In my computer, There are suspicious CLSID registry as below.
%SystemRoot%\system32\[random length and letters].dll
Location: HKCR\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F} (fixed location)
In system32 dir, there are no such dll file as said in registry above.
And this value is created again with new [random_name].dll if that registry value be removed.
Also it seems like there are no issue on my computer for year.
At one time, I tried to catch that file using powershell's file create event detect, but failed.
I also tried NPE, but nothing there.
If there are any malicious registry entries on your PC, Norton or Malwarebytes will certainly detect them. Really no need for you to spend time playing whack-a-mole with the registry. If you have had previous malware infections that have been remediated there may still be some registry entries associated with the malware present. This is normal and expected. Some AV products will leave these harmless remnants for technical reasons. Nothing to worry about.
I removed NIS fully as I can and reinstalled it today. And still registry was there.
But, a time NIS is reinstalled, new registry entry value was there which uuid start with D.
And, after license is updated automatic, it seems NIS create another registry entry which same one before.
So, there was 2 registry with random letters. One is same as 4A805FB7-07D5-9F24-EC3C-3932E5493B9F.
It might be changed by user account or license user have.
Actually I still worry, but I also think that would be no problem.
Thank you for reply on my post again.
Okay...
There are still registry creation unless I turned off Tamper feature.
I agree Norton's key creation is safe, too, in general.
But I just nervous that AV could connect dll file named with random letters which not exist.
If I see anyone have registry key like me using CCleaner's Registry Cleaner, I would be comfortable.
It might be not exist on same location (4A805FB7-07D5-9F24-EC3C-3932E5493B9F).
If Norton is creating the key, it would not be a virus. The Norton Product Tamper feature stops any non Norton process from accessing anything Norton. Whether it is a file, a process, or registry entry.
Thank you for reply.
First, I tried Malwarebytes. But nothing there, too.
So, I tried another way to catch up registry edit event using ProcMon v3.60.
As a result, Norton Internet Security was the one that making a registry entry as you can see above screenshot.
Also a registry location was wrong which output from CCleaner's Registry Cleaner.
The currect location is HKCR\WOW6432Node\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F}\InprocServer32.
For make random string, process access to Microsoft Base Cryptographic Provider v1.0.
After then, try to open HKCR\WOW6432Node\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F}\InprocServer32 key.
If not there create new key using crypto provider.
Before that happen, there are smilar one but just check key existence.
Location: HKCU\Software\Classes\CLSID\{3237555C-C043-4836-AFDE-570D63E9EDAB}\InprocHandler
May I ask is this intended behavior of NIS which is not done by virus or something?
I hope this is the one of protection like kill switch of ransomware.
Windows 10 Pro x64 2004 build 19041.630
NIS 22.20.5.39
Hello SaeGon. That registry entry is not present on any of my Windows 10 Pro installs. My recommendation is to download and run a full scan with Malwarebytes. MBAM concentrates on things Norton doesn't always detect. Make sure you thoroughly screen the list of what it finds, if anything, before having it removed. We are here to assist if needed.
(screenshot is stored in attachment as main2.PNG)