sparhawk77

Trojan.Dropper/SVCHost.exe-Fake.Process Real or not?

I recently started using your product. I received a warning that my SVCHOST.EXE was actually a Trojan.Dropper/SVCHost-Fake.Process. The program asked me for a full scan. Other than a bunch of adware the above noted file was the only one noted. I removed all items & was asked to reboot. After the reboot the program is once again stating the same item has been detected. Is this for real or a false positive? Thank you for any help you can offer.

Well, as far as determining whether it is an f/p or a genuine trojan, first identify the file address of the svchost.exe file; it will be shown in the scan results.

Next use VT upload to check against 32 AV databases:)

http://www.virustotal.com/

* Make sure you upload the svchost file from the address SAS is listing it at!

If VT comes back all clean then use report false positive function at the end of SAS scan on the file.

However if any of the VT databases flag the file as malware then you have an unknown quantity that is reloading the malware.

SAS HQ have an excellent diagnostic tool that will track *unknown*s and allow them to update to target the loader, but you will need to go through support channels to get that assistance!

It would then be advisable to upload support request here>>>

https://www.superantispyware.com/csrcreateticket.html

**Please leave link back to this topic so SAS hq can track it 8)

HTH:)

Can you post your scan log here? Also follow Fatdcuk's advice on Virus Total and submitting a support request.

I ran my svchost.exe through the scanner at virustotal and it came up clean. Below is the log of the scan that showed it as a trojan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 06/13/2008 at 06:01 PM

Application Version : 4.1.1046

Core Rules Database Version : 3459

Trace Rules Database Version: 1450

Scan type : Complete Scan

Total Scan Time : 00:59:25

Memory items scanned : 534

Memory threats detected : 0

Registry items scanned : 7059

Registry threats detected : 0

File items scanned : 28977

File threats detected : 10

Adware.Tracking Cookie

Trojan.Dropper/SVCHost-Fake

C:\WINDOWS\SYSTEM32::SVCHOST.EXE

I'm hoping that it was just an FP. Thank you to all of you that responded.

This topic is now closed to further replies.
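
Added example, not part of any post in this thread and not SUPERAntiSpyware code: a sketch of the check behind the advice to upload the file "from the address SAS is listing it at". It pulls each detection and its location out of a log laid out like the one above, then compares the reported location with the ordinary svchost.exe path. The function names are hypothetical, and the sketch assumes Windows is installed in C:\WINDOWS, as the log paths suggest.

```python
import ntpath
import re

# Constructed excerpt: every line is copied from the scan log posted in this thread.
SAMPLE_LOG = r"""
File threats detected : 10
Adware.Tracking Cookie
C:\Documents and Settings\Admin\Cookies\admin@tacoda[1].txt
.xiti.com [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\nlpp47ng.default\cookies.txt ]
Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32::SVCHOST.EXE
"""

# Assumption: the system directory is C:\WINDOWS\system32.
EXPECTED_SVCHOST = r"C:\WINDOWS\system32\svchost.exe"


def location_of(line):
    """Return the file location carried by a log line, or None."""
    m = re.match(r"^\S+ \[ (.+) \]$", line)      # "cookie-domain [ file ]" form
    if m:
        return m.group(1)
    return line if re.match(r"^[A-Za-z]:\\", line) else None


def parse_detections(log_text):
    """Map each detection name to the locations listed beneath it."""
    found, current = {}, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        loc = location_of(line)
        if loc is None:
            current = line                        # header or detection name
            found.setdefault(current, [])
        elif current is not None:
            found[current].append(loc)
    # Summary lines such as "Scan type : ..." never collect locations; drop them.
    return {name: locs for name, locs in found.items() if locs}


def triage_path(reported, expected=EXPECTED_SVCHOST):
    """Classify a reported location relative to the ordinary system file."""
    norm = ntpath.normcase(ntpath.normpath(reported))
    if norm == ntpath.normcase(expected):
        return "canonical"
    # A colon after the drive letter cannot appear in an ordinary NTFS file name;
    # NTFS uses it to separate a file or directory name from a stream name.
    return "not-a-plain-file-path" if ":" in reported[2:] else "different-file"
```

Run against the log in this thread, the Trojan.Dropper/SVCHost-Fake entry does not normalise to the ordinary system32\svchost.exe path, so submitting that ordinary file would not test the object the scanner reported.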