Are these spyware?

[shortmantuff]

Hey guys, I just ran a scan on SUPERAntiSpyware and it found 2 trojans. I don't think either of them are legit trojans but wanted your opinions.

C:\TOSHIBAUPDATE\UPDATEX86.EXE

&

C:\WINDOWS\CLOSESEC.EXE

Also, is there a place on the internet to check for legit spyware files? Like a list that lists them?

 

[Jonathan_King]

Sure, try uploading them here: VirusTotal - Free Online Virus and Malware Scan

That will run it through a number of scanners and give you a report.

 

[shortmantuff]

It said 4/41 programs found it to be spyware (at least I think that is what it means). So, does this mean it's legit?

 

[Jonathan_King]

I'd say it's probably legit. I didn't see much on Google about it being malware either.

 

[shortmantuff]

Both of them are Toshiba based programs. It was just weird because I've ran SUPERAntiSpyware earlier in the week and it didn't detect these. That's why I worried a little.

 

[Jonathan_King]

You know those anti-virus programs. One day they don't detect anything, the next day they do.

 

[jav]

can you post links from virustotal scans... please

 

[shortmantuff]

Virustotal. MD5: 9df7b80c4e0bed1c1e3a36a20c4074fd Trojan-Dropper.Win32.Mudrop.flp!A2 Trojan.Agent.ATV Trojan/Downloader.gen

...and I cannot find the other file. I've always been bad at locating files within the computer. I asked for some help on it before but no one responded to me.

 

[jav]

ok, as I can see you gave results for:

C:\WINDOWS\CLOSESEC.EXE

vendors which detec it right now according to virus total:

a-squared - Trojan-Dropper.Win32.Mudrop.flp!A2 (note that "A2" at the end it means that only a2 engine of the a-sqaured detected it. (a-sqaured uses it's own a2 and Ikarus AV engines)) A-sqaure is known for some False Positives.
CAT-QuickHeal - Trojan.Agent.ATV (not sure about QuickHeal)
McAfee+ Artemis - Artemis!9DF7B80C4E0B(note: McAfee dosen't detect it. It is detected by McAfee Atremis only!) Artemis is cloud based technology, known for some False Positives...
TheHacker - Trojan/Downloader.gen (can't comment on this one)

Further analyses of "C:\WINDOWS\CLOSESEC.EXE" led me to finding to this:
https://forum.f-prot.com/index.php?topic=1694.0

as you can see it's official F-prot (AV company) forum.
And as you can see a few months ago, this file was detected by F-prot as malware aswell.
But look at the last post by F-Prot virus researcher/developer that it is probably False Positive and soon will be deleted from database.
Now from virustotal link you posted, we can see it has indeed been taken out of database.

So, I would say it is probably False Positive.


P.S. Just noticed the Original Poster on the Forum link I gave uses laptop from Toshiba like you.

 

[shortmantuff]

Yeah, I found that link too. I found it after I posted this though.

 

[jav]

If you are still unsure and want real confirmations.
Or atleast in the future:

SUPERAntiSpyware.com -> False Positives

This is the section for False Positives on the offcial site of SuperAntiSpyware

And if you want to check files online:
There is a thread in our forum (I mean this forum ) for this: http://www.sevenforums.com/system-security/8557-online-file-scanner-sites.html

 

[thathagat]

Also, is there a place on the internet to check for legit spyware files? Like a list that lists them?

hi.....there are others too...
Anubis: Analyzing Unknown Binaries
ThreatExpert - Automated Threat Analysis
Malware Analysis Tool - Malware Sandbox ? Online Virus Testing
Joebox a secure Sandbox Application for Windows to analyse the Behaviour of Malware
Norman | Norman SandBox®
Wepawet Home
Comodo Instant Malware Analysis

 

[shortmantuff]

Weird...when I browse for TOSHIBAX86.EXE on Virus Total (online) I couldn't find the file. But I downloaded the tool to upload it via Send To and I found it when I browsed that way. Hmm....Oh well.

Thanks for all the help guys!