found Win32:Cfd.exe.back [Adw]

Hello all,

Doing a boot time Avast scan, I found the following :

CFD.exe.back C:\Program Files\Broadjump\Client Foundation 16/12/2002 time 21/04/2008 Win32:Cfd[Adw]

I sent this file to the chest.

What is surprising to me is that this file had been lying on my PC for months and had never been detected
by Avast before. As far as I can remember, I changed the name of this file in the past, because
I read somewhere on the Internet that Broadjump Foundation was somewhat suspicious and that a way
to freeze it was to rename this file.

So I added the .back suffix.

How do you explain that this file was not detected as [Adw] by Avast before? Was it detected
because the latest version of Avast now detects spyware and adware infections?
(I have the Apr 2008 Avast version {4.8.1169}.)

The day after I ran the boot scan, I ran SpywareTerminator. It produced the following report:

Invalid Startup Items (Invalid)
The ‘Invalid Startup Items’ are items that are linked to non-existing file in your Registry.

Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BJCFD=
C:\Program Files\Broadjump\Client Fundation\CFD.exe

(Just to say, as far as I can understand, that the linking entry was still there, even though the linked
object was no longer there; should Windows XP not warn me when a program entry is missing at
boot time?)

(I have now deleted the Broadjump Foundation entry from my PC using “Ajout/Suppression
des programmes” [Add/Remove Programs] in my Control Panel.)

Shall I post the infected file by E-mail to ALWIL ?

Many thanks in advance for any comments.
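
The "Invalid Startup Items" report in the post above describes a `Run` value that still points at a file which has been renamed or removed. The check below is an added example, not part of the original thread and not SpywareTerminator's own logic; the helper name `Get-CommandTarget` and the inclusion of the HKCU key are assumptions.

```powershell
# Added example: flag Run-key values whose target file no longer exists.
# HKLM Run is the key named in the report; HKCU Run is included as an assumption.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandTarget {   # hypothetical helper name
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: the target is whatever sits inside the first pair of quotes.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: extend the candidate one token
    # at a time until it names a file on disk.
    $tokens = $cmd -split '\s+'
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Nothing on disk matched: cut at the first executable-looking extension
    # so the missing path is reported without its arguments.
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd))(\s|$)') { return $Matches[1] }
    return $cmd
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $raw = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }   # skip empty values
        $target = Get-CommandTarget $raw
        # Bare names such as rundll32.exe are resolved through PATH.
        $onDisk = (Test-Path -LiteralPath $target -PathType Leaf) -or
                  [bool](Get-Command $target -CommandType Application -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Key = $key; Name = $name; Target = $target; Exists = $onDisk }
    }
}

# Entries like the BJCFD value in the report show up here with Exists = False.
$report | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```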

Hi crococ,

As we are seeing from this anti-malware routine, this is more than likely a false positive:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&p=290867

polonus

Detection signatures are continually updated so it could catch it at any point in the future of its arrival on your system.

As suggested, it might be an FP.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.


Most likely it is a false positive. It was probably installed by your Internet Service Provider.

Broadjump\Client Fundation\CFD.exe is used by various ISPs for on-line troubleshooting.

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.technet&tid=2c02653f-047c-42c7-8fec-e905f85a4713

http://www.superadblocker.com/definition/cfd/

http://www.auditmypc.com/process/cfd.asp


Here are the results :

start →
| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.4.24.0 | 2008.04.24 | - |
| AntiVir | 7.8.0.8 | 2008.04.24 | - |
| Authentium | 4.93.8 | 2008.04.24 | - |
| Avast | 4.8.1169.0 | 2008.04.24 | Win32:Cfd |
| AVG | 7.5.0.516 | 2008.04.23 | - |
| BitDefender | 7.2 | 2008.04.24 | - |
| CAT-QuickHeal | 9.50 | 2008.04.23 | - |
| ClamAV | 0.92.1 | 2008.04.24 | - |
| DrWeb | 4.44.0.0917 | 2008.04.24 | - |
| eSafe | 7.0.15.0 | 2008.04.24 | - |
| eTrust-Vet | 31.3.5731 | 2008.04.24 | - |
| Ewido | 4.0 | 2008.04.23 | - |
| F-Prot | 4.4.2.54 | 2008.04.24 | - |
| F-Secure | 6.70.13260.0 | 2008.04.24 | - |
| FileAdvisor | 1 | 2008.04.24 | - |
| Fortinet | 3.14.0.0 | 2008.04.23 | - |
| Ikarus | T3.1.1.26 | 2008.04.24 | - |
| Kaspersky | 7.0.0.125 | 2008.04.24 | - |
| McAfee | 5280 | 2008.04.24 | - |
| Microsoft | 1.3408 | 2008.04.24 | - |
| NOD32v2 | 3051 | 2008.04.24 | - |
| Norman | 5.80.02 | 2008.04.23 | - |
| Panda | 9.0.0.4 | 2008.04.24 | - |
| Prevx1 | V2 | 2008.04.24 | - |
| Rising | 20.41.30.00 | 2008.04.24 | - |
| Sophos | 4.28.0 | 2008.04.24 | - |
| Sunbelt | 3.0.1056.0 | 2008.04.17 | - |
| Symantec | 10 | 2008.04.24 | - |
| TheHacker | 6.2.92.290 | 2008.04.24 | - |
| VBA32 | 3.12.6.4 | 2008.04.16 | - |
| VirusBuster | 4.3.26:9 | 2008.04.23 | - |
| Webwasher-Gateway | 6.6.2 | 2008.04.24 | - |

← end

Why does only Avast detect this file? Does it mean this file is definitely an FP?
I have moved it to a separate folder; shall I delete it?

Will it mean that all people with this Broadjump Foundation and the latest Avast version
together might be warned the same way?

(I have rummaged around the Internet and read that this product is at most considered
spyware/adware and can be removed without any problem, so one can think Avast
is the only one doing it the right way :wink: , but perhaps depending on the trick it uses to do so.)

TIA

this false positive will be fixed soon… we treated it as a PUP, but it looks to be legit though…

What is PUP?

Potentially Unwanted (or unnecessary) Program ;D

Thanks :wink: