Only Bitdefender found this...

This is what jotti's says:

===========

....is Bitdefender really that out front, or is this a false positive?

 

Without knowing the full path of the file I would guess that this file relates to Wild Tangent. If so, I would say that this is not a false positive.

 

Doesnt the following line answer the question?

BD seems to be known (atleast to jottis) to produce more false positives than other scanners...

 

Jotti says this for every AV with heuristics...

 

Frank try scaning that file on virustotal.com also. And submitt it for analyse to ESET, KAV or to Softwin and let us know the result.

 

But in this case it doesn't look like a heuristic detection? Seems to be a detection by signature?

 

Dallen is on top of it. It does have to do with Wild Tangent. Dallen is becoming (for me) one of the people on this board who is worth listening to.

I don't have the full path right now (I'm at work), but I'll post it tonight.

But my computer is acting strangely..... and I don't like it.

Oh, and Bitdefender (online scan version) could not remove it. McAfee AV, Panda online scan, Ewido, A2, Spybot, Win Defender, PestPatrol and Trend AS (online scan) also didn't find it. Bitdefender is the only one.

Thanks pykko, I'll try it on virustotal.com tonight.

And I'd guess this is detection by signature since Bitdefender picked it up in their online scan & also at Jotti's.

Thanks for the replies...

v/r ftp

 

that file is suspected with spyware, i belive. Because i searched on google and alot of people hade been infected with:Trojan.Exploit.Html.Codebaseexec.CC.
I dont think its a FP, but pls upload it at virustotal and see if other detect it.

 

Have a look here http://www.tech-forums.net/showthread.php?threadid=114937



Entry- C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018 Infected Trojan.Exploit.Html.Codebaseexec.CC

Some removal instructions- http://www.pchell.com/support/wildtangent.shtml

 

Mr. Perv ,
These remarks are too kind, but I appreciate them nevertheless. There are certainly people within this forum that I feel the same about.

I will be on the forum tonight. Wild Tanget, from what I've read, can be a little tricky to remove (assuming removal is your desired course of action).

 

If you want my two cents on this, I think its a false positive. The malware
in question is actually an exploit. Some web pages are written in such a way
that it'll make your browser download a file and execute it. So while opening
any web page if you get this alert then it is serious. But this is not a web
page. I know its an EXE file but we don't know for sure what it does.

BitDefender is known to make FPs.

Here is an interesting page. Please have a look at this.

The best thing in this situation is to send this file to be analysed.

 

STATUS: FINISHEDComplete scanning result of "blastrb2.exe", received in VirusTotal at 08.10.2006, 03:22:30 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.09.2006 no virus found
Authentium 4.93.8 08.09.2006 no virus found
Avast 4.7.844.0 08.09.2006 no virus found
AVG 386 08.09.2006 no virus found
BitDefender 7.2 08.10.2006 Trojan.Exploit.Html.Codebaseexec.CC
CAT-QuickHeal 8.00 08.09.2006 AdWare.WinAD (Not a Virus)
ClamAV devel-20060426 08.10.2006 no virus found
DrWeb 4.33 08.09.2006 no virus found
eTrust-InoculateIT 23.72.91 08.09.2006 no virus found
eTrust-Vet 30.3.3007 08.09.2006 no virus found
Ewido 4.0 08.09.2006 no virus found
Fortinet 2.77.0.0 08.10.2006 no virus found
F-Prot 3.16f 08.09.2006 no virus found
F-Prot4 4.2.1.29 08.09.2006 no virus found
Ikarus 0.2.65.0 08.09.2006 no virus found
Kaspersky 4.0.2.24 08.10.2006 no virus found
McAfee 4825 08.09.2006 no virus found
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1700 08.10.2006 no virus found
Norman 5.90.23 08.09.2006 no virus found
Panda 9.0.0.4 08.09.2006 no virus found
Sophos 4.08.0 08.09.2006 no virus found
Symantec 8.0 08.10.2006 no virus found
TheHacker 5.9.8.189 08.09.2006 no virus found
UNA 1.83 08.09.2006 no virus found
VBA32 3.11.0 08.09.2006 no virus found
VirusBuster 4.3.7:9 08.09.2006 no virus found

 

Lots of good info since I left last.

Thanks for the info andreas_pej, tobacco, and AMRX and dallen.

