malwarebytes found a Trojan.FakeNPP



  • malwarebytes found a Trojan.FakeNPP in npp’s uninstall.exe file.

    It was found on w8.1-64 bit, but not on w10-64 bit, whereas I had installed npp 7.6.2 on both with the same downloaded installer.

    Any matter of concern?
    Thanks.

    mbam result



  • I would use https://www.virustotal.com/#/home/upload to see if other engines do report the same.



  • @V-S-Rawat

    same suggestion as @Eko-palypse
    and thanks for the screenshot

    here are the virustotal results of genuine uninstall.exe’s so you can compare sha-256 hash, file size and engine reports:

    uninstall.exe from notepad++ x86, 32 bit:
    https://www.virustotal.com/#/file/3d6a45166aafbbf7177779fe1bf77232e7b48713a846cbe985cfc19af6ff2628/detection
    SHA-256: 3d6a45166aafbbf7177779fe1bf77232e7b48713a846cbe985cfc19af6ff2628

    uninstall.exe from notepad++ x64, 64 bit:
    https://www.virustotal.com/#/file/31a82e5cc9dbd68b592b23e2467f2d9dc8673c02fe75f75c57552d91d1002b93/detection
    SHA-256: 31a82e5cc9dbd68b592b23e2467f2d9dc8673c02fe75f75c57552d91d1002b93

    don’t mind the suspicious.low.ml.score warning of trapware at the moment.
    as far as i’ve been able to find out in the last minutes, this seems just their machine learning score warning, that their engine can somehow not analyze it or not really “learn” it, and it happens often to files that are submitted very few times, and haven’t passed through their manual evaluation yet.

    any notepad++.exe for example will be clean for trapware too, so 100% clean without any warnings from around 71 different anti viruses, due to the larger amount of submits to their databases.
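
The comparison suggested in the post above, as an added example that is not part of the original thread: a Python script that hashes a local uninstall.exe and checks it against the two SHA-256 values posted there. The script name and function names are assumptions made for this example; a mismatch only shows that the file is not one of those two builds.

```python
import hashlib
import os
import sys

# SHA-256 values posted in this thread for genuine uninstall.exe files.
KNOWN_GOOD = {
    "3d6a45166aafbbf7177779fe1bf77232e7b48713a846cbe985cfc19af6ff2628": "notepad++ x86, 32 bit",
    "31a82e5cc9dbd68b592b23e2467f2d9dc8673c02fe75f75c57552d91d1002b93": "notepad++ x64, 64 bit",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so the whole binary is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_file(path, known=KNOWN_GOOD):
    """Return hash, size, matching build label (None if no match) and lookup URL."""
    file_hash = sha256_file(path).lower()
    return {
        "path": path,
        "sha256": file_hash,
        "size": os.path.getsize(path),
        "match": known.get(file_hash),
        # Same URL form as the links in the thread; looks the hash up without uploading.
        "virustotal": "https://www.virustotal.com/#/file/%s/detection" % file_hash,
    }

def main(argv):
    if len(argv) != 2:
        print("usage: check_uninstall.py <path to uninstall.exe>")  # hypothetical script name
        return 2
    result = check_file(argv[1])
    print("file:    %s" % result["path"])
    print("size:    %d bytes" % result["size"])
    print("sha-256: %s" % result["sha256"])
    if result["match"]:
        print("match:   identical to the posted hash for %s" % result["match"])
        return 0
    print("match:   none of the posted hashes; compare engine reports at")
    print("         %s" % result["virustotal"])
    return 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is 0 on a match and 1 otherwise, so the check can be used from a batch file or scheduled task.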



  • @Eko-palypse said:

    I would use https://www.virustotal.com/#/home/upload to see if other engines do report the same.

    oh, I had already got that removed by mbam itself. Next time if something comes up, I will remember your suggestion. Thanks.



    Also, I had already scanned the system earlier, more than 10 days ago, after installing npp 64-bit, once with mbam, and also with windows defender, and nothing was found then.

    could it have come in between due to some other thing infecting my w8.1?

    thanks.



  • point to note is - someone has created FakeNPP trojan.

    developers of npp should take cognizance of that, and figure out what this trojan does, how it comes, how to easily find it and cure for it.

    If it is a false alarm, then also developers of npp should interact with mbam to know what symptoms mbam is detecting to be this trojan.

    Thanks.



  • In theory, yes but most likely it was a false-positive.

    Even when using anti-whatsoever software, there is no 100% guarantee
    that it will detect viruses/trojans etc… before they got manifested on your disk.
    See rootkits, or hardware exploits or “trusted” certificates manipulation …
    you name it - the bad side is always one step in front of the light side ;-)



  • @V-S-Rawat

    could it have come in between due to some other thing infecting my w8.1?

    it’s a possibility, keep us informed if you find out something new.

    developers of npp should take cognizance of that, and figure out what this trojan does, how it comes, how to easily find it and cure for it.

    this would basically make notepad++ an antivirus by itself, and i guess the dev’s opinion would be: “we deliver clean code, if you get a virus it’s not our fault”

    If it is a false alarm, then also developers of npp should interact with mbam to know what symptoms mbam is detecting to be this trojan.

    the virus total service has marked uninstall.exe as clean when tested with a malwarebytes scan, so there will not be any need to report to mbam, as there is no indication of a false alarm triggered by their engine.

    btw: thanks for your time to look into it and to share what you’ve experienced.



  • You are welcome.

    I myself was fully sure that there can’t be anything wrong with npp, so I intentionally posted to bring the false alarm to the notice of others.



    AFAIK, apart from the bad quality of anti-spyware, a lot of anti-spyware is spyware in disguise.
    Choose your anti-spyware carefully.
    I use my common sense as anti-spyware.

