PDA

View Full Version : MateWatcher



Wilson72
2006-03-12, 18:15
Yahoo AntiSpy picked up MateWatcher on my computer last night. Spybot missed it on a scan immediately prior. Perhaps it is a new signature? BTW- YAS takes over 10 minutes to remove it. I stopped the scan too early on a couple of occasions.

My suspicions arose when sending email through Outlook. When sending one message Outlook would notify me of sending 2 or more. I suspect this was MateWatcher sending out info.

I was also up to date with SpywareBlaster, Lavasoft Adaware Personal SE and Windows Defender. None caught it.:scratch:

md usa spybot fan
2006-03-12, 18:30
There is addition information on MateWatcher in the following thread:
Matewatcher
http://forums.spybot.info/showthread.php?t=2280

MateWatcher is a commercial keylogger and generally Spybot does not target commercial keyloggers. Perhaps they will reconsider since MateWatcher appears to be stealthfully installed via an email attachment.

el cpu
2006-03-13, 02:55
Hi folks, let me offer some information which may be helpful, I hope. I suspect that the Yahoo AntiSpy (YAS) detection of Spyware.MateWatcher may be a false positive. YAS is made by Computer Associates and it uses an engine invariably derived from their PestPatrol product which is also "detecting" this key logger according to some posts. PestPatrol is notorious for its many false positives. Here are some facts:

I have 3 computers and I am the only user on all 3. All computers (XP) have YAS installed. The oldest computer does not have MS WORKS, the other two do. I started to run YAS on one of the computers today (one with WORKS) and I was told that an update to YAS was available. I got the update, ran YAS and it detected MateWatcher in the C:\WORKSSETUP folder. I then went to another computer (one with WORKS also) and ran YAS without updating and it detected nothing (YAS last updated 1/20/06, YAS does not update often and the update I downloaded on 1/20/06 was the previous one). I then updated this computer and sure enough it detected MateWatcher in the C:\WORKSSETUP folder also, so the updates I downloaded today are the reason for the detections. I then went to the oldest computer, the one without WORKS, ran YAS without updating and nothing showed up. I then updated YAS in that computer and nothing shows up also. So the “infection” by MateWatcher appears to occur in the WORKSSETUP folder only.

I then went to the following Symantec site:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.matewatcher.html

and looked at the symptoms of the key logger. The symptoms reported do not appear in either of my two computers with WORKS now showing up as infected. The files Symantec indicates are installed by the key logger are not there and the registry keys that have to be removed manually:

HKEY_LOCAL_MACHINE\SOFTWARE\Userfriendlyproducts, Inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control Panel Software

are not there also.

Scans with Spybot, Ad-Aware and Computer Associates Antivirus detected nothing. I then went to the Symantec web and performed an online scan, both Virus and Security and nothing showed up. According to Symantec “This risk can be detected only by Symantec products that support security risks” and I am not sure their online scanner does this, does anyone know? (I know Norton AV 2005+ does).

Therefore I am of the opinion that YAS is false positing this key logger with its latest update (this has happened before). I have so far chosen to not remove the “key logger” using YAS as it may do damage. Perhaps one of the Spybot advisors can further elucidate on this, thanks.
:scratch:

jhootrn
2006-07-06, 10:34
Newbie here
I know this is old but I have a simple quick qestion:
If my system has this matewatcher program on it: is it possible that someone in my household DID NOT install it.
From what I am reading it could have been installed thru a email attachment.
Is this correct?

tashi
2006-07-06, 18:40
Hello
From the link md usa spybot fan provided above:
http://forums.spybot.info/showthread.php?t=2280

No physical access is required. This product's Control Panel software allows you to create small Remote Install monitoring files that you can email and send to the person you want to monitor. The person receives your email and downloads your Remote Install file and then double clicks it. The install file then invisibly in stealth installs itself on that computer, restart it, and begins monitoring that user's activity. You can then use the Control Panel software to remotely view all their activity. Remember you can only use this product to monitor computers you personally own or have been given explicit permission to monitor. ;)