Thread: Scans run as non-admin users report false positive infections

  1. #1
    Junior Member
    Join Date
    Jan 2013
    Posts
    1

    Scans run as non-admin users report false positive infections

    I recently upgraded a computer to Windows 8 and installed Spybot 2. Scans were reporting WebWatcher was installed as well as file & registry permission alerts. I suspected that Spybot was having problems due to the scan being executed by a non-admin account on the system. I confirmed that this morning by running sdscan.exe (items were not cleaned at the end of the scan). It appears that the program reports Malware if it cannot properly access the directories (or file permissions/registry keys, etc.).

    It would seem like the program should report the lack of permissions vs. reporting a malware infection.

    Results of each scan listed below:

    non-Administrator account:
    ============================================================
    1/5/2013 10:45:35 AM
    Scan took 00:37:09.
    10 items found.

    WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
    C:\Windows\SysNative\config\atww\avas\

    WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
    C:\Windows\system32\config\atww\avas\

    WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
    C:\Windows\SysNative\config\atww\Cache\

    WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
    C:\Windows\system32\config\atww\Cache\

    MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name

    MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id

    MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
    HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

    Cookie: [SBI $49804B54] Browser: Cookie (4) (Browser: Cookie, nothing done)


    Cache: [SBI $49804B54] Browser: Cache (16) (Browser: Cache, nothing done)


    History: [SBI $49804B54] Browser: History (12) (Browser: History, nothing done)



    Administrator account:
    ============================================================
    1/5/2013 11:29:07 AM
    Scan took 00:33:27.
    8 items found.

    MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name

    MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id

    MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
    HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

    MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

    MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
    HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

    Windows Explorer: [SBI $7308A845] Run history (Registry Key, nothing done)
    HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)


    History: [SBI $49804B54] Browser: History (1) (Browser: History, nothing done)
    Last edited by tashi; 2013-01-06 at 04:34. Reason: Moved from malware forum

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Hello Joel,

    Please always open Spybot by right-clicking on the module’s icon you are about to run and select “Run as administrator”.
    You will find a screenshot of this in our FAQ:
    How can I get administrator rights?

    Best regards
    Sandra
    Team Spybot
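
The side-by-side comparison in the first post can be scripted. This added example (not part of the thread and not Spybot code) parses two scan logs in the format shown above and separates detections reported by only one account from those reported by both. The function names are assumptions, and the log excerpts are abridged from the post.

```python
import re

# Result header: "Product: [SBI $RULEID] Description (Type, action)"
ENTRY = re.compile(r"^(?P<product>[^:\[]+): \[SBI \$(?P<rule>[0-9A-F]{8})\] "
                   r".*\((?P<kind>[^()]+), [^()]+\)$")

def parse_scan(text):
    """Return {(product, rule, kind, target)} for one scan log."""
    items, pending = set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            if pending:                      # previous entry had no target line
                items.add(pending + ("",))
            # Key on the type, not the description, so browser item counts
            # such as "(16)" vs "(2)" do not make the same finding look new.
            pending = (m["product"], m["rule"], m["kind"])
        elif pending and line:               # file or registry target
            items.add(pending + (line,))
            pending = None
    if pending:
        items.add(pending + ("",))
    return items

def compare(non_admin_log, admin_log):
    """Split detections by which scan reported them."""
    a, b = parse_scan(non_admin_log), parse_scan(admin_log)
    return {"only_non_admin": sorted(a - b),
            "only_admin": sorted(b - a),
            "both": sorted(a & b)}

# Abridged from the two logs in the first post.
NON_ADMIN = r"""
WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\Windows\system32\config\atww\avas\
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Cache: [SBI $49804B54] Browser: Cache (16) (Browser: Cache, nothing done)
"""
ADMIN = r"""
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Windows Explorer: [SBI $7308A845] Run history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)
"""

if __name__ == "__main__":
    for group, rows in compare(NON_ADMIN, ADMIN).items():
        print(group, *rows, sep="\n  ")
```

Entries that land in `only_non_admin` are the ones to re-check from an elevated session before treating them as detections.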
