Ultraview plus found by SpySweeper

Discussion in 'other anti-malware software' started by cmwilson, Mar 15, 2006.

Thread Status:
Not open for further replies.
  1. cmwilson

    cmwilson Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    15
    Two days ago Webroot's SpySweeper found the keylogger Ultraview plus on my computer and successfully (I hope) removed it. I also run McAfee Internet Security, which didn't find it, not at time of infection and not on virus scans. Symantec's website includes definitions for Ultraview (but not ultraview plus, though it could be the same thing) in their anti-virus software. According to Symantec, the program must be manually installed. I have installed nothing during the time when I would have been infected (between SpySweeper scans) though infection may have occurred before SpySweeper was able to detect it.

    Does anyone have any information on this keylogger? How was my system infected? What damage could it have done while the infection was active? Is there a way to detect these things before they infect my computer?

    I am running Windows XP with all updates current, McAfee Internet Security 8 with current definitions, and SpySweeper, latest version, latest definitions.
     
  2. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Webroot have admitted this is a FP (False Positive). See this thread on MS's Windows Defender newsgroup:

    nntp://privatenews.microsoft.com/microsoft.private.security.spyware.announcements/12943

    Check SpySweeper's log to verify SS has 'identified' Ultraview from registry entries alone (i.e., it did not find any matching files). If that is the case, restore the deleted entries from SS's quarantine (assuming you quarantined, rather than deleted the 'threat').

    It might be a good idea to check with Webroot directly if you are in doubt.
     
  3. cmwilson

    cmwilson Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    15
    Unfortunately I was not successful in registering with the newsgroup you link to above. The web-based newsgroup I was able to access included the thread, SpySweeper vs Defender: Round 2. This thread discusses the possibility that Ultraview plus is a false positive but comes to no conclusion. I'll keep checking it for further info.
    I can find nothing about it on the Webroot website. The least they could do is let people know they may be chasing a wild goose.
    I did have SpySweeper delete the threat, so the next time something goes wonky, I'll know why. The sweep found only two registry entries and no files. Here's the pertinent info from the log:

    9:45 PM: Starting Registry Sweep
    9:45 PM: Found System Monitor: ultraview plus
    9:45 PM: HKLM\software\classes\appid\director.exe\ (1 subtraces) (ID = 1191157)
    9:45 PM: HKLM\software\classes\appid\director.exe\ || appid (ID = 1191158)
    9:45 PM: Registry Sweep Complete, Elapsed Time:00:00:18

    I have put in a trouble ticket with Webroot, so hopefully I'll get a definitive answer on this.

    Thanks so much for the swift reply.
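A small log triage helper, added here as an example (it is not part of this thread and not SpySweeper's own code): it groups a sweep log's trace lines under each "Found" item and reports whether a detection rests on registry entries alone, which is the check spm suggested above. The Registry Sweep lines in the sample are the ones quoted in this post; the File Sweep section is constructed in an assumed format purely for contrast.

```python
import re

# Constructed sample log: the Registry Sweep lines are those quoted in the post above;
# the File Sweep section is an assumed format added for contrast, not real SpySweeper output.
SAMPLE_LOG = r"""
9:45 PM: Starting Registry Sweep
9:45 PM: Found System Monitor: ultraview plus
9:45 PM: HKLM\software\classes\appid\director.exe\ (1 subtraces) (ID = 1191157)
9:45 PM: HKLM\software\classes\appid\director.exe\ || appid (ID = 1191158)
9:45 PM: Registry Sweep Complete, Elapsed Time:00:00:18
9:46 PM: Starting File Sweep
9:46 PM: Found Adware: example adware
9:46 PM: c:\program files\example\tracker.dll (ID = 999001)
9:46 PM: File Sweep Complete, Elapsed Time:00:00:42
"""

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<body>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
ID_RE = re.compile(r"\s*\(ID = \d+\)\s*$")
REG_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")

def parse_sweep_log(text):
    """Group trace lines under the preceding 'Found <category>: <name>' line,
    split into registry traces and everything else (file paths etc.)."""
    items = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("Starting ") or "Sweep Complete" in body:
            current = None  # sweep phase boundary: no detection is open
            continue
        found = FOUND_RE.match(body)
        if found:
            current = found.group("name").strip().lower()
            items.setdefault(current, {"category": found.group("category"),
                                       "registry": [], "files": []})
        elif current is not None:
            trace = ID_RE.sub("", body)  # drop the trailing '(ID = n)' tag
            bucket = "registry" if trace.upper().startswith(REG_HIVES) else "files"
            items[current][bucket].append(trace)
    return items

def registry_only(items, name):
    """True when the detection rests on registry entries alone (no file traces)."""
    entry = items[name.lower()]
    return bool(entry["registry"]) and not entry["files"]
```

A registry-only result is not proof of a false positive, only the signal that the detection deserves a second look before anything is deleted rather than quarantined.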
     
  4. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Yes, that is the correct thread. It does have this statement from Dan of Webroot:

    "After some further research this does appear to be a false positive based on
    those registry entries."

    ... and your entries are the same as those referred to in the thread. It is reasonably safe therefore, I think, for you to be confident the report was indeed a FP.

    Do you happen to have Macromedia Director installed? If so, this is probably the prog that SS is FP'ing on.

    You're welcome.
     
  5. cmwilson

    cmwilson Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    15
    No, I don't have Director, though I have the flash plug-ins for my browsers (IE & Firefox). I did find a director.exe file associated with MUSICMATCH Jukebox, which came with my Dell computer and which I never use, so maybe no harm done. :rolleyes:
     
  6. cmwilson

    cmwilson Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    15
    Hmmm. The public web forum I was able to access doesn't have this post. Maybe it hasn't been updated yet.
    3/16 Ooops, never mind. Found it.
     
    Last edited: Mar 16, 2006
  7. cmwilson

    cmwilson Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    15
    I just heard back from Webroot about my trouble ticket. It is indeed a false positive.
     