First, results from VirusTotal above.
Bitdefender is still the only one who detects.... well, along with CAT -QuickHeal - whatever that is.

From the links and info provided, Codebaseexec.CC definitely appears to be 'something.'

What would happen if I just deleted the file C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe?

Could I not just reload the info I needed from the Logitech website?

But I suppose that would be too easy.

And dallen...... please, call me Frank. When you refer to me as "Mr. Perv," I start looking around for my dad.


-ftp

 

Frank it is, pleas accept my apologies both for being late and for the manner in which I referred to you.

I have encountered Wild Tangent in the past, but I cannot remember exactly where for sure. If my memory serves me well, it came pre-installed on my girlfriend's Dell.

The method I used to remove it was simple, but I'm sure that you do not want to utilize it. I simply nuked her hard disk to eliminate all of the unnecessary hidden partitions that also came with the system and re-built her system properly. This is an option for you, but I am going to assume that it won’t be your preferred method.

AMRX raises three points and I disagree with only two. I would like to preface this with the fact that I have not yet followed the link he provided, but I soon will.

First point
He thinks this is a false positive (FP). I do not think so. I think this is something that could be viewed as legitimate and is classified as such by many. I use a Logitech mouse and their Setpoint software and you can bet that Wild Tangent is not, and will not be, on my system. Admittedly, I have more research to do on this topic and will commence immediately and report back my findings.

Second point
He claims BitDefender is known for FPs. I am fairly new to the product, but have been testing BitDefender 9 Standard pretty intensely, not to mention researching the hell out of it. As a probable future user, migrating from Symantec, I have not experienced FPs. If you do not believe me, then look at the results on AV-Comparatives website. There is a category for FPs and BitDefender is consistently scored “few.”

Third point
He advises to have the file in question analyzed. I agree with this advice.

Frank,
After golfing today, I went to Best Buy and bought me a 900 watt uninterruptible power supply. This took longer than I anticipated and is the reason that it took me so long to reply. I cannot promise that I will complete my research on this before the weekend as I am leaving for southern Kentucky tomorrow to do a little fishin' and enjoy some rest and relaxation on Lake Cumberland before school begins. However, I imagine that you are eager to figure this out, so I will try to have something before tomorrow if possible.

 

Thank you dallen for your insights. Please check out the link I have provided.
I still think its an FP as you can see that even in VirusTotal scan, none of
the AVs detected it as codebase exploit. Its a very common exploit and
almost all the AVs (even TMIS) detect it. So HAD it been really the trojan,
results would have been different.

CAT Quickheal is an Indian AV and it used to generate a lot of FPs but now
its stabilized. Still it has a long way to go. It made the detection 'properly'
as a adware. Few years ago almost all the AVs would have done so. But why
not now? You'll know this when you'll follow the link I have provided.

I used BitDefender for a longtime and I have different experience, so has
my friends who used it. So I have a different point of view. You have
different experience so its ok. Andreas Clementi's March 2006 test terms
BD with 'few' FPs. Only one test, I wouldn't call that consistent. Also I
had only two FPs with DrWeb not 'many'. I'm not saying that these tests are
false though. I have all the respect for Andreas Clementi et al.

I'd recommend Frank to send the file for analysis. Also I'd like to tell you
that the 'strange act' your computer is putting up might be for a totally
different reason. So it'd be better if you tell us what exactly is the 'strange
act'. Otherwise you might tame the Wild Tangent but will it serve the
purpose if your computer is still acting strangely?

 

I thinik Wild Tangent came installed on my Dell, and it has something to do with some games. Other than that I don't know anything abut it.

Jerry

 

I personally feel it's neither and based on the findings from one of the most trusted researches in the field....I'll put my stock in the fact that Wild Tangent is correctly categorized as Low Risk Adware. That being said and nothing against VT's free malware scan service but if indeed the majority of the industry does classify it as adware then not only are We spinning wheels in regards to program ABC being out front but We also are spinning our wheels in regards to a possible False positive. What does BitD classify this find as ? Do they have a facility available where it shows their classifications ? If this is indeed adware....then attempting to show that other AV's do not detect this find is non-productive.

JMO,
Bubba

 

If it is indeed low-risk, maybe BD should categorise it differently in much the same way Quickheal has done by saying it's "Not a Virus", according to the VirusTotal results posted above.

