Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

BitDefender 2011 Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

This scareware uses the name of a legitimate security application to ply its trade upon unwary users. BitDefender 2011 scareware copies the logo and design elements of the well known bitdefender range of security products. Once installed, this rogue software blocks execution of legitimate programs with fake security alerts. These fake warning messages are very frequent making the desktop unusable.

BitDefender 2011 scareware adds a column to the Windows Task Manager, fraudulently marking legitimate processes as “Infected”. This rogue security software also hijacks the major browsers like Internet Explorer, Firefox, Chrome, Opera and Safari so that they are allowed to open in a fraudulent Internet Explorer Emergency Mode. It also blocks installation of security software to protect itself.


Scareware like BitDefender 2011 are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

BitDefender 2011 Removal (How to remove BitDefender 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot in to Windows Safe Mode with networking
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as BitDefender 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

BitDefender 2011 Analysis

A rogue security software such as BitDefender 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

BitDefender 2011 severely restricts browsing. Major browsers like Firefox, Chrome, Opera and Safari are allowed to open only in a fraudulent internet explorer emergency mode. This is done by tampering with the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Many Websites are blocked and a fake security alert as below is displayed with a forged URL

This web site refused your connection as it was reported as malicious request. This can be caused by Viruses, Trojans or Malware found on your computer.

The trojan dropper file was about 1242632 bytes in size. This scareware is detected by 19/ 41 (46.3%) of the antivirus engines available at VirusTotal. It is identified as:

  • Trojan/Win32.FraudPack
  • Trojan.FakeAV.LNN
  • Trojan.Fakealert.20653
  • Trojan.Win32.FraudPack.cshp
  • Rogue:Win32/FakeXPA

Typical BitDefender 2011 Scare Messages

About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn’t be launched.
You may use Internet Explorer in Emergency Mode – internal service browser of Microsoft Windows system with limited usability.
Notice: some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.

Attention! Your web page request has been cancelled.
This web site refused your connection as it was reported as a malicious request.
This can be caused by Viruses, Trojans or Malware found on your computer.
In ordr to resend your request to the website, press Resend request (please note, this action may cause a permanent block of your computer by the requested website)
In order to activate your security software, please press Fix Now ( recommended)

Google Redirect Virus activity detected
Google Redirect Virus is an application which was designed to have harmful functionality and is utilized to ensure a PC user’s entire network is compromised and possibly endangered. This term Trojan refers to the fact this particular malware, Google Redirect virus is installed under deceptive pretences, infiltrating the
user’s PC without their approval or knowledge.

NetPumper Send Reports Blocked
Once installed on your machine, Netpumper may start monitoring your web browsing habits, such as what pages you usually load and what search terms you usually type in the search page. NetPumper may also deliver excessive pop-up advertisements even when you are not browsing the Internet. NetPumper has also an ability to slow down your computer performance by using yur hard drive recources in order to deliver advertisements on your computer screen.

Security Center Alert
To help protect your computer, Security Center has blocked some features of this program
Sft.dez.Wien is a virus attempts to spread itself by attaching to a host program and can damage hardware, software or data in the process. This worm can be blocked from firewall and antivirus software.

VirtuMonde activity tracked
Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

BitDefender 2011 Associated Files and Folders

  • C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
  • C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\Uninstall.lnk
  • C:\Documents and Settings\\Desktop\BitDefender 2011.lnk
  • C:\WINDOWS\system32\iesafemode.exe
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

BitDefender 2011 Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger=iesafemode.exe -sb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger=iesafemode.exe -sb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger=iesafemode.exe -sb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger=iesafemode.exe -sb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger=iesafemode.exe -sb
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BitDefender 2011=C:\Program Files\BitDefender 2011\bitdefender.exe
  • HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout=0
  • HKEY_CURRENT_USER\Software\Mon86D
  • HKEY_CURRENT_USER\Software\Mon86D\ebggddkhod=AGT
  • HKEY_CURRENT_USER\Software\Mon86D\ebggeddf=EVA
  • HKEY_CURRENT_USER\Software\Mon86D\ebgglcofkc=ABCEVA
  • HKEY_CURRENT_USER\Software\Mon86D\ebggbc={EA520B3F-F2F1-41E0-AD9F-C818F032C581}
  • HKEY_CURRENT_USER\Software\Mon86D\ebggddnf=0
  • HKEY_CURRENT_USER\Software\Mon86D\ebgglceeac=C:\Program Files\BitDefender 2011\bitdefender.exe
  • HKEY_CURRENT_USER\Software\Mon86D\ebggfdlh=BitDefender 2011

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

BitDefender 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://secure.supersoftstore. com
  • http://windows-networks. com/
  • http://secure.ordersunsprotection. com/

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

BitDefender 2011 Scareware — Screenshots

Note: The BitDefender 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: