Norton Flagged a Malwarebytes Temp File as a worm.


gerik

  • Staff

Hi,

 

There's nothing to worry about here. We have already received similar reports about this. Such .tmp files aren't generated by Malwarebytes, but are most probably created by Norton itself for some reason (as we only see this happening with Norton). These files are non-malicious.

Also see here: http://community.norton.com/en/forums/norton-360-premier-flagged-malwarebytes-tmp-file

Link to post
Share on other sites

That's a relief to hear. 

 

However, I wanted to ask two things before I completely believe I'm out of the woods, so to speak.

 

The first is that, compared to the rest of the false positives I've seen, this one involves two .bat files and a .reg file, as well as Norton claiming it made registry changes. With those differences compared to the rest, should I still not worry about it? (I'll post the registry changes at the bottom.)

 

The second is, to avoid having these false positive scares again, should I add an exclusion to Norton for Malwarebytes?

 

 

 

Filename: 00002858.tmp
Threat name: W32.Spybot.Worm
Full Path: c:\program files (x86)\malwarebytes anti-malware\00002858.tmp
 
____________________________
 
____________________________
 
 
On computers as of 
12/12/2015 at 11:38:31 PM
 
Last Used 
12/12/2015 at 11:40:39 PM
 
Startup Item 
No
 
Launched 
No
 
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
 
 
____________________________
 
 
00002858.tmp Threat name: W32.Spybot.Worm
Locate
 
 
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
 
Very New
This file was released less than 1 week  ago.
 
High
This file risk is high.
 
 
____________________________
 
 
Source: External Media
 
Source File:
00002858.tmp
 
____________________________
 
File Actions
 
File: C:\Users\admin\AppData\Local\Temp\ 1.reg Removed
File: C:\Users\admin\AppData\Local\Temp\ sysremove.bat Removed
File: C:\ a.bat Removed
Infected file: c:\program files (x86)\malwarebytes anti-malware\ 00002858.tmp Removed
____________________________
 
Registry Actions
 
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->Firewall Controls Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->246545 Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->665578 Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->7686743 Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->rrrun Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->Microsoft Visual Application Removed
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\ winsno.exe Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls Removed
Registry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp Removed
Registry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp Removed
Registry change: HKEY_CLASSES_ROOT\CLSID\ {1C047C97-CA7F-BAF1-05A4-AEBA271281ED} Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->ATI Video Driver Controls Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->Microsoft Directxsp Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->ATI Video Driver Controls Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->Microsoft Directxsp Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->1123 Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->112 Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusOverride:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->FirewallOverride:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ RemoteRegistry->Start:2 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Security Center->UpdatesDisableNotify:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control->WaitToKillServiceTimeout:20000 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon->SFCDisable:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusDisableNotify:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->FirewallDisableNotify:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ ->Shell:Explorer.exe Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ ->Start:4 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Ole->EnableDCOM:Y Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Lsa->restrictanonymous:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ NAVENG->Start:3 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ NAVEX15->Start:3 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SymEvent->Start:3 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\->TransportBindName:\Device\ Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ ->Start:2 Repaired
____________________________
 
 
File Thumbprint - SHA:
f73fb9a51960f0d3d0dfbf06a60ce3e3e351708495134067dce9144b5ba41e20
File Thumbprint - MD5:
Not available
Link to post
Share on other sites

  • Staff

It rather looks here like, when Norton finds a certain threat, it already runs an additional "fix" or removal batch, even though these entries aren't really present, because some of the above things it "so-called deleted" are threats that were mainly active a few years ago.

Also see here: http://community.norton.com/forums/spybot-worm-creaning-procedure-requiring-restart-file-never-executed

So what Norton did clean up afterwards wasn't really there - it just seems to be a default action it performs when the name "W32.Spybot.Worm" has been triggered.

 

Yes, I believe it might indeed be better to set an exclusion in Norton for Malwarebytes.

Link to post
Share on other sites
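
As an added example (not part of the original posts, and not Norton or Malwarebytes code), the following parses the "Registry change:" lines of the log quoted above and reports which removed value names are listed under every HKEY_USERS hive, the repetition one would expect from a fixed per-threat cleanup list. The line format is inferred from the quoted log, and `parse_line`, `user_hive` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Subset of lines copied from the Norton log quoted in the thread above.
SAMPLE = r"""
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->Microsoft Visual Application Removed
Registry change: HKEY_CLASSES_ROOT\CLSID\ {1C047C97-CA7F-BAF1-05A4-AEBA271281ED} Removed
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusOverride:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ RemoteRegistry->Start:2 Repaired
""".strip().splitlines()

LINE = re.compile(r"^Registry change:\s*(?P<body>.+?)\s+(?P<action>Removed|Repaired)\s*$")

def parse_line(line):
    """Split one 'Registry change:' line into key, name, data and action."""
    m = LINE.match(line.strip())
    if not m:
        return None  # not a registry action line
    key, _, value = m["body"].partition("->")
    # The log pads path separators with spaces; collapse them in the key.
    key = re.sub(r"\\\s+", r"\\", key.strip()).rstrip("\\")
    value = value.strip()
    # In this log, Repaired lines read name:data; Removed lines are bare names or paths.
    name, _, data = value.partition(":") if m["action"] == "Repaired" else (value, "", "")
    return {"key": key, "name": name, "data": data, "action": m["action"]}

def user_hive(key):
    """Return the SID component of an HKEY_USERS key, or None for other hives."""
    parts = key.split("\\")
    return parts[1] if parts[0] == "HKEY_USERS" and len(parts) > 1 else None

def summarize(lines):
    """Count actions and find removed names repeated in every user hive."""
    entries = [e for e in map(parse_line, lines) if e]
    actions = Counter(e["action"] for e in entries)
    hives_by_name = defaultdict(set)
    for e in entries:
        hive = user_hive(e["key"])
        if hive and e["action"] == "Removed":
            hives_by_name[e["name"]].add(hive)
    all_hives = set().union(*hives_by_name.values())
    # A name reported once per loaded profile (service accounts, .DEFAULT,
    # the user SID) matches a templated cleanup pass over every hive.
    repeated = sorted(n for n, h in hives_by_name.items() if h == all_hives and len(h) > 1)
    return {"actions": dict(actions), "repeated_in_all_user_hives": repeated}
```

The summary describes only what the log reports; it cannot show whether any of the listed entries existed before the cleanup ran.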
