Searchfilterhost.exe is not Virus.DOS32.Amalhtea.chy@798860 [Resolved]

Using CIS RC1 and it hiccuped on searchfilterhost.exe, saying it is Virus.DOS32.Amalhtea.chy@798860. The searchfilterhost.exe is in c:\windows\system32\ and it is a Microsoft file.

The AV log also says the date of the file is "Invalid Date\Time". The virus database is 401. The properties of the file say it was made 2 August 2008, 20:40:29 and changed 27 May 2008, 7:17:55. That looks contradictory.

I told CIS to ignore the file.

I am on Vista 32 SP1 with the following (security) programs:
Peer Guardian 2
A squared free 3.5 (a2service is running)
SuperAntiSpyware free
Malwarebytes antispyware free
Spywareblaster
Perfect Disk defragmenter.
Speedfan

I just see somebody reported it as well before me and other folks have confirmed. Mods, please merge my findings with that thread.

I just got the same false positive. I think the program in question is Windows Search 4.0.

There is some malware around peer to peer networks… The malware is disguised as a song/movie with the name of a popular artist… when you choose to download the infected file, some antivirus will intercept this… NOD32 antivirus calls it trojan.wma.downloader… this trojan uses the searchfilterhost protocol (Windows Search 4.0) and searches all your hard drives for music and infects the songs, and so it copies itself… and it settles itself in your sharing folder so other peer to peer downloaders also get infected… (:WIN)

I believe that what I am telling here has something to do with that *strange* behavior you are experiencing…

Interesting.

CIS RC1 caught a Trojan Dropper from Frostwire yesterday! It was brilliant. :slight_smile:

Josh

I just got what I think is a false-positive on searchfilterhost.exe in both windows/system32 and windows/winsxs.

When scanned with Avira, it didn’t flag them.
(I trust Avira over comodo at the moment).
This thread confirms, for me at least, that comodo gave a false result.

Cheers.

Then it’s a FP.

Send the FP to the Labs and it will be fixed.

Josh

Tried sending it as an admin but it won’t let me open the file, saying I do not have enough permission… Then I tried opening with the full-admin account and it still says the same thing…

I ran the file through Jotti’s online malware scan and 20 scanners found no infection.

I emailed the FP as described by the URL 3xist provided.
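Besides a multi-engine scan, the quickest local check for a flagged system binary is its Authenticode signature. The PowerShell below is an added example and is not from any poster in this thread; the file paths are assumptions based on the locations mentioned above, and the winsxs lookup is a recursive search because that store keeps copies in versioned subfolders.

```powershell
# Added example: check whether the binary an AV flagged carries a valid
# Microsoft Authenticode signature before deciding it is a false positive.
# Paths are assumptions; winsxs copies sit under versioned subdirectories.
$candidates = @("$env:windir\System32\SearchFilterHost.exe") +
    (Get-ChildItem "$env:windir\winsxs" -Recurse -Filter SearchFilterHost.exe `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

foreach ($path in $candidates) {
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(none)" }
    # Status "Valid" with a Microsoft subject is strong evidence of a false positive.
    # "NotSigned" can also mean the file is catalog-signed rather than embedded-signed
    # (common for OS files on older Windows); confirm with a catalog-aware tool
    # such as signtool verify /a, or a vendor submission, before trusting the file.
    "{0}`n  status : {1}`n  signer : {2}" -f $path, $sig.Status, $signer
}
```

Anything other than a valid Microsoft signature, or a hash that differs between the system32 and winsxs copies, is a reason to keep the detection quarantined and submit the sample to the vendor rather than whitelist it.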

As of DB 407 this FP is resolved.

I’ll close this post now; if you need it reopened please PM an active mod.