BitDefender Threat Scanner File Containing Error Information

A user of a Windows 7 Professional system (64-bit version) sent me a screen shot she had taken of a BitDefender Threat Scanner window that had popped up on her system Friday morning. She had been seeing the message periodically in the past. She had also informed me on January 4, 2016, i.e., eleven days prior to the most recent incident, that she had received a similar message.

BitDefender Threat Scanner

A problem has occurred in BitDefender Threat Scanner. A file containing error information has been created at C:\Windows\TEMP\c44f5eb-94e1-4222-b781-15e2ddadac3b\BitDefender Threat Scanner.dmp. You are strongly encouraged to send the file to the developers of the application for further investigation of the error.

I thought I had installed BitDefender Antivirus Free Edition quite some time ago when trying to resolve a problem with malware on the system. But when I looked for a BitDefender directory under C:\Program Files and C:\Program Files (x86), I did not see one, nor did I see any directory associated with it under C:\.

From a command prompt for the user's account, I scanned the registry for any references to BitDefender under HKEY_CURRENT_USER (HKCU), but saw none.

C:\Users\Pamela>reg query HKCU /f BitDefender /s

End of search: 0 match(es) found.

Note: The /f and /s options to the reg query command perform the following functions:

  /f       Specifies the data or pattern to search for.
           Use double quotes if a string contains spaces. Default is "*".

  /s       Queries all subkeys and values recursively (like dir /s).

I also opened a command prompt with administrator privileges by right-clicking on Command Prompt and choosing "Run as administrator" and performed a similar check for HKEY_LOCAL_MACHINE (HKLM), but found nothing.

C:\>reg query HKLM /f BitDefender /s

End of search: 0 match(es) found.

C:\>

I also opened the Control Panel and looked for BitDefender under "Uninstall a program", but it was not listed there. Nor did I see any scheduled tasks for it when I ran a schtasks /query command.

C:\>schtasks /query | find /i "BitDefender"

C:\>

I first ran the above command from a command prompt for the user's account and then for a command prompt where I chose to open it with "Run as administrator", but in neither case was anything found containing "BitDefender". I did see the dump file was placed in C:\Windows\Temp at 3:03 AM local time on Friday morning.

C:\Windows\Temp>dir Bit*
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Windows\Temp

01/15/2016  03:03 AM            52,927 BitDefender Threat Scanner.dmp
               1 File(s)         52,927 bytes
	       0 Dir(s)  829,183,782,912 bytes free

Note: to see the file I had to issue the command from a command prompt opened with "Run as administrator".

So I then tried the Windows Sysinternals Autoruns for Windows utility, which I've found very useful for locating the starting point for programs in the past.

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

The program, which was developed by Mark Russinovich, who founded Winternals Software LP with Bryce Cogswell, a company subsequently acquired by Microsoft, is free. There are many other very useful free Sysinternals utilities now available from Microsoft.

When I ran autoruns, I clicked on File then chose Find and searched for BitDefender.

Autoruns find BitDefender

It found a "Trufos Mini-Filter Driver".

Autoruns found Trufos Mini-Filter Driver

trufos.sys                   Size: 441 K
Trufos Mini-Filter Driver    Time: 10/11/2014 4:01 AM
BitDefender S.R.L.           Version: 2.4.851.21851

When I checked the date on the trufos.sys file, it had a date of about a year ago, i.e., January 22, 2015.

C:\Windows\Temp>dir c:\windows\system32\drivers\trufos.sys
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of c:\windows\system32\drivers

01/22/2015  04:16 PM           452,040 Trufos.sys
               1 File(s)        452,040 bytes
	       0 Dir(s)  833,732,030,464 bytes free

But the driver was apparently installed on the system on July 5, 2015, since when I searched through the System event log for Trufos, I saw a log entry with an Event ID of 7045 dated 7/5/2015 10:45:15 PM referencing Trufos.sys. I did not find any other entries referencing "Trufos", though log entries went back to March 5, 2015.

A service was installed in the system

Service Name: Trufos
Service File Name: system32\DRIVERS\Trufos.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:

Event 7045 - Trufos.sys

Note: you can search the System event log by clicking on the Start button, selecting Control Panel, System and Security, and View event logs under Administrative Tools. Then under Windows Logs click on System to select the System event log. You can then click on Action and select Find. I put Trufos in the Find what field.

I also saw the driver when I issued a driverquery command and piped the output into the findstr command.

C:\>driverquery | findstr "Module === Trufos"
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
Trufos       Trufos                 File System   10/11/2014 5:01:08 AM

C:\>

Note: with the findstr command, you can search for multiple strings by separating them with a space. By searching on "Module", "===", and "Trufos", I could get the two header lines and the line for Trufos, but ignore all the other output from the driverquery command.

I attempted to uncheck the check box to the left of the Trufos entry in autoruns to keep the driver from being loaded when the system boots, but saw the message "Error changing item state: Access is denied."

Autoruns Error Changing Item State

But when I clicked on the Run as Administrator button and provided a userid and password for an administrator account for the system, the command appeared to complete successfully. When I searched again, "BitDefender" wasn't found, but when I clicked on the top entry in the autoruns window and then searched again, it was found again with the check box still checked. It likely wasn't found initially because autoruns was starting the new search from where it was previously; clicking on the top entry in its window caused it to search downwards from the top again. I was able to click on the check box this time and it changed to unchecked.

Autoruns found Trufos Mini-Filter Driver

Since searching downwards from that point did not find any further references to BitDefender, I believe that the trufos.sys driver was the cause of the BitDefender Threat Scanner error message the user saw.

When I reissued the driverquery command it showed the same information as previously, even when I rebooted the system and ran it again after the reboot, but I believe unchecking the entry in autoruns will stop it from loading into memory when the system boots. The entry was still unchecked in autoruns after I rebooted the system.

And by using the free InstalledDriversList utility from Nir Sofer at NirSoft, I was able to verify the driver is now disabled. The InstalledDriversList program showed a yellow icon to the left of Trufos, which indicates the driver is not running in the Windows kernel, and the "Startup Type" was shown as disabled.
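The checks above were done one at a time with reg query, schtasks, dir, driverquery, Event Viewer and Autoruns. The following script is an added example, not from the original post or from any of the tools it mentions, that sweeps the same locations in one pass and also reads the driver's registry Start value (4 = disabled) so the result of unchecking the entry in Autoruns can be confirmed. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the pattern 'BitDefender|Trufos' is a constructed default.

```powershell
# Added example, not from the original post: sweep the places the post checked
# by hand (SCM drivers, uninstall list, scheduled tasks, driver and Temp
# directories, Event ID 7045) for a vendor or driver name.
# Assumes Windows PowerShell 3.0+ and a prompt opened with "Run as administrator".
function Find-LeftoverComponent {
    param([string]$Pattern = 'BitDefender|Trufos')   # regex; constructed default for this example

    # Drivers and services registered with the Service Control Manager, plus the
    # registry Start value (3 = demand start as in the 7045 event, 4 = disabled)
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object {
            $start = (Get-ItemProperty "$svcKey\$($_.Name)" -ErrorAction SilentlyContinue).Start
            [pscustomobject]@{ Name = $_.Name; State = $_.State; PathName = $_.PathName; Start = $start }
        }

    # Entries behind Control Panel > "Uninstall a program" (64-bit and 32-bit views)
    $uninstall = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object DisplayName, DisplayVersion, UninstallString

    # Scheduled tasks via schtasks so this also works on Windows 7 (no Get-ScheduledTask there)
    $tasks = schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -match $Pattern -or $_.'Task To Run' -match $Pattern } |
        Select-Object TaskName, 'Task To Run', Status

    # Driver binaries on disk and crash dumps left in %SystemRoot%\Temp
    $files = Get-ChildItem "$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        Select-Object FullName, Length, LastWriteTime

    # Event ID 7045 "A service was installed in the system" records when the driver arrived
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        Drivers = $drivers; Uninstall = $uninstall; Tasks = $tasks
        Files = $files; ServiceInstalls = $installs
    }
}

Find-LeftoverComponent | Format-List
```

A driver that shows up under Drivers with Start = 4 and State = Stopped after a reboot is what the InstalledDriversList yellow icon and "disabled" Startup Type in the post correspond to.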

InstalledDriversList - Trufos

I had installed BitDefender Antivirus Free Edition along with many other antimalware products while trying to rid the system of malware that the user's real-time antivirus software was unable to detect and eradicate. I had removed some of the antivirus/antispyware programs after I was eventually able to eliminate the problem. I didn't remove BitDefender Antivirus Free Edition due to being unhappy with the capabilities of the software; I've often used the BitDefender Rescue CD to assist in eradicating problems that haven't been eliminated by the antivirus software running under the Windows operating system on systems. I suspect that the uninstall routine didn't remove all elements of BitDefender Antivirus Free Edition, leaving trufos.sys behind to still be loaded into memory when the system boots, but the user should no longer see the error related to BitDefender Threat Scanner now.


Created: Sunday January 17, 2016