whoamomma2

notepad.exe false positive


Hello everyone,

Today MBAM has detected that my notepad.exe is a fake trojan ms? I went to look at the file in the System32 folder and found out about some things.

The reason why I think it is a false positive is because when I open notepad.exe it runs normally (opens a blank notepad). Also, looking at the size of notepad.exe, it is only 142 KB, which is the average file size of notepad.exe. If notepad.exe was a trojan then I would imagine the size of it should be very big.

On the other hand, I could be wrong and notepad.exe is a trojan, because when I looked at the Date Modified for notepad.exe it says "11/12/2012 10:12 AM", which isn't right because all of my other programs and files in the System32 folder have a date modified of the year 2006 (I'm using Vista, by the way).

So I wasn't sure if it is a false positive or not. So I'm here just to make sure if I was right or wrong.

I also have uploaded the MBAM scan log and the notepad.exe in a zip.

Thank you,

whoamomma.

notepad.exe.zip


What the...? The MBAM scan log once again didn't get uploaded? I'll just copy and paste the scan log and post it here...

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.11.01

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

student :: STUDENT-PC [administrator]

Protection: Enabled

11/12/2012 11:39:28 AM

mbam-log-2012-12-11 (12-12-02).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 278651

Time elapsed: 27 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\notepad.exe (Trojan.FakeMS) -> No action taken. [0a03815c332a241248119f43ff01b64a]

C:\Windows\System32\notepad.exe (Trojan.FakeMS) -> No action taken. [3ad3a4395d0057dff2671bc7e31d7789]

(end)
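Added example (not part of the original thread, and not Malwarebytes code): a Python parser for the detection lines of the log format pasted above, which picks out detections on files under the Windows directory so they can be verified before anything is quarantined. The regular expressions are inferred from this one log; the third sample line, the `windir` default and the function names are assumptions made for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Excerpt of the MBAM 1.65 log posted above, plus one constructed line
# (the "Program Files (x86)" entry) to exercise parentheses inside a path.
SAMPLE_LOG = r"""Database version: v2012.12.11.01
Files Detected: 3
C:\Windows\notepad.exe (Trojan.FakeMS) -> No action taken. [0a03815c332a241248119f43ff01b64a]
C:\Windows\System32\notepad.exe (Trojan.FakeMS) -> No action taken. [3ad3a4395d0057dff2671bc7e31d7789]
C:\Program Files (x86)\Example\tool.exe (PUP.Example) -> Quarantined and deleted successfully. [00000000000000000000000000000000]
(end)
"""

DB_VERSION = re.compile(r"^Database version: (v[\d.]+)\s*$", re.M)
# path (detection name) -> action. [32 hex chars]
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\. "
    r"\[(?P<ref>[0-9a-f]{32})\]\s*$", re.M)

@dataclass
class Detection:
    path: str
    name: str
    action: str
    ref: str  # bracketed value from the log; not assumed to be a file hash

def parse_log(text):
    """Return (database_version, [Detection, ...]) for one pasted log."""
    m = DB_VERSION.search(text)
    found = [Detection(**d.groupdict()) for d in DETECTION.finditer(text)]
    return (m.group(1) if m else None), found

def os_file_detections(detections, windir=r"C:\Windows"):
    """Detections on files under the Windows directory (case-insensitive)."""
    root = ntpath.normcase(windir).rstrip("\\") + "\\"
    return [d for d in detections if ntpath.normcase(d.path).startswith(root)]

if __name__ == "__main__":
    db, dets = parse_log(SAMPLE_LOG)
    for d in os_file_detections(dets):
        print(f"{db}: verify before quarantining: {d.path} ({d.name}, {d.action})")
```
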


Hi, just had the exact same result and wondering if (very much hoping) it's a false positive. It flagged notepad.exe in the Windows and System32 folders for me.


I'm having the same problem on my 32-bit Vista system. An MBAM PRO v. 1.65.1.1000 Quick Scan (database v2012.12.11.01) detected the Microsoft Notepad text editor (notepad.exe) today as a Trojan.FakeMS in the following two locations that look like a false positive.

C:\Windows\System32\notepad.exe (attached as notepad A.zip)

C:\Windows\notepad.exe (attached as notepad B.zip)

The zipped files, as well as the Quick Scan log file run in developers mode, are attached. Norton Internet Security 2013 v. 20.2.0.19 does not detect either notepad.exe file as a threat. I also submitted both files to VirusTotal (https://www.virustotal.com/) and MBAM is the only AV software flagging these files as possible malware.

mbam-log-2012-12-10 (19-58-51).txt

notepad A.zip

notepad B.zip

------------

MS Windows Vista Home Premium 32-bit SP2 * 2013 v. 20.2.0.19 * MBAM PRO v. 1.65.1.1000

HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS


I got the detection too but it does not appear to be resolved for me. I have just updated to v2012.12.11.02 and I am still getting the same trojan fake detection when trying to open notepad.


It's hard to say. Could have been from a Microsoft patch, or Windows File Protection restored it. As long as it scans clean you should be fine.


Interesting. I am in the middle of an on-demand SAS scan and it has just flagged notepad.exe as a Trojan.Agent/Gen-Nullo. Wondering if this is definitely a FP?


Cat,

I got a copy of the file you sent to the helpdesk. This is a copy from our quarantine, which we disable so it cannot run. That is why SAS is detecting it. Might want to replace that copy with one from this thread attached or the other copy on your computer.


Help!! I'm having the same problem!! In fact I quarantined my notepad without realizing it. I only found out when trying to use it. So I restored it and then scanned it and it says..... Trojan.FakeMS.


Problem solved on my 32-bit Vista machine. I re-ran Quick Scan with database v2012.12.11.12 today and notepad.exe is no longer flagged as Trojan.FakeMS.
