Avast WEBforum

Other => General Topics => Topic started by: George Yves on May 30, 2009, 06:27:30 AM

Title: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 06:27:30 AM
Yesterday I updated my Spywareterminator and ran my usual weekly scan. I was very surprised and confused by the results: ST identified SvchostAnalyzer as a TrojanGeneric. As you know, SvchostAnalyzer was developed by Neuber Software (http://www.neuber.com/free/svchost-analyzer/index.html) to list all svchost instances, check the services they contain, and uncover svchost worms like the infamous Conficker worm. I installed SvchostAnalyzer a month ago and used it without any complaints from ST until yesterday.

I wanted to report a false positive to ST developers but decided first to read Google. I have found that SvchostAnalyzer:

1) is a cloaked malware
http://www.prevx.com/filenames/143557879015720279-X1/SVCHOSTANALYZER.EXE.html

2) is clean and safe
http://www.downloadroute.com/Svchost-Process-Analyzer-A-M-Neuber-Software/antivirus_report.html

So, antivirus software (and my Avast, too) found it "not guilty" and specific anti-malware software found it "guilty". Which "jury" is right?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: .: L' arc :. on May 30, 2009, 10:57:27 AM
-= Try having a check at VirusTotal (http://virustotal.com)..
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 11:08:59 AM
Here are the results:
http://www.virustotal.com/analisis/d29c79f390070692b2269636243f86c8296ed2a2cb11fdc87cb783183b327082-1243667508

These are the results from antiviruses only. But what about MBAM, ThreatFire and other anti-spyware?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: .: L' arc :. on May 30, 2009, 11:22:11 AM
-= In my opinion, it may be False Positive.. Since G-Data uses BitDefender.. It can be counted as one + the detection of Vipre.. A total of 2 antiviruses detected it..

-= To be sure, like what you say, you may try a scan with Malwarebytes Antimalware..
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: Lisandro on May 30, 2009, 01:49:11 PM
False positive of ST.
avast does not detect it as being infected.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 03:48:18 PM
I reported a FP to ST's forum but I am not sure they will correct their DB soon.

I don't want to remove my ST (it is not very reliable, but it is fast in on-demand scanning and moderate in system resource consumption), and at the same time I would like to support it with another low-resource anti-malware. I already have SpywareBlaster, but it only immunizes my PC. And the question is: could I install ThreatFire, for example? Would it be right to have on one PC: Avast, ST, SpywareBlaster, Trend Micro RUBotted and ThreatFire? Wouldn't I have any software conflicts, a high increase in resource consumption, or an Internet connection slowdown?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: Lisandro on May 30, 2009, 04:07:47 PM
Could I install ThreatFire, for example?
You can... but, really, it will give you a lot of warnings about nothing...

Would it be right to have on one PC: Avast, ST, SpywareBlaster, Trend Micro RUBotted and ThreatFire?
No problems.

Wouldn't I have any software conflicts, a high increase in resource consumption, or an Internet connection slowdown?
For sure you'll notice delays on browsing and computing... three on-access scanners will have such impact.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 04:23:48 PM
I have read your posts, Tech, about problems with Firefox extensions. Do these problems exist now?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: DavidR on May 30, 2009, 04:28:56 PM
I use SVCHost Analyser too; avast!, SAS and MBAM have no objections. That, together with the VT results, makes me say this is an FP. Especially if you actually installed this, rather than having no idea it was on your system.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: Lisandro on May 30, 2009, 04:37:30 PM
I have read your posts, Tech, about problems with Firefox extensions. Do these problems exist now?
Most probably. But I never used ThreatFire again. It's more a sensation of protection than protection itself. I choose performance in this case. Also, safe browsing ;)
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 04:42:10 PM
Yes, DavidR, I installed SvchostAnalyzer myself. I have immediately decided that it was ST's false positive but Prevx's File Investigation Report confused me.

The more I think the less I want to install ThreatFire. Tech says it interferes with Firefox extensions, other users say it is hard to remove it from a PC.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: DavidR on May 30, 2009, 04:47:51 PM
Prevx seems to be getting a lot of FPs lately. Though it is easy to call a file anything_you_like.exe, that doesn't mean that it is, so it is possible that the detection is on a different file content.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 06:23:21 PM
Hello George Yves,

I lost COMODO BOClean as a standalone program and real scanner due to its discontinuation. I then decided on installing ThreatFire and, until now, haven't experienced any problems with it; I did a full scan with it twice and updated it. Some scanners have problems with the MailPassViewer there, but again, just like bob3160, no problems for me. Again, what free alternative is there in the line of what COMODO BOClean was?

pozdrawiam,

polonus
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: CharleyO on May 30, 2009, 06:38:35 PM
***

I reported a FP to ST's forum but I am not sure they will correct their DB soon.

It seems to me that ST updates their database a few times a week ... about every 2 or 3 days.

***
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 07:31:12 PM
polonus
As I understand you say that you have no problems with ThreatFire? Right? And what about problems with Firefox?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 08:31:38 PM
Hi George Yves,

I only use Firefox in combination with Threatfire, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090530 Shiretoko/3.5pre ID:20090530042121 with NoScript and RequestPolicy add-on to be precise, no issues found until now. Go to advanced tools, system activity monitor and have a look there what is getting in the way at your kompa.

Can you give "old pol" a fresh HijackThis 2.0.2 logfile as an attached .txt file, just to give an analysis a swirl,

naboj!

polonus

Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: Lisandro on May 30, 2009, 08:38:58 PM
And what about problems with Firefox?
Let's be fair. I had problems, specific ones, on updating common extensions (AdBlock, NoScript, etc.).
I did not test ThreatFire again after that.
Let's not propagate FUD.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 09:22:45 PM
polonus
My English is not as fluent as yours. You want me to attach hijackthis 2.0.2 logfile from my computer? I have installed the program and did a scan - the logfile is attached.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 09:52:02 PM
Hi George Yves,

Your English is quite OK; I wish my Russian were like yours.
Fix this with HJT:
R3 - URLSearchHook: (no name) - - (no file) Nasty
I assume you know the URLs being there in your HJT logfile.
Furthermore I see you do not have an active software firewall installed, which might put you at risk,
(solution for installing SP2, SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)


pol
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 10:10:30 PM
Fix this with HJT:
R3 - URLSearchHook: (no name) - - (no file) Nasty
Is this point dangerous for my computer? What does it mean?

Quote
I assume you know the url's being there in your hjt logfile.
Yes, I do.

Quote
Furthermore I see you do not have an active software firewall installed, which might put you at risk,
(solution for installing SP2, SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)
I'm using Vista Firewall Control. As you have read in my logfile, my OS is Vista Home Basic SP1 and it is fully legitimate - no need to remove WGA.

Maybe my logfile was not full, so I ran HJT as administrator and attached the newer version.
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 10:24:03 PM
Hi George Yves,

Yep, that is why that was not alerted; I did not expect you to be on Vista. So Vista has SP1, and with implementing SP2 you can still wait a bit, as it is just out. OK, we have that settled then.

Now the Url Search Hook issue. It is like this:

R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the R3 section to try to find the location you entered.

For your own reference, it is safe to check this item in HijackThis and remove it. You will not notice a change. It is just more secure, my friend. If it was just an orphaned entry of adware, you can remove it as well,

polonus
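An added check, not from the thread or from HijackThis itself, that lists the registered URL Search Hooks in the same shape as an HJT R3 line and flags orphaned entries (CLSID not registered, or DLL missing on disk). It assumes the standard Internet Explorer registry layout and is run on the machine being triaged:

```powershell
# Added example, not from the thread: list IE URL Search Hooks the way a
# HijackThis R3 line does and flag orphaned entries (no CLSID, no DLL).
# Assumes the standard IE registry layout; run on the machine being triaged.
$hookKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks'
)

function Resolve-UrlSearchHook {
    param([string]$Clsid)
    # A hook is a COM object; its name and DLL live under HKLM\...\CLSID.
    foreach ($root in 'HKLM:\Software\Classes\CLSID',
                      'HKLM:\Software\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        return [pscustomobject]@{ Name = $name; Dll = $dll }
    }
    return $null
}

foreach ($hookKey in $hookKeys) {
    if (-not (Test-Path $hookKey)) { continue }
    # Each value NAME under the key is the CLSID of one registered hook.
    $clsids = (Get-ItemProperty -Path $hookKey).PSObject.Properties.Name |
              Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($clsid in $clsids) {
        $info = Resolve-UrlSearchHook -Clsid $clsid
        if ($null -eq $info) {
            $verdict = 'orphaned: CLSID not registered - safe to fix/remove'
        } elseif (-not $info.Dll -or -not (Test-Path $info.Dll)) {
            $verdict = 'orphaned: DLL missing on disk - safe to fix/remove'
        } else {
            # Present and loadable: check who signed it before trusting it.
            $sig = (Get-AuthenticodeSignature -FilePath $info.Dll).Status
            $verdict = "loaded from $($info.Dll) (signature: $sig) - review"
        }
        $name = if ($info -and $info.Name) { $info.Name } else { '(no name)' }
        "R3 - URLSearchHook: $name - $clsid - $verdict"
    }
}
```

An entry reported as orphaned corresponds to the "(no name) - - (no file)" R3 line above; a loaded hook is only as trustworthy as the publisher behind its signature.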
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 10:30:42 PM
And what about this R3?

R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll

Should I remove it too?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 10:40:53 PM
Hello

Yes, I would uninstall it.
1. Click on View -> Toolbars -> Deselect ICQ toolbar.
or
2. Click on Start -> Settings -> Control panel -> Add/Remove Programs -> Scroll to ICQ Toolbar -> Click delete. This option will permanently remove the toolbar from your system.

Not because it is malcode as such, but there were vulnerabilities with it.

Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code in RSS feed contents and execute it in the context of the feed interface (IE's Local Zone).

ICQ Toolbar 1.3 for Internet Explorer is a Browser Helper Object that provides several features including: search, pop-up blocker, ICQmail notifier, RSS feeds and others. The ICQ toolbar is one of the various products offered by ICQ and it is available for download at hxtp://download.icq.com/download/toolbar/

A problem was found in the way the ICQ Toolbar implements its web configuration interface that lets attackers controlling a malicious website change the ICQ toolbar's configuration settings without users of the ICQ toolbar for Internet Explorer noticing that an attack is taking place.

Additionally, Cross Site Scripting vulnerabilities in the RSS Feeds interface could allow malicious RSS feeds to execute scripting code in the context of the Feeds interface, and allow attackers to access (and, in specific cases, change) configuration settings.

If that happened in the past, I would not trust such a BHO for the future either.
You can check also for all the latest patches etc. for IE BHO's and Firefox browsers add-ons/plug-ins with the new beta that PSI Secunia has just brought out: http://secunia.com/PSISetupBeta.exe

polonus aka Damian
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on May 30, 2009, 11:24:25 PM
Thanks for your advice, polonus. I removed the toolbar and fixed the line in HJT. But the problem still exists: to install or not to install ThreatFire?
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 11:40:27 PM
Hi George Yves,

Whenever I experience problems with Threatfire you will be the first to know, I will report it to you.
I have read cons and pros here in this forum. Some users here used it for years without much ado, like bob3160; others reported issues, like Tech (But Tech reported issues with various things, not Tech?  :D )
You need not have this real-time scanner; there are alternatives. avast does all the real-time scanning it should, also through the shields. An additional quick scan with MBAM and SAS, and keeping the databases of these programs up to date, will do a lot. If you are doing your online activities with a normal user account, you have already reduced the payload of 92% of the malware to your OS to a minimum.
An alternative to ThreatFire is installing the Arovax Shield, a good free Ukrainian alternative; download from their site: http://www.arovaxshield.com/

I hope this will help you to take the right decision,

polonus

P.S. Arovax Shield is completely compatible with Windows Vista
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: Lisandro on May 30, 2009, 11:44:58 PM
I think the alternative to a HIPS program is safe browsing and a good firewall. Online Armour does the job (I'm using a giveawayoftheday offer).
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: polonus on May 30, 2009, 11:58:29 PM
Hi Tech,

I agree with you that one cannot add one security app and pile it upon the other; this will cost you too many cycles and will hamper your computer, and the additional security delivered is minimal anyway. I think the PCTools ThreatFire application has some issues with certain firewalls installed rather than with browsers etc. I have it now with ZA and, as I told George Yves, no issues so far.
What a person tries to do as well as he, she, it can is closing the vulnerability window as well as can be. So a software firewall, a resident av solution, some additional non-resident scanning with some other databases (a pity that avast now has an issue with free ClamWin), additional anti-malware scanners like MBAM and SAS, and SpywareBlaster in the background should be enough. Furthermore I have a browser with enough in-browser security extensions, like NoScript, RequestPolicy, Perspectives, ABP (the malware list), the Firekeeper extension, and a series of installed and on-demand pre-link scanners as far as they are real time (DrWeb's, Finjan). I think that is a rather full-fledged security cocktail and also multi-layered, so let us not overdo it....

polonus
Title: Re: SvchostAnalyzer: Cloaked Malware or False Positive?
Post by: George Yves on June 01, 2009, 04:19:43 PM
The FP on SvchostAnalyzer "will be removed in DB version 3.006.002.000" in Spywareterminator.