False Positive? or an infected windows cd :)

avast reports that my notepad.exe is infected by Win32:Qqpass-DY [Trj]
so I moved it to the virus container and extracted it from my Windows CD.
avast reports infection again.
so I scanned NOTEPAD.EX_ from the Windows CD and avast told me it's infected too :slight_smile:
can't be true, right?

It's a Windows XP SP2 Home Edition, German CD
I am using Avast 4.7 Home with VPS from 26.10.2006

I have uploaded the ‘infected’ files here

Please tell me avast is wrong here

A quick look on the forum under the recent posts would help you find your answer
“[avast! 4.x Home/Pro] Re: Virus alert after last update ???”
I’ll let you find it yourself if you haven’t already.

notepad.exe does indeed trigger a false positive, and this started today.

if you deleted the files it said were infected

then run SFC /scannow (or you used the XP automatic system file replacement warning popup that gets triggered when you delete this)

then this will again trigger the false positive as soon as notepad is extracted from the CDROM.

kind regards, Jaak
MVP windows shell user

Not anymore with 0643-6 virus database version (VPS) :wink:


Okay, just made it do an update.

will again run sfc /scannow

I took the Trojan warnings seriously and moved the “infected” files to the container (“chest”). This happened during a scan that was launched outside Windows XP. After having finished the scan Windows started automatically.

I read in the forum about the false alarm and started to restore the notepad.exe files as soon as I had installed the update mentioned above.

Unfortunately it took me some time to find ashChest.exe in my D:\Programs\Alwil folder. I found no link to it: neither in the Start/Programs/avast menu nor with the avast tray icons.

I wonder if I had made an installation mistake (maybe choosing Volume D for the installation) or if everyone faces this difficulty.

Last: Even after I had restored all the notepad.exe files, I could not start notepad.exe the usual way via the Start menu, because the link %Systemroot%\system32\notepad.exe had been replaced by C:\windows\system32\actmovie.exe.

I have no explanation for that. ???

Indeed you need to start avast antivirus, right click the skin and choose Chest from there.
No links or tray icon for the Chest.

Yes, most probably all your avast installation is there on D.
Uninstall, boot, install it on C will do the job.

What do you mean? How are you trying to start notepad? Clicking on the file, using run program?

The Chest is supposed to be accessed by clicking the Chest icon in the Simple User Interface, for example.

Most likely a feature of Windows shell - when a link points to a non-existent file and you use it, it tries to find the “closest” match and update the link.

I usually do it like this (German menu)


And “Editor” was suddenly linked to actmovie.exe instead of notepad.exe

Meanwhile I read Igor’s explanation. I had a suspicion like this.

Now I’ve found the container icon. Thx for all.

Glad you’ve solved it.
Welcome to avast forums 8)


it was really short-lived, I got three calls soon after I had seen avast do the update (one in my main, and one in a virtual machine on a testrig).
I told these people to not delete.

they did get another false when they booted, then apparently avast updated, and when rebooted (I had advised F8, no reboot when critical error happens) that was a thing of the past.

I thought I would have seen more reports, but this was really short-lived.
you guys do fast bug reporting/fixin’
kind regards, Jaak
MVP windows shell user

I’m becoming proud of the new signature updates :slight_smile: