chalawah Posted January 7, 2008

Hi

I d/l Notepad++ v4.7.3 from sourceforge.net [ npp.4.7.3.Installer.exe ]

The MD5 is: 68924D4C0DCC91E3AC0AD9D0871EBCFD

At the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running'.

When I click on details I read:

'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP

If I navigate to the above location I cannot find the .TMP file. If I click 'allow' and navigate to the location I still cannot locate TEMPNSB397.TMP|NS39A.TMP

This SAS alert also occurred with Notepad++ v4.7.1

I am using: SAS Pro v 3.9.1008 | Core 3375 | Trace 1379

XP Home SP2 Fully updated.

Hope this helps.

Pandato Posted January 12, 2008

Your definitions are not current and I think you have transposed some numbers. After updating to the current definitions, you may wish to scan again and if the file is still detected, submit a false positive report from within the program.

chalawah Posted January 12, 2008

> Your definitions are not current and I think you have transposed some numbers. After updating to the current definitions, you may wish to scan again and if the file is still detected, submit a false positive report from within the program.

I am pretty sure that I didn't transpose any numbers, Pandato. I have SAS Pro set to check every 8 hours and at program start-up, so I am wondering just how far off the current update for that specific time [Mon Jan 07, 2008 9:56 pm] my definitions were?

To expand further, at the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running', not only could I not find the file 'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP' using a manual search, but clicking on the 'scan now' option also gave no further results - only a clean computer.

Pandato, on Sat Jan 12, 2008 6:27 pm I noticed that I had posted this possible false positive in the incorrect part of the forum so I posted a link to this thread in False Positives: https://forums.superantispyware.com/view ... =5492#5492

Could you please also advise as to where I should continue to post regarding this matter - it is not my intention to make this thread scattered and difficult to follow.

Thank you for your time in providing assistance on this matter, I really appreciate it.

chalawah Posted January 13, 2008

> The current definitions as posted on the Home page here are Core: 3379 and Trace: 1373, so I think you might have got your numbers wrong! Have you tried updating recently?

Hi Madeline

Yes, that is the same Core and Trace definitions that I have as at Sunday 6.57PM 13/01/07 [GMT+10]

Updates for me are completed automatically [in SAS Pro] by using the Preferences>Automatic updates> both ticks applied. In addition I always manually check for updates before manual scans.

I have searched the definition update history page https://www.superantispyware.com/definit ... story.html and can see that I was in fact up to date on the Core definitions for the original issue posted on 07/01/08

I am not able to double check the Trace definitions for that specific period as there doesn't appear to be any listing that I can see - so I hope I didn't make a typo mistake there. I realise that today's Trace is 1373, so it could be a possible typo as I had them as Trace 1379....

I doubt very much that seeing that auto update is/was working perfectly and Core definitions were correct [verified by the defintionupdatehistory.html] that the Trace might have been incorrect [ putting any Trace definition typo aside for the moment].

So I am still interested in any answer to my original question.

Go well.

SUPERAntiSpy Posted January 13, 2008

We need the original file from you, can you do the false-positive report after scanning your drive?

chalawah Posted January 13, 2008

> We need the original file from you, can you do the false-positive report after scanning your drive?

Sorry Nick, at the time of the event I could not find the file, either by a subsequent scan prompted by the SAS Pro pop-up alert, or by doing a manual search to the directory-location given in the pop-up.

From my original post:

at the end of the install SAS pop up alerts to say, '...detected and blocked a potentially harmful application from running', not only could I not find the file 'Trojan.Unknown Origin. C:\Docume~1\name\LOCALS~1\TEMPNSB397.TMP|NS39A.TMP' using a manual search, but clicking on the 'scan now' option also gave no further results - only a clean computer.

and:

This SAS alert also occurred with Notepad++ v4.7.1

chalawah Posted January 13, 2008

Ok, I have just run the Notepad++ v4.7.3.Installer.exe again, over the top of the existing Notepad++ v4.7.3 to test the results again.

Here is the method I used:

1. Click on SAS and manually update/check updates: Core 3379 Trace 1373

2. Open the Notepad++ v4.7.3.Installer.exe

3. This time close to the beginning of the install SUPERAntispyware Alert window pops up:

   SUPERAntispyware has detected and blocked a potentially harmful application from running.
   SUPERAntiSpyware Alert Options
   Click here to view your details about the blocked items
   Click here to scan your system now [recommended]

   I do not click the 'Finish' button in the Notepad++ Setup window.

4. I click on the option to view details of which on this install of Notepad++ there are four!:

   Identification: Trojan.Unknown Origin.Process
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS74.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS73.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS72.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS71.TMP
   Description of Item: Spyware/Adware Application
   Explanation Summary: Trojan.Unknown Origin.Process Unknown
   Description: Randomly (or deceptively-) named application process. Contains deceptive, incomplete, or missing version or company information and is installed in the Temp, Windows, System, System32, or Application Data directories. May also be found under randomly named sub-directories under these folders or Program Files. This application is most likely downloaded and installed by another application that is considered to be adware or spyware.
   Threat Level: 10 (1-10)
   Process:* (08E3ECF3.EXE) (SYSIHZX.EXE) (HHQLO.DLL) (EAKHGWTDAX.EXE) (VHYXAAAA.EXE) (DAYCDY.EXE) (IBFMHQ.EXE) (ZR*EUROSIGN*GAA>EXE) (MM5.EXE) (SHEX.EXE) (WIN3B.TMP.EXE) (PP.EXE) (MA.EXE) (LOAD.EXE) (WINC.TMP.EXE) (NA.EXE) (YNOLUPQV.DLL) (DRVZOH.DLL) (EYGXGHWF.EXE) (5.EXE) (1.EXE) (3.EXE) (4.EXE) (21.EXE) (0XF9.EXE) (VIGQG.EXE) (~TMP1174.EXE) (PIBM.EXE) (BBI0011.EXE) (SYST212.EXE) (6.TMP) (TMP1.EXE) (CHECK.EXE) ((NDEDFENKJ.EXE) (TT.EXE) (TMP2.EXE) (DMXRGP.EXE) (BX18DXV.DAT) (NS5.TMP) ........................and more and more and more.................

5. When I navigate to:

   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS74.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS73.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS72.TMP
   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\NS71.TMP

   I can find nsx6F.tmp only, and inside this directory I can see no other .TMP or .tmp files other than the following:

   InstallOptions.dll
   ioSpecial.ini
   LangDLL.dll
   modern-header.bmp
   modern-wizard.bmp
   nsExec.dll
   UserInfo.dll

   I have a copy of these saved.

6. I now click on 'Finish' on the Notepad++ Setup window....and attempt to navigate to:

   Blocked Item: C:\Docume~1\NAME\LOCALS~1\TEMP\NSX6F.TMP\

   but find that this no longer exists. This explains why I could not find it in my original post, as I had already clicked on the 'Finish' button in Notepad Setup.

7. Clicking on the option to Scan in the SUPERAntiSpyware Alert pop up window and selecting full scan results in the computer being confirmed as clean: 'Scanning is complete - No harmful software was found'.

8. I am now going to run the Notepad installer again, but this time not click finish and run the SAS scan at the prompt from SUPERAntiSpyware Alert pop up window. I will post back my findings in a following post.

I have also completed a manual scan [using SAS] of the nsx6F.tmp that I saved - no harmful software was found.

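An added example, not part of any post in this thread: a Python poller that copies files out of the installer's ns*.tmp directories under the temp folder while setup is still open, so they survive the cleanup described in step 6 and can be attached to a false-positive report. The evidence folder name, the polling interval and the function names are assumptions; a file that exists for less than one polling interval can still be missed.

```python
import hashlib
import os
import time
from pathlib import Path


def snapshot_new_files(temp_root, evidence_dir, seen):
    """Copy not-yet-captured files found under ns*.tmp directories.

    Returns a list of (original_path, sha256_hex) for files copied on this pass.
    """
    records = []
    for plugin_dir in Path(temp_root).iterdir():
        # Case-insensitive match for names such as nsx6F.tmp / NSX6F.TMP.
        name = plugin_dir.name.lower()
        if not (plugin_dir.is_dir() and name.startswith("ns") and name.endswith(".tmp")):
            continue
        try:
            items = [p for p in plugin_dir.rglob("*") if p.is_file()]
        except OSError:
            continue  # directory was removed while it was being listed
        for item in items:
            if item in seen:
                continue
            try:
                data = item.read_bytes()
            except OSError:
                continue  # locked or already deleted; retried on the next pass
            digest = hashlib.sha256(data).hexdigest()
            # Prefix with part of the hash so same-named files do not collide.
            dest = Path(evidence_dir) / plugin_dir.name / f"{digest[:16]}_{item.name}"
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
            seen.add(item)
            records.append((str(item), digest))
    return records


def watch(temp_root, evidence_dir, seconds=120, interval=0.05):
    """Poll temp_root for `seconds`, capturing files as the installer unpacks them."""
    seen, captured = set(), []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        captured += snapshot_new_files(temp_root, evidence_dir, seen)
        time.sleep(interval)
    return captured


if __name__ == "__main__":
    # Start this first, then launch the installer; "sas_fp_evidence" is an assumed name.
    for path, digest in watch(os.environ.get("TEMP", "/tmp"), "sas_fp_evidence"):
        print(digest, path)
```
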
chalawah Posted January 14, 2008

> I will post back my findings in a following post.

I have now completed the same method and actions as in items 1 to 5. Same results... a similar alert from SAS.

I immediately clicked on the option to scan in the SAS pop up alert [before clicking on Finish in the Notepad++ Setup]. The result of a Full scan is: 'Scanning is complete - No harmful software was found'.

I have saved the nsa166.tmp directory that SAS alerts as containing problem .tmp files. I can see no .tmp files in there.

When comparing the two files nsa166.tmp and nsx6f.tmp they contain the same files:

InstallOptions.dll
ioSpecial.ini
LangDLL.dll
modern-header.bmp
modern-wizard.bmp
nsExec.dll
UserInfo.dll

If I convert ioSpecial.ini to a txt file I can read that it relates to Notepad++ v4.7.3 Setup

Hope this helps in attempting to find out what is happening. Thanks for your time on this matter.

SUPERAntiSpy Posted January 14, 2008

We'll take a look at this and see what we can find!

chalawah Posted January 14, 2008

Same similar issue with new version of notepad++ v4.7.4.Installer.exe

chalawah Posted January 15, 2008

> Latest definitions are now Core: 3380 Trace: 1374. I hope you get this sorted soon. Good luck with it!

Hi Madeline,

The definitions match exactly the ones I have on this computer and the ones found on the definition update history page.

chalawah Posted January 18, 2008

Same similar issue with new version of notepad++ v4.7.5

chalawah Posted March 3, 2008

Pleased to say subsequent releases up to the latest v4.8.1 are not being flagged by SAS. Seems like this has been resolved.

Thanks Nick and team.