Bitdefender Update Fails-virus Takes Over


12 replies to this topic

#1 Lorangerboy

Lorangerboy

    Newbie

  • Members
  • 2 posts

Posted 28 December 2008 - 05:43 AM

Bitdefender 2009 failed to update virus definitions. Has not updated since Dec 14. Some type of malware virus has taken over. It will hijack all searches in IE, Firefox and Opera. It disabled System Restore. Spybot is disabled and will not run. It will seem like it is starting, but never loads. Cannot manually update Bitdefender either. It will not let you browse to any virus, spyware or other software sites of this type. I am running Bitdefender on 2 other computers (laptops) and they have been updating normally and I can navigate to any website on them.
I read elsewhere in these forums to ping Bitdefender update site and run nslookup and tracert on this site. The results are below.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>ping upgrade.bitdefender.com

Pinging localhost [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Owner>nslookup upgrade.bitdefender.com
Server: dslrouter
Address: 192.168.1.254

Non-authoritative answer:
Name: a1937.g.akamai.net
Addresses: 96.6.123.40, 96.6.123.88
Aliases: upgrade.bitdefender.com, upgrade.bitdefender.com.edgesuite.net


C:\Documents and Settings\Owner>tracert upgrade.bitdefender.com

Tracing route to localhost [127.0.0.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms localhost [127.0.0.1]

Trace complete.


CAN ANYONE GIVE ME A SUGGESTION TO TRY? THANK YOU.
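As an added defender-side check (not code from this thread or from Bitdefender): in the output above, ping resolves upgrade.bitdefender.com to 127.0.0.1 while nslookup, which skips the hosts file and asks the DNS server directly, returns the real Akamai addresses. That split is the classic signature of a hosts-file entry (on Windows, %SystemRoot%\System32\drivers\etc\hosts). This Python script parses a constructed sample hosts file and flags that pattern; the second hijacked domain in the sample is a made-up placeholder.

```python
import ipaddress
import re

# Names that legitimately map to loopback in a stock Windows hosts file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: one stock entry plus two hijacked entries of the
# kind the thread describes (second domain is a made-up placeholder).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       upgrade.bitdefender.com   # added by malware
0.0.0.0         www.example-av-vendor.invalid
"""

def parse_hosts(text):
    """Return {hostname: ip} for every active entry, comments stripped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping

def find_hijacks(text):
    """Names pinned to loopback/0.0.0.0 that are not stock loopback names."""
    hits = []
    for name, ip in parse_hosts(text).items():
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK:
            hits.append((name, ip))
    return hits

def explain_mismatch(hosts_text, name, dns_answers):
    """Reproduce the ping-vs-nslookup comparison from the thread."""
    local = parse_hosts(hosts_text).get(name.lower())
    if local is None:
        return "no hosts entry: ping and nslookup should agree"
    if local not in dns_answers:
        return f"hosts pins {name} to {local}; DNS says {sorted(dns_answers)}"
    return "hosts entry matches DNS"
```

A clean hosts file does not rule the symptom out: later posts in this thread report clean hosts files with the same 127.0.0.1 answer, so this is a first triage step rather than a verdict.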

#2 Cris

Cris

    BitDefender Evangelist

  • Regular Bitdefender Poster
  • 3,360 posts
  • Gender:Male
  • Location:Galați/Iași, România
  • Interests: Programming and scripting (C/C++, ASM, Java, Haskell, a little PHP, JS and XSL for the moment...hope for more); biking trips

Posted 28 December 2008 - 02:10 PM

Hello,

Please download Avis, unzip it in a new (empty) folder and make a complete system log with it (System Info tab). Attach the log to your next post. Leave the option "Compress log" enabled, and attach the archive (which will be created on your desktop).

Cris.

Edited by Cris, 30 December 2008 - 12:48 PM.


#3 AtlantaEng

AtlantaEng

    Newbie

  • Members
  • 4 posts

Posted 30 December 2008 - 07:52 AM

I have noticed 4 posts in the General and Malware forums within the last 48 hrs on failures to update signatures, which I too am experiencing since buying and installing BDIS 2009 on 28 Dec 08. I have run nslookup, tracert and browser lookup on upgrade.bitdefender.com and upgrade1.bitdefender.com. Upgrade1 was suggested in another General Forum posting as an alternate.

Upgrade.bitdefender.com is simply not available on the internet at the DNS resolved addresses of 85.255.116.150 or 85.255.112.24.

I was just successful at updating via the upgrade1.bitdefender.com server by changing to that address in the settings pane of the update window in the advance view.

Thanks to the guy who posted that in General - I am going there now.

But, what is the problem with the default settings? Is BD being attacked?

thanks, AtlantaEng

#4 Cris

Cris

    BitDefender Evangelist

  • Regular Bitdefender Poster
  • 3,360 posts
  • Gender:Male
  • Location:Galați/Iași, România
  • Interests: Programming and scripting (C/C++, ASM, Java, Haskell, a little PHP, JS and XSL for the moment...hope for more); biking trips

Posted 30 December 2008 - 09:23 AM

QUOTE (AtlantaEng @ Dec 30 2008, 07:52 AM)
But, what is the problem with the default settings? Is BD being attacked?

And here we go again with the "BD is under attack" assumption.

No, BitDefender is not under attack. The reason why you cannot connect to a certain server is most of the time not caused by BitDefender. Maybe it's filtered by your ISP, maybe the DNS resolves the addresses to the wrong IPs, maybe, maybe, maybe... That's why you have alternative servers.

The problem in this particular topic is another: access blocked by an infection. My best guess in this case is a hosts modification, but without the log I asked for I cannot confirm it, nor can I offer a solution. So please keep it on-topic.

Cris.

#5 sebduc

sebduc

    Newbie

  • Members
  • 2 posts

Posted 30 December 2008 - 11:00 AM

Hello, sorry I don't speak English very well...
I have the same problem: when you try to ping Bitdefender, the answer is 127.0.0.1.
Try to ping [AV site].com, or [AV site].com; you may have the same problems.
My hosts file is clean, I have tested the flushdns, I downloaded A-squared and the problem is already here.
If you find the solution I want it

Edited by crysty2k5, 30 December 2008 - 06:30 PM.
removed other AV


#6 Cris

Cris

    BitDefender Evangelist

  • Regular Bitdefender Poster
  • 3,360 posts
  • Gender:Male
  • Location:Galați/Iași, România
  • Interests: Programming and scripting (C/C++, ASM, Java, Haskell, a little PHP, JS and XSL for the moment...hope for more); biking trips

Posted 30 December 2008 - 12:49 PM

sebduc, please follow the advice from the second post. Post an AVIS log.

Cris.

#7 Lorangerboy

Lorangerboy

    Newbie

  • Members
  • 2 posts

Posted 01 January 2009 - 05:25 PM

I apologize for the delay in posting this log file. Cris, would you please look at it? Thank you.

Attached Files



#8 sebduc

sebduc

    Newbie

  • Members
  • 2 posts

Posted 03 January 2009 - 04:02 PM

Hi,
I found the solution: download Malwarebytes here http://www.malwarebytes.org/
After you have downloaded it, rename the file, e.g. ggg.fre.exe
After renaming the exe file, install the program and launch it.
It finds a trojan; after reboot it's ok.
bye

#9 Catalin Salgau

Catalin Salgau

    Virus Researcher

  • Bitdefender Labs
  • 700 posts
  • Gender:Male
  • Location:Iasi, Romania

Posted 03 January 2009 - 06:52 PM

If you have been able to remove problems using another product, please send us the data collected in the quarantine.

#10 bootsie

bootsie

    Newbie

  • Regular Bitdefender Poster
  • 24 posts

Posted 03 January 2009 - 08:05 PM

QUOTE (Catalin Salgau @ Jan 3 2009, 05:52 PM)
If you have been able to remove problems using another product, please send us the data collected in the quarantine.


Here is my solution to the problems I had with BD Antivirus 2009.

After many attempts and support not answering me, I thought I'd give it one more try - on previous attempts the 'update' area was completely grayed out and nothing would work.

Using the BD 'removal tool' HERE I removed the previous attempt.

I disabled everything to do with antivirus and spyware on my comp, then disabled the firewall.

I downloaded BD Antivirus 2009 from the BD actual website and installed again, this time everything worked, the updates worked and the scan worked.

Then I needed to reboot and was hoping this wouldn't mess it all up again. The only thing wrong was that the icons (shortcuts) on my desktop wouldn't work, so I went into "Documents & Settings" and "Start Menu" and sent the BD icon to my desktop. This worked fine and everything is still working...

Remember to re-enable your firewall after install.


#11 HoCo

HoCo

    Newbie

  • Members
  • 2 posts

Posted 04 January 2009 - 04:58 PM

Hello to you!

I registered for this forum while researching the same problems as 'lorangerboy', but with the product 'BD Internet Security v10'.

I'm running two PCs and, for heaven's sake, only one of them is 'attacked' resp. 'infiltrated' resp. 'pested' (?), and I can use the second one to connect to this forum.

History of research and results:

While updating automatically every two hours, BD shows its try-to-connect in the tool bar and I always felt assured that the program would fetch its updates. This was wrong! By doing my end-of-the-year cleanup of the PC system I had to recognize that the last automatically fetched update was dated 25th of November 2008!

Now after this long time, there is no way to remember or to clearly line out the way of getting infiltrated - maybe while strolling along on 'meat street' or by one of those freakish spam or junk mails bombarding my mail account from all over the world... I don't know and it's not this important to know by now!

The results of 'nslookup' / 'tracert upgrade.bitdefender.com' are identical to those of 'lorangerboy'.

I also looked up the 'hosts' file resp. 'lmhosts.sam'. These look sober.

@'Sebduc': Your idea of installing MBAM by renaming the install file is nice but didn't work out. My pested system did allow the installation from a renamed file, but there is no way to get the program started. By double-clicking, the hourglass is shown for maybe one second, then there is limbo. File manager shows 'nothing in process', and so does BD's 'action window'.

This pest is very repressive ...

In addition, the pested system will contact each and every website except all of those dealing with antivirus/malware/etc. protection (this includes www.bitdefender. ... with any suffix). One thing is worth quoting: this pest affects any research done with Google! Normally by clicking on the underlined first line you will be led directly to the quoted site. Not any longer ... !

One example:

-> google -> research 'bitdefender' leads to 'http://search.live.com/results.aspx?FORM=DNSAS&q=www.bitdefender.com'
-> clicking on the underlined first line belonging to the 'www.bitdefender.com' shown in green results in being warped to
-> 'http://websecurityexamine.com/scan/index.php?affid=06300', which shows some faked system scan and a popup window where you are asked to 'return to system security and download it secure to your pc'.
Denying this shows another popup window with even more 'pressure' (because now using the 'windows update symbol').
Denying this too, you will see again the 'live.search.com' results window and now in front the 'normal GUI requester' that asks again to download the following file -> 'install.exe' / '61,5 kb' / distributed by 'websecurityexamine.com'

Now this was getting to look pretty interesting and I was motivated to do a little more research (one of the oldest questions in police work is 'cui bono?', or: who will get the benefit?) that had as result the following:

-> Registrant of 'www.websecurityexamine.com' is a private person with an American name, residing in Nashville, Tennessee, USA
-> Registrar (that means this is the company from which the registrant Mr Brooks has 'bought/leased/whatsoever' the domain 'websecurityexamine.com') is a company whose WHOIS server has the referral URL
-> http://www.webnames.ru

(If interested in names, you can look them up easily yourselves using for example 'www.nic.com' resp. 'whois.com'. My interest is NOT to point at the bad guys - this has to be the interest and work of official sites - but to help BD to know at least even one 'counterpart')

Maybe this helps BD to imagine the well of the pest that is hindering my antivirus software from working properly and to name a helpful weapon to clean up my system.

@catalin salgau -> would you please be so kind as to pass the information mentioned above to your advisors, and maybe you have an idea to help me and others with the same problem?

Thx for your time ...

#12 HoCo

HoCo

    Newbie

  • Members
  • 2 posts

Posted 05 January 2009 - 02:54 PM

Hello to all,

sorry for those two postings above, I already wrote to the admin to delete them.

I wanted to post my solution as following:

@lorangerboy,

I don’t know if you could solve your problem by the posting of ‘sebduc’ but it was helpful for me.

The steps I went through maybe could help you, too, so here they are:

- Downloading Malwarebytes' MBAM was successful, installing it unrenamed was not

- Renamed MBAM-Setup.exe into ggg.fre.exe as told by ‘sebduc’. Installation was successful.

- Starting the program didn’t work, equal by double-clicking the icon on desktop or the file itself.

- Renamed mbam.exe into ggg.exe but starting the program didn’t work either.

- Installed and uninstalled MBAM several times under different renamings but I couldn't get the program started.

- With this information I searched the web again and found a hint, that maybe the infection could be caused by a Trojan called ‘Trojan.TDSS’

- I opened Explorer and used the 'search' option for both my hard drives, asking for '*TDSS*'

- Explorer found those files:

In library C:\document and settings\'name'\local settings\temp:
('name' will be the name your PC has been given when installing Windows)

TDSS710f.tmp
TDSS711e.tmp

In library C:\Avenger:

TDSShrsr.dll
TDSSkkdu.log
TDSSlxwp.dll
TDSSmqlt.sys
TDSSoiqn.dll
TDSSrtqp.dll
TDSSxfum.dll

In library C:\WINDOWS\system32:

TDSSorvd.dat

- The files with endings .dll/.log/.sys and .dat could be easily deleted by hand. Both *.tmp files are not deletable by hand, but ...

- NOW it was possible to start MBAM and run the quick scan, delete leftover files, let the machine reboot and afterwards run the full scan.

- My BD IS v10 is now up-to-date again, any URLs such as www.bitdefender.com etc. are visitable again and Google no longer warps the researcher towards freaky sites. Even starting in 'secure mode' doesn't show a black screen any longer.

My system seems sober so far and I hope, this last post is helpful to you (and others) too.

@catalin salgau

If BD labs is interested in those files: I tried to pack them in a .zip file. The *.tmp files couldn't get zipped, but the others could. If you are interested in those files, let me know where to send the *.zip archive to.


#13 kingbeard

kingbeard

    Newbie

  • Members
  • 2 posts

Posted 19 January 2009 - 03:43 PM

Reading this thread, I have been through a similar experience.

Has it not occurred to anyone that BitDefender
a) doesn't prevent this infection in the first place
b) seems to have no solution to it
c) we rely upon other products and our own efforts to fix things.
