notepad.exe false positive

[whoamomma2]

Hello everyone,

Today MBAM have detected that my notepad.exe is a fake trojan ms? I went to look at the file in the System32 folder and found out about some things.

The reason why i think it is a false positive is because when i open notepad.exe it runs normally (opens a blank notepad). Also looking the size of notepad.exe it is only 142kb which is the average file size of notepad.exe. If notepad.exe was a trojan then i would imagine the size of it should be very big.

On the other hand i could be wrong and notepad.exe isa trojan because when i looked at the Date Modified for notepad.exe it says "11/12/2012 10:12 AM" which isn't right because all of my other programs and files in the System32 folder has a date modified of the year 2006 (i'm using vista by the way).

So i wasn't sure if it is a false positive or not. So i'm here just to make sure if i was right or wrong.

I also have uploaded the MBAM scan log and the notepad.exe in a zip.

Thank you,

whoamomma.

notepad.exe.zip

[whoamomma2]

Hmm, for some reason the MBAM scan log didn't get uploaded. Well here it is...

[whoamomma2]

What the...? The MBAM scan log once again didn't get uploaded? I'll just copy and paste the scan log and post it here...

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.11.01

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

student :: STUDENT-PC [administrator]

Protection: Enabled

11/12/2012 11:39:28 AM

mbam-log-2012-12-11 (12-12-02).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 278651

Time elapsed: 27 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\notepad.exe (Trojan.FakeMS) -> No action taken. [0a03815c332a241248119f43ff01b64a]

C:\Windows\System32\notepad.exe (Trojan.FakeMS) -> No action taken. [3ad3a4395d0057dff2671bc7e31d7789]

(end)

[Graffin]

Hi, just had the exact same result and wondering if (very much hoping) it's a false positive. It flagged notepad.exe in the windows and system32 folders for me.

[Graffin]

Oh, and I'm also using Vista.

[sUBs]

Thank you for reporting this. It shall be fixed in our next update.

[lmacri]

I'm having the same problem on my 32-bit Vista system. A MBAM PRO v. 1.65.1.1000 Quick Scan (database v2012.12.11.01) detected the Microsoft Notepad text editor (notepad.exe) today as a Trojan.FakeMS in the following two locations that look like a false positive.

C:\Windows\System32\notepad.exe (attached as notepad A.zip)

C:\Windows\notepad.exe (attached as notepad B.zip)

The zipped files, as well as the Quick Scan log file run in developers mode, are attached. Norton Internet Security 2013 v. 20.2.0.19 does not detect either notepad.exe file as a threat. I also submitted both files to VirusTotal (https://www.virustotal.com/) and MBAM is the only AV software flagging these files as possible malware.

mbam-log-2012-12-10 (19-58-51).txt

notepad A.zip

notepad B.zip

------------

MS Windows Vista Home Premium 32-bit SP2 * 2013 v. 20.2.0.19 * MBAM PRO v. 1.65.1.1000

HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

[nosirrah]

This should be fixed now.

[catscomputer]

I got the detection too but it does not appear to be resolved for me. I have just updated to v2012.12.11.02 and I am still getting the same trojan fake detection when trying to open notepad.

[shadowwar]

03 will have this fixed in a few minutes.

[catscomputer]

Fixed! Thanks a lot.

[whoamomma2]

Okay, i guess it was a false positive then. But one more question. Why was the Date Modified changed to 11/12/2012?

[shadowwar]

Its hard to say. Could of been from a microsoft patch or windows file protection restored it. As long as it scans clean you should be fine.

[catscomputer]

Interesting. I am in the middle of an on-demand SAS scan and it has just flagged notepad.exe as a Trojan.Agent/Gen-Nullo. Wondering if this is definitely a FP?

[shadowwar]

it definately was on our end. not sure about sas

[shadowwar]

Cat,

I got a copy of the file u sent to the helpdesk. This is a copy from our quaritine which we disable so it cannot run. That is why sas is detecting it. Might want to replace that copy with one from this thread attached or the other copy on your computer.

[beauknowsdiddly]

Help!! I'm having the same problem!! In fact I quareteened my notepad without realizing it. I only found out whe trying to use it. So I restored it and then scanned it and it says..... Trojan.FakeMS.

[shadowwar]

please update your definitions and it should no longer be detected.

[beauknowsdiddly]

Awesome!! Thank you!!

[lmacri]

Problem solved on my 32-bit Vista machine. I re-ran Quick Scan with database v2012.12.11.12 today and notepad.exe is no longer flagged as Trojan.FakeMS.

------------

MS Windows Vista Home Premium 32-bit SP2 * 2013 v. 20.2.0.19 * MBAM PRO v. 1.65.1.1000

HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS