Need User Feedback: NDP1.1sp1-KB979906-X86.exe Malware or update?

bluesbabe

I was in an online, and I think my computer had been downloading updates, when a Spybot box opened saying it had "encountered and terminated a process listed as part of a malicious software." It was offering me the option to delete the file, but I wanted to research before I decided that. I updated spybot, immunized, and started a scan, while I googled the file. But having done that, I am only more confused. It almost seems the file is a windows security update. I'm not good at this stuff, but I'm real nervous about what to do. Any help, out there?
XP Pro, , Firefox 3.6.3, SpyBot 1.6.2.46, updated just now (6/14).

The spybot box that suddenly opened said this of the file:
process ID: 3792
filename: NDP1.1sp1-KB979906-X86.exe
Found in C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.1sp1-KB979906-X86.exe!
identified as SpyArsenal.HomeKeyLogger

In the spybot logs the following is what's listed for today:
6/14/2010 1:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!

6/14/2010 3:12:29 AM Allowed (based on user decision) value "NetFxUpdate_v1.1.4322" (new data: ""C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID") added in System Startup global entry!

6/14/2010 3:12:29 AM Encountered and terminated SpyArsenal.HomeKeyLogger in C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.1sp1-KB979906-X86.exe!

6/14/2010 3:12:31 AM Allowed (based on user decision) value "NetFxUpdate_v1.1.4322" (new data: "") deleted in System Startup global entry!
 
hello,

if possible please send this file:
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.1sp1-KB979906-X86.exe

to detections@spybot.info with a reference to this thread.
I checked our detection database for SpyArsenal.HomeKeyLogger and found an error which may have caused this issue. However we should make sure that the file is really not infected.
 
Unfortunately I can't find the file. SpyBot prevented installation, and I recall that the computer deleted temp files because I was short of space. I will try updating, to see if it turns up again.
 
No end of problems

Okay this is getting worse instead of better. MS update page thinks it has downloaded successfully, and I can't download it there. When I look for it in the KB section, I can't find anywhere to download it, it just wants me to go back to the update page, which thinks I already have it. (I knew there was a reason I hated MS). Since it's not on my computer anymore, I can't send it in to see what the glitch is, and I'm not sure it isn't malware until somebody with a brain tells me so.
Now what do I do.....
 
My firewall alerted me to this on 6-12-10 and ever since, I keep getting alerts that IE is trying to monitor user activity.

I did find the file in the windows temp. folder and will send it in.

Thanks,

Robert
 
I too got the message that Filename: NDP1.1sp1-KB979906-X86.exe was identified as malware, when I did my updates, however it identified it as: Fraud.ProAntispyware2009

I was recently infected with a rogue antispyware program so I would be very interested to know whether this is a false positive, genuine malware or a genuine Windows spyware removal tool.

Unfortunately I also haven't got the file as Spybot deleted it.

Thanks for any information regarding this.
 
Please make sure to fully update Spybot S&D, then restart your computer. If the file should get flagged as Fraud.ProAntispyware2009 again, please send it to detections@spybot.info for analysis.
 
any update on this (no pun intended)

this should be the manual download for the patch.
I am currently analyzing why the file was flagged by the TeaTimer.

Any luck figuring it out? I went ahead and did the manual download you linked, and had no problem installing. But then I found this: NDP1.1sp1-KB867460-X86.exe and I'm confused again.
I'd ask MS update support, but frankly they are worse than no help at all. It took me answering 4 emails from them (them saying "if update says it's installed, it's installed") to convince them maybe it wasn't after all.

BTW, thanks for all the help, Yodama.
 
But then I found this: NDP1.1sp1-KB867460-X86.exe and I'm confused again.

what exactly do you mean by this? you downloaded the file manually, so it should be right where you put it, right?

I have rechecked all detection rules within SpyArsenal.HomeKeyLogger and Fraud.ProAntispyware2009 that might cause a false positive with NDP1.1sp1-KB867460-X86.exe but there are no more, so TeaTimer should not be able to falsely detect NDP1.1sp1-KB867460-X86.exe as either of those.
 
only version confusion

what exactly do you mean by this?

Sorry, I had tried to leave an actual link, but it didn't work. It was to a different version with the same name, and I got worried I had downloaded the wrong one, for my computer. I find this a lot when downloading manually, and I have trouble sorting out which version is right for me. I'm not that good with computers...
Thanks again for the assistance.
 