Only Bitdefender found this...

Discussion in 'other anti-virus software' started by Frank the Perv, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    This is what jotti's says:

    ===========

    ....is Bitdefender really that out front, or is this a false positive?
     
  2. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Without knowing the full path of the file I would guess that this file relates to Wild Tangent. If so, I would say that this is not a false positive.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Doesn't the following line answer the question?
    BD seems to be known (at least to Jotti's) to produce more false positives than other scanners...
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Jotti says this for every AV with heuristics...
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Frank, try scanning that file on virustotal.com also. ;) And submit it for analysis to ESET, KAV or to Softwin and let us know the result. :)
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    But in this case it doesn't look like a heuristic detection? Seems to be a detection by signature?
     
  7. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    Dallen is on top of it. It does have to do with Wild Tangent. Dallen is becoming (for me) one of the people on this board who is worth listening to.

    I don't have the full path right now (I'm at work), but I'll post it tonight.

    But my computer is acting strangely..... and I don't like it.

    Oh, and Bitdefender (online scan version) could not remove it. McAfee AV, Panda online scan, Ewido, A2, Spybot, Win Defender, PestPatrol and Trend AS (online scan) also didn't find it. Bitdefender is the only one.

    Thanks pykko, I'll try it on virustotal.com tonight.

    And I'd guess this is detection by signature since Bitdefender picked it up in their online scan & also at Jotti's.

    Thanks for the replies...

    v/r ftp
     
  8. andreas_pej

    andreas_pej Registered Member

    Joined:
    Aug 9, 2006
    Posts:
    1
    That file is suspected of being spyware, I believe, because I searched on Google and a lot of people had been infected with: Trojan.Exploit.Html.Codebaseexec.CC.
    I don't think it's a FP, but please upload it at virustotal and see if others detect it.
     
    Last edited: Aug 9, 2006
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Mr. Perv ;),
    These remarks are too kind, but I appreciate them nevertheless. There are certainly people within this forum that I feel the same about.

    I will be on the forum tonight. Wild Tangent, from what I've read, can be a little tricky to remove (assuming removal is your desired course of action).
     
  11. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    If you want my two cents on this, I think it's a false positive. The malware
    in question is actually an exploit. Some web pages are written in such a way
    that it'll make your browser download a file and execute it. So while opening
    any web page if you get this alert then it is serious. But this is not a web
    page. I know it's an EXE file but we don't know for sure what it does.

    BitDefender is known to make FPs.

    Here is an interesting page. Please have a look at this.

    The best thing in this situation is to send this file to be analysed.
     
  12. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    STATUS: FINISHED
    Complete scanning result of "blastrb2.exe", received in VirusTotal at 08.10.2006, 03:22:30 (CET).

    Antivirus           Version         Update      Result
    AntiVir             6.35.1.0        08.09.2006  no virus found
    Authentium          4.93.8          08.09.2006  no virus found
    Avast               4.7.844.0       08.09.2006  no virus found
    AVG                 386             08.09.2006  no virus found
    BitDefender         7.2             08.10.2006  Trojan.Exploit.Html.Codebaseexec.CC
    CAT-QuickHeal       8.00            08.09.2006  AdWare.WinAD (Not a Virus)
    ClamAV              devel-20060426  08.10.2006  no virus found
    DrWeb               4.33            08.09.2006  no virus found
    eTrust-InoculateIT  23.72.91        08.09.2006  no virus found
    eTrust-Vet          30.3.3007       08.09.2006  no virus found
    Ewido               4.0             08.09.2006  no virus found
    Fortinet            2.77.0.0        08.10.2006  no virus found
    F-Prot              3.16f           08.09.2006  no virus found
    F-Prot4             4.2.1.29        08.09.2006  no virus found
    Ikarus              0.2.65.0        08.09.2006  no virus found
    Kaspersky           4.0.2.24        08.10.2006  no virus found
    McAfee              4825            08.09.2006  no virus found
    Microsoft           1.1508          08.04.2006  no virus found
    NOD32v2             1.1700          08.10.2006  no virus found
    Norman              5.90.23         08.09.2006  no virus found
    Panda               9.0.0.4         08.09.2006  no virus found
    Sophos              4.08.0          08.09.2006  no virus found
    Symantec            8.0             08.10.2006  no virus found
    TheHacker           5.9.8.189       08.09.2006  no virus found
    UNA                 1.83            08.09.2006  no virus found
    VBA32               3.11.0          08.09.2006  no virus found
    VirusBuster         4.3.7:9         08.09.2006  no virus found
     
  13. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    Lots of good info since I left last.

    Thanks for the info andreas_pej, tobacco, and AMRX and dallen.

    First, results from VirusTotal above.
    Bitdefender is still the only one who detects.... well, along with CAT-QuickHeal - whatever that is.

    From the links and info provided, Codebaseexec.CC definitely appears to be 'something.'

    What would happen if I just deleted the file C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe?

    Could I not just reload the info I needed from the Logitech website?

    But I suppose that would be too easy.

    And dallen...... please, call me Frank. When you refer to me as "Mr. Perv," I start looking around for my dad.


    -ftp
     
  14. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Frank it is, please accept my apologies both for being late and for the manner in which I referred to you.

    I have encountered Wild Tangent in the past, but I cannot remember exactly where for sure. If my memory serves me well, it came pre-installed on my girlfriend's Dell.

    The method I used to remove it was simple, but I'm sure that you do not want to utilize it. I simply nuked her hard disk to eliminate all of the unnecessary hidden partitions that also came with the system and re-built her system properly. This is an option for you, but I am going to assume that it won’t be your preferred method.

    AMRX raises three points and I disagree with only two. I would like to preface this with the fact that I have not yet followed the link he provided, but I soon will.

    First point
    He thinks this is a false positive (FP). I do not think so. I think this is something that could be viewed as legitimate and is classified as such by many. I use a Logitech mouse and their Setpoint software and you can bet that Wild Tangent is not, and will not be, on my system. Admittedly, I have more research to do on this topic and will commence immediately and report back my findings.

    Second point
    He claims BitDefender is known for FPs. I am fairly new to the product, but have been testing BitDefender 9 Standard pretty intensely, not to mention researching the hell out of it. As a probable future user, migrating from Symantec, I have not experienced FPs. If you do not believe me, then look at the results on AV-Comparatives website. There is a category for FPs and BitDefender is consistently scored “few.”

    Third point
    He advises to have the file in question analyzed. I agree with this advice.

    Frank,
    After golfing today, I went to Best Buy and bought me a 900 watt uninterruptible power supply. This took longer than I anticipated and is the reason that it took me so long to reply. I cannot promise that I will complete my research on this before the weekend as I am leaving for southern Kentucky tomorrow to do a little fishin' and enjoy some rest and relaxation on Lake Cumberland before school begins. However, I imagine that you are eager to figure this out, so I will try to have something before tomorrow if possible.
     
    Last edited: Aug 10, 2006
  15. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Thank you dallen for your insights. Please check out the link I have provided.
    I still think it's an FP as you can see that even in VirusTotal scan, none of
    the AVs detected it as codebase exploit. It's a very common exploit and
    almost all the AVs (even TMIS) detect it. So HAD it been really the trojan,
    results would have been different.

    CAT Quickheal is an Indian AV and it used to generate a lot of FPs but now
    it's stabilized. Still it has a long way to go. It made the detection 'properly'
    as adware. Few years ago almost all the AVs would have done so. But why
    not now? You'll know this when you'll follow the link I have provided.

    I used BitDefender for a long time and I have a different experience, so have
    my friends who used it. So I have a different point of view. You have
    different experience so it's OK. Andreas Clementi's March 2006 test terms
    BD with 'few' FPs. Only one test, I wouldn't call that consistent. Also I
    had only two FPs with DrWeb not 'many'. I'm not saying that these tests are
    false though. I have all the respect for Andreas Clementi et al.

    I'd recommend Frank to send the file for analysis. Also I'd like to tell you
    that the 'strange act' your computer is putting up might be for a totally
    different reason. So it'd be better if you tell us what exactly is the 'strange
    act'. Otherwise you might tame the Wild Tangent but will it serve the
    purpose if your computer is still acting strangely?
     
  16. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I think Wild Tangent came installed on my Dell, and it has something to do with some games. Other than that I don't know anything about it.

    Jerry
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I personally feel it's neither and based on the findings from one of the most trusted researchers in the field....I'll put my stock in the fact that Wild Tangent is correctly categorized as Low Risk Adware. That being said and nothing against VT's free malware scan service but if indeed the majority of the industry does classify it as adware then not only are We spinning wheels in regards to program ABC being out front but We also are spinning our wheels in regards to a possible False positive. What does BitD classify this find as? Do they have a facility available where it shows their classifications? If this is indeed adware....then attempting to show that other AV's do not detect this find is non-productive.

    JMO,
    Bubba
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    If it is indeed low-risk, maybe BD should categorise it differently in much the same way Quickheal has done by saying it's "Not a Virus", according to the VirusTotal results posted above.
     
  19. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    So I read the links and information that everybody posted -- thanks.

    Dallen – good and seemingly solid info. Thanks again.

    OK, so maybe codebaseexec.cc is not a classic piece of malware. I still don’t want it on my computer.

    So I just went to…

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe

    ..and I deleted the wild tangent folder. I read that it only has a games application. And I’m not a gamer, so it seemed expendable to me.

    Anyway, I deleted the folder, and then I ran CCleaner to try and make sure it was gone.

    And then I ran Bitdefender again, and everything came up clean.

    But then, just to be sure, I ran Bitdefender one more time, and it found this…

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Infected with: Trojan.Exploit.Html.Codebaseexec.CC

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o) Update failed

    …which appears to be the same stuff in some sort of backup location. Why didn’t CCleaner flush it out after I deleted it I wonder? So I ran CCleaner and the new McAfee system cleaner hoping it would flush it out of there. No go.

    My computer has acted funny in that it rebooted itself twice while I was not even with the computer. So that’s pretty strange. It’s a first on this system anyway.

    Also, McAfee repeatedly has found a virus, which I have deleted through McAfee, but seems to keep coming back. And McAfee just finds it in a free floating kind of way. That is, it’s just floating on my system; I don’t even have to be cruising the internet for McAfee to pop up with the warning. And crap, I have not yet written down the name of the virus, it’s poly… something. But I guess that’s my next mission.

    But with everything I’ve read about wild tangent, it seems pretty well known. I don’t think I need to submit it to AV guys.

    So that’s the deal.

    How do I get the backup data (if that’s what it is) off my system?

    Wilder's rocks.
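
An added example, not part of the original post or of any BitDefender tool: a small Python triage of the four scan-log lines quoted above, showing that every event refers to one archived copy inside a System Restore point (RP1000) rather than to a live file. The line layout and the four status phrasings are assumptions inferred from those quoted lines only, and `triage` and `unresolved_in_restore` are hypothetical helper names.

```python
import re

# Constructed sample: the four BitDefender scan-log lines quoted in the post above.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Infected with: Trojan.Exploit.Html.Codebaseexec.CC
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Disinfection failed
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o)=>zlib_nsis0018 Deleted
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1000\A0062577.exe=>(NSIS o) Update failed
"""

# Assumption: a line reads "<file on disk>=><container>=><member> <status>",
# where <status> is one of the four phrasings seen in the quoted log.
LINE_RE = re.compile(
    r"^(?P<chain>.+?) "
    r"(?P<status>Infected with: \S+|Disinfection failed|Deleted|Update failed)$"
)

# Files archived by System Restore live under
# "System Volume Information\_restore{GUID}\RPnnn\".
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)


def triage(log_text):
    """Group scan-log events by the file on disk that contains them."""
    findings = {}
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank line or a layout this sketch does not know
        parts = match.group("chain").split("=>")
        disk_file, nested = parts[0], "=>".join(parts[1:])
        entry = findings.setdefault(
            disk_file,
            {"restore_point": None, "detections": set(), "events": []},
        )
        rp = RESTORE_RE.search(disk_file)
        if rp:
            entry["restore_point"] = rp.group(1)
        status = match.group("status")
        if status.startswith("Infected with: "):
            entry["detections"].add(status.split(": ", 1)[1])
        # Record which nested member (if any) the status applies to.
        entry["events"].append((nested, status))
    return findings


def unresolved_in_restore(findings):
    """Files inside a restore point whose log contains any 'failed' status."""
    return [
        path
        for path, entry in findings.items()
        if entry["restore_point"]
        and any("failed" in status for _, status in entry["events"])
    ]


if __name__ == "__main__":
    for path, entry in triage(SAMPLE_LOG).items():
        print(path)
        print("  restore point:", entry["restore_point"])
        print("  detections:   ", sorted(entry["detections"]))
        for member, status in entry["events"]:
            print("  event:", member, "->", status)
```
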
     
  20. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Go to 'Control Panel/System/System Restore' and check the box 'Turn off system restore on all drives', click 'apply' and 'okay'. Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.
     
  21. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Okay...I survived my trip to Kentucky. Wow!!! I thought about taking my laptop with the hopes that I would stumble across a WiFi Network. It turns out that it would have been nothing more than unnecessary luggage. Boy was I wrong. It turned out that I was going to the back woods. "Internet...what that?"

    Sorry for the delay Frank, but it sounds like you've read up on Wild Tangent and arrived at a similar conclusion as I. People can say what they want and haggle over specifics of classifications. Bottom line, I don't need it, I don't like the way it sounds, and, therefore, I don't want it on my system.

    Whether an AV is better for detecting it or worse for not, I don't know. It's probably a matter of personal preference when all is said and done.

    Regarding your current BitDefender finds, it sounds like tobacco's instructions for flushing out the restore points are right on. A couple added words of caution though. One, you will lose any restore points. Two, I would be wary of creating a new restore point prior to ensuring that my system was clean. Doing so could serve to make cleaning any virus more involved, or worse, it could even allow the survival of any malicious nasty that may be on your system.

    Regarding the removal of Wild Tangent, it seems that tobacco's link to PC Hell Wild Tangent removal instructions may be a good start. Also, if you Google Wild Tangent Removal, you will come across a few other sets of instructions that are similar. I will tell you when I know something and when I do not. I do not have experience at removing this nasty beyond doing a fresh installation of the OS and all programs, so I would be misleading you if I tried to advise you on its removal.

    Regarding your potential virus, the name is definitely important. You said "Poly...something." Was it either polymorphic, or "new poly win32"?

    I do not know much about your current setup, system expectations, or your willingness to invest time/money so I am reluctant to offer my advice.

    I do not like relying on Windows' built-in System Restore. I like having my valuable data backed up on an external HD. I also don't mind spending a little over $26.98 to ensure that I have an easy, guaranteed solution to many problems, including the one(s) that you're currently faced with. Therefore, I use Image for Windows/DOS. This combination allows me to simply pull off any critical data on to my external HD and restore an image of my last known good setup with a few key strokes. If this is not an option for whatever reason, I understand and I will do anything I can to help you clean up your system. If it is an option, and I think it is the best long-term solution, then know that it involves formatting your HD and re-installing your necessary programs.

    Many might disagree with my advice, but since I like you, I feel compelled to be honest and give you my honest opinion. My opinion is that developing an effective and efficient long-term solution that involves an imaging software is essential in today's environment. A measure this drastic may not be necessary, but it is certainly sufficient. Also, there is no better time to invest the time, than when you are faced with a troubling system. Let me know your thoughts and we'll go from there.
     
  22. Denise_M

    Denise_M Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    19
    Hi,

    I'm sorry to barge in on your post but I thought this might help as I'm having the same problem as you are with this Trojan. Every scan that I ran did not find this Trojan except for BitDefender:


    I first ran CCleaner, then Spybot, Panda Active Scan, Trend Micro House Call, AVG, Windows Defender, Microsoft Malicious Spyware Removal Tool, Ad-Aware, Spyware Doctor, HiJackThis, McAfee Avert Stinger, RegSeeker, Spy Sweeper, Ewido, CW Shredder, Kill2Me, a-squared and Avast. Some of the programs were run in both normal mode and Safe Mode, and some were run in Safe Mode with Networking. None of these programs found anything named Wild Tangent or Trojan.Exploit.Html.Codebaseexec.CC except for BitDefender.

    These files showed up on my pc only a few days ago. I Googled Trojan.Exploit.Html.Codebaseexec.CC and it came up with very little information except for posts from a few people who have these files and have written to forums requesting help. It's how I found this forum.

    "http://www.google.com/search?hl=en&lr=&sa=G&q="Trojan.Exploit.Html.Codebaseexec.CC""

    I don't have WildTangent in Add/Remove Programs. It looks like it might very well be a FP, but I'll be keeping an eye on it. My pc is no worse for wear since I picked it up.

    I also Googled WildTangent and came up with this

    "http://www.pchell.com/support/wildtangent.shtml"

    Again, I'm sorry for barging in but I thought that my info might help a bit.

    Denise
     
    Last edited: Aug 15, 2006
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Denise_M,
    Please do not apologize. These forums are here for people to help other people learn and solve issues like yours and Frank's.

    A few questions came to mind while reading your posting. First, when you say, "These files showed up on my pc only a few days ago." What exactly do you mean? To clarify my question, do you mean that the file(s) in question were installed a few days ago? Or do you mean that you run BD scans frequently and a few days ago BD first detected them?
     
  24. Denise_M

    Denise_M Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    19
    I don't run BitDefender frequently . . . maybe once a month, along with Trend Micro, Spyware Doctor, Microsoft Malicious Spyware Removal Tool, CW Shredder, McAfee Avert Stinger, and Windows Defender.

    I run CCleaner several times a day, and Regseeker once a day along with PC onPoint.

    I run Spybot, AVG, and Ad-Aware once a week.

    I run Spyware Doctor, HiJackThis, Panda, McAfee Avert Stinger, Spy Sweeper, Ewido, a-squared and Avast only if there's a problem, and Kill2Me just sits there in case I can't uninstall a program.

    I discovered these FP's when I was deleting a program through Control Panel > Add/Remove Programs. I noticed that, all of a sudden, I had 3 new programs that I never had before: Logitech Desktop Manager, Logitech iTouch Software, and Logitech Resource Center. I have a Logitech mouse and keyboard but I didn't think that a mouse and keyboard needed 3 programs running for them, especially since they were plug and play. I often install new programs and I either keep them or delete them so I'm in Add/Remove Programs at least twice a week (if not more) and I'm very familiar with the programs that are listed there. The programs couldn't have been in my pc for more than a few days.

    So I did what I usually do when I get curious . . . I Googled the programs and checked about 10 sites and found no useful information. There were no changes to the way my pc was running so I went along with the old saying, "If it ain't broke, don't fix it," but I was keeping an eye out for sluggishness, being re-directed, programs that weren't working properly, etc, :shifty: but no symptoms appeared.

    When I did my monthly "whole ball of wax" scans, BitDefender picked up those files. I then ran the remainder of the programs but, as I said, they didn't show up under any other scan. When I Googled Trojan.Exploit.Html.Codebaseexec.CC yesterday, the Google search result was
    I then ran a HiJackThis scan and there wasn't anything unusual in it. I clicked on a few more links and, like I said in my original post, I found only posts from a few people who have these files and have written to forums requesting help.

    So for now, I tend to agree that the results are FP's because, if they aren't, one of the other programs that I ran would have picked up something. How and why they got into my pc is a mystery though. I use Sygate firewall and AVG anti-virus and the programs and the files got past them so, to me, that enforces the results of all the other scans. But, I've also seen it snow in July.

    Denise
     
  25. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Denise,
    Keep in mind that just because BitDefender is the only scanner flagging this does not necessarily mean that it is a false positive. You are justified in being suspicious for that reason; however, I would use caution in using that solely as the basis for arriving at that conclusion.

    I have been in contact with BitDefender, submitted Frank's scan results to them for analysis, and requested more information of the supposed threat. I was told that I would receive a reply within 24 hours.
     