Bitdefender Not Detecting Rootkits

bitdefender does not detect rootkits at all. i had several rootkits which could disable all antiviruses except bitdefender. it even stopped MBAM. i had to install MBAM in chameleon mode which then detected the virus. Log of MBAM:

Registry Keys: 60
Trojan.Agent.CMO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINMGR.EXE, Quarantined, [af3b0a4689f23204154086405aa919e7], 
Trojan.Agent.CMO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINMGR.EXE, Quarantined, [af3b0a4689f23204154086405aa919e7], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, Quarantined, [bd2d331d2d4e52e493f6080c986ba45c], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, Quarantined, [8862a4ac15661c1ad2ba7c98ad56c33d], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, Quarantined, [1ad01f31314a989e7b237a9a3cc7c53b], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, Quarantined, [89611a36ff7ca98d6047779d867dcd33], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, Quarantined, [bc2e47092b504cead9d07f95ef147888], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, Quarantined, [b139cd83fa8113235b5733e16a992fd1], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, Quarantined, [1dcdaca485f6a78f06ad22f22ad944bc], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, Quarantined, [7773d27e2a51db5b912869ab7a89857b], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, Quarantined, [00eadd731764c57111d231e363a00df3], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, Quarantined, [f8f283cd9dde7db9fbfd5467ab588d73], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, Quarantined, [9e4c59f7accf85b1e9a521f48083bf41], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, Quarantined, [faf08dc3205b3ff77e020a0c956eb54b], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, Quarantined, [29c13719106b40f66c8b714a04ff8080], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, Quarantined, [32b85cf4ec8f62d4a6b51205df24c23e], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, Quarantined, [9b4f84cc403bbf779108e6db15ede51b], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, Quarantined, [a9410f4199e23204693a4382699a38c8], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, Quarantined, [6387361a7ffc93a38a60acece51d6898], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, Quarantined, [5496c8880972f73fb7a5c35413f0718f], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Monitor.exe, Quarantined, [8565a1af80fbda5c484a22f5976c6e92], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, Quarantined, [7b6fb8981e5d59dde9af5cbb1fe415eb], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, Quarantined, [3faba2ae334852e4901a05121ce743bd], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, Quarantined, [6e7cb39dd0abd75f01bcde39ce3545bb], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, Quarantined, [c72390c0bbc0b086a51e47d0a65d738d], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, Quarantined, [b03aeb65a8d355e1b3958d8cf50ee21e], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, Quarantined, [41a90050bcbfe2544c3ba7f24ab98a76], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, Quarantined, [22c8cb85e09b7db9b34609b24cb733cd], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, Quarantined, [cd1d0f41bebd94a2df3c63b836cdd62a], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, Quarantined, [3eacb59b502b3ff7bcc9031144bfc937], 
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, Quarantined, [bd2d79d7512ac175f8ddd63ea2616d93], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, Quarantined, [ba309cb44e2ded49ddac70a4ce35a060], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, Quarantined, [5d8d2828f18a0c2ac9c318fc05feae52], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, Quarantined, [9951e36d5a215adc8717c153f310e51b], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, Quarantined, [44a66ce4057684b23473f123f60d2ed2], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, Quarantined, [5c8e00509ae1bc7acddc33e161a229d7], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, Quarantined, [13d71739a6d5c274238fe232d92aeb15], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, Quarantined, [16d4351b88f3a0966251ad67798ae51b], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, Quarantined, [7f6b8dc369129a9c77427e96798a2ed2], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, Quarantined, [569429273843a2945390be5663a0f20e], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, Quarantined, [75752f212f4cc76f6a8e3f7cc3405ca4], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, Quarantined, [d7133e12512a7fb76c225fb6a063728e], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, Quarantined, [39b184cc74071c1a661a46d0db2837c9], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, Quarantined, [27c34907bebd290d31c6e9d238cb55ab], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, Quarantined, [46a453fd5b205cdaeb70a5720102ce32], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, Quarantined, [32b8b7994a317bbbe4b5625f16ecfb05], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, Quarantined, [ffeb52fec9b2072ff4af5570bb485ba5], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, Quarantined, [8466aca4ef8c45f1d1199ff938ca2dd3], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, Quarantined, [f1f98ac6f18ac76f18442dea29dad828], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Monitor.exe, Quarantined, [4f9bcf812f4c171f8c060e093fc48977], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, Quarantined, [ca20aea2d7a484b20593997e946f01ff], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, Quarantined, [ba301d33473452e4c3e75dba11f2a759], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, Quarantined, [ca20a0b0552665d16558de39a0637888], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, Quarantined, [40aa97b99cdf7eb823a0b85ffe054cb4], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, Quarantined, [ab3fd17fdaa1ed4960e844d542c1ba46], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, Quarantined, [6e7ca9a70d6e5ed882055c3d956e32ce], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, Quarantined, [e00a0848ef8c26103abf3c7fb84b6d93], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, Quarantined, [569452fed9a253e372a9c655f90a1ce4], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, Quarantined, [54965df3621970c6e69fbd57de25fd03], 
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, Quarantined, [5b8fc38d7704d95de7ee67ad05fe6898], 

Registry Values: 14
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [3eacb59b502b3ff7bcc9031144bfc937]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [58924e0287f442f4e3a4da3ae91aa65a]
Hijack.Security, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGIDSAGENT.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [d416f759d6a55bdbb2bc6131659d8080]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [bd2d79d7512ac175f8ddd63ea2616d93]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [7c6e163a38430c2a29c3c94ce91a0bf5]
Hijack.Security, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [95555df3156641f5e8876f23e71b47b9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [54965df3621970c6e69fbd57de25fd03]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [7d6dfd5391ea4fe7f691f3211be8cf31]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGIDSAGENT.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [a3474709a0db90a60866415122e05ea2]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [5b8fc38d7704d95de7ee67ad05fe6898]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [d41686ca3d3e290d806ce62fd13233cd]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [55951a36cbb0af873837e5addd25b848]
Backdoor.Agent, HKU\S-1-5-21-3463171804-1537994893-3906066650-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load, C:\Windows\system32\Microsoft.com, Quarantined, [4e9ce56b6417b284e53f0b79ce34f40c]
Backdoor.Agent.WUGen, HKU\S-1-5-21-3463171804-1537994893-3906066650-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|WindowsUpdate, "C:\Users\******\AppData\Local\Temp\notepad .exe", Quarantined, [7179123e7506092d4f07c8fee41f8878]

This has happened more than 3 times already.

Find more posts tagged with

Comments

AdrianHa

Malware evolves all the time, there are new threats created every day , maybe this is something not seen before.

Malwarebytes didn't recognise or stop this either.

1) What OS do you have.

2) Which Bitdefender product are you running.

3) What settings do you have for Bitdefender antivirus conrtol?

4) Where did you encounter the malware?

wajihero

Malware evolves all the time, there are new threats created every day , maybe this is something not seen before.

Malwarebytes didn't recognise or stop this either.

1) What OS do you have.

2) Which Bitdefender product are you running.

3) What settings do you have for Bitdefender antivirus conrtol?

4) Where did you encounter the malware?

Nope it first stopped MBAM, installing MBAM in chamaleon mode( Proprietary technology of MBAM to install that prevents MBAM from installing and working ability ). after that it detected it and stopped it

1) windows 8.1 update 1

2) Bitdefender Total Security 2014

3) AVC Normal, On access scanning normal

4) Have no idea

Rampant

Note the date of the creation of this topic. Do not you think that the infection is very similar.

http://forum.bitdefender.com/index.php?showtopic=49797

wajihero

Note the date of the creation of this topic. Do not you think that the infection is very similar.

http://forum.bitdefender.com/index.php?showtopic=49797

hmmm, interesting its the same thing then why didnt the bitdefender catch this virus??? by now the database would have the signatures apart from that, the one i am having is not having any registry keys to disable bitdefender and did you submit the virus files to bitdefender?

