New Spyware found

  • Thread starter: Guest

I have all the leading spyware detectors on the market and none of them have
yet found this:

umpoc25.exe resides in Program Files\Higworks directory

This has taken ages to find and I have zipped a copy of the whole directory
before deleting it. Who should I contact to make sure this advanced piece of
**** is killed off once and for all?

Regards
James, Leeds, UK
 
Hello James,

Is this software not placed by yourself?
I googled and found nothing; I also did a check in the virus/spyware database
of Trend and nothing came up, so can you tell me what the spyware does or
send me the zip file?

Regards >*< TOM >*<

James, Leeds, UK wrote:
 
Hi Tom

I can assure you I did not write this software! It has been driving me mad
for weeks popping up ads that are DEFINITELY targeted at me, even offering me
dates in the town I live!!!

I've sent you a zip file with the directory in but after help in tracking
this down by Ron Kinner he assures me that it is :-

"This is the wingenerics.dll rootkit. We have a canned fix for it:

"Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe"

Unfortunately, Adwatch, Spybot and MS AntiSpyware Beta all fail to find it :-(

The offending directory, once found, contained all the html I have
downloaded in the past 6 weeks, every url I have visited and its own DNS
cache.

Not only invisible to the 3 leading spyware agents, it hides its active
process and associated files. Only because the spyware broke and Windows told
me the file name that caused the error was it finally tracked down in safe
mode with command prompt.

This is very clever and very annoying - shame none of the anti spyware
programs can find it!!!

Thanks for your interest
James
 
If you zip it, and password protect it with the password "infected" I can
make sure that it gets passed to folks at Microsoft who are at least as
interested as you are in making sure such things are stamped out.
 
Looks like you are in good hands, and that the executable is one that should
be known to Microsoft. Rootkits are not easy to detect. You might want to
look at Sysinternals RootkitRevealer, and F-Secure's BlackLight beta
product.

From Microsoft's perspective, the Malicious Software Removal tool, which is
part of the monthly security patch release--scheduled for January 10th of
this month--is their tool which explicitly targets a number of families of
rootkits. Microsoft Antispyware has also historically removed some adware
which uses rootkit-like technology--but clearly it isn't doing the job for
your bug yet.

--
 
Hello James,

Thanks for the direct mail too. I meant that it was maybe installed by
a program that you forgot to clean out, and not written by you! Nice that you
already managed to get rid of it! I saw only in the cache folder all kinds
of things from "Play Now At betdirectpoker.com" and "Morris Furniture
Group Maiden Hurdle" and much more of that stuff! Also the servers
where the stuff is coming from! So pass it on to Bill Sanderson; maybe
the next time MSAS will find it!

Regards >*< TOM >*<

James, Leeds, UK wrote:
 