
This has completely bamboozled me....

First off, computer goes into a router with NAT/SPI Firewall. Outpost Pro installed on computer too. GRC ShieldsUP scan = all green/pass.

Using computer as normal, not downloaded anything or opened any emails, so I'm quite surprised when Kaspersky pops up telling me it's found a Trojan in:

C:\WINDOWS\system32\notepad.exe

Trojan Name: Trojan.Win32.StartPage.adh

KAV recommends I delete the file (which I do). Then I get a Windows File Protection warning, and KAV pops up again telling me there's a trojan in:

C:\WINDOWS\system32\dllcache\notepad.exe

Trojan Name: Trojan.Win32.StartPage.adh

I also delete this (recommended). KAV now shuts up but Notepad has gone.

At this point, I'm thinking "WTF!" because I know my system isn't vulnerable to worms like BLASTER because of the NAT/Firewalls, and I know I haven't downloaded anything suspect/opened any emails. I've also done a full Spyware scan with both Spyware Doctor and Outpost and nothing was found.

My next step was restoring the computer back to when I'd last reformatted with everything installed (about a month ago -- computer was TOTALLY CLEAN then). I fire up TrueImage (boot CD) and restore.

After restore complete + reboot I log back on to Windows. KAV immediately updates the AV Database, and then lo and behold:

Trojan.Win32.StartPage.adh detected in C:\WINDOWS\system32\notepad.exe

SAME thing happening.. I can't accept that there's a virus there because the computer was totally clean then and I hadn't done anything before. I proceeded to delete the notepad again to shut KAV up.

I then performed a full system scan using the extended DB in KAV, scanning all 3 of my HDDs (C: WINDOWS/ D: MUSIC/GAMES E: PROGRAMS)... totally clean, no viruses found.

So now this leads me to think that it's a false positive newly added into the KAV database, so I go to my sister's computer (who's also running KAV 5 Personal/XP). I update her KAV database to ensure we're using the same DB and try to open Notepad on her machine.. it opens, no virus detected.... so this kinda rules out a false positive.

But with what's happened, if I were to totally reformat the computer and reload XP on etc (which I don't have the time to do, and restoring from the TrueImage backup is the same) I feel that as soon as I install / update KAV this "trojan" would be found again.

Any help would be GREAT, I don't know what to do for the best here, can't understand why this has happened--- it just makes NO sense.

Thanks in advance :(


The same thing happened to me...

And the interesting part is that if I put my Windows XP CD w/SP2 in the drive and then tell Kaspersky to scan for viruses... it finds that same virus inside the CD in notepad.exe :(

It's strange because I have had this CD since SP2 was first distributed and it never had gone wrong once...

My guess is... it was probably some faulty update :unsure:

Hopefully it will be resolved soon

P.S. Sorry for my bad English


Well, I got the same problem over here. The best part of it is there is no extra information on the virus list. Means I got a computer without a notepad for a while - especially as I left my Win XP disks at home :(

So, if someone's got some more information on this, please shout!

I had Notepad on a second computer and was about to network it over - and KAV detected it as the same virus... and I have Norton on the second computer fully updated, does not detect a thing. I am going to presume this is a false report - but why??

cheers

RobinB

Robin Bourne


Strange. I too wonder if perhaps this might be a false positive. I just right-clicked on Notepad in my start menu, and as soon as I did, Kaspersky warned me about the very same trojan. As in your case, I can't imagine that anything should have installed on my system.

If you search the internet, startpage.adh is detected by many antivirus packages and it is listed as a browser hijacker.

Better wait a bit, until one of the real forum techies replies.


Very interesting.

I just turned KAV off on my computer, and copied my C:\WINDOWS\SYSTEM32\NOTEPAD.exe across to my sister's PC. She is using the exact same version of KAV as me, with the same database in use. I go on her computer, scan my NOTEPAD.exe and it's clean. KAV just won't shut up for me.

Even after I restore twice it's still happening so I can't see why it wouldn't affect her KAV too.


Schnitzel

Could you please send the detected files via the "Send files for analysis" link, found under the support tab in the main Kaspersky window, because I can't reproduce this.

Please post the result, oh and be sure to include "False positive" in the subject line. :)


I received the mail from Kaspersky Lab. It is a false positive.

-----------------

Hello. NOTEPAD.EXE - is clean Microsoft file. It is our mistake. It will be fixed in 15 minutes. Update your bases.

-----------------

Regards, Alexey Romanenko

Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700

E-mail: newvirus@kaspersky.com

http://www.kaspersky.com http://www.viruslist.com


Thanks Don, I've sent it.

Interestingly, when I browse for C:\WINDOWS\system32\notepad.exe to attach to the email thing, it tells me that the file is clean.

Contrary to the KAV popups lol.


I just updated my databases: problem solved. That's what I call quick service!


The second time this year (Notepad FP). It seems to have been corrected in the latest update.


I do not know what on earth has happened. I bought a brand new hard drive only yesterday. Have been careful like crazy putting my security apps on and my notepad has acquired a trojan in only one day and I can't use it any more.

I do not know where it has come from, I have only been looking at respectable forums such as here, Online Armors and Wilders.

I am using KAV 5.390 Personal.

Please help. It is asking me to delete my entire notepad from my machine. So is there a way I can just clean it without deleting the whole thing?

Thanks


Thanks, I was worried there for a minute.

Also, can I ask is there a way to set up KAV 5 so that immediately when a new database is released it automatically updates it if I am online at that exact moment of the database's release, instead of what I have now which is waiting for a scheduled time each day?

Thanks


You're welcome. No, not with KAV 5.0 (Avast Pro with its push updates is the only one which has an updating procedure like you describe AFAIK). Kaspersky 2006 can be set to every 5 minutes though. :)


@Anthony1uk

>> …waiting for a scheduled time each day.

You probably know it, but I just want to mention:

You are not “forced” to wait 60 min for the next update. If you want, you can perform a manual update (check) by right-clicking the K-icon and selecting Update Anti-Virus database.

About the Notepad FP

To be fair, KL fixes their mistakes very quickly. When I still used Symantec’s products I had a FP alert (also concerning some of my own apps). It took 3 months before they adjusted the signatures. (And what a fight…)

My previous Notepad FP event

The “bad” thing with Notepad.exe: it seems to be protected by Windows. KAV deleted the file, Windows created a new copy, KAV deleted it… I got files like Notepad.exe.new. Just a mess; I had to disable the Net connection & KAV until there was a new update.

>> Update your bases and rescan, don't delete, it was a FP which is fixed already! :)

Don ... I deleted it :(

What can I do now? How can I get it back?

I am running XP Pro SP2 but I don't have the SP2 CD 'cause I used MS Update. I only got the XP Pro CD (the original).

Help appreciated


Hi loosecannon

Restore it from "View backup" in the main KAV 5.0 window. :)


OK Don ... I found 4 entries in there all called notepad.exe

one in c/windows/servicepack..../i386

one in c/.....dllcache

one in c/.....system32

and one in c/windows

Do I restore all of them Don?

>> Yes, then update your bases and do a scan. :)

Done!

My XP Notepad shortcut was pointing to the camera wizard application so I changed it to notepad.exe manually.

It's working now.

I hope I did it right.

Thnx a bunch Don
