Possible false + in Notepad++ v4.7.3? ***RESOLVED***

[chalawah]

Hi I d/l Notepad++ v4.7.3 from sourceforge.net [ npp.4.7.3.Installer.exe ]

The MD5 is: 68924D4C0DCC91E3AC0AD9D0871EBCFD

At the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running'.

When I click on details I read:

'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP

If I navigate to the above location I cannot find the .TMP file. If I click 'allow' and navigate to the location I still cannot locate TEMPNSB397.TMP|NS39A.TMP

This SAS alert also occured with Notepad++ v4.7.1

I am using:

SAS Pro v 3.9.1008 | Core 3375 | Trace 1379

XP Home SP2 Fully updated.

Hope this helps.

[Pandato]

Your definitions are not current and I think you have transposed some numbers. After updating to the current definitions, you may wish to scan again and if the file is still detected, submit a false positive report from within the program.

[chalawah]

Your definitions are not current and I think you have transposed some numbers. After updating to the current definitions, you may wish to scan again and if the file is still detected, submit a false positive report from within the program.

I am pretty sure that I didn't transpose any numbers Pandato.

I have SAS Pro set to check every 8 hours and at program start-up, so I am wondering just how far off the current update for that specific time [Mon Jan 07, 2008 9:56 pm] my definitions were ?

To expand further, at the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running', not only could I not find the file 'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP' using a manual search, but clicking on the 'scan now' option also gave no further results - only a clean computer.

Pandato, on Sat Jan 12, 2008 6:27 pm I noticed that I had posted this possible false positive in the incorrect part forum so I posted a link to this thread in False Positives: https://forums.superantispyware.com/view ... =5492#5492

Could you please also advise as to where I should continue to post regarding this matter - it is not my intention to make this thread scattered and difficult to follow.

Thankyou for your time in providing assistance on this matter, I really appreciate it.

[chalawah]

The current definitions as posted on the Home page here are Core: 3379 and Trace: 1373, so I think you might have got your numbers wrong! Have you tried updating recently?

Hi Madeline

Yes, that is the same Core and Trace definitions that I have as at Sunday 6.57PM 13/01/07 [GMT+10]

Updates for me are completed automatically [in SAS Pro] by using the Preferences>Automatic updates> both ticks applied. In addition I always manually check for updates before manual scans.

I have searched the definition update history page https://www.superantispyware.com/definit ... story.html and can see that I was in fact up to date on the Core definitions for the original issue posted on 07/01/08

I am not able to double check the Trace definitions for that specific period as there doesn't appear to be any listing that I can see - so I hope I didn't make a typo mistake there. I realise that today's Trace is 1373, so it could be a possible typo as I had them as Trace 1379....

I doubt very much that seeing that auto update is/was working perfectly and Core definitions were correct [verified by the defintionupdatehistory.html] that the Trace might have been incorrect [ putting any Trace definition typo aside for the moment].

So I am still interested in any answer to my original question.

Go well.

[SUPERAntiSpy]

We need the original file from you, can you do the false-positive report after scanning your drive?

[chalawah]

We need the original file from you, can you do the false-positive report after scanning your drive?

Sorry Nick, at the time of the event I could not find the file, either by a subsequent scan by prompted by the SAS Pro pop-up alert, or by doing a manual search to the directory-location given in the pop-up:?

From my original post:

at the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running', not only could I not find the file 'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP' using a manual search, but clicking on the 'scan now' option also gave no further results - only a clean computer.

and:

This SAS alert also occured with Notepad++ v4.7.1

[chalawah]

Ok,

I have just run the Notepad++ v4.7.3.Installer.exe again, over the top of the existing Notepad++ v4.7.3 to test the results again.

Here is the method I used:

1. Click on SAS and manually update/check updates: Core 3379 Trace 1373

2. Open the Notepad++ v4.7.3.Installer.exe

3. This time close to the beginning of the install SUPERAntispyware Alert window pops up:

SUPERAntispyware has detected and blocked a potentially harmful application from running.

SUPERAntiSpyware Alert Options

Click here to view your details about the blocked items

Click hereto scan your system now [recommended]

I do not click the 'Finish' button in the Notepad++ Setup window.

4. I click on the option to view details of which on this install of Notepad++ there are four!:

Identification: Trojan.Unknown Origin.Process

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS74.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS73.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS72.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS71.TMP

Description of Item: Spyware/Adware Application Explanation

Summary: Trojan.Unknown Origin.Process Unknown

Description: Randomly (or deceptively-) named application process. Contains deceptive, incomplete, or missing version or company information and is installed in the Temp, Windows, System, System32, or Application Data directories. May also be found under randomly named sub-directories under these folders or Program Files.

This application is most likely downloaded and installed by another application that is considered to be adware or spyware.

Threat Level: 10 (1-10)

Process:*

(08E3ECF3.EXE)

(SYSIHZX.EXE)

(HHQLO.DLL)

(EAKHGWTDAX.EXE)

(VHYXAAAA.EXE)

(DAYCDY.EXE)

(IBFMHQ.EXE)

(ZR*EUROSIGN*GAA>EXE)

(MM5.EXE)

(SHEX.EXE)

(WIN3B.TMP.EXE)

(PP.EXE)

(MA.EXE)

(LOAD.EXE)

(WINC.TMP.EXE)

(NA.EXE)

(YNOLUPQV.DLL)

(DRVZOH.DLL)

(EYGXGHWF.EXE)

(5.EXE)

(1.EXE)

(3.EXE)

(4.EXE)

(21.EXE)

(0XF9.EXE)

(VIGQG.EXE)

(~TMP1174.EXE)

(PIBM.EXE)

(BBI0011.EXE)

(SYST212.EXE)

(6.TMP)

(TMP1.EXE)

(CHECK.EXE)

((NDEDFENKJ.EXE)

(TT.EXE)

(TMP2.EXE)

(DMXRGP.EXE)

(BX18DXV.DAT)

(NS5.TMP) ........................and more and more and more.................

5. When I navigate to:

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS74.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS73.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS72.TMP

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS71.TMP

I can find nsx6F.tmp only, and inside this directory I can see no other .TMP or .tmp files other than the following:

InstallOptions.dll

ioSpecial.ini

LangDLL.dll

modern-header.bmp

modern-wizard.bmp

nsExec.dll

UserInfo.dll

I have a copy of these saved.

6. I now click on 'Finish' on the Notepad++ Setup window....and attempt to navigate to:

Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\

but find that this no longer exists

This explains why I could not find it in my original post, as I had already clicked on the 'Finish' button in Notepad Setup

7. Clicking on the option to Scan in the SUPERAntiSpyware Alert pop up window and selecting full scan results in the computer being confirmed as clean: 'Scanning is complete - No harmful software was found'.

8. I am now going to run the Notepad installer again, but this time not click finish and run the SAS scan at the prompt from SUPERAntiSpyware Alert pop up window.

I will post back my findings in a following post.

I have also completed a manual scan [using SAS] of the nsx6F.tmp that I saved - no harmful software was found.

[chalawah]

I will post back my findings in a following post.

I have now completed the same method and actions as in items 1 to 5 .

Same results... a similar alert from SAS. I immediately clicked on the option to scan in the SAS pop up alert [before clicking on Finish in the Notepad++ Setup]. The result of a Full scan is: 'Scanning is complete - No harmful software was found'.

I have saved the nsa166.tmp directory that SAS alerts as containing problem .tmp files. I can see no .tmp files in there.

When comparing the two files nsa166.tmp and nsx6f.tmp they contain the same files:

InstallOptions.dll

ioSpecial.ini

LangDLL.dll

modern-header.bmp

modern-wizard.bmp

nsExec.dll

UserInfo.dll

If I convert ioSpecial.ini to a txt file I can read that it relates to Notepad++ v4.7.3 Setup

Hope this helps in attempting to find out what is happening.

Thanks for your time on this matter.

[SUPERAntiSpy]

We'll take a look at this and see what we can find!

[chalawah]

Same similar issue with new version of notepad++ v4.7.4.Installer.exe

[chalawah]

Latest definitions are now Core: 3380 Trace: 1374. I hope you get this sorted soon. Good luck with it!

Hi Madeline,

The definitions match exactly the ones I have on this computer and the ones found on the definition update history page.

[chalawah]

Same similar issue with new version of notepad++ v4.7.5

[chalawah]

Pleased to say subsequent releases up to the latest v4.8.1 are not being flagged by SAS.

Seems like this has been resolved.

Thanks Nick and team.

[SUPERAntiSpy]

No problem!