SpySweeper vs Defender: Round 2

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Greetings! In Round 1, per the thread below, SpySweeper found the mucho
tracking cookies which apparently Defender is not designed to find. OK.
However, in a Sweep just now, SpySweeper found "UltraView Plus" on my
system!!! Risk Rating: Critical, UltraView Plus is a system monitoring
program that secretly tracks all the activities of the computer!! Whoa...how
can Defender not find this????? Hello.
 
I have Spysweeper and it has found system monitor ultraview plus on my PC
too. Keep in mind that this is a home desktop that only 2 people have access
to. I have searched all night for info on the keylogger and the info claims
is has to be installed onto the PC before remote monitoring is possible. I
don't see how that could happen with my PC. The scan log starts the same as
the other poster, but mine seems truncated. I am wondering if this is a false
positive, or perhaps I unstalled something that leftover only part of what
was shown in that other scanlog. MY PC is a Dell also, and in light of the
controvery about mywaysearch assistant and Dell, I can't help but consider
Dell might have had something in place on all theirPCs. I uninstalleld
mywaysearch assistant and Dell Cyber Coach several months ago. Here is the
pertinent part of my scanlog:
tarting Registry Sweep
8:14 PM: Found System Monitor: ultraview plus
8:14 PM: HKLM\software\classes\appid\director.exe\ (1 subtraces) (ID =
1191157)
8:14 PM: HKLM\software\classes\appid\director.exe\ || appid (ID = 1191158)
8:14 PM: Registry Sweep Complete, Elapsed Time:00:00:17
This was not detected as a threat by Microsoft Antispyware Bete 1, Ewido
ant-malware, A squared,Spybot, Ad Aware, X Cleaner, or McAfee virusscan.
-- Symantec has a rrecent threat listed as Spyware.Ultraview. I havenot had
time to examine all the registry entires they list, but I do not see mine on
their list.
Microsoft should look into the product because it is advertised as a system
monitor that cannot be detected by ANY anti-syware, anti-virus, or firewall
product. Their ads suggest you can use Ultrview Plus to monitor your
children,etc., but obviously that is not the only use for such a program.
Old Rebel: Too Old to Rebel; Too Young to just take it!
 
All of Symantec Support Viruses & Risks Home & Home Office Small
Business Enterprise Partners VERITAS

Spyware.Ultraview
Last Updated on: March 08, 2006 05:19:56 PM






Type: Spyware





Systems Affected: Windows 2000, Windows 95, Windows 98, Windows
Me,
Windows NT, Windows Server 2003, Windows XP


Risk Impact: High



Definitions (LiveUpdateâ„¢ Plus)
March 07, 2006

Definitions (LiveUpdateâ„¢ Daily)
March 07, 2006

Definitions (LiveUpdateâ„¢ Weekly)
March 07, 2006

Definitions (Intelligent Updater)
March 07, 2006



This risk can be detected only by Symantec products that support
security
risks. For more information on security risks, please go here.


Behavior
Spyware.Ultraview is a spyware program that steals confidential
information from the computer. This information is then sent to a
remote
server.

Symptoms
Your Symantec program detects Spyware.Ultraview.

Transmission
This security risk must be manually installed.




When Spyware.Ultraview is installed it performs the following actions:

Creates the following files:


%System%\config\atuvp\add.reg
%System%\config\atuvp\ccp.dll
%System%\config\atuvp\dprx.dll
%System%\config\atuvp\dtor.exe
%System%\config\atuvp\filesvc.sys
%System%\config\atuvp\mca.dll
%System%\config\atuvp\mcie.dll
%System%\config\atuvp\mck.dll
%System%\config\atuvp\mcmsg.dll
%System%\config\atuvp\mco.dll
%System%\config\atuvp\mcoexp.dll
%System%\config\atuvp\mcsc.dll
%System%\config\atuvp\mcy.dll
%System%\config\atuvp\procdrv.sys
%System%\config\atuvp\regfil.sys
%System%\config\atuvp\Registrar.exe

Note: %System% is a variable that refers to the System folder. By
default this is C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows
XP).


