SvchostAnalyzer: Cloaked Malware or False Positive?

polonus
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #15 on: May 30, 2009, 08:31:38 PM »
Hi George Yves,

I only use Firefox in combination with ThreatFire (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090530 Shiretoko/3.5pre ID:20090530042121 with the NoScript and RequestPolicy add-ons, to be precise); no issues found so far. Go to Advanced Tools, System Activity Monitor and have a look there at what is getting in the way on your kompa.

Can you give "old pol" a fresh HijackThis 2.0.2 logfile as an attached .txt file, just to give an analysis a swirl,

naboj!

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Lisandro
« Reply #16 on: May 30, 2009, 08:38:58 PM »
And what about problems with Firefox?
Let's be fair. I had problems, specific ones, when updating common extensions (AdBlock, NoScript, etc.).
I did not test ThreatFire again after that.
Let's not propagate FUD.
The best things in life are free.

George Yves
« Reply #17 on: May 30, 2009, 09:22:45 PM »
polonus
My English is not as fluent as yours. You want me to attach a HijackThis 2.0.2 logfile from my computer? I have installed the program and done a scan; the logfile is attached.
May the FOSS be with you!

polonus
« Reply #18 on: May 30, 2009, 09:52:02 PM »
Hi George Yves,

Your English is quite OK; I wish my Russian were like yours.
Fix this with HJT:
R3 - URLSearchHook: (no name) - - (no file) Nasty
I assume you know the URLs that are in your HJT logfile.
Furthermore, I see you do not have an active software firewall installed, which might put you at risk
(a solution for installing SP2/SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)


pol

George Yves
« Reply #19 on: May 30, 2009, 10:10:30 PM »
Quote
Fix this with HJT:
R3 - URLSearchHook: (no name) - - (no file) Nasty
Is this entry dangerous for my computer? What does it mean?

Quote
I assume you know the url's being there in your hjt logfile.
Yes, I do.

Quote
Furthermore, I see you do not have an active software firewall installed, which might put you at risk
(a solution for installing SP2/SP3 can be found here: http://en.kioskea.net/faq/sujet-1633-wga-windows-genuine-advantage)
I'm using Vista Firewall Control. As you can see in my logfile, my OS is Vista Home Basic SP1 and it is fully legitimate; there is no need to remove WGA.

Maybe my logfile was not complete, so I ran HJT as administrator and attached the newer version.
« Last Edit: May 30, 2009, 10:16:50 PM by George Yves »

polonus
« Reply #20 on: May 30, 2009, 10:24:03 PM »
Hi George Yves,

Yep, that is why it was not alerted, and I did not expect you to be on Vista. Vista has SP1, and you can still wait a bit with installing SP2, which is just out. OK, we have that settled then.

Now the URL Search Hook issue. It is like this:

R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the URLSearchHook listed in the R3 section to try to find the location you entered.

For your own reference, it is safe to check this item in HijackThis and remove it. You will not notice a change; it is just more secure, my friend. If it was just an orphaned entry of adware, you can remove it as well,

polonus
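
The R3 line polonus describes is a value under the per-user registry key HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks, named by a CLSID that Internet Explorer resolves through HKCR\CLSID\{...}\InprocServer32 to a DLL. The PowerShell below is an added example, not code from this thread or from HijackThis: it lists the hooks the way HJT's R3 lines do, flags entries whose value name, CLSID registration, server path or DLL is missing (the "(no name) - - (no file)" case above), and offers a -WhatIf-capable cleanup of just those orphans. It assumes PowerShell 2.0 or later and that it is run in the affected user's own session, since the key is per-user; the function names are mine.

```powershell
# Added example, not from the thread or from HijackThis.
# Assumes PowerShell 2.0+ and that it runs in the affected user's session (URLSearchHooks is per-user).

$HookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'

function Get-UrlSearchHook {
    # Lists every URLSearchHook value for the current user, resolves the CLSID to its
    # friendly name and InprocServer32 DLL, and classifies orphaned entries (HJT's R3 lines).
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $HookKey)) { return }

    # Get-ItemProperty appends PSPath/PSParentPath/... note properties; skip those.
    $meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $values = Get-ItemProperty -Path $HookKey

    foreach ($prop in $values.PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }

        $valueName = $prop.Name
        $name = $null; $dll = $null; $status = 'ok'

        if ($valueName -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
            # A value name that is not a CLSID can never be loaded; HJT prints it as "(no name)".
            $status = 'orphaned: value name is not a CLSID'
        } else {
            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$valueName"
            $serverKey = "$clsidKey\InprocServer32"
            if (-not (Test-Path -Path $clsidKey)) {
                $status = 'orphaned: CLSID not registered'
            } else {
                $name = (Get-ItemProperty -Path $clsidKey).'(default)'
                if (Test-Path -Path $serverKey) {
                    $dll = (Get-ItemProperty -Path $serverKey).'(default)'
                    if ($dll) {
                        # Server paths may use %SystemRoot% and are occasionally quoted.
                        $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                    }
                }
                if (-not $dll) { $status = 'orphaned: no InprocServer32 path' }
                elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'orphaned: no file' }
            }
        }

        New-Object PSObject -Property @{
            ValueName = $valueName
            Name      = $name
            Dll       = $dll
            Status    = $status
        }
    }
}

function Remove-OrphanedUrlSearchHook {
    # Deletes only the orphaned values reported above. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($hook in (Get-UrlSearchHook | Where-Object { $_.Status -ne 'ok' })) {
        if ($PSCmdlet.ShouldProcess("$HookKey -> $($hook.ValueName)", 'Remove orphaned URLSearchHook')) {
            Remove-ItemProperty -Path $HookKey -Name $hook.ValueName
        }
    }
}

# Usage: review everything first, then dry-run the cleanup before actually removing anything.
Get-UrlSearchHook | Format-Table ValueName, Name, Dll, Status -AutoSize
Remove-OrphanedUrlSearchHook -WhatIf
```

A status of "ok" only means the hook resolves to a DLL that exists on disk, not that it is trustworthy: the ICQ Toolbar line discussed later in this thread would resolve cleanly and still be worth removing. Conversely, the Microsoft hook that Internet Explorer ships with ({CFBFAE00-17A6-11D0-99CB-00C04FD64497}) is expected to be present and should be left alone; HijackThis itself warns when it is missing.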

George Yves
« Reply #21 on: May 30, 2009, 10:30:42 PM »
And what about this R3?

R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll

Should I remove it too?

polonus
« Reply #22 on: May 30, 2009, 10:40:53 PM »
Hello

Yes, I would uninstall it.
1. Click on View -> Toolbars -> Deselect ICQ Toolbar.
or
2. Click on Start -> Settings -> Control Panel -> Add/Remove Programs -> Scroll to ICQ Toolbar -> Click Delete. This option will permanently remove the toolbar from your system.

Not because it is malcode as such, but there were vulnerabilities with it.

Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code in RSS feed contents and execute it in the context of the feed interface (IE's Local Zone).

ICQ Toolbar 1.3 for Internet Explorer is a Browser Helper Object that provides several features including: search, pop-up blocker, ICQmail notifier, RSS feeds and others. The ICQ toolbar is one of the various products offered by ICQ and it is available for download at hxtp://download.icq.com/download/toolbar/

A problem was found in the way the ICQ Toolbar implements its web configuration interface that lets attackers controlling a malicious website change the ICQ toolbar's configuration settings without users of the ICQ toolbar for Internet Explorer noticing that an attack is taking place.

Additionally, Cross Site Scripting vulnerabilities in the RSS Feeds interface could allow malicious RSS feeds to execute scripting code in the context of the Feeds interface, and allow attackers to access (and, in specific cases, change) configuration settings.

If that happened in the past, I would not trust such a BHO for the future either.
You can also check for all the latest patches etc. for IE BHOs and Firefox browser add-ons/plug-ins with the new beta that Secunia PSI has just brought out: http://secunia.com/PSISetupBeta.exe

polonus aka Damian

George Yves
« Reply #23 on: May 30, 2009, 11:24:25 PM »
Thanks for your advice, polonus. I removed the toolbar and fixed the line in HJT. But the problem still exists: to install or not to install ThreatFire?

polonus
« Reply #24 on: May 30, 2009, 11:40:27 PM »
Hi George Yves,

Whenever I experience problems with ThreatFire you will be the first to know; I will report it to you.
I have read the cons and pros here in this forum. Some users here have used it for years without much ado, like bob3160; others reported issues, like Tech (but Tech reported issues with various things, didn't you, Tech? :D).
You do not have to have this real-time scanner; there are alternatives. avast does all the real-time scanning it should, also through the shields. An additional quick scan with MBAM and SAS, keeping the databases of these programs up to date, will do a lot. If you do your online activities with a normal user account, you have already reduced the payload of 92% of the malware to your OS to a minimum.
An alternative to ThreatFire is installing Arovax Shield, a good free Ukrainian alternative; download it from their site: http://www.arovaxshield.com/

I hope this will help you to take the right decision,

polonus

P.S. Arovax Shield is completely compatible with Windows Vista
« Last Edit: May 30, 2009, 11:48:14 PM by polonus »

Lisandro
« Reply #25 on: May 30, 2009, 11:44:58 PM »
I think the alternative to a HIPS program is safe browsing and a good firewall. Online Armour does the job (I'm using a giveawayoftheday offer).

polonus
« Reply #26 on: May 30, 2009, 11:58:29 PM »
Hi Tech,

I agree with you that one cannot pile one security app upon another; this will cost you too many cycles and will hamper your computer, and the additional security delivered is minimal anyway. I think the PC Tools ThreatFire application has issues with certain firewalls installed rather than with browsers etc. I have it now with ZA and, as I told George Yves, no issues so far.
What a person tries to do, as well as he, she or it can, is close the vulnerability window as far as possible. So a software firewall, a resident AV solution, some additional non-resident scanning with some other databases (a pity that avast now has an issue with free ClamWin), additional anti-malware scanners like MBAM and SAS, and SpywareBlaster in the background should be enough. Furthermore, I have a browser with enough in-browser security extensions, like NoScript, RequestPolicy, Perspectives, ABP (the malware list), the Firekeeper extension, and a series of installed and on-demand pre-link scanners, as far as they are real-time: Dr.Web's, Finjan. I think that is a rather full-fledged security cocktail, and multi-layered as well, so let us not overdo it....

polonus
« Last Edit: May 31, 2009, 12:01:03 AM by polonus »

George Yves
« Reply #27 on: June 01, 2009, 04:19:43 PM »
The FP on SvchostAnalyzer "will be removed in DB version 3.006.002.000" in Spywareterminator.