Symantec antivirus commonly raises a false positive when a web page contains a particular type of text that is common in HijackThis logs. This tech-recipe explains and reproduces this false positive.
If you are running Symantec antivirus, this page may give you a false positive. If you post a comment, it will very likely give you a false positive. Do not worry. You are safe. Keep reading for the explanation.
The warning will contain information similar to the following text:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z\admin[1].htm
Location: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D14Q0F5Z
Computer: 5XBBT01
User: Administrator
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, December 07, 2004 11:18:39 AM
The scanner is picking up this text and giving a false positive:
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line. exe
This is text that is often seen in Bloodhound.Exploit.6 infections. The confusion occurs when people post text like this in forums while trying to clean infections from other systems.
This is very commonly seen in forums where infected HijackThis logs are posted.
This is a false positive. Your system is not infected.
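As an added example (not part of the original recipe and not Symantec's detection logic), the following triage helper checks whether the flagged substring in a cached page appears only as displayed text, as in a posted HijackThis log, or inside something the page would load. The function names, the attribute list and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Substring taken from the HijackThis line quoted on this page.
PATTERN = re.compile(r"ms-its:mhtml:file://", re.IGNORECASE)
# Assumed list of attributes that make a browser load a resource.
LOADING_ATTRS = {"src", "href", "data", "codebase", "action"}

class PatternLocator(HTMLParser):
    """Records where PATTERN occurs: displayed text vs. something the page loads."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.text_hits, self.active_hits = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if value and name in LOADING_ATTRS and PATTERN.search(value):
                self.active_hits.append(f"<{tag} {name}=...>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not PATTERN.search(data):
            return
        (self.active_hits if self.in_script else self.text_hits).append(data.strip()[:80])

def triage(html):
    """Return 'review', 'text-only' or 'no-match' for one cached page."""
    parser = PatternLocator()
    parser.feed(html)
    parser.close()
    if parser.active_hits:
        return "review"      # pattern is in an attribute or script: inspect by hand
    return "text-only" if parser.text_hits else "no-match"

# Constructed samples (not real pages); example.invalid is a placeholder host.
FORUM_POST = (r"<html><body><pre>O16 - DPF: {CONSTRUCTED} - ms-its:mhtml:file://"
              r"c:\nosuch.mht!http://example.invalid/a.chm::/a.exe</pre></body></html>")
LIVE_REFERENCE = '<html><body><iframe src="ms-its:mhtml:file://placeholder"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("forum post", FORUM_POST), ("live reference", LIVE_REFERENCE)):
        print(name, "->", triage(page))
```

A "text-only" result matches the situation described above, where the scanner reacts to a log line shown on the page; a "review" result means the cached file deserves a manual look.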