I downloaded SUPERAntiSpyware
Free Edition version 8.0.1048, an antivirus program,
from the developer's website on January 27, 2020. When I attempted to install it
by right-clicking on the file and choosing "Run as administrator", a
window popped up with the message below:
Windows protected your PC
Windows Defender SmartScreen prevented an
unrecognized app from
starting. Running this app might put your PC at risk. More info
When I clicked on the "X" at the top right-hand corner of the window,
the message went away, but the installation did not start.
After I upgraded ClamWin to version 0.99.1 on an
HP laptop running Microsoft Windows 7 Professional, I saw a window titled
"freshclam.exe - Ordinal Not Found" with the message "The ordinal 177
could not be located in the dynamic link library libclamav.dll."
When I right-clicked on the ClamWin icon in the
at the lower, right-hand corner of the screen and selected Open ClamWin,
I saw the prompt "You have not yet downloaded Virus Definitions Database.
Would you like to download it now?" I chose "Yes" and saw the
"Ordinal Not Found" message again.
A user of a Windows 7 Professional system (64-bit version) sent me a screen
shot she had taken of a BitDefender Threat Scanner window that had popped up on
her system Friday morning. She had been seeing the message periodically in
BitDefender Threat Scanner
A problem has occured in BitDefender Threat Scanner. A file containing
error information has been created at
Scanner.dmp. You are strongly encouraged to send the file
to the developers of the application for further investigation of the
After using the Sysinternals autoruns utility, I found that
a BitDefender driver Trufos.sys was being loaded. I disabled
it with autoruns.
On a system running Kaspersky Small Office Security 3 from
Kaspersky Lab International Ltd., I was notified that
the antivirus database was not up-to-date. When I had the software attempt
to update the virus definitions, I saw the message "Update Center: Task
failed. Proxy server is not found."
I then realized I had recently configured Internet Explorer on the system
to use a SOCKS proxy server - see
Configuring IE 10 to use an SSH SOCKS Proxy Server - so Kaspersky Small
Office Security 3 must automatically use the system proxy settings,
since I had not altered the configuration of the Kaspersky software,
but be unable to communicate with sites if the system proxy setting is
configured to use a SOCKS proxy rather than an HTTP proxy. I encountered
the same issue with Firefox when it was configured to use the system
I configured Internet Explorer not to use a proxy server and then clicked
on the update button within Kaspersky Small Office Security 3. It was then
able to update its databases.
A user reported that she saw a message on her system, which runs Windows 7
Professional, Friday morning December 19, 2014 indicating that malware had
been detected on her system by
The file, which Malwarebytes identified as
Trojan.Agent, was csrss.exe, located in her
%TEMP% directory, i.e.,
C:\Users\Pamela\AppData\Local\Temp. There is a legitimate
Microsoft Windows file named csrss.exe, but that file is located in
C:\Windows\System32. The legitimate file on her system is
7,680 bytes in size and has a time stamp of 07/13/2009 08:39 PM. When
I checked the one Malwarebytes Anti-Malware was identifying as malware,
I saw it had the same size and time stamp.
Volume in drive C is OS
Volume Serial Number is 4445-F6ED
Directory of C:\Users\Pamela\AppData\Local\Temp
07/13/2009 08:39 PM 7,680 csrss.exe
1 File(s) 7,680 bytes
0 Dir(s) 864,839,192,576 bytes free
I uploaded the one Malwarebytes Anti-Malware flagged as malicious to
Google's VirusTotal site, which
analyzes uploaded files with many antivirus programs to determine if they
are safe or potentially dangerous. I had the site reanalyze the file, which
had been scanned previously. Zero of the fifty-four antivirus programs used
by the site to scan the file identified it as malware. The
listed for the file is
I ran a binary file comparison between the two files using the Microsoft
Windows fc utility. It found no differences between the two
copies of csrss.exe.
C:\Windows>fc /b %TEMP%\csrss.exe c:\windows\system32\csrss.exe
Comparing files C:\USERS\PAMELA\APPDATA\LOCAL\TEMP\csrss.exe and C:\WINDOWS\SYSTEM32\CSRSS.EXE
FC: no differences encountered
I had previously placed
md5deep, which can be downloaded from
md5deep and hashdeep, and its
associated utilities on the system. I used the 64-bit version, since
the system was running the 64-bit version of Microsoft Windows 7, of
sha256deep to check the SHA-256 hash for the version of the
csrss.exe file in C:\Windows\System32. It reported the same
SHA-256 hash as VirusTotal listed for the copy of the file I uploaded from
the user's %TEMP% directory. I also checked the
hashes for both files. For both files the MD5 hash was
60c2862b4bf0fd9f582ef344c2b1ec72. The Tiger hash function yielded a
hash of 42e263a5861a1e3b8e411fec97994a32d2cdfc04cf54ab4b for both.
The Whirlpool hash was
def1e95668f22e06b605093df41d3bb635e7096860bb0adb6c405be49e723fb2497a8a2b64ca5d25519c4ba00c75facb0421bebc4df24f7c9918e0bb85f4c8f4 for both files.
So I've no reason to suspect that the file in the %TEMP%
directory is any different than the one in the C:\Windows\Temp
directory. I thought that perhaps the only reason Malwarebytes
Anti-Malware flagged it to be quarantined is that it was an exe file in
the user's AppData\Local\Temp directory. It is possible that
I copied the file there previously when I was checking on various files
on the system when trying to eliminate a source of malware infection
on the system and that an update to Malwarebytes Anti-Malware now
has it mark any file in that directory as malware. I had Malwarebytes
Anti-Malware quarantine the file and then copied another legitimate
Microsoft Windows exe file, write.exe and also the
csrss.exe file from C:\Windows\System32
into that directory just to see if Malwarebytes Anti-Malware would
flag them as malicious. It again detected csrss.exe as
malicious, but did not report the write.exe file I copied
into that directory from C:\Windows\system32 as malicious,
so it doesn't seem to be judging all .exe files in that folder as
potential threats, just certain ones.
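The byte-for-byte comparison (fc /b) and the hash checks (sha256deep) described above can be combined into one check of a flagged file against a known-good copy. The following is an added example, not code from the original post; the function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def file_hashes(path, algorithms=("md5", "sha256")):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def first_difference(path_a, path_b):
    """Offset of the first differing byte, or None when the files are identical."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if ca != cb:
                for i, (x, y) in enumerate(zip(ca, cb)):
                    if x != y:
                        return offset + i
                # No mismatch in the overlap: one file is a prefix of the other.
                return offset + min(len(ca), len(cb))
            if not ca:
                return None
            offset += len(ca)

def compare_to_reference(suspect, reference):
    """Summarize whether a flagged file is the same as a known-good copy."""
    return {
        "same_size": os.path.getsize(suspect) == os.path.getsize(reference),
        "hashes_match": file_hashes(suspect) == file_hashes(reference),
        "first_difference": first_difference(suspect, reference),
    }

def demo():
    """Constructed data: a reference, an exact copy, and a same-size altered copy."""
    reference = b"MZ" + bytes(range(256)) * 30
    altered = reference[:5000] + b"\x00" + reference[5001:]
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("ref", reference), ("copy", reference), ("altered", altered)):
            paths[name] = os.path.join(d, name + ".bin")
            with open(paths[name], "wb") as fh:
                fh.write(data)
        return (compare_to_reference(paths["copy"], paths["ref"]),
                compare_to_reference(paths["altered"], paths["ref"]))
```

The altered copy in `demo()` has the same size as the reference, which is why a matching size and time stamp alone do not show that two files are identical.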
Sometimes you may wish to temporarily disable the antivirus software
on a system in order to scan the system with other antivirus/antispyware
software. If you are using McAfee Total Protection as the antivirus
software on a system, instructions for turning off its real-time scanning
feature are listed here.
F-Secure provides a free Rescue CD which allows you to boot a PC from a CD and
scan it for malware using F-Secure's antivirus software. The F-Secure Rescue
CD will attempt to disinfect any infected files and will rename any it can't
disinfect by putting a .virus extension at the end of the file name. By doing
that, when you reboot the system into Microsoft Windows, the infected file will
not be loaded into memory.
On a Windows 7 system
that came with avast! Free Antivirus
preinstalled, whenever I was browsing the web with Internet Explorer 9,
I would periodically see "Internet Explorer has stopped working" messages.
When I clicked on the "View problem details" link in the window that
appeared, I found the problem associated with the avast! antivirus program's
asWebRepIE.dll Dynamic Link Library (DLL) module.
PC Tools free
Alternate Operating System Scanner allows you to boot a Microsoft
Windows system with an alternate operating system on a CD. You can then
scan the system for viruses from the CD, though I've found the utility
of its anti-virus scanner to be very limited.
When I tried the virus scanning feature on a Dell Dimension 4550 PC that
had Windows XP Home installed on the hard drive, the scanner didn't seem to be
very effective, completing the scan in only 8 seconds and checking only
738 files out of the hundreds of thousands of files that existed on the
Windows partition of the hard drive I scanned.
Total malware files:
The CD comes with a file manager that will allow you to access directories
and files on your Microsoft Windows partitions on the hard drive.
It also has "Disk Detonator", which will allow you to destroy partitions
on the hard drive, if you wish.
You can get a
shell prompt by choosing "System Shell" from the main menu, which will
give you an ash shell
provided via BusyBox, but
the AOSS CD is lacking in standard Linux command line utilities.
There is no scp nor ftp for transferring files over the network to another
system. There is no links nor lynx one might use to access a web server to
download or upload files. Wget and curl are also missing as are the standard
network utilities such as ifconfig and netstat.
When I checked the contents of /proc/version, I saw that
AOSS uses Ubuntu GNU/Linux for the
Linux version 22.214.171.124 (www-data@steve-aoss-ubuntu) (gcc version 4.4.1 (Ubuntu 4
.4.1-4ubuntu9) ) #1 SMP PREEMPT Mon Oct 31 11:26:05 EST 2011
The antivirus vendor Avira offers a free rescue CD which allows you to boot
a system that runs Microsoft Windows from a Linux rescue CD that contains
Avira's antivirus software. The Avira AntiVir Rescue System can be used
in cases where a system is so badly infected it won't boot into Microsoft
Windows properly or when the system runs abysmally slowly due to malware
present on the system.
The Avira AntiVir Rescue System v3.7.16 uses
ISOLINUX to boot from
the CD. It appears to be based on
Debian GNU/Linux judging by
the contents of /proc/version.
root@RescueSystem:/# cat /proc/version
Linux version 126.96.36.199 (cgossenberger@lx-i386-gc236) (gcc version 4.1.2 20061115
(prerelease) (Debian 4.1.1-21)) #1 SMP Thu Aug 12 13:33:53 CEST 2010
AntiVir Rescue System download page, you can download an iso file from
which you can burn a CD, if you already have CD burning software that can write
ISO files to CDs, or you can download an exe file from the Avira download page
and use it to create a bootable rescue CD containing the Avira antivirus
When I scanned a system with an Avira AntiVir Rescue System CD today, which
I had previously scanned with 5 other rescue CDs and 3 antivirus/antispyware
programs within Microsoft Windows, the Avira antivirus software still
found 2 remaining infected files.