gerik Posted December 13, 2015 ID:1006703 Share Posted December 13, 2015 I scanned my computer and Norton flagged a temp file from Malwarebytes as a worm. I have previously received false positives from Norton about malwarebytes Files being malware and wanted to show what it found to see if it's something to be worried about. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 13, 2015 Staff ID:1006706 Share Posted December 13, 2015 Hi, There's nothing to worry about here. We have received similar reports already with this. Such .tmp files aren't generated by Malwarebytes, but are most probably created by Norton itself for some reason (as we only see this with Norton happening). These files are non malicious.Also see here: http://community.norton.com/en/forums/norton-360-premier-flagged-malwarebytes-tmp-file Link to post Share on other sites More sharing options...
gerik Posted December 13, 2015 Author ID:1006708 Share Posted December 13, 2015 That's a relief to hear. However, I wanted to ask two things before I completely believe I'm out of the woods yet so to speak. The first is compared to the rest of the false positives I've seen this one involves two .bat files and a .reg file, as well as Norton claiming it made registry changes. With those differences compared to the rest, should I still not worry about it? (I'll post the registry changes at the bottom.) The second is, to avoid having these false positive scares again, should I add an exclusion to Norton for Malwarebytes? Filename: 00002858.tmpThreat name: W32.Spybot.WormFull Path: c:\program files (x86)\malwarebytes anti-malware\00002858.tmp ____________________________ ____________________________ On computers as of 12/12/2015 at 11:38:31 PM Last Used 12/12/2015 at 11:40:39 PM Startup Item No Launched No Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium. ____________________________ 00002858.tmp Threat name: W32.Spybot.WormLocate Very Few UsersFewer than 5 users in the Norton Community have used this file. Very NewThis file was released less than 1 week ago. HighThis file risk is high. ____________________________ Source: External Media Source File:00002858.tmp ____________________________ File Actions File: C:\Users\admin\AppData\Local\Temp\ 1.reg RemovedFile: C:\Users\admin\AppData\Local\Temp\ sysremove.bat RemovedFile: C:\ a.bat RemovedInfected file: c:\program files (x86)\malwarebytes anti-malware\ 00002858.tmp Removed____________________________ Registry Actions Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls RemovedRegistry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls RemovedRegistry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls RemovedRegistry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Firewall Controls RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->Firewall Controls RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->246545 RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->665578 RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->7686743 RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->rrrun RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->Microsoft Visual Application RemovedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\->C:\WINDOWS\system32\dllcache\ winsno.exe RemovedRegistry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp RemovedRegistry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp RemovedRegistry change: HKEY_USERS\S-1-5-21-3852119406-2483574012-2228641042-1001\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp RemovedRegistry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices\ ->Microsoft Directxsp RemovedRegistry change: HKEY_CLASSES_ROOT\CLSID\ {1C047C97-CA7F-BAF1-05A4-AEBA271281ED} RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ ->Microsoft Directxsp RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->ATI Video Driver Controls RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ->Microsoft Directxsp RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->1123 RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\ ->112 RemovedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusOverride:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->FirewallOverride:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ RemoteRegistry->Start:2 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Security Center->UpdatesDisableNotify:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control->WaitToKillServiceTimeout:20000 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Winlogon->SFCDisable:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusDisableNotify:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->FirewallDisableNotify:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ ->Shell:Explorer.exe RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ ->Start:4 RepairedRegistry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Ole->EnableDCOM:Y RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Lsa->restrictanonymous:0 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ NAVENG->Start:3 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ NAVEX15->Start:3 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SymEvent->Start:3 RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\->TransportBindName:\Device\ RepairedRegistry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ ->Start:2 Repaired____________________________ File Thumbprint - SHA:f73fb9a51960f0d3d0dfbf06a60ce3e3e351708495134067dce9144b5ba41e20File Thumbprint - MD5:Not available Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 13, 2015 Staff ID:1006710 Share Posted December 13, 2015 It rather looks here like, when Norton finds a certain threat, it already runs an additional "fix" or removal batch, even though these entries aren't really present.because some of above things it "so called deleted" are threats that were mainly active a few years ago.Also see here: http://community.norton.com/forums/spybot-worm-creaning-procedure-requiring-restart-file-never-executedSo what Norton did clean up afterwards wasn't really there - it just seems to be a default action it performs when the name "W32.Spybot.Worm" has been triggered. Yes, I believe it might indeed be better to set an exclusion in Norton for Malwarebytes. Link to post Share on other sites More sharing options...
gerik Posted December 13, 2015 Author ID:1006714 Share Posted December 13, 2015 When making the exclusion is it better to do it as instructed in this topichttps://forums.malwarebytes.org/index.php?/topic/175993-do-i-really-need-all-these-programs-at-the-same-time/ Or to just add an exclusion for the whole malwarebytes folder in the program files? Thanks. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 13, 2015 Staff ID:1006716 Share Posted December 13, 2015 In your case, it might indeed be better to add an exclusion for the folder itself Link to post Share on other sites More sharing options...
gerik Posted December 13, 2015 Author ID:1006717 Share Posted December 13, 2015 I have added an exclusion for Malwarebytes, and hopefully this will prevent anymore false positive scares from appearing. Thank you for helping me with this. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted December 13, 2015 Staff ID:1006718 Share Posted December 13, 2015 You're most welcome Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now