This was last published in October 2005
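
One way to confirm which winlogon.exe is actually present before acting on a manual removal step, given as an added example that is not part of the original answer or any vendor's tooling. It assumes Windows PowerShell 5.1 or later; the signer match on `O=Microsoft Corporation` is a heuristic chosen for this example, and the script only reads and reports.

```powershell
# Added example: read-only inventory of winlogon.exe copies. It deletes nothing.
$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# Paths to inspect: the Windows directory (the location named in the manual
# removal instructions), System32, and the image of any running winlogon process.
$paths = @(
    Join-Path $env:SystemRoot 'winlogon.exe'
    $expected
    Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" |
        ForEach-Object { $_.ExecutablePath }   # may be empty without elevation
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

$report = foreach ($path in $paths) {
    $sig        = Get-AuthenticodeSignature -FilePath $path
    $hash       = Get-FileHash -LiteralPath $path -Algorithm SHA256
    $inSystem32 = $path -ieq $expected
    $signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    [pscustomobject]@{
        Path       = $path
        InSystem32 = $inSystem32
        Signature  = $sig.Status
        Signer     = $signer
        SHA256     = $hash.Hash
        # Heuristic verdict (assumption of this example, not a vendor rule).
        Verdict    = if ($inSystem32 -and $sig.Status -eq 'Valid' -and
                         $signer -like '*O=Microsoft Corporation*') {
                         'Windows logon manager: leave in place'
                     } elseif ($inSystem32) {
                         'System32 copy with unexpected signature: investigate, do not delete'
                     } else {
                         'Outside System32: not the Windows logon manager, review before removal'
                     }
    }
}

$report | Format-List
```

Run it from an elevated prompt so the running process's image path is readable; a copy reported outside System32 is the one to examine, never the System32 file.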