 

So I read the links and information that everybody posted -- thanks.

Dallen – good and seemingly solid info. Thanks again.

OK, so maybe codebaseexec.cc is not a classic piece of malware. I still don’t want it on my computer.

So I just went to…

C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe

..and I deleted the wild tangent folder. I read that it only has a games application. And I’m not a gamer, so it seemed expendable to me.

Anyway, I deleted the folder, and then I ran CCleaner to try and make sure it was gone.

And then I ran Bitdefender again, and everything came up clean.

But then, just to be sure, I ran Bitdefender one more time, and it found this…

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Infected with: Trojan.Exploit.Html.Codebaseexec.CC

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o) Update failed

…which appears to be the same stuff in some sort of backup location. Why didn’t CCleaner flush it out after I deleted it I wonder? So I ran CCleaner and the new McAfee system cleaner hoping it would flush it out of there. No go.

My computer has acted funny in that it rebooted itself twice while I was not even with the computer. So that’s pretty strange. It’s a first on this system anyway.

Also, McAfee repeatedly has found a virus, which I have deleted through McAfee, but seems to keep coming back. And McAfee just finds it in a free floating kind of way. That is, it’s just floating on my system; I don’t even have to be cruising the internet for McAfee to pop up with the warning. And crap, I have not yet written down the name of the virus, it’s poly… something. But I guess that’s my next mission.

But with everything I’ve read about wild tangent, it seems pretty well known. I don’t think I need to submit it to AV guys.

So that’s the deal.

How do I get the backup data (if that’s what it is) off my system?

Wilder's rocks.

 

Go to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'.Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

 

Okay...I survived my trip to Kentucky. Wow!!! I thought about taking my laptop with the hopes that I would stumble across a WiFi Network. It turns out that it would have been nothing more than unnecessary luggage. Boy was I wrong. It turned out that I was going to the back woods. "Internet...what that?"

Sorry for the delay Frank, but it sounds like you've read up on Wild Tangent and arrived at a similar conclusion as I. People can say what they want and haggle over specifics of classifications. Bottom line, I don't need it, I don't like the way it sounds, and, therefore, I don't want it on my system.

Whether an AV is better for detecting it or worse for not, I don't know. It's probably a matter of personal preference when all is said and done.

Regarding your current BitDefender finds, it sounds like tobacco's instructions for flushing out the restore points are right on. A couple added words of caution though. One, you will lose any restore points. Two, I would be weary of creating a new restore point prior to ensuring that my system was clean. Doing so could serve to make cleaning any virus more involved, or worse, it could even allow the survival of any malicious nasty that may be on your system.

Regarding the removal of Wild Tangent, it seems that tobacco's link to PC Hell Wild Tangent removal instructions may be a good start. Also, if you Google Wild Tangent Removal, you will come across a few other sets of instructions that are similar. I will tell you when I know something and when I do not. I do not have experience at removing this nasty beyond doing a fresh installation of the OS and all programs, so I would be misleading you if I tried to advise you on its removal.

Regarding your potential virus, the name is definitely important. You said "Poly...something. Was it either polymorphic, or "new poly win32"?

I do not know much about your current setup, system expectations, or your willingness to invest time/money so I am reluctant to offer my advice.

I do not like relying on system Windows built in System Restore. I like having my valuable data backed up on an external HD. I also don't mind spending a little over $26.98 to ensure that I have an easy, guaranteed solution to many problems, including the one(s) that you're currently faced with. Therefore, I use Image for Windows/DOS. This combination allows me to simply pull off any critical data on to my external HD and restore an image of my last known good setup with a few key strokes. If this is not an option for whatever reason, I understand and I will do anything I can to help you clean up your system. If it is an option, and I think it is the best long-term solution, then know that it involves formatting your HD and re-installing your necessary programs.

Many might disagree with my advice, but since I like you, I feel compelled to be honest and give you my honest opinion. My opinion is that developing an effective and efficient long-term solution that involves an imaging software is essential in today's environment. A measure this drastic may not be necessary, but it certainly sufficient. Also, there is no better time to invest the time, than when you are faced with a troubling system. Let me know your thoughts and we'll go from there.

