homeslice Posted November 30, 2021 ID:1490437

Hi,

My Windows 10 laptop has the following detected and submitted for sampling. WindowsPlayer.exe (Heur.AdvML.C) is flagged as detected. Norton says Heur.AdvML.C is being sampled....

Internet searches are unclear - is this a USB worm, or maybe a false positive? Malwarebytes does not detect it, as I assume it has been quarantined. Just really looking for some info on it.

Best, HS

homeslice Posted November 30, 2021 Author ID:1490438

FYI, looks like the most detailed latest info on this:
https://community.norton.com/en/forums/getting-“heuradvmlc”-security-risk-indication-when-running-installation-program

kevinf80 Posted November 30, 2021 ID:1490440

Hello homeslice and welcome to Malwarebytes,

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.
Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

If English is not your primary language, right click on FRST/FRST64 and rename it to FRSTEnglish/FRST64English.
Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The tool will also make a log named (Addition.txt). Please also attach that log to your reply.

If necessary:

Disable SmartScreen ONLY if it interferes with software we may have to use: https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8
Please remember to enable it when we are finished....

Next,

Disable any anti-virus software you have installed ONLY if it stops software we may use from working: https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Please remember to enable AV software when we are finished running scans....

Thank you,
Kevin

homeslice Posted November 30, 2021 Author ID:1490446

thanks, will do asap, just on a work call.

homeslice Posted November 30, 2021 Author ID:1490450

Thanks, attached.....

FRST.txt
Addition.txt

kevinf80 Posted November 30, 2021 ID:1490567

Where exactly was WindowsPlayer.exe installed? I cannot find it on my system. The only entries I have are Windows Media Player:

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmplayer.exe

Run FRST one more time:

Type the following in the edit box after "Search:".

WindowsPlayer.exe

Click the Search Files button and post the log (Search.txt) it makes to your reply...

homeslice Posted November 30, 2021 Author ID:1490575

Thanks, I'm not aware of installing any WindowsPlayer. You're right, it does sound like Windows Media Player. Odd.

Re-scanned with the search. Here is a screenshot of the Norton quarantine as well:

FRST.txt
Addition.txt

kevinf80 Posted November 30, 2021 ID:1490589

Can you zip up the quarantine folder and attach it to a reply...

I did not want a fresh scan by FRST, I wanted a search..

Run FRST one more time:

Type the following in the edit box after "Search:".

WindowsPlayer.exe

Click the Search Files button and post the log (Search.txt) it makes to your reply...

Edited November 30, 2021 by kevinf80

homeslice Posted December 1, 2021 Author ID:1490679

Sorry, I didn't read that properly, long day!

Search is attached, and it seems to be a playback for Unity game engine builds; looks like Norton has taken a sudden dislike to it.

I've not yet found where Norton helpfully hides their quarantine folder, but will find that soon I think.

Thanks!

Search.txt

kevinf80 Posted December 1, 2021 ID:1490692

Hiya homeslice,

Thanks for the information update and search log, continue:

Upload a File to Virustotal

Go to http://www.virustotal.com/
Click the Choose file button
Navigate to the file C:\Program Files\Unity\Hub\Editor\2021.1.19f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Variations\win64_nondevelopment_mono\WindowsPlayer.exe
Click the Scan it tab
If you get a message saying File has already been analyzed: click Reanalyze file now
Copy and paste the URL address back here please.

Thank you,
Kevin.

homeslice Posted December 1, 2021 Author ID:1490758

https://www.virustotal.com/gui/file/2a1905eda431386d9c30cdd6b6b2b2b8165b5227e7f4259c05df07c1f594cecd?nocache=1

Thanks, seems like only one flags it....

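Added example, not part of any post in this thread: a PowerShell check that the file on disk is the same one the VirusTotal report covers, plus its Authenticode signature status, which is useful when triaging a single-engine heuristic detection. The function name `Test-FileAgainstVtReport` is hypothetical; the path and URL are the ones quoted in the posts above.

```powershell
# Added example; not from the thread. Path and URL are copied from the posts above.
$Path  = 'C:\Program Files\Unity\Hub\Editor\2021.1.19f1\Editor\Data\PlaybackEngines\windowsstandalonesupport\Variations\win64_nondevelopment_mono\WindowsPlayer.exe'
$VtUrl = 'https://www.virustotal.com/gui/file/2a1905eda431386d9c30cdd6b6b2b2b8165b5227e7f4259c05df07c1f594cecd?nocache=1'

# Hypothetical helper name (not a built-in cmdlet).
function Test-FileAgainstVtReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$VtUrl
    )

    # A quarantined file is no longer at its original path; fail clearly.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found (possibly quarantined): $Path"
    }

    # VirusTotal GUI file URLs carry the SHA-256 as 64 hex characters after /file/.
    if ($VtUrl -notmatch '/file/([0-9a-fA-F]{64})') {
        throw "No SHA-256 found in URL: $VtUrl"
    }
    $reported = $Matches[1].ToLowerInvariant()

    # Hash the local copy and read its embedded code signature.
    $local = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        LocalSha256     = $local
        ReportSha256    = $reported
        HashMatches     = ($local -eq $reported)   # False: the report is for a different file
        SignatureStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

Test-FileAgainstVtReport -Path $Path -VtUrl $VtUrl | Format-List
```

A `HashMatches` value of `False` means the report applies to a different build of the file, so its detection count says nothing about the local copy.
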
kevinf80 Posted December 1, 2021 ID:1490797 (Solution)

Hiya homeslice,

I believe this is a False Positive, I recommend that you contact Norton and take it up with their development team...

Regards,
Kevin..

homeslice Posted December 1, 2021 Author ID:1490847

Thanks Again Kevin!

Yeah, I thought so, cheers for picking this up, will hit your paypal again :)

HS

kevinf80 Posted December 2, 2021 ID:1490940

Thanks very much HS, appreciated...

kevinf80 Posted December 2, 2021 ID:1490941

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy:

Tips to help protect from infection

Thank you