Bitdefender AV Can't Catch Viruses

Hey...


Someone please tell me what the ###### is this mess? I mean there are around 3 absolute viruses settling in my PC and yet with having run various scans and them actively screwing around the system, Bitdefender AntiVirus doesn't even seem to smell their stinky ######! <_<


I have no freaking doubts about this. These are the exposed files in the System32 folder which I found to be the so-called parasites: w.exe, ss.exe, fxssend.exe, afisicx.exe


And here goes the log file of a scan performed on those files:


BitDefender Log File

Product : BitDefender Antivirus 2009
Version : BitDefender UIScanner v.12
Scanning task : Contextual Scan
Log date : 2009/04/04 12:36:01 AM
Log path : C:\Documents and Settings\Mehrdad\Application Data\BitDefender\Desktop\Profiles\Logs\contextual\1238789161_1_00.xml

Scan Paths:
Path 0000: C:\WINDOWS\system32\ss.exe
Path 0001: C:\WINDOWS\system32\w.exe
Path 0002: C:\WINDOWS\system32\afisicx.exe
Path 0003: C:\WINDOWS\system32\fxssend.exe

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : No

Target Selection Options:
Scan registry keys : No
Scan cookies : No
Scan boot sectors : No
Scan memory processes : No
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Prompt for password

Scan engines summary
Number of virus signatures : 2818629
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7

Overall scan summary
Scanned items : 0
Infected items : 0
Suspicious items : 0
Resolved items : 0
Unresolved items : 0
Password-protected items : 0
Overcompressed items : 0
Individual viruses found : 0
Scanned directories : 0
Scanned boot sectors : 0
Scanned archives : 0
Input-output errors : 0
Scan time : 00:00:01
Files per second : 0

Scanned processes summary
Scanned : 0
Infected : 0

Scanned registry keys summary
Scanned : 0
Infected : 0

Scanned cookies summary
Scanned : 0
Infected : 0


I will perhaps get rid of these viruses one way or another. But if I couldn't, then what on earth would I do?


In fact, the main point that I'm trying to make here is that Bitdefender falls short of being a capable Antivirus; despite the fact that it helped me out in removing quite a few other viruses, two days ago.


Guess I put too much trust in Bitdefender.

Comments

  • Hello Aquarius,


    First of all, please understand that there isn't any security software that can offer a 100% detection rate and protection against all threats. It's simply impossible to achieve this goal.


    This being said, please submit those files for analysis. They will be checked and detection will be added as necessary.


    To submit the files, please put them in a password-protected archive (with the password 'infected'), upload the archive to a file-sharing server and send me the download link through PM. I will forward the files for analysis ASAP and let you know the result.


    More details about file submission here: http://forum.bitdefender.com/index.php?s=&...post&p=1222


    Thank you.


    Cris.

  • I see that your scan did not scan anything ("Overall scan summaryScanned items : 0") which seems very very weird. I had something similar, but when I moved the contextual scan up a folder level it did then scan.

  • Hello Cris and thanks for your reply.


    I'm sorry if I sounded a bit rough in the original post.


    I sent you the zip file containing the 'more than likely' malwares.


    However, since creating this topic, I have researched the file 'fxssend.exe' and found that it isn't malware. It's a legitimate file for the fax services. But I doubted its nature because it was created the same day as those malwares, though its creation hour is right when I decided to repair Windows; I didn't notice the latter, hence the original post's mistake.


    And to give a bit of background, the Windows repair decision was due to some serious malfunctions caused by several viruses which jumped onto the computer via the flash drive of a friend of mine (I knew something was wrong with that since I could see the .exe files inside the drive were maliciously hidden. And yes... I didn't have any AV installed at the time due to so and so reason...).


    I have to say though that I'm grateful to BD for the removal of some nasty virus called 'W32.virut.r' which was a ###### pain in the neck. I see the current mess as a possible result of Virut infections, though.


    Also worthy of note in this regard is that Virut (or maybe some other malware associated with it) effectively disarmed BD several times by deleting uiscan.exe (how come BD couldn't prevent this?!); I managed to repair BD and get it to scan files only by applying a number of precautions like shifting my account's type from admin to limited, entering safe mode and disabling some shady startup items and services through msconfig, backing up the uiscan.exe file to a memory card and making it read-only, etc. ZoneAlarm firewall has helped me a lot too in stabilizing the situation.


    I'm still afraid of logging into the admin account in normal (not safe) mode. In fact, there's one error message box that keeps popping up once in an admin account. It says:


    "Faulting application logonui.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x00650401."


    Right before this error, an info message box pops up that appears to be related to DEP, and it informs that DEP has closed logonui.exe to prevent viruses from affecting the system (can't remember the exact message). Not sure though if this kind of message is genuine and sent by Windows itself.


    @ronchicago: Yes, it's weird. I initiated similar scans on legitimate Windows files in the same folder and the result summary was just like that of the malwares, i.e. '0 scanned items'. I managed to recreate another similar scan log (with no scanned items) as well by scanning some dll file in the Program Files folder. This case couldn't be reproduced by scanning files in My Documents.


    I did a deep system wide scan to no avail.

  • alexcrist
    edited April 2009

    I have sent the files for analysis. I haven't tested them so I can't say if they're suspicious or not, but as soon as I get the official result I'll let you know.


    As for the infection you had, please download this tool: BitDefender AVIS, unzip it in an empty folder, and run AVIS.exe. Then go to System info and create a complete report:


    [screenshot: avis.jpg]


    When the report is generated, please send it to me through PM so I can take a look at it.


    Please don't change the options for the log generation.


    Also, please don't make a system scan with AVIS. Its engine is only based on high heuristic scanning and it has a very high false positive rate. It's not recommended to be used for scanning unless specifically told to do so.


    As for the "0 items scanned", please open BitDefender Security Center (Advanced), go to Antivirus, and set it to Aggressive. BitDefender has an option not to scan the same file again (if it was scanned before), so in consecutive scans over the same sets of files, those files will be skipped. Usually, this option is useful, because it increases scanning speed a lot, but in case of serious infections I'd recommend disabling the option (you can re-enable it when you're finished cleaning). The option is called Scan only new and changed files and can be changed by clicking Custom level. (This option is enabled with the Default settings, and disabled with Aggressive settings.)


    Cris.


    EDIT: Hold on a little with the AVIS report. I don't know how it works under a limited account, because it needs administrative rights to fully access all needed points. Let me test it a little and I'll tell you exactly what to do.
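A scan-coverage sanity check for the log format quoted at the top of the thread, added here as an example (this is not BitDefender's code; it parses the plain-text "key : value" layout of the log as shown above, and the two option checks are this editor's judgement about what a scan of a live infection should have enabled):

```python
"""Sanity-check a BitDefender 2009 contextual-scan log (added example).

A result of "Infected items : 0" only means something if the scanner
actually looked at the requested files. The log in this thread reports
"Scanned items : 0" against four explicit paths, which is what the
"Scan only new and changed files" option produces on a re-scan: a clean
verdict that is not evidence of anything. This parser pulls the paths and
the per-section "key : value" fields out of the plain-text log and flags
that condition, plus two options that are too weak for a live-infection
investigation (this editor's checks, not BitDefender's).
"""
import re
from typing import Dict, List, Tuple

PATH_RE = re.compile(r"^Path \d{4}:\s*(.+)$")

# Condensed copy of the log quoted in the original post (only the fields
# this check needs), in the plain "key : value" text form.
SAMPLE_LOG = r"""
BitDefender Log File
Product : BitDefender Antivirus 2009
Scanning task : Contextual Scan
Log date : 2009/04/04 12:36:01 AM
Scan Paths:
Path 0000: C:\WINDOWS\system32\ss.exe
Path 0001: C:\WINDOWS\system32\w.exe
Path 0002: C:\WINDOWS\system32\afisicx.exe
Path 0003: C:\WINDOWS\system32\fxssend.exe
Scan Options:
Scan for viruses : Yes
Scan for rootkits : No
Target Selection Options:
Scan memory processes : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Overall scan summary
Scanned items : 0
Infected items : 0
Scan time : 00:00:01
Scanned processes summary
Scanned : 0
Infected : 0
"""


def parse_scan_log(text: str) -> Dict[str, object]:
    """Return {'paths': [...], 'sections': {heading: {key: value}}}."""
    paths: List[str] = []
    sections: Dict[str, Dict[str, str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PATH_RE.match(line)
        if m:                                  # "Path 0003: C:\WINDOWS\..."
            paths.append(m.group(1).strip())
        elif " :" in line:                     # "Scanned items : 0", "Scanned extensions :"
            key, _, value = line.partition(" :")
            sections.setdefault(current, {})[key.strip()] = value.strip()
        else:                                  # "Scan Options:", "Overall scan summary"
            current = line.rstrip(":").strip()
    return {"paths": paths, "sections": sections}


def check_coverage(report: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means the scan is usable."""
    findings: List[Tuple[str, str]] = []
    sections: Dict[str, Dict[str, str]] = report["sections"]  # type: ignore[assignment]
    paths: List[str] = report["paths"]  # type: ignore[assignment]
    scanned = int(sections.get("Overall scan summary", {}).get("Scanned items", "0") or 0)
    if paths and scanned == 0:
        findings.append(("ZERO_COVERAGE",
                         f"{len(paths)} path(s) requested but 0 items scanned; "
                         "rerun with 'Scan only new and changed files' disabled"))
    options: Dict[str, str] = {}
    for heading in ("Scan Options", "Target Selection Options"):
        options.update(sections.get(heading, {}))
    if options.get("Scan memory processes") == "No":
        findings.append(("NO_MEMORY_SCAN",
                         "running processes were not scanned; active malware stays invisible"))
    if options.get("Scan for rootkits") == "No":
        findings.append(("NO_ROOTKIT_SCAN",
                         "rootkit scan disabled; hidden files and processes would be missed"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for code, why in check_coverage(parse_scan_log(text)) or [("OK", "scan coverage looks usable")]:
        print(f"{code}: {why}")
```

Run it against a saved log (or with no argument to use the embedded copy); a ZERO_COVERAGE finding means the scan's clean verdict should be discarded and the scan repeated with the file-skipping option off, as Cris describes above.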

  • Davo
    edited April 2009

    Bitdefender misses a lot of unknown viruses, but try to submit them to the Lab.


    Nothing more we can do; many AVs miss a lot of unknown samples. Bitdefender 2009 will soon have HIPS, I hope, and then it will detect even all these unknown and all future variant viruses/samples.


    Just tonight I submitted over 20 samples to support @ bitdefender.com and virus_submission @ bitdefender.com


    Let's wait and see when they will be detected, hope soon.

  • Thanks in part to Cris's help and suggestions and also to myself, the nasty viruses seem to have gone down the drain.


    Nonetheless, I'm having trouble opening the Help and Support Center in Windows XP; that is, when I try to launch it, a dozen 'web page unavailable while offline' dialog boxes come up and afterwards, when I respond to each of them with 'Stay Offline', nothing opens up: no windows, no help, no errors whatsoever.


    I even tried repairing Windows and the Windows Help config file(pchealth.inf) last night to no avail.


    Also worth noting is the Trojan Rlsloupa.A that breached my computer several times and placed its infected files, e.g. F.TMP, on the root of the C drive. Thank god, Bitdefender wiped it away in a moment.


    These incidents prompt me to suspect that my machine could still be infected. I mean, how come a trojan can be downloaded while I have a firewall turned on and I wasn't doing anything remotely risky then?

  • Pretty scary stuff I found out...


    Look..just look...


    With only Help and Support Center clicked and helpctr.exe running but with no window, as explained in the previous post:


    [screenshot: 7d37ab1c2f.jpg]


    With no action taken whatsoever, i.e. Help and Support Center not running:


    [screenshot: e15e63294d.jpg]


    And be sure to check this out: http://www.siteadvisor.com/sites/zief.pl/summary/


    Pretty self-explanatory, eh?


    Just today I performed a deep scan and no infection was found. I'm lost for words.

  • Aquarius, there is probably something injected into your Help and Support Center (and that's why it probably didn't show up in the initial AVIS log).


    Please make an AVIS log while Help and Support is running and send it to me through PM (like you did with the other one). I will take a closer look at what is going on with that process and hopefully, something will show up.


    Cris.

  • Alright. It seems you can't do anything about it; I hope I'm mistaken though.


    And just to state the facts, the effects of the injected malware aren't only limited to the Help and Support Center; apparently it can get activated by opening the Adobe Reader help viewer too.


    Help files of many other programs seem to be infected/corrupted as well, one of which is the Task Manager's help index, and also IE's deformed and broken HTML help file, another the Registry Editor's. It implies that any HTML file is somehow infected or damaged.


    I'm starting to suspect that the main infected file here isn't helpctr.exe, rather some kind of file associated with viewing HTML help files, perhaps hh.exe. I don't know...


    I'm awaiting your thoughts on this, Cris.

  • alexcrist
    edited May 2009

    Hello,


    Sorry for the very late reply.


    I've been trying to get the slightest clue about what's wrong with Help Center on your system. Nobody could give me any idea, since everything in the log you sent me looks just fine.


    The only possible cause might be that some files were completely rewritten on your system. I don't remember, but did you run the sfc /scannow command on your system?


    To make an extremely wild guess, which might be totally wrong... please find these files, pack them in a password-protected archive (with the password 'infected') and send it to me like you did with the AVIS logs:


    c:\windows\system32\ieframe.dll
    c:\windows\pchealth\helpctr\binaries\helpctr.exe


    Also, try to make an AVIS log while running Adobe Reader help viewer and send it to me. To minimize the number of processes, close unnecessary applications before making the log.


    Cris.

  • Whoa! Cris! :blink:


    Please have a look through these log files which were produced by two separate system and deep scans.


    Log File 1


    Log File 2


    It couldn't disinfect or delete half the crapware. What to do now? Should I still send you those files? Is it needed anymore?


    By the way, yes I did run sfc more than twice.

  • Aquarius, please stand by before you make any move on those files. I think there might be a FP case. I will talk to someone from the analysis department.


    Yes, please send me the files I asked for.


    Cris.

  • csalgau
    edited May 2009

    That was... horrifying...


    Please archive and upload the helpctr folder in \windows\pchealth\


    As I can see, successive scans are cleaning files.


    You have fewer detections per file in the second scan (1241552824_1_02.xml).

  • mehrdad
    edited May 2009

    Okay Cris. I'm afraid I will only send you the .dll file this time around, because I believe by now that the infection is only injected into html files and it has nothing to do with exe files. Want proof?


    After I initiated the first scan and was shocked by a host of unresolved items, I went ahead and selected to 'delete' the infections. So BD started wiping the crap out of my system, though halfway through I cancelled the operation 'cause I had to leave home in a hurry.


    Now, many of the Adobe Reader help files were amongst those deleted/disinfected objects. Guess what? The Adobe Reader help viewer opens up like it was never infected, albeit there are still some infected sections of the help that need to get cleaned; they all open a page with only this text in it: File not found. <removed> (I was not connected to the Internet at the time).


    Therefore I guess BD did the right job of detecting the infections.


    That said, another system scan was run a few minutes ago and, lo and behold, no freakin' infection found even though, as you can see in the second log file, there is a load of dirt left in the wild!


    I mean ######?! If that's a FP, so be it! Give me more false positives BD!


    My goodness, I'll be damned if I ever again attach a flash memory to a Windows system running without an antivirus. :wacko:

  • alexcrist
    edited May 2009

    Yes, I admit saying that the detection is a FP was a big mistake on my part, and I realized it after I talked to Catalin. I didn't have time to take a careful look at the logs you attached; I just took a very fast peek (a few seconds). I noticed some BD files were detected, and I thought something was wrong.


    On the other hand, I said "there might be a FP case". :)


    Please let BitDefender disinfect all your files, send us the requested files, and then make another scan to see if anything else shows up.


    Again, I'm sorry for my previous post.


    Cris.


    P.S.: Please don't post links to possibly infected files on the forum. Thank you.


    EDIT: Also please send me the files that Catalin asked for. I will send them to him to take a look.

  • Okay Cris.


    No need to be sorry for that mistake. It doesn't matter, as the infections are all scripts injected into html files and no worms or active trojans. So no problem. :)


    As per your request, I sent you the files, although I don't think you or Catalin would find anything of note in them. Anyways...


    Now, I want to let you know that the Help and Support Center is working as it should; it opens up smoothly and I can navigate through the different sections as well, though I haven't gone through every link so I'm not sure if every page is OK; actually there are a few minor issues with most of those sections that I checked out, for example the index is not functional at all, as is the options section, and the History panel is messed up altogether; also when I navigate back to the home, half of it is suddenly gone, that is under the 'Pick a Help topic' heading. Perhaps I'll have to repair either only the Help or the whole Windows once again.


    And as I touched on in my previous post, it really makes me wonder why Bitdefender doesn't find any more viruses after the second scan (whose log file I posted above).


    What went wrong, really? Because I am sure as ###### that a crapload of trojans were left untouched and only maybe 1/3 of the infections got treated.


    By the way, that link to that malicious site was kind of unintentional, 'cause I just copy/pasted the text. But yeah, I admit that I knew it would turn into a link yet didn't take action. :P Sorry about that.
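The "scripts injected into html files" finding from the last several posts (help files of Windows, Adobe Reader and other programs breaking or calling out when opened), as an added example of how to check a help-file tree yourself. This is not the page's or BitDefender's code. It assumes the injection takes the form of a script or iframe tag whose src points at an external http(s) host, which the thread implies via the zief.pl link but never quotes verbatim; the sample help page and the example.invalid host below are constructed for the example.

```python
"""Find and strip remote-loading script/iframe tags in local HTML help files.

Local help files (Windows Help and Support, Adobe Reader help, the .htm pages
behind HTML Help) have no reason to load anything from the Internet. A tag
that pulls code from a remote host is therefore easy to spot even without a
signature, and removing the tag restores the page. The pattern below is this
editor's assumption about the injection's shape (script/iframe with an
http(s) src); the thread does not quote the payload.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

# <script ... src="http://host/..."> ... </script>  or  <iframe ... src=http://host/... />
# Case-insensitive; tolerates single, double or no quotes. A self-closing tag
# ends at "/>"; otherwise the first matching closing tag after it is swallowed.
INJECTED_TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)[^>]*?"
    r"(?:/>|>(?:.*?</\1\s*>)?)",
    re.IGNORECASE | re.DOTALL,
)


def find_injected(html: str) -> List[Tuple[str, str]]:
    """Return (tag, url) for every script/iframe that loads from a remote host."""
    return [(m.group(1).lower(), m.group(2)) for m in INJECTED_TAG_RE.finditer(html)]


def strip_injected(html: str) -> str:
    """Return html with every remote-loading script/iframe (and its body) removed."""
    return INJECTED_TAG_RE.sub("", html)


def scan_tree(root: Path, exts=(".htm", ".html")) -> List[Tuple[Path, str, str]]:
    """Walk root and report every (file, tag, url) hit in HTML files under it."""
    hits: List[Tuple[Path, str, str]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits.extend((path, tag, url) for tag, url in find_injected(text))
    return hits


# Constructed sample: a local help topic with one injected hidden iframe.
# The host is a placeholder; the thread points at zief.pl but never quotes the tag.
SAMPLE_HELP_PAGE = """<html><head><title>Help Topic</title>
<script src="topic.js"></script></head>
<body><p>Open the File menu, then choose Print.</p>
<iframe src="http://example.invalid/rc/" width=1 height=1 style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. C:\WINDOWS\pchealth\helpctr
        for path, tag, url in scan_tree(Path(sys.argv[1])):
            print(f"{path}: <{tag}> loads {url}")
    else:
        print(find_injected(SAMPLE_HELP_PAGE))
        print(strip_injected(SAMPLE_HELP_PAGE))
```

Point it at a help directory to list which files call out and where; the local `<script src="topic.js">` in the sample is left alone because it is a relative reference. Treat a hit list as a starting point for the AV submission, not as proof of a clean system: a file infector that planted the tags can reinfect them on the next run, so disinfect the executables first and rescan the HTML afterwards.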