 

Hi,

I'm sorry to barge in on your post but I thought this might help as I'm having the same problem as you are with this Trojan. Every scan that I ran did not find this Trojan except for BitDefender:

I first ran CCleaner, then Spybot, Panda Active Scan, Trend Micro House Call, AVG, Windows Defender, Microsoft Malicious Spyware Removal Tool, Ad-Aware, Spyware Doctor, HiJackThis, McAfee Avert Stinger, RegSeeker, Spy Sweeper, Ewido, CW Shredder, Kill2Me, a-squared and Avast. Some of the programs were run in both normal mode and Safe Mode, and some were run in Safe Mode with Networking. None of these programs found anything named Wild Tangent or Trojan.Exploit.Html.Codebaseexec.CC except for BitDefender.

These files showed up on my pc only a few days ago. I Googled Trojan.Exploit.Html.Codebaseexec.CC and it came up with very little information except for posts from a few people who have these files and have written to forums requesting help. It's how I found this forum.

"http://www.google.com/search?hl=en&lr=&sa=G&q="Trojan.Exploit.Html.Codebaseexec.CC""

I don't have WildTangent in Add/Remove Programs. It looks like it might very well be a FP, but I'll be keeping an eye on it. My pc is no worse for wear since I picked it up.

I also Googled WildTangent and came up with this

"http://www.pchell.com/support/wildtangent.shtml"

Again, I'm sorry for barging in but I thought that my info might help a bit.

Denise

 

Denise_M,
Please do not apologize. These forums are here for people to help other people learn and solve issues like yours and Franks.

A few questions came to mind while reading your posting. First, when you say, "These files showed up on my pc only a few days ago." What exactly do you mean? To clarify my question, do you mean that the file(s) in question were installed a few days ago? Or do you mean that you run BD scans frequently and a few days ago BD first detected them?

 

I don't run BitDefender frequently . . . maybe once a month, along with Trend Micro, Spyware Doctor, Microsoft Malicious Spyware Removal Tool, CW Shredder, McAfee Avert Singer, and Windows Defender.

I run CCleaner several times a day, and Regseeker once a day along with PC onPoint.

I run Spybot, AVG, and Ad-Aware once a week.

I run Spyware Doctor, HiJackThis, Panda, McAfee Avert Stinger, Spy Sweeper, Ewido, a-squared and Avast only if there's a problem, and Kill2Me just sits there in case I can't uninstall a program.

I discovered these FP's when I was deleting a program through Control Panel > Add/Remove Programs. I noticed that, all of a sudden, I had 3 new programs that I never had before: Logitech Desktop Manager, Logitech iTouch Software, and Logitech Resource Center. I have a Logitech mouse and keyboard but I didn't think that a mouse and keyboard needed 3 programs running for them, especially since they were plug and play. I often install new programs and I either keep them or delete them so I'm in Add/Remove Programs at least twice a week (if not more) and I'm very familiar with the programs that are listed there. The programs couldn't have been in my pc for more than a few days.

So I did what I usually do when I get curious . . . I Googled the programs and checked about 10 sites and found no useful information. There were no changes to the way my pc was running so I went along with the old saying, "If it ain't broke, don't fix it," but I was keeping an eye out for sluggishness, being re-directed, programs that weren't working properly, etc, but no symptoms appeared.

When I did my monthly "whole ball of wax" scans, BitDefender picked up those files. I then ran the remainder of the programs but, as I said, they didn't show up under any other scan. When I Googled Trojan.Exploit.Html.Codebaseexec.CC yesterday, the Google search result was

I then ran a HiJackThis scan and there wasn't anything unusual in it. I clicked on a few more links and, like I said in my original post, I found only posts from a few people who have these files and have written to forums requesting help.

So for now, I tend to agree that the results are FP's because, if they aren't, one of the other programs that I ran would have picked up something. How and why they got into my pc is a mystery though. I use Sygate firewall and AVG anti-virus and the programs and the files got past them so, to me, that enforces the results of all the other scans. But, I've also seen it snow in July.

Denise

 

Denise,
Keep in mind that just because BitDefender is the only scanner flagging this does not necessarily mean that it is a false positive. You are justified in being suspicious for that reason; however, I would use caution in using that solely as the basis for arriving at that conclusion.

I have been in contact with BitDefender, submitted Franks scan results to them for analysis, and requested more information of the supposed threat. I was told that I would receive a reply within 24 hours.