Rampant

I do not know why the developers ignore my theme, I immediately sent the necessary samples, but the main problem is that bitdefender does not delete the infected registry keys. Look at the other threads by me in this forum section.

wajihero

I do not know why the developers ignore my theme, I immediately sent the necessary samples, but the main problem is that bitdefender does not delete the infected registry keys. Look at the other threads by me in this forum section.

that is exactly what i am saying, they are not doing anything to disinfect the registry. also there isnt an option to scan the registry as well

columbo

Here is an example of a Rootkit thread Rampant was talking about:

http://forum.bitdefender.com/index.php?s=&...st&p=211422 see also post# 5.

From the above thread, is shown what each scan, scans for in post# 4:

http://forum.bitdefender.com/index.php?s=&...st&p=211423

You can create a Custom Rootkit scan for the registry (check/un-check boxes as desired). I know it doesn't resolve your original concern of why BD didn't detect the Rootkit, or disinfect the registry. But I hope it gives you an idea of what each scan does, and the ability of creating a Custom Rootkit registry scan.

edit:sp

Rampant

It's not quite a rootkit is a multi network worm that uses rootkit techniques to conceal its in the system. The worm blocks the ability to run some antivirus software, Firewall and monitoring programs for this he makes changes to the registry Windows. In the registry branch -

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \],

create a registry key containing the name of the blocked file and string - "Debugger =" ntsd-d ntsd "". As a result of these actions, instead of launching the application is redirected to the debugger ntsd. Created registry keys are as follows:

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ avp.exe]

Debugger = "ntsd-d"

Where "avp.exe" and "Mcagent.exe" - the names of the blocked file, such keys created more than 50 pieces.

In order to circumvent the protection of detecting the worm searches and closes the Task Manager. Then attempts to connect to remote servers on the Internet, where attempts to download malware (viruses, Trojan, BackDoor, etc.). If this is successful, copy it to the system directory Windows (% System%) and launches the downloaded malware to perform.

wajihero

It's not quite a rootkit is a multi network worm that uses rootkit techniques to conceal its in the system. The worm blocks the ability to run some antivirus software, Firewall and monitoring programs for this he makes changes to the registry Windows. In the registry branch -

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \],

create a registry key containing the name of the blocked file and string - "Debugger =" ntsd-d ntsd "". As a result of these actions, instead of launching the application is redirected to the debugger ntsd. Created registry keys are as follows:

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ avp.exe]

Debugger = "ntsd-d"

Where "avp.exe" and "Mcagent.exe" - the names of the blocked file, such keys created more than 50 pieces.

In order to circumvent the protection of detecting the worm searches and closes the Task Manager. Then attempts to connect to remote servers on the Internet, where attempts to download malware (viruses, Trojan, BackDoor, etc.). If this is successful, copy it to the system directory Windows (% System%) and launches the downloaded malware to perform.

Rampant can you send me the files you sent to bitdefender for analysis??

Here is an example of a Rootkit thread Rampant was talking about:

http://forum.bitdefender.com/index.php?s=&...st&p=211422 see also post# 5.

From the above thread, is shown what each scan, scans for in post# 4:

http://forum.bitdefender.com/index.php?s=&...st&p=211423

You can create a Custom Rootkit scan for the registry (check/un-check boxes as desired). I know it doesn't resolve your original concern of why BD didn't detect the Rootkit, or disinfect the registry. But I hope it gives you an idea of what each scan does, and the ability of creating a Custom Rootkit registry scan.

edit:sp

wow they have made an excellent job in making it ultra complicated. a new user will keep on wandering. every scan conducted should provide the user with areas which user wishes to scan