Creates the following legitimate Microsoft files:


%System%\msxml4.dll
%System%\msxml4.inf
%System%\msxml4a.dll
%System%\msxml4r.dll


Creates the following registry subkeys:

HKEY_CLASSES_ROOT\AppID\Registrar.EXE
HKEY_CLASSES_ROOT\AppID\{38352016-D06D-41DF-8B5F-1269A59D0096}
HKEY_CLASSES_ROOT\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}
HKEY_CLASSES_ROOT\CLSID\{27B5E5C3-775A-4870-9BD3-B49694524CFD}
HKEY_CLASSES_ROOT\CLSID\{2FF1ACE6-7599-4079-A70E-7E83B0267624}
HKEY_CLASSES_ROOT\CLSID\{3C311150-55BF-4FBD-AFE0-7091E1D2D32B}
HKEY_CLASSES_ROOT\CLSID\{3C8EFE7C-42B3-44B4-B0A8-1261A49D6426}
HKEY_CLASSES_ROOT\CLSID\{45E922A0-0CD5-4A7B-BD35-44CA52B8390D}
HKEY_CLASSES_ROOT\CLSID\{615EB7A2-E5F7-4500-80B7-9F1E72BEC678}
HKEY_CLASSES_ROOT\CLSID\{67654448-42AD-4097-87AA-BAC1BFDA92B6}
HKEY_CLASSES_ROOT\CLSID\{891CA317-EB89-4025-ABB8-0C1D1472E4E5}
HKEY_CLASSES_ROOT\CLSID\{99947C9C-ACC7-4075-8261-0F586026EF52}
HKEY_CLASSES_ROOT\CLSID\{C0D0F71C-6812-4D95-9C4E-015D45A57803}
HKEY_CLASSES_ROOT\CLSID\{F8A0020A-2C78-47CD-AB7B-CE4181BE2628}
HKEY_CLASSES_ROOT\Interface\{0142B9E1-8F28-474B-AFF1-B41811384D70}
HKEY_CLASSES_ROOT\Interface\{1DAA2A2C-BBB9-4CF4-8D9C-757B61D09FD4}
HKEY_CLASSES_ROOT\Interface\{2430F873-EF85-4ED1-A25A-D3E0D629270A}
HKEY_CLASSES_ROOT\Interface\{309C886A-03B6-4098-B693-40034DFC6622}
HKEY_CLASSES_ROOT\Interface\{3FCDAE39-B685-42B3-AC10-EE04C1781652}
HKEY_CLASSES_ROOT\Interface\{408B762E-A8B3-4BB9-984B-3833FBDA2BCE}
HKEY_CLASSES_ROOT\Interface\{4CDDCA57-3DDE-40C7-A589-018E2DBD9CCA}
HKEY_CLASSES_ROOT\Interface\{571904ED-58B8-4CE6-A213-646B5D9A655A}
HKEY_CLASSES_ROOT\Interface\{595EA054-3660-483C-8A79-0166D4D4702E}
HKEY_CLASSES_ROOT\Interface\{6D9D5ED0-757B-4C9E-BB04-CCF5B036E349}
HKEY_CLASSES_ROOT\Interface\{77585A46-EB87-4517-A0BF-170B678A232E}
HKEY_CLASSES_ROOT\Interface\{82AA44FA-00C1-4A10-BE09-D3B10B9E7F68}
HKEY_CLASSES_ROOT\Interface\{8320962F-305F-4F80-AFBF-427556EB385B}
HKEY_CLASSES_ROOT\Interface\{874FAFF4-CA08-4AD8-A2D1-A6D3322205E7}
HKEY_CLASSES_ROOT\Interface\{8A680A04-51D6-4EBA-A35E-DBBAF0D54525}
HKEY_CLASSES_ROOT\Interface\{9154BB18-A295-45A1-8146-EBA4F0EC1B6D}
HKEY_CLASSES_ROOT\Interface\{98732B25-9BD7-4E90-B8E6-9A709EC60058}
HKEY_CLASSES_ROOT\Interface\{B0F03211-099C-45C5-B638-647E7DC731E7}
