You are here

AVG 7.5 finds trojan in notepad++ 4.2.2

15 posts / 0 new
Last post
sedgy
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 06:21
AVG 7.5 finds trojan in notepad++ 4.2.2

Hi My avg 7.5 found the trojan Vundo.t in both of my copies of notepad++ 4.2.2 anyone else had this issue or know more about it? or could tell me how to escalate this ?
the infected file is scilexer.dll file size is 168448 bytes.

cheers

sedgy

Maximilian
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 07:32
Same problem

Hi, I have the same problem.

I've sent the file to AVG as it is most likely a false positive, hopefully they can clear this up soon.

Maximilian

sedgy
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 06:21
Interesting

two versions of it as well; the dll i mentioned are different sizes and from unrelated installations (tho same version) curious how they both got hit one is 164.5 kb (portable apps 4.2.2 ) the other is 344 kb (standard install 4.2.2) what about yours?

rail
Offline
Last seen: 12 years 5 months ago
Joined: 2008-06-12 15:09
Ditto.AVG is flagging

Ditto.

AVG is flagging SciLexer.dll as being infected with trojan Vundo.T

SciLexer.dll is from PortableApps Notepad++ 4.2.2.0

WinXP is reporting that SciLexer.dll is 168,448 bytes but I'm not sure if that's accurate. I've tried copypasting and FileAlyzer but I'm being denied access to the file, probably by AVG. AVG is still in the process of scanning my computer.

Simeon
Simeon's picture
Offline
Last seen: 8 years 3 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
What do

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

Tim Clark
Tim Clark's picture
Offline
Last seen: 11 years 10 months ago
Joined: 2006-06-18 13:55
And don't forget

Things have got to get better, they can't get worse, or can they?

rail
Offline
Last seen: 12 years 5 months ago
Joined: 2008-06-12 15:09
Couldn't check

I wasn't able to check what other scanners said because AVG deleted the dll instead of quarantining it. I'm not sure why it did that.

I dl'ed the new portable apps Notepad++ with a new version of SciLexer.dll. AVG scanned and passed it.

This was the first false positive I've ever had.

andrewjbrady
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 16:55
AVG7.5 quarantined Notepad++/SciLexer.dll because of Vundu.T

I got this too.

I then updated to the very latest Virus Base using the
AVG Control Center "Check for Updates" to get:

Program version AVG Free 7.5.524
Virus base 270.3.0/1500 release date 12/06/2008 16:58

After restoring the quarantined file back to the Notepad++,
I re-ran the scan on the Notepad++ directory and the SciLexer.dll
file was no longer quarantined by AVG.

As Maximilian says, probably a false positive introduced in
the previous virus base that Grisoft have already fixed.

Note that I am not an expert. Just my thoughts.

Cheers,

Andy

sedgy
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 06:21
Same here still

Hi, did an update to the database version last night to the one you are using (270.3.0/1500) mine was a day younger, and I still have the issue, the one copy i have cannot be sent anywhere Sad even with all the avg process turned off Sad

Consuegra
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-14 04:18
also found in notepad++ via AVG

Hi, a day later I have the same problem. After AVG found and then "vaulted" the scilexer file, I rescanned my system the next morning and it found another copy in the Windows restore (System Volume Information) with, as expected, a completely different filename.

After deleting my notepad++ installation, rescanning and installing a new and updated version of notepad++ (mine was from last year don't know rev). A final reboot and scan showed no issues.

I guess I'm waiting to see if this thing is somehow rootkit'd and will reappear but I'm feeling pretty good about now.

It is unclear to me if this is (1) a false positive (2) the result of a new detection recently added to AVG that had been in notepad++ or a download of mine in the past or (3) something I opened or downloaded in the past few days. The only new files I 'executed' in the day prior to the detection were some JPGs, PDFs and Word and Excel documents from business colleagues and friends. Email scanning and resident protections detected nothing unusual at that time (though that could have just been the infection source).

Also:
- I was NOT able to examine the filesize to compare to others' notes here, sorry.
- Spybot S&D found no trouble at anytime (scan or resident).
- Zone Alarm has reported no new program attempts in or out.

I hope this helps anyone's investigation and that someone can confirm if this is or isn't a false positive from AVG.

I am happy to provide more details if needed to anyone.

--Mark.

a_non_e_mouse
Offline
Last seen: 14 years 7 months ago
Joined: 2007-08-26 22:38
same problem

hey guys..

i'm using AVG 8.0 free with the latest updates.
And I've installed notepad++ 4.1

AVG does also find the trojan horse vundo.t

I then reloaded the same version (notepad++ 4.1) from sourceforge.

AVG does also find the trojan in the newly loaded file.

So, there are two possibilities. There is really a trojan horse in the former versions of notepad++ or, what i believe and hope, it's a false positive.

I've send the "infected" file to avg. But there is only an automativ answer which states that the file is "infected".

What can we do now?

regards..

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 6 years 3 months ago
Joined: 2006-11-18 10:26
Everyone should read the top of this page.

Everyone should read the top of this page:

https://portableapps.com/support

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

sedgy
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 06:21
Also seen in non-portable

Thanks for this but this issue is also seen now in 4.1 mentioned above and I have this in both 4.22 portable and non-portable?

sedgy

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 6 years 3 months ago
Joined: 2006-11-18 10:26
I guess you didn't read or

I guess you didn't read or comprehend the information presented.

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

sedgy
Offline
Last seen: 14 years 7 months ago
Joined: 2008-06-12 06:21
I understood very well

I did read it and it suggests that portable apps and the compression techniques used can create false positives.

what it does not satisfy is why the non-portable version downloaded direct from sourceforge and the portable apps version for 4.2.2 and the same for the other forum poster of 4.1 actually see this issue

As discussed earlier in the the thread for some reason I cannot get my version of scilexer.dll off my machine even with virus checkers and firewall turned off. ClamWin does not detect it

Log in or register to post comments