
Possible False Positive Notepad after Windows update



Order of events:

- Ran a full system scan with Malwarebytes yesterday on laptop.

- Did a Windows update yesterday on both desktop and laptop.


- Decided to do a full system scan on laptop today, after which it found 2 notepad.exe files as malware in C:\WINDOWS.OLD:
Malware.Generic.4236541952, C:\WINDOWS.OLD\WINDOWS\SYSWOW64\NOTEPAD.EXE, Geen actie door gebruiker, 1000000, 0, 1.0.24656, 716BA54E48A9D426FC848000, dds, 00740846
Malware.Generic.4236541952, C:\WINDOWS.OLD\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NOTEPAD_31BF3856AD364E35_10.0.18362.693_NONE_CF0F2E5D362498EF\NOTEPAD.EXE

- Ran a Malwarebytes scan on the same Windows.old folder on my desktop to check and it seems to detect the exact same files.

 

Not sure if it's a false positive, but its sudden appearance on both computers out of nowhere seems a bit suspect.
Made a copy of the files it found and put it in a zip added here.

Scan Export.txt Mbytes Possible False Positive Notepad Files.zip


Yes, the file is not infected.

If you upgraded Windows and saved the old copy of Windows, then the new Windows created Windows.old and uses rootkit techniques to protect the files. If you ran a rootkit scan on this directory, then this can cause FPs. If you plan on keeping the backup copy of Windows, then I would just add it to exclusions in Malwarebytes. Nothing can write there anyway.

 


I did a restore on the quarantined items and then turned off the scan for rootkits in the options.

Then I scanned the WINDOWS.OLD folder again. The same 2 files got flagged again.

Are you sure this is nothing to worry about?

29 minutes ago, Scubnubby said:

I did a restore on the quarantined items and then turned off the scan for rootkits in the options.

Then I scanned the WINDOWS.OLD folder again. The same 2 files got flagged again.

Are you sure this is nothing to worry about?

Was this a threat scan or a custom scan on C?

1 minute ago, Scubnubby said:

I right clicked the "windows.old" folder and picked the scan with malwarebytes option.

It is most likely a heuristic detection because it detects the files are not where they are supposed to be located on a normal install.

There is no reason to scan that folder, much less run a full scan on the OS drive.

Does it pick them up in a standard threat (recommended) scan?

2 minutes ago, Scubnubby said:

It did not pick them up with a standard scan.

That is why the default scan is a threat scan. In about 10 days that Windows.old will delete itself. It is not an infection; it is just found in the non-standard location due to your custom scan.

Quote

Malwarebytes is not designed to function like normal AV scanners and uses a new kind of scan engine that relies mostly on heuristics detection techniques rather than traditional threat signatures.  Malwarebytes is also designed to look in all the locations where malware is known to install itself/hide, so a full or custom scan shouldn't be necessary, especially on any sort of frequent basis (like daily), especially since the default Threat Scan/Quick Scan checks all loading points/startup locations, the registry, all running processes and threads in memory, along with all system folders, program folders and data folders as well as any installed browsers, caches and temp locations.  This also means that if a threat were active from a non-standard location, because Malwarebytes checks all threads and processes in memory, it should still be detected.  The only threat it *might* miss would be a dormant/inactive threat that is not actively running/installed on a secondary drive, however if the threat were executed then Malwarebytes should detect it.  Additionally, whenever a new location is discovered to be used by malware the Malwarebytes Research team adds that location dynamically to the outgoing database updates so the locations that are checked by the default Threat/Quick Scan in Malwarebytes can be changed on the fly by Research without requiring any engine or program version updates/upgrades.

 


Alright, so I guess it was nothing to worry about in the end.
Kind of had a feeling something seemed strange about it popping up identically on 2 different computers at the same time that aren't linked in any way.

Thanks a lot for the help, much appreciated.


When a Windows file or many others are found in a location other than where it is supposed to be by default, Malwarebytes will grab it due to heuristics. Many other AVs with heuristics will do the same.

@shadowwar I think an exception should be added for the Windows.old folder or we will get more requests like this, if it is feasible. Many users run those unneeded full scans often.
