Bloodhound.Exploit.6 False Positive Found by Antivirus in Forums and Hijack Logs

Symantec antivirus commonly reports a false positive when a web page contains a particular kind of text that is often found in HijackThis logs. This tech-recipe explains and reproduces that false positive.


If you are running Symantec antivirus, this page may give you a false positive. If you post a comment, it will very likely give you a false positive. Do not worry. You are safe. Keep reading for the explanation.

The warning will contain information similar to the following text:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z\admin[1].htm
Location: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z
Computer: 5XBBT01
User: Administrator
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, December 07, 2004 11:18:39 AM

The scanner is picking up this text and giving a false positive:

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line. exe

This is text that is often seen in Bloodhound.Exploit.6 infections. The confusion occurs when text like this is posted in forums when trying to clean out infections on other systems.

This is very commonly seen in forums where infected HijackThis logs are posted.

This is a false positive. Your system is not infected.
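The mechanism behind this false positive is a content-only signature: the scanner keys on the `ms-its:mhtml:...chm::/` construct wherever it appears, so a pasted HijackThis log in a forum post matches just as readily as a live exploit page. The following Python script is an added example (not from the original article or from Symantec) that shows such a rule firing on constructed log lines, and "defangs" the offending tokens so a log can be posted without tripping the signature. The regular expression, the `defang` scheme and the placeholder `example.invalid` domains are assumptions for illustration, not Symantec's actual detection logic.

```python
import re

# Constructed HijackThis-style log lines (not taken from the article). The
# second line carries the ms-its:mhtml ... .chm::/ pattern that a content
# signature such as the Bloodhound.Exploit.6 heuristic keys on. Domains are
# placeholders (example.invalid), not real hosts.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\\nosuch.mht!http://malware.example.invalid/pop/chm/payload.chm::/on-line.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.invalid/swflash.cab
"""

# A content-only signature (assumed, for illustration): any text containing an
# ms-its: URI that chains an mhtml: resource into a .chm::/ path. It has no
# notion of context, so a log file and an HTML page look identical to it.
MHTML_CHM_SIGNATURE = re.compile(r"ms-its:mhtml:[^\s]*?\.chm::/", re.IGNORECASE)


def find_trigger_lines(text):
    """Return (line_number, line) for every line the content signature matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if MHTML_CHM_SIGNATURE.search(line):
            hits.append((n, line))
    return hits


def defang(line):
    """Neutralize the tokens the signature keys on so the line can be posted in
    a forum without matching, while staying readable to the person cleaning
    the machine. Bracketing the scheme separators is a common defanging style."""
    line = re.sub(r"ms-its:", "ms-its[:]", line, flags=re.IGNORECASE)
    line = re.sub(r"mhtml:", "mhtml[:]", line, flags=re.IGNORECASE)
    line = re.sub(r"\.chm::/", ".chm[::]/", line, flags=re.IGNORECASE)
    line = re.sub(r"http://", "hxxp://", line, flags=re.IGNORECASE)
    return line


def defang_log(text):
    """Defang every line of a log; lines without the pattern pass through unchanged
    apart from the http:// -> hxxp:// rewrite."""
    return "\n".join(defang(line) for line in text.splitlines())


if __name__ == "__main__":
    for n, line in find_trigger_lines(SAMPLE_LOG):
        print(f"line {n} would trigger the signature:\n  {line}")
    print("\nDefanged copy that no longer matches:")
    print(defang_log(SAMPLE_LOG))
```

Running the script reports that only the second constructed line matches, and that the defanged copy matches nothing, which is why forum moderators often ask posters to break up or bracket such lines before submitting a log.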


About David Kirk

David Kirk is one of the original founders of tech-recipes and is currently serving as editor-in-chief. Not only has he been crafting tutorials for over ten years, but in his other life he also enjoys taking care of critically ill patients as an ICU physician.