Need User Feedback: Scans run as non-admin users report false positive infections



j8675309
2013-01-05, 19:12
I recently upgraded a computer to Windows 8 and installed Spybot 2. Scans were reporting WebWatcher was installed as well as file & registry permission alerts. I suspected that Spybot was having problems due to the scan being executed by a non-admin account on the system. I confirmed that this morning by running sdscan.exe (items were not cleaned at the end of the scan). It appears that the program reports Malware if it cannot properly access the directories (or file permissions/registry keys, etc.).

It would seem like the program should report the lack of permissions vs. reporting a malware infection.

Results of each scan listed below:

non-Administrator account:
============================================================
1/5/2013 10:45:35 AM
Scan took 00:37:09.
10 items found.

WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\Windows\SysNative\config\atww\avas\

WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\Windows\system32\config\atww\avas\

WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
C:\Windows\SysNative\config\atww\Cache\

WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
C:\Windows\system32\config\atww\Cache\

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

Cookie: [SBI $49804B54] Browser: Cookie (4) (Browser: Cookie, nothing done)


Cache: [SBI $49804B54] Browser: Cache (16) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (12) (Browser: History, nothing done)



Administrator account:
============================================================
1/5/2013 11:29:07 AM
Scan took 00:33:27.
8 items found.

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows Explorer: [SBI $7308A845] Run history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (1) (Browser: History, nothing done)

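A differential check of the two logs above, as an added example that is not part of the original post: it parses the `name: [SBI $id] ... (kind, nothing done)` entry format shown in the post, lists the findings that appear only in the non-admin scan, and shows the kind of access check a scanner should record (present / absent / access denied) rather than reporting an unreadable location as a hit. The log excerpts are constructed from the post; the parser and `probe_path` are assumptions about how such a check could be written, not Spybot's own code.

```python
import os
import re
from dataclasses import dataclass

# Trimmed excerpts of the two Spybot 2 logs quoted in the post (constructed test data).
NON_ADMIN_LOG = """\
WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\\Windows\\SysNative\\config\\atww\\avas\\
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\\S-1-5-21-1416162619-4133266439-517339774-1604\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Paint\\Recent File List
Cookie: [SBI $49804B54] Browser: Cookie (4) (Browser: Cookie, nothing done)
"""
ADMIN_LOG = """\
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\\S-1-5-21-1416162619-4133266439-517339774-1604\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Paint\\Recent File List
Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)
"""

# Header "<name>: [SBI $<id>] <desc> (<kind>, nothing done)" plus, on the next line,
# the path or registry key it refers to (browser items carry no location).
ENTRY = re.compile(r"^(?P<name>[^:\n]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] .+ "
                   r"\((?P<kind>[^,\n]+), nothing done\)\n(?P<loc>(?!.*\[SBI \$)[^\n]*)", re.M)

@dataclass(frozen=True)
class Finding:
    name: str
    sbi: str
    kind: str
    location: str

def parse_log(text):
    return [Finding(m["name"], m["sbi"], m["kind"], m["loc"].strip())
            for m in ENTRY.finditer(text + "\n")]

def only_in_unprivileged(non_admin, admin):
    """Non-admin findings with no counterpart in the admin scan: where 'could not
    read it' may have been reported as 'found it'."""
    seen = {(f.name, f.sbi, f.location) for f in admin}
    return [f for f in non_admin if (f.name, f.sbi, f.location) not in seen]

def probe_path(path):
    """What a scanner should record instead: a real hit vs. an unreadable location."""
    try:
        os.listdir(path) if os.path.isdir(path) else os.stat(path)
        return "present"
    except FileNotFoundError:
        return "absent"
    except PermissionError:
        return "access_denied"
```
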
spybotsandra
2013-01-07, 13:54
Hello Joel,

Please always open Spybot by right clicking on the icon of the module you are about to run and select “Run as administrator”.
You will find a screenshot of this in our FAQ:
How can I get administrator rights? (http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista7/)

Best regards
Sandra
Team Spybot