SvchostAnalyzer: Cloaked Malware or False Positive?

Yesterday I updated my Spywareterminator and ran a usual weekly scan. I was very surprised and confused with the results: ST identified SvchostAnalyzer as a TrojanGeneric. As you know, SvchostAnalyzer was developed by Neuber Software to list all svchost instances and check the services they contain and to uncover Svchost worms like the infamous Conficker worm. I installed SvchostAnalyzer a month ago and used it without any complaints from ST till yesterday.

I wanted to report a false positive to ST developers but decided first to read Google. I have found that SvchostAnalyzer:

  1. is a cloaked malware
    http://www.prevx.com/filenames/143557879015720279-X1/SVCHOSTANALYZER.EXE.html

  2. is clean and safe
    http://www.downloadroute.com/Svchost-Process-Analyzer-A-M-Neuber-Software/antivirus_report.html

So, antivirus software (and my Avast, too) found it “not guilty” and specific anti-malware software found it “guilty”. Which “jury” is right?

-= Try having a check at VirusTotal

Here are the results:
http://www.virustotal.com/analisis/d29c79f390070692b2269636243f86c8296ed2a2cb11fdc87cb783183b327082-1243667508

These are the results from antiviruses only. But what about MBAM, ThreatFire and other anti-spyware?

-= In my opinion, it may be False Positive… Since G-Data uses BitDefender… It can be counted as one + the detection of Vipre… A total of 2 antiviruses detected it…

-= To be sure, like what you say, you may try a scan with Malwarebytes Antimalware…

False positive of ST.
avast does not detect it as being infected.

I reported a FP to ST’s forum but I am not sure they will correct their DB soon.

I don’t want to remove my ST (it is not very reliable but it is fast in on-demand scanning and moderate in system resource consumption) and at the same time I would like to support it with another low-resources anti-malware. I already have SpywareBlaster but it only immunizes my PC. And the question is: could I install ThreatFire, for example? Would it be right to have on one PC: Avast, ST, SpywareBlaster, Trend Micro RUBotted and ThreatFire? Wouldn’t I have any software conflict or high increase in resource consumption or Internet connection slowdown?

You can… but, really, it will give you a lot of warnings about nothing…

No problems.

For sure you’ll notice delays on browsing and computing… three on-access scanners will have such impact.

I have read your posts, Tech, about problems with Firefox extensions. Do these problems exist now?

I use SVCHost Analyser too; avast!, SAS and MBAM have no objections, and given that and the VT results I would say this is an FP. Especially if you actually installed this, rather than if you had no idea it was on your system.

Most probably. But I never used ThreatFire again. It’s more a sensation of protection than protection itself. I choose performance in this case. Also, safe browsing :wink:

Yes, DavidR, I installed SvchostAnalyzer myself. I have immediately decided that it was ST’s false positive but Prevx’s File Investigation Report confused me.

The more I think the less I want to install ThreatFire. Tech says it interferes with Firefox extensions, other users say it is hard to remove it from a PC.

Prevx seems to be getting a lot of FPs lately. Though it is easy to call a file anything_you_like.exe, that doesn’t mean that it is, so it is possible that the detection is on a different file content.

Hello George Yves,

I lost COMODOBoClean as standalone program and real scanner due to discontinuation of it. Then decided on installing Threatfire, and until now, haven’t experienced any problems with this, did a full scan with it twice, updated it, some scanners have problems with the MailPassViewer there, but again just like bob3160, no problems for me. Again what free alternative is there in the line of what COMODOBoClean was?

regards,

polonus


It seems to me that ST updates their database a few times a week … about every 2 or 3 days.


polonus
As I understand you say that you have no problems with ThreatFire? Right? And what about problems with Firefox?

Hi George Yves,

I only use Firefox in combination with Threatfire, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090530 Shiretoko/3.5pre ID:20090530042121 with NoScript and RequestPolicy add-on to be precise, no issues found until now. Go to advanced tools, system activity monitor and have a look there what is getting in the way at your computer.

Can you give “old pol” a fresh hijackthis 2.0.2 logfile list as an attached txt file, just to give an analysis a swirl,

naboj!

polonus

Let’s be fair. I had problems, specific ones, on updating common extensions (AdBlock, NoScript, etc.).
I did not test ThreatFire again after that.
Let’s not propagate FUD.

polonus
My English is not as fluent as yours. You want me to attach hijackthis 2.0.2 logfile from my computer? I have installed the program and did a scan - the logfile is attached.

Hi George Yves,

Your English is quite OK, I wished my Russian was like yours.
Fix this with HJT:
R3 - URLSearchHook: (no name) - - (no file) Nasty
I assume you know the URLs being there in your hjt logfile.
Furthermore I see you do not have an active software firewall installed, which might put you at risk,
(solution for installing SP2, SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)

pol

Is this point dangerous for my computer? What does it mean?

I assume you know the URLs being there in your hjt logfile.
Yes, I do.
Furthermore I see you do not have an active software firewall installed, which might put you at risk, (solution for installing SP2, SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)
I'm using Vista Firewall Control. As you have read in my logfile, my OS is Vista Home Basic SP1 and it is fully legitimate - no need to remove WGA.

Maybe my logfile was not full, so I ran HJT as administrator and attached the newer version.