Topic: SvchostAnalyzer: Cloaked Malware or False Positive?

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
SvchostAnalyzer: Cloaked Malware or False Positive?
« on: May 30, 2009, 06:27:30 AM »
Yesterday I updated my Spywareterminator and ran a usual weekly scan. I was very surprised and confused with the results: ST identified SvchostAnalyzer as a TrojanGeneric. As you know, SvchostAnalyzer was developed by Neuber Software to list all svchost instances, check the services they contain and uncover Svchost worms like the infamous Conficker worm. I installed SvchostAnalyzer a month ago and used it without any complaints from ST till yesterday.

I wanted to report a false positive to ST developers but decided first to read Google. I have found that SvchostAnalyzer:

1) is a cloaked malware
http://www.prevx.com/filenames/143557879015720279-X1/SVCHOSTANALYZER.EXE.html

2) is clean and safe
http://www.downloadroute.com/Svchost-Process-Analyzer-A-M-Neuber-Software/antivirus_report.html

So, antivirus software (and my Avast, too) found it "not guilty" and specific anti-malware software found it "guilty". Which "jury" is right?
May the FOSS be with you!

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #1 on: May 30, 2009, 10:57:27 AM »
-= Try having a check at VirusTotal..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #2 on: May 30, 2009, 11:08:59 AM »
Here are the results:
http://www.virustotal.com/analisis/d29c79f390070692b2269636243f86c8296ed2a2cb11fdc87cb783183b327082-1243667508

These are the results from antiviruses only. But what about MBAM, ThreatFire and other anti-spyware?
« Last Edit: May 30, 2009, 11:11:26 AM by George Yves »
May the FOSS be with you!

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #3 on: May 30, 2009, 11:22:11 AM »
-= In my opinion, it may be False Positive.. Since G-Data uses BitDefender.. It can be counted as one + the detection of Vipre.. A total of 2 antiviruses detected it..

-= To be sure, like what you say, you may try a scan with Malwarebytes Antimalware..
« Last Edit: May 30, 2009, 02:59:27 PM by chronoboi001 »
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #4 on: May 30, 2009, 01:49:11 PM »
False positive of ST.
avast does not detect it as being infected.
The best things in life are free.

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #5 on: May 30, 2009, 03:48:18 PM »
I reported a FP to ST's forum but I am not sure they will correct their DB soon.

I don't want to remove my ST (it is not very reliable, but it is fast in on-demand scanning and moderate in system resource consumption) and at the same time I would like to support it with another low-resource anti-malware. I already have SpywareBlaster, but it only immunizes my PC. And the question is: could I install ThreatFire, for example? Would it be right to have on one PC: Avast, ST, SpywareBlaster, Trend Micro RUBotted and ThreatFire? Wouldn't I have any software conflict, high increase in resource consumption or Internet connection slowdown?
May the FOSS be with you!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #6 on: May 30, 2009, 04:07:47 PM »
Could I install ThreatFire, for example?
You can... but, really, it will give you a lot of warnings about nothing...

Would it be right to have on one PC: Avast, ST, SpywareBlaster, Trend Micro RUBotted and ThreatFire?
No problems.

Wouldn't I have any software conflict, high increase in resource consumption or Internet connection slowdown?
For sure you'll notice delays on browsing and computing... three on-access scanners will have such impact.
The best things in life are free.

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #7 on: May 30, 2009, 04:23:48 PM »
I have read your posts, Tech, about problems with Firefox extensions. Do these problems exist now?
May the FOSS be with you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #8 on: May 30, 2009, 04:28:56 PM »
I use SVCHost Analyser too; avast!, SAS and MBAM have no objections. That, and given the VT results, I would say this is an FP. Especially if you actually installed this, rather than if you had no idea it was on your system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #9 on: May 30, 2009, 04:37:30 PM »
I have read your posts, Tech, about problems with Firefox extensions. Do these problems exist now?
Most probably. But I never used ThreatFire again. It's more a sensation of protection than protection itself. I choose performance in this case. Also, safe browsing ;)
The best things in life are free.

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #10 on: May 30, 2009, 04:42:10 PM »
Yes, DavidR, I installed SvchostAnalyzer myself. I have immediately decided that it was ST's false positive but Prevx's File Investigation Report confused me.

The more I think the less I want to install ThreatFire. Tech says it interferes with Firefox extensions, other users say it is hard to remove it from a PC.
May the FOSS be with you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #11 on: May 30, 2009, 04:47:51 PM »
Prevx seems to be getting a lot of FPs lately. Though it is easy to call a file anything_you_like.exe, that doesn't mean that it is, so it is possible that the detection is on a different file content.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
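DavidR's point in Reply #11 is the practical one: a filename is not an identity, so a detection reported against a name may concern different content. The hash embedded in the VirusTotal report URL from Reply #2 identifies the content itself. The following is an added example, not code from the thread or from Neuber Software: it extracts the SHA-256 from such a URL and compares it with the hash of a local file, and it builds two constructed files that share a name but differ in content to show that only the hash tells them apart. File contents and paths are constructed for illustration.

```python
"""Hash-based sample identification (added example, not from the thread).

A file can be called anything_you_like.exe, so a detection tied to a name may
be about different bytes.  The SHA-256 in a VirusTotal report URL identifies
the analysed content; the defender's check is to hash the local file and
compare it with that value.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 digests are 64 hex characters; this matches the hash embedded in
# the VirusTotal URL posted earlier in the thread.
_SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_from_virustotal_url(url: str):
    """Return the SHA-256 found in a VirusTotal report URL, or None."""
    match = _SHA256_RE.search(url)
    return match.group(0).lower() if match else None


def matches_report_bytes(data: bytes, report_url: str) -> bool:
    """True only if these bytes are exactly the content the report analysed."""
    expected = hash_from_virustotal_url(report_url)
    return expected is not None and sha256_of_bytes(data) == expected


def matches_report(path, report_url: str) -> bool:
    """File-based variant of matches_report_bytes."""
    expected = hash_from_virustotal_url(report_url)
    return expected is not None and sha256_of_file(path) == expected


def demo():
    """Two constructed files named svchostanalyzer.exe with different content.

    Returns (hash_a, hash_b, same_hash); same_hash is False because the name
    says nothing about the bytes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        dir_a = Path(tmp, "a")
        dir_b = Path(tmp, "b")
        dir_a.mkdir()
        dir_b.mkdir()
        # Constructed sample contents, not real binaries.
        (dir_a / "svchostanalyzer.exe").write_bytes(b"MZ constructed sample A")
        (dir_b / "svchostanalyzer.exe").write_bytes(b"MZ constructed sample B")
        hash_a = sha256_of_file(dir_a / "svchostanalyzer.exe")
        hash_b = sha256_of_file(dir_b / "svchostanalyzer.exe")
        return hash_a, hash_b, hash_a == hash_b


if __name__ == "__main__":
    a, b, same = demo()
    print("same name, same content?", same)
    print(a)
    print(b)
```

Hashing the local file and comparing it with the hash in the report is the step that settles whether a vendor's verdict on "SVCHOSTANALYZER.EXE" applies to the copy actually installed; a name match alone is not evidence either way.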

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #12 on: May 30, 2009, 06:23:21 PM »
Halio George Yves,

I lost COMODOBoClean as a standalone program and real scanner due to its discontinuation. Then I decided on installing Threatfire, and until now haven't experienced any problems with this; did a full scan with it twice, updated it, some scanners have problems with the MailPassViewer there, but again, just like bob3160, no problems for me. Again, what free alternative is there in the line of what COMODOBoClean was?

pozdrawiam,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #13 on: May 30, 2009, 06:38:35 PM »
***

I reported a FP to ST's forum but I am not sure they will correct their DB soon.

It seems to me that ST updates their database a few times a week ... about every 2 or 3 days.

***

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: SvchostAnalyzer: Cloaked Malware or False Positive?
« Reply #14 on: May 30, 2009, 07:31:12 PM »
polonus
As I understand you say that you have no problems with ThreatFire? Right? And what about problems with Firefox?
May the FOSS be with you!