Searchfilterhost.exe-44162447.pf

[Xolup]

Hello
I scan my computer on a regular basis with Avast!
Avast has just detected a threat in c:\Windows\Prefetch\SEARCHFILTERHOST.EXE-44162447.pf
Would anyone know how to remove this threat?
Many thanks for your help.

[DavidR]

Well it is a bit strange finding anything in the prefetch folder as this SEARCHFILTERHOST.EXE-44162447.pf (.pf file) just contains location information the SEARCHFILTERHOST.EXE file.

Now I don't know if it is also following links in relation to this .pf file, which should lead it to the primary file. You can send it to the chest on detection but since you are running searchfilterhost.exe that .pf file would be recreated after a few reboots.

Lots of hits about this primary file http://www.google.co.uk/search?q=SEARCHFILTERHOST.EXE and some consider it bad.

But it is associated windows search indexing, so you could disable that function, if you don't particularly use this indexing, see http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/0321bed5-a9ad-49bf-b8e8-5bde8a05753f/ and http://www.processlibrary.com/directory/files/searchfilterhost/28179/.

~~~~
You could also check the offending/suspect file (SEARCHFILTERHOST.EXE-44162447.pf) at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

[Xolup]

Many thanks for your help, DavidR
I don't think to have been successful in my attempt to move the file to the chest anyway. Therefore I uploaded the file to VirusTotal and this is what I got:

File name:
SEARCHFILTERHOST.EXE-44162447.pf

Submission date:
2011-06-22 10:36:01 (UTC)

Current status:
finished




Result:
0/ 42 (0.0%)




Additional information

Show all
 


MD5   : 26466f8bf05e4a69ba2005564caa3696

 

SHA1  : 61fe9d2a60c18d8cea2a9194093d197678cf8971

 

SHA256: eefd0642d30096ce46afbeb0c405456ef4683810fe142033805277ab2c149c63

 

ssdeep: 384:sdglNvyBj7vJ4skz5xxAkjTOLqehlSr+R+:5WdQ3x/jOir+R+

 

File size : 17664 bytes

 

First seen: 2011-06-22 10:36:01

 

Last seen : 2011-06-22 10:36:01

 

TrID:
Unknown!

 

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

[DavidR]

The easiest thing to do when posting VT results is just to copy the URL of the results page and post that.

Well that would pretty much confirm it as an FP, have you scanned it again on your system as the virus definitions at VT may differ from yours and you should ensure that you have the latest version before scanning it again.

[Xolup]

Sorry David, but what do you mean by FP? 
Many thanks.

[Lisandro]

False Positive: a clean file incorrectly marked as infected.