-
Scans run as non-admin users report false positive infections
I recently upgraded a computer to Windows 8 and installed Spybot 2. Scans were reporting WebWatcher was installed as well as file & registry permission alerts. I suspected that Spybot was having problems due to the scan being executed by a non-admin account on the system. I confirmed that this morning by running sdscan.exe (items were not cleaned at the end of the scan). It appears that the program reports Malware if it cannot properly access the directories (or file permissions/registry keys, etc.).
It would seem like the program should report the lack of permissions vs. reporting a malware infection.
Results of each scan listed below:
non-Administrator account:
============================================================
1/5/2013 10:45:35 AM
Scan took 00:37:09.
10 items found.
WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\Windows\SysNative\config\atww\avas\
WebWatcher: [SBI $A7C1CDEA] Program directory (Directory, nothing done)
C:\Windows\system32\config\atww\avas\
WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
C:\Windows\SysNative\config\atww\Cache\
WebWatcher: [SBI $DAFCD6B5] Program directory (Directory, nothing done)
C:\Windows\system32\config\atww\Cache\
MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Cookie: [SBI $49804B54] Browser: Cookie (4) (Browser: Cookie, nothing done)
Cache: [SBI $49804B54] Browser: Cache (16) (Browser: Cache, nothing done)
History: [SBI $49804B54] Browser: History (12) (Browser: History, nothing done)
Administrator account:
============================================================
1/5/2013 11:29:07 AM
Scan took 00:33:27.
8 items found.
MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-9999999999-99999999-9999999-999\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
Windows Explorer: [SBI $7308A845] Run history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1416162619-4133266439-517339774-1604\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)
History: [SBI $49804B54] Browser: History (1) (Browser: History, nothing done)
Last edited by tashi; 2013-01-06 at 03:34.
Reason: Moved from malware forum
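As an added triage example (not Spybot's code and not part of the original thread): a PowerShell helper that reports whether the current shell is elevated and, for each directory a scan flagged, separates a directory that really exists from one that is merely unreadable to the current account, which is the ambiguity the post describes. The function names are my own; the two sample paths are the ones from the non-admin scan log above.

```powershell
# Added triage helper; not Spybot's code. Tells a permissions artifact from a real hit.

function Test-IsElevated {
    # True when the current token holds the Administrators role (i.e. elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ScanPathStatus {
    # Classifies each path as Present, Absent or AccessDenied instead of a bare exists/not-exists.
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        try {
            # -Force includes hidden/system entries; -ErrorAction Stop turns a failed
            # access into a catchable exception rather than a silent "nothing found".
            $null = Get-Item -LiteralPath $p -Force -ErrorAction Stop
            $status = 'Present'
        } catch [System.UnauthorizedAccessException] {
            $status = 'AccessDenied'      # exists or not, this account cannot tell
        } catch [System.Management.Automation.ItemNotFoundException] {
            $status = 'Absent'
        } catch {
            $status = "Error: $($_.Exception.GetType().Name)"
        }
        [pscustomobject]@{ Path = $p; Status = $status }
    }
}

# Sample paths taken from the non-admin scan log in this thread.
# Note: C:\Windows\SysNative is a WOW64 alias that only exists for 32-bit processes;
# from a 64-bit PowerShell it will read as Absent, so check the system32 form instead.
$flagged = @(
    'C:\Windows\system32\config\atww\avas\',
    'C:\Windows\system32\config\atww\Cache\'
)

"Elevated: $(Test-IsElevated)"
Get-ScanPathStatus -Path $flagged | Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one: a path that flips from AccessDenied to Absent was a permissions artifact, while one that reads Present in both is worth a closer look.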
-
Hello Joel,
Please always open Spybot by right-clicking on the icon of the module you are about to run and selecting "Run as administrator".
You will find a screenshot of this in our FAQ:
How can I get administrator rights?
Best regards
Sandra
Team Spybot