Neweb

Audio Ads Playing In Background

28 posts in this topic

Over the past couple of days I have noticed audio Ads playing in the background every now and then on my computer.

Yesterday I did a full scan on my system and it resolved 5 items and ignored 2

The two were hidden items called iexplore.exe and it took no action.

Here is the log following the scan.

Product: BitDefender Total Security 2010

Version: BitDefender Antivirus Scanner

Scanning task: Deep System Scan

Log date: 04/08/2010 18:01:01

Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1280941261_1_02.xml

Scan paths:

Path 0000: C:\

Path 0001: D:\

Path 0002: F:\

Path 0003: S:\

Path 0004: K:\

Scan Level:

Scan for viruses: Yes

Scan for adware: Yes

Scan for spyware: Yes

Scan for applications: Yes

Scan for dialers: Yes

Scan for rootkits: Yes

Scan for keyloggers: Yes

Virus Scanning Options:

Scan registry keys: Yes

Scan cookies: Yes

Scan boot sectors: Yes

Scan memory processes: Yes

Scan archives: Yes

Scan runtime packers: Yes

Scan e-mails: Yes

Scan all files: Yes

Heuristic Scan: Yes

Scanned extensions: not configured

Excluded extensions: not configured

Target Processing:

Default first action for infected objects: Disinfect

Default second action for infected objects: None

Default first action for suspect objects : None

Default second action for suspicious objects: None

Default action for hidden objects: None

Default first action for encrypted infected objects: Disinfect

Default second action for encrypted infected objects: None

Default first action for encrypted suspicious objects: None

Default second action for encrypted suspicious objects: None

Default action for password-protected objects: Log only

Scan Engines Summary

Virus signatures: 6199967

Archive plugins: 44

E-mail plugins: 6

Scan plugins: 14

System plugins: 5

Unpack plugins: 10

Basic

Scanned items: 1165708

Infected items: 5

Suspect items: 0 (no suspected items have been detected)

Hidden items: 2

Resolved items: 5

Unresolved items: 2

Advanced

Scan time: 03:45:52

Files per second: 86

Skipped items: 232160

Password-protected items: 0

Over-compressed items: 0

Individual viruses found: 4

Scanned folders: 40985

Scanned boot sectors: 5

Scanned archives: 21444

Input-output errors: 1

Scanned processes: 110

Infected processes: 0

Scanned registry keys: 1462

Infected registry keys: 0

Scanned cookies: 423

Infected cookies: 4

Remaining issues (Object Path, Threat Name, Final Status):

C:\Program Files\Internet Explorer\IEXPLORE.EXE Rootkit-Hidden items: Hidden (object was not found)

C:\Program Files\Internet Explorer\IEXPLORE.EXE Rootkit-Hidden items: Hidden (object was not found)

Resolved issues (Object Path, Threat Name, Final Status):

<System>=>C:\Documents and Settings\LocalService\Cookies\system@apmebf[2].txt Cookie.Apmebf Deleted

<System>=>C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[1].txt Cookie.BS.Serving-Sys Deleted

<System>=>C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt Cookie.DoubleClick Deleted

<System>=>C:\Documents and Settings\LocalService\Cookies\system@doubleclick[2].txt Cookie.DoubleClick Deleted

D:\Shop Outlook\shopFiles.pst=>[subject: Scan from a Xerox WorkCentre Pro N 0785688][From: Bridgett Acosta]=>Xerox WorkCentreReader.zip=>Xerox WorkCentreReader.exe Trojan.Downloader.Small.ABKN Deleted

How can I stop these ads from playing in the background.

I have tried everything to get rid of them with no success.


Hello Neweb,

Please follow the instructions presented here: http://kb.bitdefender.com/KB490

Upload the 2 logs on a file sharing server of your choice (such as sendspace.com) and send me a PM with the download link. Please paste in your PM the link to this post.

Cris.


Please try to download and run this too: http://students.info.uaic.ro/~cristian.dra...er/m96i52vq.exe

It's the latest version of gmer. Leave it with this random name, because some malware might prevent running gmer based on its process name. Please post if you still have problems running it.

Cris.


Tried that and the same thing happens. It turns the computer off.

Can you get anything from the file I sent you (the first one)?


Please try to download Rootkit Unhooker: students.info.uaic.ro/~cristian.dragusanu/other/bitdefender/RKUnhookerLE.EXE

Save it with a random name (doesn't matter what, as long as it has the extension .exe) and run it.

Before running it, open BitDefender, go to Antivirus -> Shield, click Advanced settings and disable Active Virus Control. Also go to Firewall -> Settings, click Advanced settings and uncheck Enable Intrusion Detection.

Afterwards, open RKU. If anything (maybe malware) tries to inject into RKU, it will give you an alert and ask you if it should remove the injection. Allow it to clean itself. After it opens up, click on the Report tab and then click Scan.

When it reaches the File scanning step, it will ask you what partitions to scan. At that step please select only your system partition (C:\).

At the end, click on File -> Save Report and save the report as a TXT file somewhere. Then attach that report here.

Hopefully, this will work. Please post back the result.

Cris.


I managed to download and run that RKUnhooker file.

It is currently "Getting List of files and directories"

It's been running for over half an hour now. Is this normal? Should I just wait for it to finish?

Do you want me to post the file in my next post or send it to you via PM as before?


Yes, it's normal to take a longer time at that step. Exactly how long depends on the size of the selected partition and on the number of files on it. At that point, it's searching for hidden/rootkit items on your HDD and this operation is slow. Normally, I'd suggest that step to be skipped. But the log you already sent me shows 2 hidden processes, so there might also be hidden files. And that is why I asked for it.

Send it by PM.

Cris.


OK, I'll leave it running (it's been going 1 hour now).

If this is getting a real deep look at my system then it can't be a bad thing. Once it's finished I will PM the file to you.

I have left the system alone while this is being done, so all resources are being used to complete this task.


It has taken all day to complete the scan and when it did, it just closed the window and I can't see a report anywhere.

I have taken all day to run this scan and now I have no report to send to you.

I have missed a days work and can't afford to make the system inaccessible for a second time.

I will have to try to get it to scan overnight and try to get the report to you in the morning.


I have finally managed to get a full scan of the system.

I will email you the link to the file in a PM


Hello,

Sorry for the late response. The problem is that, apart from the 1 (or 2) iexplore.exe hidden processes, absolutely nothing else suspicious or weird appears in either of the submitted logs. I've checked and double-checked them again and again.

iexplore.exe is Internet Explorer. It doesn't appear to be a changed file (its hash, which appears in one of the logs, is consistent with a valid iexplore.exe version). However, nothing in the logs indicates who hides those processes, or who started them. The only thing that was logged is that one of them is listening for UDP connections on port 2916.

Please try this:

  • open BitDefender Security Center (in Expert Mode)
  • Go to Firewall -> Settings and set the Protection Level to Report
  • then go to Firewall -> Rules
  • search for the rules for iexplore.exe, select each one of them and delete them
  • then restart your system
After the system restarts, make sure you don't open Internet Explorer (I noticed that you're using Google Chrome as browser, so this shouldn't be a problem, but make sure that you don't open IE for some other reason).

Sometime, iexplore.exe should start (the hidden one) and attempt to connect to the network. At that point, BitDefender Firewall should show you a firewall alert. Please take a screenshot of that alert (also, click on the parent process, shown in that alert, and take a screenshot of the properties window which appears). Then deny that attempt (this will cause Internet Explorer to not be able to connect to the Internet anymore).

After that, make another scan with BDSI. Attach the 2 screenshots here and send me the BDSI report by PM (as you've done with the previous reports).

Cris.


OK,

I won't be back in work until Tuesday so I will try it then.

In the firewall rules I did disallow iexplorer from accessing the web. I will undo this, make the changes you want and report back.

On the up side, at least nothing too bad has got into my system.


I have now sent you that scan.

I did not get all the information with relation to parent because they closed down before I could complete my screen print of the programs.

I will try get them again. If I do I will PM them to you.


I got the logs. I didn't take a look at them, but the screenshots probably offer a very good clue. Specifically, the AVC alert about svchost.exe

Could you please tell me what action you took on that alert?

Also, please go to Antivirus -> Shield click on Advanced and post here what applications are in the Active Virus Control whitelist (especially the ones from C:\Windows, System32, Temp folders, of any other suspicious location).

Cris.


For the svhost.exe alert I blocked it from accessing the web. You can see this in the exclusions box

When I click on Antivirus>Shield>Advanced Settings under exclusions is

C:/windows/system32/svhost.exe. This is the only listing in the "exclusions" box

I have checked the whitelist and it is empty.

There is nothing listed in the "Websites" section at all.


I just had another BD pop up box from internet explorer.

the Path listed the following location.

C:\program files\internet explorer

Destination: 127.0.0.1


Did you manage to find anything in the files I sent?


Hi,

We have another very similar case to yours. One of the Support members got another case with exactly the same symptoms to yours. Last night we (me and him) made a very long remote assistance session on that system and, comparing your logs with the state of the other system, we managed to partially find the cause. However, we haven't been able to find the exact infection yet, but we will continue searching for it later today.

There are some steps that you could take in order to prevent the audio ads (and those 2 hidden iexplore.exe processes) from appearing. But these steps are a little complicated, and have to be taken at each system startup. If by later today we don't find the exact cause to fully stop this infection (and add detection for it, to prevent future infections), I will explain these steps to you, so you can apply them and at least have a workaround until we find the exact cause.

If you wish, I can give you the details now. But they are based on using Active Virus Control to block the infection, so I'm not really sure how much it will impact the system performance (or if BD2010's AVC is fully capable of it, because last night we tried it with a beta of BD2011).

I'm sorry this takes so long and we apologize for any inconvenience. I assure you that we are doing everything in our power to solve this as fast as possible. But even with remote access to an infected system and personally using multiple tools to find it, this infection managed to hide itself very well. It's using perfectly legitimate (and critical) system components, such as iexplore.exe, svchost.exe and services.exe (all untouched and unchanged files, digitally signed by Microsoft with valid signatures) to achieve its goal. As soon as we have a solution, we'll let you know.

Thank you for your patience.

Cris.


Thanks Cris,

I have blocked IE from all access to the internet so the ads are not playing anymore. This should tide me over till we find a solution or at least find out what is causing it.

Whatever it is, it's very good because my system is pretty much locked down.

Just let me know when you have a solution and we will work on it then.


Hello again,

It seems that the infection is started by MBR (Master Boot Record) malware. This means that one (or more) drive(s) in your system is infected with a so-called bootkit. For us to be able to provide a safe cleaning method, we will need from you an MBR dump from all your drives. This procedure is fairly simple and I will describe it below.

  1. Download the tool into a new, empty folder (the download link will be provided to you by PM, shortly)
  2. Make sure you login on an account with Administrator (non-limited) rights
  3. go to Start -> Run and type cmd then press Enter
  4. When cmd starts, navigate with it to the folder where you saved the tool
  5. Then type the following command:
    dd.exe if="\\.\PhysicalDriveX" of=dumpX bs=32k count=1

    • NOTE: in the above command replace X (in both PhysicalDriveX and dumpX) with a number, starting from 0, which represents the number of your drive
    • run the same command for each of your fixed local drives; don't run this command for removable, mapped or other types of drives (nothing wrong happens, but the command will fail)

    • the X number increases by 1

    • for instance, if you have 3 drives (C: D: and E:), then you will have to run these 3 commands (press Enter after each one):
      dd.exe if="\\.\PhysicalDrive0" of=dump0 bs=32k count=1
      dd.exe if="\\.\PhysicalDrive1" of=dump1 bs=32k count=1
      dd.exe if="\\.\PhysicalDrive2" of=dump2 bs=32k count=1

  6. after each run, the files dumpX (X being the numbers you typed) will be created in the same folder where you saved the tool
  7. Please archive all dump files, upload them on a file sharing server and send me the download link by PM
  8. should any errors appear while running these commands, please take a screenshot and attach it here. The valid (successful) output should look something like this:
    1+0 records in
    1+0 records out

After these dumps will be analyzed, I will come back with further instructions.

Cris.

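To show what the dd command in the post above actually captures, here is an added example in Python; it is not part of the original thread and is not the tool the BitDefender team used to analyse the dumps. It parses a dumpX file: it checks the 0x55AA boot signature, decodes the four partition table entries, hashes the 440 bytes of boot code so dumps from different machines (or a known-clean install) can be compared, and lists any non-empty sectors between the MBR and the first partition. Because bs=32k reads sectors 0 through 63 and the first partition of an XP-era disk usually starts at LBA 63, the dump covers exactly the unallocated gap where bootkits commonly keep code and data, which is the general property the example relies on. The sample dump is constructed inline; its boot-code bytes, partition layout and "payload" are illustrative and are not from this case.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) MBR as read from \\.\PhysicalDriveX with dd.
SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG_OFF = 510       # the last two bytes must be 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte, little-endian partition table entry."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def analyze_mbr_dump(dump: bytes) -> dict:
    """Summarise a raw dump taken with dd bs=32k count=1 (sector 0 plus the sectors after it)."""
    if len(dump) < SECTOR:
        raise ValueError("dump is shorter than one sector")
    mbr = dump[:SECTOR]
    entries = [parse_partition_entry(mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    used = [p for p in entries if p["type"] != 0 and p["sectors"] != 0]
    first_lba = min((p["lba_start"] for p in used), default=None)
    # Sectors 1 .. first_lba-1 belong to no partition; bootkits commonly park code there.
    gap_sectors = (first_lba - 1) if first_lba else 0
    sectors_in_dump = len(dump) // SECTOR
    # Only the part of the gap the dump actually covers can be inspected. With no usable
    # partition table, every sector after 0 in the dump is reported.
    scan_upto = min(sectors_in_dump, first_lba) if first_lba else sectors_in_dump
    nonzero_gap = [i for i in range(1, scan_upto)
                   if any(dump[i * SECTOR:(i + 1) * SECTOR])]
    return {
        "boot_signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": used,
        "gap_sectors": gap_sectors,
        "nonzero_gap_sectors": nonzero_gap,
    }


def build_sample_dump() -> bytes:
    """Constructed 32 KiB sample (not a real dump): one NTFS partition starting at
    LBA 63 and a fake payload placed in sector 20 of the unallocated gap."""
    dump = bytearray(64 * SECTOR)
    dump[0:7] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,0x7c00
    dump[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    dump[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    dump[20 * SECTOR:20 * SECTOR + 16] = b"BOOTKIT-PAYLOAD!"  # simulated hidden data
    return bytes(dump)


if __name__ == "__main__":
    import sys
    # Pass a dumpX file as the first argument; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for key, value in analyze_mbr_dump(data).items():
        print(f"{key}: {value}")
```

The boot-code hash on its own proves nothing; it only becomes useful when compared against the same 440 bytes from a clean install of the same Windows version, or against the dump of another drive in the same machine. A non-zero sector in the gap is likewise a lead rather than a verdict, since some legitimate boot managers also use that space.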

I can only get this to work on the c drive. When I run the same command for dd.exe if="\\.\PhysicalDrive1" of=dump1 bs=32k count=1 it tells me no such directory.

I have 2 drives on the system.

I did manage to get the file for the C: drive which is the main drive. I will send that to you now.


It should be good enough. Thank you for the dump. It was forwarded for analysis. As soon as I get a response, I will come back with details.

Cris.


Hello,

Apparently, the infection extends outside the MBR section. I will send you by PM another tool that will dump another section of about 10K. So:

  1. Again, make sure you login using an account with Administrator rights
  2. save the tool to an empty folder (download will be provided by PM)
  3. run cmd (Start -> Run -> cmd)
  4. navigate to the folder where you saved the dumping tool
  5. run the tool. The valid output should be like this:
    Dumping..
    Done.
    Please send sectors.bin

  6. The output file will be created in the same folder as the tool and will be named sectors.bin
  7. Please archive the output file, upload it somewhere and send me by PM the download link
If any errors appear, please make a screenshot and post it here.

Cris.


That's done now.

I have sent you the link to the sector file via PM


Have you managed to find anything yet?
