Sublime Forum

Malwarebytes reports Adware.InstallCube in SublimeText 3

#1

As per the title, a Malwarebytes scan has reported malware in various Sublime Text 3 files. The malware reported is Adware.InstallCube.

Is this a false positive?

1 Like

#2
0 Likes

#3

which ones specifically?

0 Likes

#4

I am also having this.

Installed the new version of Sublime Merge from the Sublime Text 3 update popup and this morning I found this.

0 Likes

#5

Looks like it's the uninstall executables and registry key in my case:

Registry Key: 1
Adware.InstallCube, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Sublime Text 3_is1, No Action By User, 532, 975217, , , , , , 
File: 5
Adware.InstallCube, C:\PROGRAM FILES\SUBLIME TEXT 3\UNINS000.EXE, No Action By User, 532, 975217, 1.0.44517, , ame, , 3A325574AE5C04843808F7461391EE6E, 7F2E1EE6351A5F21F479763B1A56586884BE5E4BD3F50AAE601144451F675514
Adware.InstallCube, C:\$RECYCLE.BIN\S-1-5-21-2035986812-3903232634-3022976894-1001\$RNC4CUD\CRASH_REPORTER.EXE, No Action By User, 532, 975217, 1.0.44517, , ame, , 532243F7EB4CAB6614A7830D007B85F3, 63E3685D98253BB9FC55BA598F0F6CD7D390A3A61A95862C8E9CA41CB585CB82
Adware.InstallCube, C:\$RECYCLE.BIN\S-1-5-21-2035986812-3903232634-3022976894-1001\$RNC4CUD\SUBL.EXE, No Action By User, 532, 975217, 1.0.44517, , ame, , AF3D798D6480F1D0408A675AF44E2020, DF5A79948773CD6A4EE5FE93F43D019EF06BD5EBF0FCBBEBD369A2D0E5B57CEE
Adware.InstallCube, C:\$RECYCLE.BIN\S-1-5-21-2035986812-3903232634-3022976894-1001\$RNC4CUD\SUBLIME_TEXT.EXE, No Action By User, 532, 975217, 1.0.44517, , ame, , 5D4C46BE1524D189345F5B87853B2B65, 68D96D28BDA975226AB021CD8A0F521AB5CB8F4CB676A7C945BF768BEC834A15
Adware.InstallCube, C:\$RECYCLE.BIN\S-1-5-21-2035986812-3903232634-3022976894-1001\$RNC4CUD\UPDATE_INSTALLER.EXE, No Action By User, 532, 975217, 1.0.44517, , ame, , 93DE39E857FFE9E07AFCBD750E90CE26, BFDC68FACCB61EBEAD3846E246AE776B7BA0866BBEA5D9D1D3D13D98E5ADDB5C

Thanks

0 Likes

#6

I uploaded the sublime_merge.exe build 2059 on my machine.
https://www.virustotal.com/gui/file/94a291cbb6af99af92b14995c1c496213670da0fc4a0a00c456ed35849b3af26/detection
(obviously, someone has uploaded it before.)

0 Likes

#7

So is this a false positive? Concerned that Sublime is no longer showing up in W10 uninstall list and don’t want to click the executable and make things worse.

0 Likes

#8

I can’t tell that. You can upload the file and run the tests yourself, then make the decision with whichever result you trust. If you ask SublimeHQ staff, no matter what the fact is, I expect a “no issue” answer. :upside_down_face:

0 Likes

#9

image

0 Likes

#10

malware

0 Likes

#11

Let's see what Malwarebytes says about this.

Type and source of infection

Adware.InstallCube is often installed by the user themselves under false pretences. The bundlers will be offered as a program that the user was looking for.

As far as I know, neither Sublime Text nor Sublime Merge offers a bundle (including another program) with the installer. VirusTotal results from @jfcherng show the installers are clean. So, yes @pdgguy, this might be a false positive.

0 Likes

#12

I suggest sharing checksums of files to confirm if it’s a false positive.

0 Likes

#13

Correct. I use this free and open-source shell extension for that on Windows.

Sublime Text

md5: 1BA71525C5CF278DA93C6E61463CD0F4

Sublime Merge

md5: F10C0CDC5C83F340B6FBE8BF189F52E4

0 Likes

#14

Both installer hashes look good to me.

0 Likes
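
The checksum comparison suggested in post #12, applied to a report in the layout pasted in post #5, as an added example that is not part of the original thread or any Malwarebytes or Sublime HQ tooling. The sample report, paths and hashes are constructed from dummy bytes, and the reference table is assumed to come from a copy downloaded independently from the vendor.

```python
import hashlib
import re

# A file row in the report ends with "<MD5>, <SHA-256>", as in the log in post #5.
HASH_TAIL = re.compile(r"([0-9A-Fa-f]{32}),\s*([0-9A-Fa-f]{64})\s*$")

def parse_detections(report):
    """Return (detection, path, md5, sha256) for every file row in the report."""
    rows = []
    for line in report.splitlines():
        tail = HASH_TAIL.search(line)
        if tail is None:
            continue  # section headers and registry rows carry no file hashes
        # Assumption: the path contains no comma, so field 2 is the whole path.
        detection, path = (f.strip() for f in line.split(",")[:2])
        rows.append((detection, path, tail.group(1).lower(), tail.group(2).lower()))
    return rows

def triage(report, reference):
    """Compare each flagged file's SHA-256 with a reference keyed by file name."""
    verdicts = {}
    for _, path, _, sha256 in parse_detections(report):
        name = path.rsplit("\\", 1)[-1].lower()
        expected = reference.get(name)
        if expected is None:
            verdicts[path] = "no reference"
        elif expected.lower() == sha256:
            verdicts[path] = "identical to reference"
        else:
            verdicts[path] = "differs from reference"
    return verdicts

def sample_row(path, data):
    # Constructed sample row in the layout of post #5; hashes are of dummy bytes.
    md5 = hashlib.md5(data).hexdigest().upper()
    sha = hashlib.sha256(data).hexdigest().upper()
    return f"Adware.InstallCube, {path}, No Action By User, 532, 975217, 1.0.44517, , ame, , {md5}, {sha}"

GENUINE, OTHER = b"dummy vendor build", b"dummy modified build"
SAMPLE_REPORT = "\n".join([
    "Registry Key: 1",
    "Adware.InstallCube, HKLM\\SOFTWARE\\EXAMPLE\\UNINSTALL\\Example_is1, No Action By User, 532, 975217, , , , , , ",
    "File: 3",
    sample_row("C:\\EXAMPLE\\UNINS000.EXE", GENUINE),
    sample_row("C:\\EXAMPLE\\SUBL.EXE", OTHER),
    sample_row("C:\\EXAMPLE\\CRASH_REPORTER.EXE", GENUINE),
])
# Reference hashes would come from a copy downloaded independently from the vendor.
REFERENCE = {"unins000.exe": hashlib.sha256(GENUINE).hexdigest(),
             "subl.exe": hashlib.sha256(GENUINE).hexdigest()}
```

A flagged file that is identical to the reference is the vendor's own build, so the detection is a question for the scanner vendor; a file that differs is a different version or a modified copy and is worth inspecting before it is run.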