HKEY_CLASSES_ROOT\Interface\{BA4CF93B-BEDB-4C19-97AF-C39C1B31A848}
HKEY_CLASSES_ROOT\Interface\{C4655209-406D-49BA-9622-AE0410F50D0E}
HKEY_CLASSES_ROOT\Interface\{CC25F4C6-3227-45FA-8FDB-0E291EDB5742}
HKEY_CLASSES_ROOT\Interface\{D330D322-F5EE-4938-8B5F-3F4650F98BB9}
HKEY_CLASSES_ROOT\Interface\{F2168B0C-2381-42E5-A0C1-3B3D6D5AB60E}
HKEY_CLASSES_ROOT\TypeLib\{024CD98B-C982-46BA-A721-29CB460F33B8}
HKEY_CLASSES_ROOT\TypeLib\{16EB59FA-8710-430F-922D-67A8EFC74C18}
HKEY_CLASSES_ROOT\TypeLib\{3222FE43-306C-4831-B46B-A157B2986DD0}
HKEY_CLASSES_ROOT\TypeLib\{4AEDB174-8B9C-4DE7-8276-C7B60E0F6896}
HKEY_CLASSES_ROOT\TypeLib\{682DC0F3-19A4-450A-97FF-EEEB81554ED5}
HKEY_CLASSES_ROOT\TypeLib\{75BC0CC2-74B3-46A5-BDC5-2D311D479049}
HKEY_CLASSES_ROOT\TypeLib\{77CADC3F-6244-44DD-96E9-C3D84C0686D1}
HKEY_CLASSES_ROOT\TypeLib\{80519B95-F63A-4F69-AAEE-D5BB9ACBA0B2}
HKEY_CLASSES_ROOT\TypeLib\{8C023226-642E-43D0-8D64-BD6E628CB012}
HKEY_CLASSES_ROOT\TypeLib\{D2C2BC73-37AC-4F34-8C1C-8688C3DFAD7A}
HKEY_CLASSES_ROOT\TypeLib\{E9A68ED9-D34F-4F41-91ED-ACC4370DE537}
HKEY_CLASSES_ROOT\AOLMonitorDGC.AOLMonitor
HKEY_CLASSES_ROOT\AOLMonitorDGC.AOLMonitor.1
HKEY_CLASSES_ROOT\CommonCommandProcessor.CommandProcessor
HKEY_CLASSES_ROOT\CommonCommandProcessor.CommandProcessor.1
HKEY_CLASSES_ROOT\DataProxy.MonitorDataProxy
HKEY_CLASSES_ROOT\DataProxy.MonitorDataProxy.1
HKEY_CLASSES_ROOT\DataProxy.PostData
HKEY_CLASSES_ROOT\DataProxy.PostData.1
HKEY_CLASSES_ROOT\IEMonitorDGC.IEMonitor
HKEY_CLASSES_ROOT\IEMonitorDGC.IEMonitor.1
HKEY_CLASSES_ROOT\KeyLoggerDGC.KeyLogger
HKEY_CLASSES_ROOT\KeyLoggerDGC.KeyLogger.1
HKEY_CLASSES_ROOT\MSNMonitorDGC.MSNMonitor
HKEY_CLASSES_ROOT\MSNMonitorDGC.MSNMonitor.1
HKEY_CLASSES_ROOT\OutlookExpressDGC.OEMonitor
HKEY_CLASSES_ROOT\OutlookExpressDGC.OEMonitor.1
HKEY_CLASSES_ROOT\OutlookMonitorDGC.OutlookMonitor
HKEY_CLASSES_ROOT\OutlookMonitorDGC.OutlookMonitor.1
HKEY_CLASSES_ROOT\ScreenCaptureDGC.ScreenCapture
HKEY_CLASSES_ROOT\ScreenCaptureDGC.ScreenCapture.1
HKEY_CLASSES_ROOT\YahooMonitorDGC.YahooMonitor
HKEY_CLASSES_ROOT\YahooMonitorDGC.YahooMonitor.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\AT


Adds the value:

"atuvp" = "%Windir%\system32\config\atuvp\dtor.exe /register"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.


