Bitdefender Not Detecting Rootkits

wajihero
edited May 2014 in Antivirus


Bitdefender does not detect rootkits at all. I had several rootkits which could disable all antiviruses except Bitdefender. It even stopped MBAM. I had to install MBAM in Chameleon mode, which then detected the virus. Log of MBAM:


Registry Keys: 60
Trojan.Agent.CMO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINMGR.EXE, Quarantined, [af3b0a4689f23204154086405aa919e7],
Trojan.Agent.CMO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINMGR.EXE, Quarantined, [af3b0a4689f23204154086405aa919e7],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, Quarantined, [bd2d331d2d4e52e493f6080c986ba45c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, Quarantined, [8862a4ac15661c1ad2ba7c98ad56c33d],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, Quarantined, [1ad01f31314a989e7b237a9a3cc7c53b],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, Quarantined, [89611a36ff7ca98d6047779d867dcd33],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, Quarantined, [bc2e47092b504cead9d07f95ef147888],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, Quarantined, [b139cd83fa8113235b5733e16a992fd1],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, Quarantined, [1dcdaca485f6a78f06ad22f22ad944bc],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, Quarantined, [7773d27e2a51db5b912869ab7a89857b],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, Quarantined, [00eadd731764c57111d231e363a00df3],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, Quarantined, [f8f283cd9dde7db9fbfd5467ab588d73],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, Quarantined, [9e4c59f7accf85b1e9a521f48083bf41],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, Quarantined, [faf08dc3205b3ff77e020a0c956eb54b],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, Quarantined, [29c13719106b40f66c8b714a04ff8080],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, Quarantined, [32b85cf4ec8f62d4a6b51205df24c23e],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, Quarantined, [9b4f84cc403bbf779108e6db15ede51b],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, Quarantined, [a9410f4199e23204693a4382699a38c8],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, Quarantined, [6387361a7ffc93a38a60acece51d6898],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, Quarantined, [5496c8880972f73fb7a5c35413f0718f],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Monitor.exe, Quarantined, [8565a1af80fbda5c484a22f5976c6e92],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, Quarantined, [7b6fb8981e5d59dde9af5cbb1fe415eb],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, Quarantined, [3faba2ae334852e4901a05121ce743bd],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, Quarantined, [6e7cb39dd0abd75f01bcde39ce3545bb],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, Quarantined, [c72390c0bbc0b086a51e47d0a65d738d],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, Quarantined, [b03aeb65a8d355e1b3958d8cf50ee21e],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, Quarantined, [41a90050bcbfe2544c3ba7f24ab98a76],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, Quarantined, [22c8cb85e09b7db9b34609b24cb733cd],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, Quarantined, [cd1d0f41bebd94a2df3c63b836cdd62a],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, Quarantined, [3eacb59b502b3ff7bcc9031144bfc937],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, Quarantined, [bd2d79d7512ac175f8ddd63ea2616d93],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, Quarantined, [ba309cb44e2ded49ddac70a4ce35a060],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, Quarantined, [5d8d2828f18a0c2ac9c318fc05feae52],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, Quarantined, [9951e36d5a215adc8717c153f310e51b],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, Quarantined, [44a66ce4057684b23473f123f60d2ed2],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, Quarantined, [5c8e00509ae1bc7acddc33e161a229d7],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, Quarantined, [13d71739a6d5c274238fe232d92aeb15],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, Quarantined, [16d4351b88f3a0966251ad67798ae51b],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, Quarantined, [7f6b8dc369129a9c77427e96798a2ed2],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, Quarantined, [569429273843a2945390be5663a0f20e],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, Quarantined, [75752f212f4cc76f6a8e3f7cc3405ca4],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, Quarantined, [d7133e12512a7fb76c225fb6a063728e],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, Quarantined, [39b184cc74071c1a661a46d0db2837c9],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, Quarantined, [27c34907bebd290d31c6e9d238cb55ab],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, Quarantined, [46a453fd5b205cdaeb70a5720102ce32],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, Quarantined, [32b8b7994a317bbbe4b5625f16ecfb05],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, Quarantined, [ffeb52fec9b2072ff4af5570bb485ba5],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, Quarantined, [8466aca4ef8c45f1d1199ff938ca2dd3],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, Quarantined, [f1f98ac6f18ac76f18442dea29dad828],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Monitor.exe, Quarantined, [4f9bcf812f4c171f8c060e093fc48977],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, Quarantined, [ca20aea2d7a484b20593997e946f01ff],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, Quarantined, [ba301d33473452e4c3e75dba11f2a759],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, Quarantined, [ca20a0b0552665d16558de39a0637888],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, Quarantined, [40aa97b99cdf7eb823a0b85ffe054cb4],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, Quarantined, [ab3fd17fdaa1ed4960e844d542c1ba46],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, Quarantined, [6e7ca9a70d6e5ed882055c3d956e32ce],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, Quarantined, [e00a0848ef8c26103abf3c7fb84b6d93],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, Quarantined, [569452fed9a253e372a9c655f90a1ce4],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, Quarantined, [54965df3621970c6e69fbd57de25fd03],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, Quarantined, [5b8fc38d7704d95de7ee67ad05fe6898],

Registry Values: 14
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [3eacb59b502b3ff7bcc9031144bfc937]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [58924e0287f442f4e3a4da3ae91aa65a]
Hijack.Security, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGIDSAGENT.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [d416f759d6a55bdbb2bc6131659d8080]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [bd2d79d7512ac175f8ddd63ea2616d93]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [7c6e163a38430c2a29c3c94ce91a0bf5]
Hijack.Security, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [95555df3156641f5e8876f23e71b47b9]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [54965df3621970c6e69fbd57de25fd03]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [7d6dfd5391ea4fe7f691f3211be8cf31]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGIDSAGENT.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [a3474709a0db90a60866415122e05ea2]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [5b8fc38d7704d95de7ee67ad05fe6898]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [d41686ca3d3e290d806ce62fd13233cd]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, C:\Windows\system32\Microsoft.com, Quarantined, [55951a36cbb0af873837e5addd25b848]
Backdoor.Agent, HKU\S-1-5-21-3463171804-1537994893-3906066650-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load, C:\Windows\system32\Microsoft.com, Quarantined, [4e9ce56b6417b284e53f0b79ce34f40c]
Backdoor.Agent.WUGen, HKU\S-1-5-21-3463171804-1537994893-3906066650-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|WindowsUpdate, "C:\Users\******\AppData\Local\Temp\notepad .exe", Quarantined, [7179123e7506092d4f07c8fee41f8878]


This has happened more than 3 times already. :/

Comments

  • Malware evolves all the time; there are new threats created every day, maybe this is something not seen before.


    Malwarebytes didn't recognise or stop this either.


    1) What OS do you have?


    2) Which Bitdefender product are you running?


    3) What settings do you have for Bitdefender antivirus control?


    4) Where did you encounter the malware?

  • wajihero
    edited May 2014
    Nope, it first stopped MBAM. After installing MBAM in Chameleon mode (proprietary MBAM technology for installing when something prevents MBAM from installing and working), it detected it and stopped it.


    1) windows 8.1 update 1


    2) Bitdefender Total Security 2014


    3) AVC Normal, On-access scanning Normal


    4) Have no idea :/

  • Rampant
    Rampant ✭✭

    Note the date of the creation of this topic. Don't you think that the infection is very similar?


    http://forum.bitdefender.com/index.php?showtopic=49797

  • wajihero
    edited May 2014
    Hmmm, interesting. It's the same thing, then why didn't Bitdefender catch this virus??? By now the database would have the signatures. Apart from that, the one I am having does not have any registry keys to disable Bitdefender. And did you submit the virus files to Bitdefender?

  • Rampant
    Rampant ✭✭
    edited May 2014

    I do not know why the developers ignore my theme, I immediately sent the necessary samples, but the main problem is that Bitdefender does not delete the infected registry keys. Look at the other threads by me in this forum section.

  • That is exactly what I am saying: they are not doing anything to disinfect the registry. Also there isn't an option to scan the registry as well :/

  • columbo
    columbo
    edited May 2014

    Here is an example of a Rootkit thread Rampant was talking about:


    http://forum.bitdefender.com/index.php?s=&...st&p=211422 see also post# 5.


    The above thread shows, in post #4, what each scan scans for:


    http://forum.bitdefender.com/index.php?s=&...st&p=211423


    You can create a Custom Rootkit scan for the registry (check/un-check boxes as desired). I know it doesn't resolve your original concern of why BD didn't detect the Rootkit, or disinfect the registry. But I hope it gives you an idea of what each scan does, and the ability of creating a Custom Rootkit registry scan.



    edit:sp

  • Rampant
    Rampant ✭✭

    It's not quite a rootkit; it is a multi-network worm that uses rootkit techniques to conceal itself in the system. The worm blocks the ability to run some antivirus software, firewalls and monitoring programs; for this it makes changes to the Windows registry. In the registry branch


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\],


    it creates a registry key containing the name of the blocked file and the string "Debugger" = "ntsd -d". As a result of these actions, instead of launching, the application is redirected to the debugger ntsd. The created registry keys are as follows:


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]


    Debugger = "ntsd -d"


    where "avp.exe" and "Mcagent.exe" are the names of the blocked files; more than 50 such keys are created.


    In order to circumvent detection by protection software, the worm searches for and closes the Task Manager. Then it attempts to connect to remote servers on the Internet, from which it attempts to download malware (viruses, Trojans, backdoors, etc.). If this is successful, it copies it to the Windows system directory (%System%) and launches the downloaded malware.
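Added example, not from the thread or from either vendor: a small Python audit for the IFEO "Debugger" hijack described above, written from the defender's side. It assumes the key was exported on the affected machine with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the WOW6432Node copy, if present) and the text is passed to audit_ifeo(); the debugger allow-list is an assumption, and the protected image names are taken from the MBAM log in the first post.

```python
import re
from pathlib import PureWindowsPath
# Assumed allow-list: programs that legitimately appear as an IFEO "Debugger" target.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "ntsd", "vsjitdebugger.exe"}
# Images the worm in this thread hijacked (names taken from the MBAM log in the first post);
# a Debugger value on one of these is a hijack even when it names a real debugger.
PROTECTED_IMAGES = {"avp.exe", "mbam.exe", "mbamservice.exe", "msmpeng.exe", "msseces.exe",
                    "avastsvc.exe", "avgnt.exe", "avguard.exe", "rstrui.exe", "wireshark.exe"}

def _unescape(value):
    return re.sub(r"\\(.)", r"\1", value)  # .reg escapes '\' and '"' with a backslash

def _debugger_program(value):
    """Lower-cased basename of the program named first in a Debugger value."""
    value = value.strip()
    if value.startswith('"'):                 # quoted path, possibly followed by arguments
        end = value.find('"', 1)
        program = value[1:end] if end > 0 else value[1:]
    else:                                     # bare path or name, e.g. 'ntsd -d'
        program = value.split(" ", 1)[0]
    return PureWindowsPath(program).name.lower()

def audit_ifeo(reg_text):
    """Return (image, debugger_value, verdict) for every Debugger value in a .reg export."""
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")
            # Only direct children of the IFEO key name an image; deeper subkeys (<image>\PerfOptions) are skipped.
            ok = len(parts) >= 2 and parts[-2].lower() == "image file execution options"
            image = parts[-1].lower() if ok else None
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if not (m and image):
            continue
        value = _unescape(m.group(1))
        program = _debugger_program(value)
        if program not in KNOWN_DEBUGGERS:
            verdict = "hijack: Debugger target is not a debugger"
        elif image in PROTECTED_IMAGES:
            verdict = "hijack: debugger attached to a security or recovery tool"
        else:
            verdict = "review: known debugger"
        findings.append((image, value, verdict))
    return findings

# Constructed sample export; the avp.exe and mbam.exe entries mirror the thread's MBAM log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Windows\\system32\\Microsoft.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="ntsd -d"
"""
```

Run `audit_ifeo(SAMPLE_REG)` to see the three verdicts; removing a flagged Debugger value restores normal launching of that image, which is the registry clean-up the thread says the scanner left undone.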

  • wajihero
    edited May 2014
    Rampant, can you send me the files you sent to Bitdefender for analysis??


    Wow, they have done an excellent job in making it ultra complicated. A new user will keep on wandering. Every scan conducted should provide the user with the areas the user wishes to scan.