
Spyware.matewatcher


12 replies to this topic

#1 tos226
Posted 11 February 2006 - 05:48 PM

I ran a-square today in normal mode. It found one malware object. It removed it, but I still would like advice as to what, if anything to do next. Some statistics:
Object: c:\workssetup
Diagnosis: Trace.Directory.SpyWare.MateWatcher
File properties of the infected.txt file which a2 put in their directory
Size: 44 bytes (44 bytes)
Size on disk: 4.00 KB (4,096 bytes)

I asked PestPatrol (not the CA version) to take a look on the file a2 saved, but I doubt it's the same thing since I told a2 beforehand to remove the malware.
Anyway, PP report:
File: C:\Program Files\a2 Free\infected.txt
Size: 420,864 bytes
Pest: Not a known pest
MD5: 8b779a5ee996421183ef5cffd4ac1d85
Running/Active?: No.
Creation Date: 2/11/2006
Last Write: 2/11/2006
Text: O,J M,I O,I
File Type: .txt file.
Compression: No compression or unknown compression method.
Language: Unknown Language.

CA info indicates this matewatcher thing surfaced 1/29/2006
http://www3.ca.com/securityadvisor/pest/pe...px?id=453097323

I have NEVER used Works. The only activity that happens there, I suppose, are Microsoft updates and patches.


How did I get it? What to check next?
I use ZoneAlarm & Pest Patrol(corporate) at all times.
Lavasoft Ad-Aware, Spybot S&D, a-square on demand. Only a-square saw this pest today.

#2 tg1911
Posted 11 February 2006 - 11:38 PM

MateWatcher Pro - Program designed to monitor user activity. May be used with or without consent. Because it is sold commercially, most anti-virus vendors do not detect it.
http://www.spywareguide.com/product_show.php?id=395

No physical access is required. This product's Control Panel software allows you to create small Remote Install monitoring files that you can email and send to the person you want to monitor. The person receives your email and downloads your Remote Install file and then double clicks it. The install file then invisibly in stealth installs itself on that computer, restart it, and begins monitoring that user's activity. You can then use the Control Panel software to remotely view all their activity. Remember you can only use this product to monitor computers you personally own or have been given explicit permission to monitor.

http://forums.spybot.info/showthread.php?t=2280

If it found it, and got rid of it, I wouldn't worry unless it returns.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#3 tos226
Posted 12 February 2006 - 01:55 PM

Thanks so much.
Now, the quote, as well as the info in the links, great links, I might add, imply that I read some mail and that I clicked on a link or ran an attachment. Well, I didn't. And my husband lost his password anyway so is not allowed in (I run a tight ship here!), so I've been the only user, not that I suspect him to install matewatcher.
Can you offer a guess HOW it even got into my computer in the first place?

It's also not clear to me whether getting at the information from logs and things using this matewatcher thing requires the snooping user to be physically at my computer or do they get the info remotely? Would Microsoft install something like that?

Someone's signature here says "if you're not paranoid ..." so I'm just following suit :thumbsup:

Edited by tos226, 12 February 2006 - 01:56 PM.


#4 Leurgy
Posted 12 February 2006 - 06:15 PM

> You can then use the Control Panel software to remotely view all their activity


You may have the computer that is doing the snooping. In other words that computer may have the monitoring software to watch another computer.

If you want to investigate further do a search for these files:

svchost.exe
start.exe
free_eval_matewatcher_6.exe
controlpanel_mw9.exe

You will need to show hidden files.

How to see hidden files in Windows

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#5 tos226

Posted 12 February 2006 - 10:20 PM

Leurgy, so you're telling me that someone on another computer is remotely snooping my computer? And I'm allowing it???
By "control panel software" do you mean THE ControlPanel in Windows where we do Admin tasks, etc or some other?

Now, before I saw your note, I decided to run A-square again, this time in safe mode.
While I was at it, before removal, I ran S&D and Ad-Aware - both clean, in spite of the fact that S&D people know about this pest, judging from the link tg1911 provided.
I also ran HJT just to make me a log, but I'm not well versed in it to tell if anything is bad there.

Anyway, this spyware thing is still there. Perhaps wasn't really removed in the first place.

This is a wild goose chase. I need help.
I looked at the CA advisory and basically see nothing, even in safe mode:
Their list matches the items you mentioned. With hidden files showing I ran a few searches:
- Nothing in registry related to userfriendlyproducts inc.
- No c:\workssetup\controlpanel\ directory
- No systemroot+\control panel software uninstaller.exe
(if systemroot means c:\)
- No control panel software uninstaller.exe
- No controlpanel_mw9.exe
- No remote-install-help.chm

- start.exe is in something called Quicken, I don't use it.
- csrss.exe and svchost.exe exist, belong to $uninstall and other Microsoft files are in windows\system32 and service pack files, and svchost is in two PCHealth dumps also under \windows.
Hey isn't svchost a normal service in windowsXP?

BTW this is XP-SP2, IE6 both up to date on patches, Office2003-SP2 (recently updated to SP2). ZoneAlarm Suite, and the others I mentioned above.

Edit: I just noticed a post, and HJT contains refs to ZA. So there are now 2 ZA people with some sort of spyware.
http://www.bleepingcomputer.com/forums/t/44013/how-do-i/
I sure hope this isn't ZA problem.

Edited by tos226, 12 February 2006 - 10:28 PM.


#6 Leurgy
Posted 13 February 2006 - 12:23 PM

This program needs two computers to run. One that monitors and one that is watched. I asked for you to search for those files to see if which function was being performed by your computer. It would seem that someone was trying to monitor you since you don't have the files to run the program.

Since this problem was found in the Works folder, and you use Office instead of Works, you could simply uninstall Works through Add/Remove Programs. Check to make sure that folder is deleted afterwards if you do that.

> By "control panel software" do you mean THE ControlPanel in Windows where we do Admin tasks, etc or some other?


That quote refers to the monitoring program.

Perhaps it's best if you post your log for our team to review.



#7 tos226

Posted 13 February 2006 - 10:46 PM

Leurgy, Thanks again.
There isn't much of a log, just this:

a-squared Report (I have 3 identical now, it just won't go away)
Scan started: 2/11/2006 11:10:59 AM
Scan finished: 2/11/2006 11:40:59 AM
Scan duration: 0h 29min 59sec
Scanned files: 140730
Infected files: 1
Object Diagnosis
c:\workssetup Trace.Directory.SpyWare.MateWatcher


But in case you're talking about HJT, I'm sending HJT log to the HJT section.
http://www.bleepingcomputer.com/forums/ind...showtopic=44116
Does HJT detect everything?

I wonder if "Trace" here might refer to something that got partially removed ????? by resident PestPatrol, perhaps, or ZA antivirus . Would that make sense? I don't think Spybot removed it, because it just hasn't been reporting anything bad, it always says congratulations ... yet it is in their definitions.

Edited by tos226, 13 February 2006 - 10:59 PM.


#8 Leurgy
Posted 14 February 2006 - 07:59 AM

Different programs find different things. The fact that Spybot has it listed doesn't mean it will find this trace that a2 did. Did you look to see if there is a SpyWare.MateWatcher Directory in C:\workssetup?

To find out go to Start>Run and paste in the following:

C:\workssetup\SpyWare

If it's there, the directory will open.

HJT doesn't find everything but there are other ways to dig this malware out. The comments posted with your log will point them in the right direction.

Beyond that, it's best not to make any changes until our HJT people look at your log. Let's wait and see what they say about all this. Since I'm not part of the team it's BC policy that I don't comment on that, but I'll follow your progress.

Edited by Leurgy, 14 February 2006 - 08:04 AM.

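The two checks Leurgy describes in posts #4 and #8 (search the drive for the named files with hidden files showing, then look for the directory the trace points at) can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this thread, not something Leurgy, CA or a-squared supply; the file names and paths are the ones quoted in the thread, the treatment of svchost.exe as legitimate only under %SystemRoot% is an assumption I am making explicit, and the hash output is there so a hit can be compared against a vendor report rather than judged by name alone.

```powershell
# Added example (not from the thread): sweep a drive for the MateWatcher
# artifact names quoted in the thread, including hidden/system files, and
# report where each hit lives together with its MD5 and signature status.
# Assumptions: names/paths come from the thread; svchost.exe is treated as
# expected only under %SystemRoot% (System32, $uninstall$ and PCHealth copies).

$ArtifactNames = @(
    'start.exe',
    'free_eval_matewatcher_6.exe',
    'controlpanel_mw9.exe',
    'control panel software uninstaller.exe',
    'remote-install-help.chm',
    'svchost.exe'   # legitimate under %SystemRoot%; suspicious anywhere else
)

# Locations the thread and the CA advisory associate with the product.
$ArtifactPaths = @(
    'C:\workssetup\controlpanel',
    'C:\workssetup\SpyWare',
    (Join-Path $env:SystemRoot 'control panel software uninstaller.exe')
)

function Find-MateWatcherArtifacts {
    param([string]$Root = 'C:\')

    # -Force is the scripted equivalent of "show hidden files" in Explorer.
    $hits = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $ArtifactNames -contains $_.Name.ToLowerInvariant() }

    foreach ($f in $hits) {
        # A name match alone proves nothing (the thread's start.exe was Quicken's),
        # so record enough to compare against a vendor report.
        $insideSystemRoot = $f.FullName -like "$env:SystemRoot\*"
        $suspicious = -not ($f.Name -ieq 'svchost.exe' -and $insideSystemRoot)

        $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Path          = $f.FullName
            SizeBytes     = $f.Length
            LastWrite     = $f.LastWriteTime
            Hidden        = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            MD5           = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
            SignatureOk   = ($sig -and $sig.Status -eq 'Valid')
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious    = $suspicious
        }
    }
}

function Test-MateWatcherPaths {
    # Mirrors the Start > Run check from post #8 for every listed location.
    foreach ($p in $ArtifactPaths) {
        [pscustomobject]@{
            Path   = $p
            Exists = Test-Path -LiteralPath $p
        }
    }
}

# Usage: print the directory checks first, then only the hits worth a second look.
Test-MateWatcherPaths | Format-Table -AutoSize
Find-MateWatcherArtifacts -Root 'C:\' |
    Where-Object Suspicious |
    Format-Table Path, SizeBytes, LastWrite, Hidden, SignatureOk, Signer, MD5 -AutoSize
```

Run it before removing anything, as Leurgy advises, so the output still reflects the state the HJT reviewers are looking at; a hit that is unsigned, hidden, or sitting outside a vendor's own directory is the one to carry into the log thread, while a signed copy in its expected location is noise.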


#9 tos226

Posted 14 February 2006 - 09:10 AM

> Did you look to see if there is a SpyWare.MateWatcher Directory in C:\workssetup?
> ...
> Since I'm not part of the team its BC policy that I don't comment on that, but I'll follow your progress.

Leurgy, of course I looked. It's just that there is NO C:\workssetup directory in the first place. Nor any of these other things CA lists.
Thanks for the offer to follow what HJT experts say. I don't intend to make ANY changes, but unfortunately remote things happen - ZA updates and Microsoft's, I don't know to what extent they change anything substantial.

#10 Leurgy
Posted 14 February 2006 - 09:28 AM

Updates are not a problem, but if you were to, say, remove a virus, then your log will have changed and the Team member may waste some time looking for a fix that is no longer needed.



#11 tos226

Posted 15 February 2006 - 12:11 AM

> It's just that there is NO C:\workssetup directory in the first place.

Whoa!! I'm sorry, Leurgy - there is a c:\workssetup directory. I'm losing it :thumbsup: :flowers: :trumpet:
It contains ...\MSWORKS and \OFFICE. But nothing from the list you gave me or from the CA list is there.
I'm a bit puzzled by \OFFICE, since Office11 is under Microsoft. It might be the stripped down Office that comes with the computer. All files are from 2002 and 2003.

#12 Leurgy
Posted 15 February 2006 - 11:00 AM

Works is a stripped down version of Office, as you say. I wouldn't worry about what is in there. If you do have Office, and don't use Works, you can uninstall it, but you don't need to.



#13 tos226

Posted 17 February 2006 - 10:54 PM

Leurgy, I just suggested to Grinler over in the HJT section not to waste time on this anymore. With a bit of cleanup (against your instructions), in safe mode and some other, I got rid of this c:\workssetup thing and it looks like things are clean. Thanks for telling me it's OK to dump Works. I'm always worried that if I trash something it will take the house down.

Keep up the great work here. It's great to know that help is just around the corner :thumbsup:



