Hi folks, let me offer some information which may be helpful, I hope. I suspect that the Yahoo AntiSpy (YAS) detection of Spyware.MateWatcher may be a false positive. YAS is made by Computer Associates and it uses an engine invariably derived from their PestPatrol product which is also "detecting" this key logger according to some posts. PestPatrol is notorious for its many false positives. Here are some facts:
I have 3 computers and I am the only user on all 3. All computers (XP) have YAS installed. The oldest computer does not have MS WORKS, the other two do. I started to run YAS on one of the computers today (one with WORKS) and I was told that an update to YAS was available. I got the update, ran YAS and it detected MateWatcher in the C:\WORKSSETUP folder. I then went to another computer (one with WORKS also) and ran YAS without updating and it detected nothing (YAS last updated 1/20/06, YAS does not update often and the update I downloaded on 1/20/06 was the previous one). I then updated this computer and sure enough it detected MateWatcher in the C:\WORKSSETUP folder also, so the updates I downloaded today are the reason for the detections. I then went to the oldest computer, the one without WORKS, ran YAS without updating and nothing showed up. I then updated YAS in that computer and nothing shows up also. So the “infection” by MateWatcher appears to occur in the WORKSSETUP folder only.
I then went to the following Symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.matewatcher.html
and looked at the symptoms of the key logger. The symptoms reported do not appear in either of my two computers with WORKS now showing up as infected. The files Symantec indicates are installed by the key logger are not there and the registry keys that have to be removed manually:
HKEY_LOCAL_MACHINE\SOFTWARE\Userfriendlyproducts, Inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control Panel Software
are not there either.
Scans with Spybot, Ad-Aware and Computer Associates Antivirus detected nothing. I then went to the Symantec website and performed an online scan, both Virus and Security, and nothing showed up. According to Symantec “This risk can be detected only by Symantec products that support security risks” and I am not sure their online scanner does this. Does anyone know? (I know Norton AV 2005+ does.)
Therefore I am of the opinion that YAS is false positing this key logger with its latest update (this has happened before). I have so far chosen to not remove the “key logger” using YAS as it may do damage. Perhaps one of the Spybot advisors can further elucidate on this, thanks.