pphidpad.exe false positive?


RCA_833A

Since 20 May, I began getting a malware detected message when I use a Penpower EZ Go Jr. USB tablet.

 

This is the product:
http://sg.penpower.net/product.asp?sn=469

 

Malwarebytes identifies the principal EXE file for the EZ Go, \win32\pphidpad.exe as being infected with "Trojan.Shylock.XGen"

 

When Malwarebytes quarantines the pphidpad.exe file, the EZ Go Jr will not work. Windows gives an error of not being able to sense the tablet.

 

I have gone so far as to download the manual updater from Penpower and reinstall the operating system into the EZ Go Jr. And I still get the same malware detected message. I have tried EZ Go Jr software versions 1.0.7 and 1.0.8.

 

I then "ignored" the file in Malwarebytes. The file loads, EZ Go Jr. works fine.

 

I get the same error on 2 PCs.

 

When ignoring the pphidpad.exe file, running the EZ Go Jr, then running Malwarebytes on the host computer, nothing comes up.

 

Bug maybe?

 

Thanks,

Daniel

Hi,

 

Please zip and attach the pphidpad.exe file to this thread.

 

Thanks!

Sorry, even zipped, the file is around 90MB. The EZ Go Jr.'s entire operating system and Asian character sets are contained within the device, not the host computer. It does not install anything and vacates the host when exiting.

 

However, you can download the file from Penpower's website here:

http://sg.penpower.net/download.asp?series_sn=118&product_sn=469

 

I'm thinking it might not be easy to duplicate the false positive without actually having the device.  As I recall, the installer (actually part of the downloaded file) will not open if it does not detect an EZ Go Jr. attached to the computer.

 

Continued thanks,

 

Daniel

  • Staff

Hi,

 

This is weird though, are you sure that the pphidpad.exe Malwarebytes detected is 90MB? Can you please verify? Because it doesn't make sense we detect this.

I need that actual file, not the installer, because when I tried this yesterday, I really could not reproduce detection here.

Can you also post your Malwarebytes log with this detection in it?

Here you go.

I copied the file from the device, zipped and attached.  Log is also attached as text file.

 

Thanks,

 

Daniel 

pphidpad_log.txt

  • Staff

Can you please update your database and try again?

 

 

There was a false positive with this name around the time in your log:

 

Scan Date: 5/20/2014
Scan Time: 4:39:15 PM

 

But it has been fixed since that log date.

 

That attachment zip I am unable to get.

 

Also I was able to confirm that the def that hit back then is no longer in the current database.

Thanks for the reply.  I'll remove the file from the ignore list and try reloading the EZ Go Jr.

 

Regards,

 

Daniel
