How to find and neutralize WebWatcher

The creators of this spyware position it as a tool for parents and managers (like many other spyware products). It allows you to monitor your children or staff. This justification allows WebWatcher to stay out of antivirus databases and to work silently on many computers.

We should not ignore the fact that many people want to spy on someone or to steal someone else's information using this program. If you search for information about it on Google, you will find tens of thousands of pages with advice on how to find and remove this program. Perhaps the people searching are victims of cybercriminals, and we want to help them.

WebWatcher works very covertly. You can't find it among the processes, the services or the drivers, and it is difficult to find with standard tools. However, COVERT Pro has tools for finding such well-disguised spies, and they are easy to use even for ordinary users.

You can easily detect many spyware programs in Network Monitor while they send information over the Internet. WebWatcher, however, is more sophisticated: to send its data it uses cover processes that are not related to WebWatcher.

The first process is iexplore.exe (the Microsoft Internet Explorer web browser), the second is svchost.exe (the system host process for services that run from dynamic-link libraries). Both processes belong to the operating system, so there is nothing unusual about seeing them in Network Monitor.


Let’s try to find this spyware with the help of two special features: “DLL Monitor” and “Analysis svchost.exe”.

Open the “Monitor DLL” and disable User Account Control (UAC) if it is enabled (point the cursor at the upper frame of the COVERT Pro main window, press the right mouse button and choose the appropriate option).

(UAC stands for User Account Control. This function prevents unauthorized changes to system files: it asks for permission or an administrator password before performing potentially dangerous actions.)

If you use COVERT Pro USB, you do not need to disable UAC to run “Monitor DLL”. In this case, when the program starts, you need to decline the use of administrator rights.

Restart your computer, run COVERT Pro again and open the “Monitor DLL”.

Three libraries are highlighted in yellow in the list of loaded libraries: mcsc_wqjhqb.dll, shim_hkcuob.dll and mcapp_dehbkb.dll. These files are in the folder C:\Windows\System32\qtqhdtg and they belong to WebWatcher. We know this because we installed it on the computer ourselves. If you see a yellow line, it is advisable to find the program that uses these files. Right-click on the yellow line and select “Search for information in Internet” from the context menu.


We couldn’t find information about these libraries because they do not belong to Microsoft Windows or another legitimate program.


These libraries have no names in the list, no descriptions, and no information about the developer. You should delete unknown DLL files in such cases.
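The same indicator (a loaded DLL with no description and no developer information) can be checked with built-in PowerShell. This is an added example, not part of the original article or of COVERT Pro, and the output format is an assumption:

```powershell
# Added example (not COVERT Pro code): list DLLs loaded by running processes
# that have neither a file description nor a company name.
# Run from an elevated prompt so modules of system processes are readable.
$found = @{}
foreach ($proc in Get-Process) {
    try { $modules = @($proc.Modules) } catch { continue }  # protected or exited process
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path -or $path -notlike '*.dll') { continue }

        # Skip anything that carries vendor metadata.
        $info = $m.FileVersionInfo
        if (-not [string]::IsNullOrWhiteSpace($info.FileDescription)) { continue }
        if (-not [string]::IsNullOrWhiteSpace($info.CompanyName))     { continue }

        if (-not $found.ContainsKey($path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
            $found[$path] = [pscustomobject]@{
                Path      = $path
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                LoadedBy  = @()
            }
        }
        # Record every process that has this DLL mapped.
        $found[$path].LoadedBy += "$($proc.ProcessName) ($($proc.Id))"
    }
}
$found.Values | Sort-Object Path | Format-List Path, Signature, LoadedBy
```

The LoadedBy column shows which host process each unnamed library is loaded into.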

Now run the “System Services”, then “Hidden services”, and select “Analysis svchost.exe” in the context menu.


The purpose of this feature is to detect spyware masquerading as system processes. System services and libraries that run in the ‘svchost.exe’ process are highlighted in green. Yellow indicates processes pretending to be system processes. In our case, we immediately see the WebWatcher service with the name svcboot_yvnhea, which runs as a system process with the dynamic link library svcboot_yvnhea.dll. It has the same path as the spyware libraries we found earlier.
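A comparable review of svchost.exe-hosted services can be done from the registry, where each such service names its DLL in a ServiceDll value. This is an added example, not COVERT Pro's own logic; the report columns and the filter at the end are assumptions:

```powershell
# Added example (not COVERT Pro code): list the DLLs that services hosted by
# svchost.exe load, with the metadata used above to tell them apart.
$system32 = Join-Path $env:SystemRoot 'System32'
$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($key in Get-ChildItem -Path $root) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -notmatch 'svchost\.exe') { continue }

    # The hosted DLL is named by the ServiceDll value under <service>\Parameters.
    $params = Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    $company = $null
    $sig     = 'FileMissing'
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
        $sig     = (Get-AuthenticodeSignature -LiteralPath $dll).Status
    }

    [pscustomobject]@{
        Service    = $key.PSChildName
        ServiceDll = $dll
        InSystem32 = ((Split-Path -Path $dll -Parent) -ieq $system32)  # false for subfolders
        Company    = $company
        Signature  = $sig
    }
}

# Rows worth a manual look: no vendor metadata, or no valid signature.
$report |
    Where-Object { -not $_.Company -or "$($_.Signature)" -ne 'Valid' } |
    Sort-Object ServiceDll |
    Format-Table -AutoSize
```

Legitimate third-party services also show up in this list, so compare the output with the software you know is installed.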

Now all components of WebWatcher have been detected by COVERT Pro.

To remove the WebWatcher spyware, open “Monitor DLL” in the main window, right-click on the row with the spy module and select “Disable” from the context menu. Repeat this action for all spyware files. If everything is done correctly, the spyware files will be grayed out and a message about the successful operation will appear.


Open the “Hidden services” and select “Analysis svchost.exe”. Right-click on the line with the attached spyware file. In the context menu choose “Modify services tasks” and click on “Disconnect DLL”. If the operation succeeds, the line number, name and address of the DLL will be highlighted in gray.


After the computer restarts, all libraries that the spyware used will be disabled. However, we still need to delete the folder with the remaining files and the information about the spyware in the operating system. In the “Hidden service” select the item with information about the spyware, and in the context menu “Open Services folder” select “DLL”. Delete all contents along with the folder. Then in the submenu “Change tasks”, click “Clean system”.


After these steps, the WebWatcher spyware will be removed completely.

If for some reason you can’t or don’t want to remove WebWatcher from your computer, but you want to hide (mask) your actions from it, then switch to the secure platform of COVERT Pro. WebWatcher will not be able to intercept or view any of your actions in the protected environment. It will send blank reports to the spying server.


At the end of this article, as usual, we run an online test of the spy library against 39 antivirus products. Only six of them consider it a threat to the computer. Draw your own conclusions.


Download COVERT Pro and check your computer FREE of charge for spyware and rootkits that were not detected by an antivirus.