
System Monitor Found: 'Ultraview Plus' on several office computers - HELP!

Discussion in 'Tech Talk' started by Deanster, Mar 15, 2006.

  1. Deanster

    Deanster Cheese? CLM Millennium Member

    Messages:
    7,641
    Likes Received:
    2,372
    Joined:
    Feb 24, 1999
    Hi all!

    I run a 10-desktop network of Windows XP Pro SP2 machines at my small business, and today, a SpySweeper sweep found on five machines software called 'Ultraview Plus', which SpySweeper classifies as a 'Critical' threat, as it incorporates a full keylogger, and reports out to the Internet. SpySweeper appears to remove it, but rootkits are very hard to get rid of, so I'm not totally confident it's gone.

    We run McAfee Security Suite and SpySweeper on our machines, and the *nix mail server runs ClamAV to pick off inbound virii, trojans, etc. We've been pretty stable for the last year, with very very few spyware problems since we installed SpySweeper.

    Ultraview Plus appears to be the core of commercial surveillance software called WebWatcher, which is sold by http://www.awarenesstech.com - with claims of being totally invisible, hard to trace, hard to remove, etc.

    Interestingly, McAfee doesn't seem to search for Ultraview, and it's not listed as a threat on their site. Symantec (which we don't use) has it listed, and here's their info: http://securityresponse.symantec.com/avcenter/venc/data/spyware.ultraview.html

    What jumps out at me is the 'manually installed' portion - if that's true, then I have some kind of internal security problem - either an employee, cleaning person or other individual with physical access to my machines has installed this software, or the commercial package has been used by someone to form the core of their internet-based spyware, and it has made it through my firewall, industrial-grade e-mail virus/trojan killer, McAfee, and Spysweeper's install shields without raising an alarm.

    Anyone know anything about this? I think the scariest thing is the near-complete lack of information out there about this software appearing as a threat, how it gets on machines, or how to get it off again... Any info or experience appreciated!
     
  2. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp

  3. mitchshrader

    mitchshrader Deceased

    Messages:
    8,672
    Likes Received:
    5
    Joined:
    Jun 14, 2005
    Location:
    Tulsa
    security.

    i've done SOHO tech support for exactly this issue, and have encountered some 'know it all wanna-be's and they were astoundingly and creatively destructive.

    in the pursuit of trivial ends. not to be malicious, just to see what happened.

    while i have no clue as to your vulnerabilities.. look VERY hard for someone who should know better.

    turning off a firewall 'just for a minute' to download some music, or flirt on some IM chat..

    is not beyond an employee. janitors can do likewise, or salesmen, 'just to fool around on the computer'..

    don't look Only for malice. Stupidity works fine too.
     
  4. HVAC-TEK

    HVAC-TEK

    Messages:
    82
    Likes Received:
    0
    Joined:
    Jan 3, 2005
    I second Ewido. The web-based version works well and will tell you if it was uninstalled or not.

    Also, Trend Micro has a free web-based antivirus called HouseCall. It should find this keylogger as well.

    Just remember that any "backups" you have will most likely contain the spyware, so mark your tapes so that the questioned ones will not be used to restore with (until they are recorded over).

    KIM
     
  5. Deanster

    Deanster Cheese? CLM Millennium Member

    Messages:
    7,641
    Likes Received:
    2,372
    Joined:
    Feb 24, 1999
    Hiya - thanks for the input.

    Turns out that Webroot had a bad definitions update, and lots of folks were getting false positives on this. New definitions, now no problems...

    We're normally very secure, and have very few problems, as we keep our systems tight and clean, so having a full-on System Monitor show up just about had me on the ceiling.

    Now annoyed at Webroot, but mostly thrilled to find out there wasn't a real problem.