sparhawk77 Posted June 14, 2008

I recently started using your product. I received a warning that my SVCHOST.EXE was actually a Trojan.Dropper/SVCHost-Fake.Process. The program asked me for a full scan. Other than a bunch of adware the above noted file was the only one noted. I removed all items & was asked to reboot. After the reboot the program is once again stating the same item has been detected. Is this for real or a false positive? Thank you for any help you can offer.

fatdcuk Posted June 14, 2008

Well, as far as determining whether it is an f/p or a genuine trojan, identify the file address of the svchost.exe file; it will be shown in the scan results. Next, use VT upload to check against 32 AV databases :)

http://www.virustotal.com/

* Make sure you upload the svchost file from the address SAS is listing it at!

If VT comes back all clean, then use the report false positive function at the end of the SAS scan on the file.

However, if any of the VT databases flag the file as malware, then you have an unknown quantity that is reloading the malware. SAS HQ have an excellent diagnostic tool that will track *unknown*s and allow them to update to target the loader, but you will need to go through support channels to get that assistance! It would then be advisable to upload a support request here >>> https://www.superantispyware.com/csrcreateticket.html

** Please leave a link back to this topic so SAS HQ can track it.

HTH :)

SUPERAntiSpy Posted June 15, 2008

Can you post your scan log here? Also follow Fatdcuk's advice on Virus Total and submitting a support request.

sparhawk77 Posted June 15, 2008

I ran my svchost.exe through the scanner at virustotal and it came up clean. Below is the log of the scan that showed it as a trojan:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 06/13/2008 at 06:01 PM

Application Version : 4.1.1046

Core Rules Database Version : 3459
Trace Rules Database Version: 1450

Scan type : Complete Scan
Total Scan Time : 00:59:25

Memory items scanned : 534
Memory threats detected : 0
Registry items scanned : 7059
Registry threats detected : 0
File items scanned : 28977
File threats detected : 10

Adware.Tracking Cookie

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32::SVCHOST.EXE

I'm hoping that it was just an FP. Thank you to all of you that responded.

SUPERAntiSpy Posted June 15, 2008

That's on an Alternate Data Stream - likely not a false positive.

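
Added example (not part of the original thread, and not SUPERAntiSpyware code): a small Python parser that splits a scanner-reported path into its host object and named stream, showing that the logged detection refers to a stream attached to the SYSTEM32 directory, not to the regular svchost.exe file. Treating the log's "::" as a display form of the NTFS ":" separator is an assumption, and the uploaded path is constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class Detection(NamedTuple):
    host: str               # file or directory that carries the data
    stream: Optional[str]   # named stream, or None for ordinary file content

_DRIVE = re.compile(r"^[A-Za-z]:")  # the drive-letter colon is not a stream separator

def parse_detection_path(path: str) -> Detection:
    """Split a scanner-reported Windows path into host object and named stream."""
    drive = _DRIVE.match(path)
    prefix = drive.group(0) if drive else ""
    # A stream name can only follow the last path component.
    head, sep, leaf = path[len(prefix):].rpartition("\\")
    name, colon, tail = leaf.partition(":")
    if not colon:
        return Detection(path, None)
    # Assumption: the scanner's "::" is a display form of the single NTFS ":".
    parts = [p for p in tail.split(":") if p]
    if parts and parts[-1].startswith("$"):   # explicit stream type, e.g. $DATA
        parts.pop()
    stream = parts[0] if parts else None      # "file::$DATA" is the default stream
    return Detection(prefix + head + sep + name, stream)

def same_object(uploaded: str, detected: str) -> bool:
    """True only if the uploaded file is the object the scanner flagged."""
    def key(d: Detection):
        return d.host.lower(), (d.stream or "").lower()
    return key(parse_detection_path(uploaded)) == key(parse_detection_path(detected))

def win32_stream_path(det: Detection) -> str:
    """Path that Win32 file APIs accept for opening the flagged data on NTFS."""
    return det.host if det.stream is None else f"{det.host}:{det.stream}"

DETECTED = r"C:\WINDOWS\SYSTEM32::SVCHOST.EXE"   # path as it appears in the log above
UPLOADED = r"C:\WINDOWS\system32\svchost.exe"    # constructed: the regular file

if __name__ == "__main__":
    det = parse_detection_path(DETECTED)
    print("host object :", det.host)
    print("named stream:", det.stream)
    print("same object as uploaded file:", same_object(UPLOADED, DETECTED))
    print("open this to hash the stream:", win32_stream_path(det))
```
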
sleazoid Posted November 24, 2009

Hey. I got the same thing. And I actually had a trojan worm which SAS couldn't get away. So I used AVG http://free.avg.com/ww-en/homepage [ALL free anti-virus software] and it doesn't get detected by SAS anymore.

cheers