Since updating to the latest virus definitions a few days ago, Avast has been reporting that my notepad.exe is infected with a trojan (Win32:Trojan-gen) and moved it to the virus chest. I was suspicious that this might be a false positive so I uploaded the file to virustotal & a few other sites and only Avast and GData (which uses Avast as one of it’s scanners) report it as a virus while all the other scanners say it’s clean. With this knowledge in hand, I sent the file to the Avast virus lab about 20 hours ago and have yet to hear anything from anyone about it so I thought I would also make a post here to see if there were any updates to this issue.

From VirusTotal:

Antivirus results
AhnLab-V3 - 2010.11.26.02 - 2010.11.26 - -
AntiVir - 7.10.14.125 - 2010.11.26 - -
Antiy-AVL - 2.0.3.7 - 2010.11.26 - -
Avast - 4.8.1351.0 - 2010.11.26 - Win32:Trojan-gen
Avast5 - 5.0.594.0 - 2010.11.26 - Win32:Trojan-gen
AVG - 9.0.0.851 - 2010.11.26 - -
BitDefender - 7.2 - 2010.11.26 - -
CAT-QuickHeal - 11.00 - 2010.11.26 - -
ClamAV - 0.96.4.0 - 2010.11.26 - -
Command - 5.2.11.5 - 2010.11.26 - -
Comodo - 6858 - 2010.11.26 - -
DrWeb - 5.0.2.03300 - 2010.11.26 - -
Emsisoft - 5.0.0.50 - 2010.11.26 - -
eSafe - 7.0.17.0 - 2010.11.24 - -
eTrust-Vet - 36.1.8003 - 2010.11.26 - -
F-Prot - 4.6.2.117 - 2010.11.26 - -
F-Secure - 9.0.16160.0 - 2010.11.26 - -
Fortinet - 4.2.254.0 - 2010.11.26 - -
GData - 21 - 2010.11.26 - Win32:Trojan-gen
Ikarus - T3.1.1.90.0 - 2010.11.26 - -
Jiangmin - 13.0.900 - 2010.11.26 - -
K7AntiVirus - 9.69.3095 - 2010.11.26 - -
Kaspersky - 7.0.0.125 - 2010.11.26 - -
McAfee - 5.400.0.1158 - 2010.11.26 - -
McAfee-GW-Edition - 2010.1C - 2010.11.26 - -
Microsoft - 1.6402 - 2010.11.26 - -
NOD32 - 5652 - 2010.11.26 - -
Norman - 6.06.10 - 2010.11.26 - -
nProtect - 2010-11-26.01 - 2010.11.26 - -
Panda - 10.0.2.7 - 2010.11.26 - -
PCTools - 7.0.3.5 - 2010.11.26 - -
Prevx - 3.0 - 2010.11.26 - -
Rising - 22.75.03.04 - 2010.11.26 - -
Sophos - 4.60.0 - 2010.11.26 - -
SUPERAntiSpyware - 4.40.0.1006 - 2010.11.26 - -
Symantec - 20101.2.0.161 - 2010.11.26 - -
TheHacker - 6.7.0.1.091 - 2010.11.26 - -
TrendMicro - 9.120.0.1004 - 2010.11.26 - -
TrendMicro-HouseCall - 9.120.0.1004 - 2010.11.26 - -
VBA32 - 3.12.14.2 - 2010.11.26 - -
VIPRE - 7420 - 2010.11.26 - -
ViRobot - 2010.11.19.4158 - 2010.11.26 - -
VirusBuster - 13.6.62.0 - 2010.11.26 - -
File info:
MD5: 0cc6db295f6baf6c4be159ae939d5bc8
SHA1: 6ec194f3d81b387d61935a44f1d9db4e3e504dbc
SHA256: 0cef4d21fb891033f5e9a68ffbe9abada9682d791eb2f06099203be6086f862b
File size: 218624 bytes
Scan date: 2010-11-26 22:50:00 (UTC)

Cheers,
Dave

Rescan the file and see if it still alerts - as there have been three updates today

I did that right before making this post. Still showing up

Engine & Definitions: Already up to date (current version: 101126-2)

What operating system do you have?

Windows XP Pro SP3.

I have xp pro sp3 fully up to date and notepad.exe in two locations, windows and windows\system32, both come up clean, see image.

With an MD5: 5E28284F9B5F9097640D58A73D38AD4C for both.

Edit: I uploaded my copy which I know is clean and would you believe it esafe (never heard of it) thinks it is Win32.Banker, which is c**p.
http://www.virustotal.com/file-scan/report.html?id=865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5-1290815508

Note the MD5 on mine is different to the one in your post, which means they are different.

I have the Brico packs installed from crystalxp.net which may account for the different file sizes (and possibly the MD5’s as well) and from your link it is saying your version is confirmed maleware, but that is besides the point. All I want to know is if my version is really infected or is Avast just throwing off the alert because the filesize is different then the reg filesize or some other reason. I need to get this taken care of one way or another asap.

Cheers,
Dave

No a single detection is hardly confirmation and usually considered an FP, more so if there is a detection from a lesser known AV.

In your case you are going to have to send the sample to avast for further analysis. If this has been on your system for some time and is only now detected it is possibly that it is an FP as the Win32:Trojan-gen is a generic signature and also gdata uses avast as one of its two scanners, so yours is effectively only one detection.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

• In the meantime (if you accept the risk), add the full path to the file to the exclusions lists:
  File System Shield, Expert Settings, Exclusions, Add and
  avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

If you don’t accept that risk, you could use another text editor for the time being (I use editpad lite as my text editor of choice) whilst it is being analysed.

I did submit the file to the lab (as I said in my OP) about 22 hours ago now and still no response from the avast folks which is why I started this topic.

You don’t normally get a reply to your submission from the chest or if you emailed it unless they need more info.

You need to do as I mentioned, in relation to excluding and restoring the file:

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

One of the avast team replied in the forums in a little over 30 minutes, albeit to ask a question. However, with the other replies you should be able to work round this until the file is analysed and if conformed an FP a correction issued in the next available virus definitions update.

Looks like it has been sorted out in the latest definition update (101127-0) Thanks for verifying the file as safe and adding it to the whitelist.

They are usually quite quick in correcting the signature after analysis when they confirm it is an FP. They don’t white list the file as such (as far as I’m aware) but modify the signature which was a generic one designed to catch more than one variant.

Hello,

It seems that Avast is detecting Notepad++ as malware again

Hello,
from the screenshot I see that avast! is detecting “notepad++.exe” not “notepad.exe”. Send the file to virus@avast.com and put “false positive” to email subject.

Milos