Adds the value:

"Outlook AddIns" =

"4.0;C:\WINDOWS\system32\config\atuvp\mco.dll;5;10000101001000;0011000"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Client



Creates the following legitimate registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}
HKEY_CLASSES_ROOT\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}
HKEY_CLASSES_ROOT\Interface\{2E01311B-C322-4B0A-BD77-B90CFDC8DCE7}
HKEY_CLASSES_ROOT\Interface\{50EA08B0-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B1-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B2-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B3-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B4-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B5-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B6-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B7-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B8-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08B9-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08BA-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08BB-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08BC-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08BD-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{50EA08BE-DD1B-4664-9A50-C2F40F4BD79A}
HKEY_CLASSES_ROOT\Interface\{C90352F4-643C-4FBC-BB23-E996EB2D51FD}
HKEY_CLASSES_ROOT\Interface\{C90352F5-643C-4FBC-BB23-E996EB2D51FD}
HKEY_CLASSES_ROOT\Interface\{FA4BB38C-FAF9-4CCA-9302-D1DD0FE520DB}
HKEY_CLASSES_ROOT\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}
HKEY_CLASSES_ROOT\Msxml2.DOMDocument.4.0
HKEY_CLASSES_ROOT\Msxml2.DSOControl.4.0
HKEY_CLASSES_ROOT\Msxml2.FreeThreadedDOMDocument.4.0
HKEY_CLASSES_ROOT\Msxml2.MXHTMLWriter.4.0
HKEY_CLASSES_ROOT\Msxml2.MXNamespaceManager.4.0
HKEY_CLASSES_ROOT\Msxml2.MXXMLWriter.4.0
HKEY_CLASSES_ROOT\Msxml2.SAXAttributes.4.0
HKEY_CLASSES_ROOT\Msxml2.SAXXMLReader.4.0
HKEY_CLASSES_ROOT\Msxml2.ServerXMLHTTP.4.0
HKEY_CLASSES_ROOT\Msxml2.XMLHTTP.4.0
HKEY_CLASSES_ROOT\Msxml2.XMLSchemaCache.4.0
HKEY_CLASSES_ROOT\Msxml2.XSLTemplate.4.0
HKEY_ALL_USERS\ATL.Registrar
HKEY_ALL_USERS\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}


Runs in stealth mode and is completely invisible to the user.


Logs email messages, chat sessions, Web sites visited, keystrokes,
and
captures screenshots.


Stores the stolen information locally and also sends it to a remote
server. It can be viewed via the Internet.
 
BTW - I uninstalled Dedender a couple of days ago and reinstalled MSAS.
Tonight I was wishing I still had Defender.
 
Oh, Bill, Oh Bill....where are you??? I posted the details you requested
about this program and you disappeared on me!!! ;) Do you deduce anything
from the log?

Thanks, Rick
 
Their ads suggest you can use Ultrview Plus to monitor your
children,etc., but obviously that is not the only use for such a program.
Old Rebel: Too Old to Rebel; Too Young to just take it!
Click to expand...

Hi

Report it to the police, it´s the only way to clean up this
stinking market for keyloggers and monitoring.

We will not see any "self cleaning" about this from software vendors.

Nevertheless if it is a false/positive someone must start to
clean up in this jungle and beacuse it´s is an criminal act to
plant a keylogger.

Todays situation with so called "legitimate keyloggers"/monitoring
programs are soon "out of control".

All scriptkiddies new "toy" and it´s legit ?! ;)

regards
plun
 
I am trying to find out what it is that Spysweeper really hit on. It may be
a legit program that has been misidentified. Perhaps something of Dells. We
shall see. I am posting on the appropriate forums and customer support. Oh
BTW - I just uninstalled MSAS again and reinstalled Defender. Installed like
a charm and updated. I just couldn't take the limitations of MSAS,
especially on my limited user account. I have been continuing the have the
email problem without Defender installed - it comes and goes - but Defender
is obviously not the cause of the problem. It's nice to have Defender back
in my arsenal.
 
Director.exe may be an innocent program. Additionally, all that the log
shows is Registry entries associated with that file, not the actual file
itself.

I'm leaning towards false positive so far.

--
 
Right--essentially the same detection. I suspect this is something standard
from Dell--possibly something used in the build process and removed before
the machine goes out the door--hence the presence in the registry, but no
actual executable on the disk.

--
 
That's a great list--can you find any of those listed .dll files (the ones
unique to Ultraview--not the Microsoft ones), or, especially, the
executables--on your system?

I'd bet not.

--
 
Check the Symantec information that Old Rebel has posteded--look for the
..dll files, and the executables, that are listed as a part of the real
UltraView and see whether you can find them on your system. Use command
switches that look for hidden files--attrib, for example.

I suspect that you won't find them--but it is a great idea to look for the
stuff that Symantec lists as part of the genuine UltraView threat.

--
 
Defender is reinstalled and performing excellently. I will check for the
files that Symantec listed later today. I do not expect to find any of them.
 
Hi

This mess with keyloggers/montoring programs
must be reported to the Police.

Nevertheless if this is false/positives, FBI/FTC must
make it clear for all keylogger/monitoring vendors, security vendors
and users what this is about.

This has also nothing for ASC to sort out !

For example using strong passwords with a keylogger running ;)

It´s impossible that MS has one definition for an unwanted keyloggers,
Symantec, McAfee, TM another.........

So maybe Kaspersky labs is the soulution ;) or other European
protection vendors.

To make politic of it ;)

We are going directly towards a catastroph with kelyloggers/monitoring
programs.

IMHO.

regards
plun
 
Remind me what email problem?

--

Old Rebel said:
I am trying to find out what it is that Spysweeper really hit on. It may
be
a legit program that has been misidentified. Perhaps something of Dells.
We
shall see. I am posting on the appropriate forums and customer support.
Oh
BTW - I just uninstalled MSAS again and reinstalled Defender. Installed
like
a charm and updated. I just couldn't take the limitations of MSAS,
especially on my limited user account. I have been continuing the have the
email problem without Defender installed - it comes and goes - but
Defender
is obviously not the cause of the problem. It's nice to have Defender
back
in my arsenal.
Click to expand...
 
Old Rebel said:
I am trying to find out what it is that Spysweeper really hit on. It may be
a legit program that has been misidentified. Perhaps something of Dells. We
shall see. I am posting on the appropriate forums and customer support. Oh
BTW - I just uninstalled MSAS again and reinstalled Defender. Installed like
a charm and updated. I just couldn't take the limitations of MSAS,
especially on my limited user account. I have been continuing the have the
email problem without Defender installed - it comes and goes - but Defender
is obviously not the cause of the problem. It's nice to have Defender back
in my arsenal.
Click to expand...
All,
After some further research this does appear to be a false positive based on
those registry entries.

-Dan from Webroot
 
Hi Old Rebel

Well, WD has some faults but it is running and protects ;)

Been around in my neighborhood and installed it in several PCs.

About keyloggers..... I get angry directly when I now sees anything
about keyloggers. If I finds anything like a keylogger I will report
it directly to the police and my ISP in future.

If you have time you can also run Kasperskys labs "State of the art
scanner".

http://www.kaspersky.com/virusscanner

And this one is great beacuse within every test you have Kaspersky labs
within 99 to 100 % recognition.

regards
plun
 
I just received word via the Spysweeper forum at CastleCops that this is
indeed al false positive for my registry keys. I see that Dan has already
posted the info in the thread. Nice to have Webroot reply here.
 
Back
Top