
notepad.exe - hope it is just a false positive


plkx


Attached are the relevant reports.

Noticed that a Win 10 PC that had not been used in the past 8 hours was now showing the login screen rather than the screensaver.

After logging in, MB was open, with scanner window showing 2 items quarantined - notepad.exe.

In the scan log, a scan completed just 12 minutes earlier showed no problems.

Both reports are in the attached zip file.

I am still in early stages of investigating this issue, but checking here to see if others are having the same issue.

From Event Viewer I noticed this at 16:14 (coinciding with the login screen):

The process C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (DESKTOP-HF4JICB) has initiated the restart of computer DESKTOP-HF4JICB on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart

Earlier (~14:46) I'm finding Windows Update client entries with Dell Digital Delivery entries.

Have to be away for a bit but will check in later.

plkx


fpreport_notepad.zip


  • Staff

Thanks.

This isn't really triggered as malware, but as Riskware.

That registry location can be exploited, where you can run any program only by typing the name of the program in the run command.

We have seen malware making use/abuse of that, where they put in a fake notepad.exe (that is malware), so calling notepad would then run the malicious one if one is available.

That's why this is always a risk and not really recommended. In your case, it's not malware, just a registry key that has been set, so you can safely ignore this, or put in your exclusion list.


Thanks for the update.

Notepad.exe in the system32 directory always opens from a command prompt, since system32 is in the Windows PATH.

So, this situation could arise from using a notepad alternative and having it substituted for the default notepad.exe in the system32 directory?

Thanks,

plkx


  • Staff

The difference is that the PATH environment variable only uses the directories listed there, whereas the app path registry key is more broad if no path defined.

Can you check whether there's a Path subkey defined for the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe key in your case? In the meantime I'll adjust the detection to make sure it only detects if no Path subkey or path is defined there.

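The two staff replies above describe a risk (an App Paths key that redirects a typed program name to a different binary) and a stale-key symptom (a notepad.exe key with no Path or (Default) value). The script below is an added example that checks both conditions across the whole machine; it is not a Malwarebytes detection and was not posted in the thread. The three App Paths locations and the (Default) and Path value names are the standard Windows ones; the trusted-directory list, the findings wording and the helper names are this example's own assumptions. One point worth keeping in mind when reading the thread: App Paths is consulted by ShellExecute callers such as the Run dialog and Explorer, not by cmd.exe, which resolves a bare name through PATH only.

```powershell
# Added example (not from the thread): audit App Paths entries for the
# hijack and stale-key cases the staff reply describes.
# The three roots and the value names are standard Windows; the heuristics are ours.

$appPathRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
)

# Directories a legitimate App Paths target is expected to live under.
# Assumption of this example; tune for your estate.
$trustedDirs = @(
    [Environment]::GetFolderPath('Windows'),
    [Environment]::GetFolderPath('ProgramFiles'),
    ${env:ProgramFiles(x86)},
    "$env:LOCALAPPDATA\Programs"      # per-user installers put executables here
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-AppPathKey {
    param([Microsoft.Win32.RegistryKey]$Key)

    $name     = $Key.PSChildName        # e.g. notepad.exe: the word typed into Run
    $default  = $Key.GetValue('')       # (Default): full path of the program to launch
    $pathVal  = $Key.GetValue('Path')   # optional: directories prepended to PATH for the app
    $findings = @()

    if ([string]::IsNullOrWhiteSpace($default)) {
        # The case in this thread: an uninstaller left the key behind with no target.
        $findings += 'no (Default) target'
    } else {
        $target = [Environment]::ExpandEnvironmentVariables($default).Trim('"')
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            $findings += "target missing: $target"
        } else {
            $leaf = Split-Path -Leaf $target
            if ($leaf -ne $name) {
                # "notepad" was typed, but a differently named file would start.
                $findings += "key name '$name' does not match target file '$leaf'"
            }
            $trusted = $trustedDirs | Where-Object {
                $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if (-not $trusted) { $findings += "target outside trusted dirs: $target" }
            $sig = Get-AuthenticodeSignature -LiteralPath $target
            if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
        }
    }

    [pscustomobject]@{
        Key      = $Key.Name
        Target   = $default
        Path     = $pathVal
        Findings = $findings -join '; '
    }
}

$results = foreach ($root in $appPathRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root | ForEach-Object { Test-AppPathKey -Key $_ }
    }
}

# Full inventory first, then only the entries that need a look.
$results | Sort-Object Key | Format-Table -AutoSize
$results | Where-Object Findings | Format-List

# Remediation for a stale key: export it, then delete it (run from an elevated shell).
function Remove-AppPathKey {
    param([string]$RegistryPath, [string]$BackupFile)
    # reg.exe expects HKLM\... rather than the PowerShell HKLM:\ drive syntax.
    $regKey = $RegistryPath -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    reg export $regKey $BackupFile /y | Out-Null
    Remove-Item -LiteralPath $RegistryPath -Recurse
}
# Remove-AppPathKey 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\notepad.exe' "$env:TEMP\apppaths-notepad.reg"
```

Treat the Findings column as a triage list rather than a verdict: a legitimately installed tool that lives outside Program Files, or one whose vendor does not sign its binaries, will also be flagged. The name-mismatch and missing-target checks are the ones that most directly reflect the abuse the staff reply describes and the stale key found in this thread.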

There was no value. This may have been the result of several Notepad alternatives I tried long ago, then uninstalled (Atom, Notepad++, and maybe one or two others).

I deleted the keys (but kept a backup in case something else breaks).


Thanks,

plkx

