BitDefender registry keys detected as threats
I used Malwarebytes and Spybot S&D weekly as on-demand scanners when I had 2009. They never found anything and I never had any problems. My 2009 license just ran out, so I uninstalled 2009, then installed 2010. On the first scan, both Malwarebytes and Spybot found some items.
Spybot found three trojans in the registry. All were .exe files associated with BD according to a quick Google search. Malwarebytes found 11 .exe files in the registry, all of which were associated with BD. I assume these are false positives? I chose to ignore these files in future scans. Is that okay?
Comments
-
Hello gdobbs23,
Please post the exact paths of the detected files, as well as the detection names. Thank you.
Cris.
-
I cannot find the exact Spybot detection since I clicked to ignore those objects, and there is no place I can find to un-ignore those problems in Spybot (so performing another scan will not find them) or to retrieve a log that has the specific path. This is the best I could find:
found: Win32.Agent.tdd Settings
found: Win32.Delf.uv Settings
found: Win32.Delf.uv Settings
Again, Spybot called these 'registry trojans' and all three .exe files were associated with BD and started with a 'HKEY'. If I remember correctly, they were vsserv.exe, bdagent.exe, and livesrv.exe. This never happened with 2009, but upon the first scan with 2010, these popped up.
Here is what I got from Malwarebytes, which found this in both a deep and a quick scan:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Arrakis3.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdreinit.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdtkexec.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwizreg.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiscan.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrepl.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> No action taken.
As you can see, Malwarebytes is also having a problem with the same three that Spybot found, plus 8 others.
BD, after various system scans and deep system scans, has found nothing.
Thanks for your help in this matter.
-
Any update on this Cris?
-
Those detections are false positives from Malwarebytes and SpyBot.
I contacted MalwareBytes about this matter, and I'm trying to convince them that this problem should be fixed (but they don't seem to really believe me, so it might take a while until they fix it, if it happens at all).
About SpyBot, I haven't contacted them. If that detection cannot be ignored, please contact SpyBot's support department.
Bottom line: there is no infection. Those keys are clean and are part of the installation process.
Cris.
-
Follow-up: The issue with Malwarebytes' Antimalware was resolved.
-
Bottom line: there is no infection. Those keys are clean and are part of the installation process.
Cris.
Thank you.
-
ISSUE 1: Malwarebytes recently found 11 BD registry keys with the infection Security.Hijack. It was determined that these were false positives and a subsequent scan with Malwarebytes found nothing.
This evening I did a full scan with Malwarebytes and it is again listing one of those same keys with the same infection. That item is
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe (Security.Hijack)
Is this a false positive or has it been decided that it's not?
ISSUE 2: In addition, when the scan first started I got a pop-up from BitDefender stating that BD had blocked access by msm to C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\WSLib.dll --- and then at the bottom it said BD had removed this file because it couldn't be cleaned.
I Googled this and found instructions by Alex from this forum on what to do. However, when I tried to download the patch he said to use I got more alerts, something to do with Dropped:Trojan.Generic iexplore and it would not allow me to download the file. Does this file have to be downloaded in Safe mode?
Please help! I am getting so tired of the continuous problems with this 2010. Just when you think you've got things running, something new pops up. It's really wearing on my nerves!
-
ISSUE 2: In addition, when the scan first started I got a pop-up from BitDefender stating that BD had blocked access by msm to C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\WSLib.dll --- and then at the bottom it said BD had removed this file because it couldn't be cleaned.
I Googled this and found instructions by Alex from this forum on what to do. However, when I tried to download the patch he said to use I got more alerts, something to do with Dropped:Trojan.Generic iexplore and it would not allow me to download the file. Does this file have to be downloaded in Safe mode?
It says in the instructions given on the website that you need to restart the computer in Safe Mode with Networking in order to download the file.
-
I thought he meant you had to be in Safe mode just to run the patch.
I went back to the post, and the page on this from BD indicates that if there is a problem with this file you cannot get your updates. After reading your answer I attempted to update my BitDefender and it worked fine. Does this mean I don't need the patch?
-
Hello Nikilet,
Please post the exact detection name for WSLib.dll (you should find it by clicking View logs in BitDefender Security Center). Also, post here the exact link to the patch that you tried to download and was blocked (also, the exact detection name for it, as the one you posted seems incomplete). (NOTE: I just found out that this detection was removed yesterday. It was a false positive.)
Cris.
EDIT: About that detected key, please go to Start -> Run, type regedit and press Enter. Then go to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe
Select that key and make a screenshot similar to this:
Attach the screenshot to your next post. Thank you.
-
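For readers who want to check such a detection themselves rather than post a screenshot: the following is an added example, not code from the thread, BitDefender or Malwarebytes. An Image File Execution Options (IFEO) subkey named after an .exe only redirects execution if it carries a Debugger value (Windows then starts that program instead of the target) or, less commonly, a VerifierDlls value that loads a DLL into it. A subkey that holds neither, for example only GlobalFlag or similar tuning values, cannot hijack the program by itself, which is why the presence of the key alone (as in the eleven BitDefender entries above, and the seccenter.exe key Cris asks about) is not evidence of an infection. The script enumerates every IFEO subkey and reports which ones actually redirect. The registry path is the one quoted in the thread; the column names are my own.

```powershell
# Added example: triage Image File Execution Options subkeys.
# Written for PowerShell 2.0 and later; run as Administrator to read HKLM fully.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Values that can change what runs when the named .exe is started.
$redirectValues = 'Debugger', 'VerifierDlls'

Get-ChildItem -Path $ifeo | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath

    # Collect the data values stored under this key, ignoring PowerShell's own PS* noise.
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $_.Name }

    $debugger = $props.Debugger
    $verifier = $props.VerifierDlls

    if ($debugger) {
        # This is the actual hijack primitive: Windows launches $debugger with the
        # target's path as an argument. Check whether the file even exists.
        $exe = ($debugger -replace '^"([^"]+)".*', '$1') -replace '^(\S+).*', '$1'
        $status = if (Test-Path -LiteralPath $exe) { 'REDIRECTS to existing file' }
                  else { 'REDIRECTS to MISSING file' }
    } elseif ($verifier) {
        $status = 'LOADS DLL via VerifierDlls'
    } else {
        $status = 'no redirection value'
    }

    New-Object PSObject -Property @{
        Target       = $key.PSChildName
        Status       = $status
        Debugger     = $debugger
        VerifierDlls = $verifier
        OtherValues  = ($names | Where-Object { $redirectValues -notcontains $_ }) -join ','
    }
} | Sort-Object Status | Format-Table Target, Status, Debugger, OtherValues -AutoSize

# To inspect a single key, e.g. the one discussed above:
# Get-ItemProperty -Path "$ifeo\seccenter.exe" | Format-List
```

Entries reported as "no redirection value" are the ones to compare against the scanner's output: if a scanner flags such a key as Security.Hijack, it is flagging the existence of the key, not a redirection. An entry with a Debugger pointing to an unexpected or missing file is the case that deserves attention, since the target program will not start normally until the value is removed.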
Follow-up: I got a reply from MalwareBytes. The detection will be removed in their next update.