SONAR.AM.C!g9 Norton's?

brucefl · Post by **brucefl** » Sat May 20, 2017 6:38 pm

Not sure why it came up now, but Norton's said SONAR.AM.C!g9 was suspicious and I should remove it?
It was low lever and comes from VS exe?
Anyone else seen this? Thanks Bruce

Post by **Ken Berry** » Sat May 20, 2017 7:32 pm

I've never received it myself, but then again I use McAfee... But I also have never seen anyone else ever reporting this -- although there have been other very isolated cases of false positives in the past, including IIRC with PSP as well as VS.

I assume your "low lever" was a typo for "low level"...

Does VS still open and function properly?

greyguru · Post by **greyguru** » Tue Aug 29, 2017 3:28 am

I just downloaded Videostudio Ultimate 10.5 and I got a similar message on Fast Flick and on screen capture. Possibly I will get this on any other part I open too. Here's the "suspicious activity" it recorded:

Filename: MWizard.exe
Threat name: SONAR.AM.C!g9Full Path: d:\program files\corel\corel videostudio x10\mwizard.exe

____________________________

____________________________

On computers as of
28-Aug-17 at 9:51:12 PM

Last Used
28-Aug-17 at 9:51:12 PM

Startup Item
No

Launched
Yes

SONAR Protection monitors for suspicious program activity on your computer.

____________________________

MWizard.exe Threat name: SONAR.AM.C!g9
Locate

Few Users
Hundreds of users in the Norton Community have used this file.

New
This file was released more than 7 days ago.

High
This file risk is high.

____________________________

Source: External Media

Source File:
mwizard.exe

____________________________

System Settings Actions

Event: Process start (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\PCU:HFIv2 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Local\Temp\ PCULog3.txt (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:ProxyEnable (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:ProxyOverride (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections:SavedLegacySettings (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\CCC\ServerData:pcuversion (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Local\Temp\ _tmp540225004 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\msgsys:Launches (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\msg:LastLaunchCount (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\msg:Schedule (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\msg:StartDate (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20\msg:LastLaunchTime (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content:CachePrefix (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies:CachePrefix (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History:CachePrefix (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:EnableAutodial (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Local\Temp\ trkcfg.ini (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Corel\VSPro\Version20:totallaunchcount (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Local\microsoft\Windows\inetcookies\ rgd6k2z8.cookie (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\users\david\appdata\local\temp\ srvdbcf.tmp (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Local\microsoft\Windows\inetcache\IE\RGFWMGGX\ mcsatellite[4].xml (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\users\david\appdata\local\temp\ srvdff7.tmp (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Roaming\Corel\Messages\540225004_807001\en\messagecache1\Messages\ Messages.xml (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Roaming\ulead systems\corel videostudio mw (x64)\ 20.0 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Roaming\ulead systems\corel videostudio mw (x64)\20.0\ en-US (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32:vidc.i420 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Ulead Systems\Corel VideoStudio MW\20.0 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Ulead Systems\Corel VideoStudio MW\20.0\VIO (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Ulead Systems\Corel VideoStudio MW\20.0\VIO\AVI (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Ulead Systems\Corel VideoStudio MW\20.0\VIO\AVI:EnableGlobalDivX (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Ulead Systems\Corel VideoStudio MW\20.0\VIO:RemoveCriticalSection (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
Event: Process start (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:2592) No fix attempted
Event: Process start: d:\program files\Corel\corel videostudio x10\ MWizard.exe, PID:2592 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:2592) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\Microsoft\Multimedia\ActiveMovie Filters\MPEG Decoder:AudioFreqDivider (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\MainConcept\DirectShow\MPEGVideoDecoder:MPEG2Only (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
\REGISTRY\USER\S-1-5-21-3333716158-4089654070-4278953749-1001\SOFTWARE\MainConcept\DirectShow\MPEGVideoDecoder:ForceOverlayMixer2 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
Event: Process start: d:\program files\Corel\corel videostudio x10\x86\ qtbridge32.exe, PID:9820 (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Roaming\ulead systems\corel videostudio mw (x64)\20.0\en-US\ U32BASE.CFG (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
c:\Users\David\AppData\Roaming\ulead systems\corel videostudio mw (x64)\20.0\en-US\ GG_App.ini (Performed by d:\program files\corel\corel videostudio x10\mwizard.exe, PID:4784) No fix attempted
____________________________

File Thumbprint - SHA:
70f72752aceddb2b9d2b0680be2f4f819e4535d5f158b14cab7265fefafe16aa
File Thumbprint - MD5:
Not available

Post by **RobertOZ** » Tue Aug 29, 2017 4:22 am

Ignore the threat, it is a false positive, if you purchased the product from Corel then what you download will be perfectly safe to install and use, MWizard .exe appears to be related to the FastFlick component of the program and will not present any problems for you

Tear out my hair · Post by **Tear out my hair** » Tue Sep 19, 2017 3:31 am

I have been the frequent recipient of a similar message from Norton regarding suspicious vstudio.exe file behavior (sonar.am.c!g9) The TS person I called at Norton had apparently never heard of Corel and was sorry for my inconvenience, The phone support person at Corel determined that it is a tech support (which would e-mail me soon) problem a bit over two weeks ago and I have heard zip, zero, nada since. The chat person at Corel I chatted with today was also sorry for my inconvenience but chatted, emphatically, that I will hear from TS and essentially hung up. I D/L'd the program from Corel. I would be delighted if Corel were to say that this file's behavior too is a false positive but neither Corel nor Norton seem willing to commit to reassuring their customers with any resolution to this very worrying issue.

Alludo USER to USER Web Board

SONAR.AM.C!g9 Norton's?

SONAR.AM.C!g9 Norton's?

Re: SONAR.AM.C!g9 Norton's?

Re: SONAR.AM.C!g9 Norton's?

Re: SONAR.AM.C!g9 Norton's?

Re: SONAR.AM.C!g9 Norton's?