I thought I had installed
Free Edition quite some time ago when trying to resolve a problem with
malware on the system. But when I looked for a BitDefender directory under
C:\Program Files and
C:\Program Files (x86), I did
not see one, nor did I see any directory associated with it under
From a command prompt for the user's account, I scanned the registry for any references to BitDefender under HKEY Current User (HKCU), but saw none.
C:\Users\Pamela>reg query HKCU /f BitDefender /s End of search: 0 match(es) found.
/s options to the
query command perform the following functions:
/f Specifies the data or pattern to search for. Use double quotes if a string contains spaces. Default is "*". /s Queries all subkeys and values recursively (like dir /s).
I also opened a command prompt with administrator privileges by right-clickng on Command Prompt and choosing "Run as administrator" and performed a similar check for HKEY Local Machine (HKLM), but found nothing.
C:\>reg query HKLM /f BitDefender /s End of search: 0 match(es) found. C:\>
I also opened the Control Panel and looked for BitDefender under
"Uninstall a program", but it was not listed there. Nor did I see any
scheduled tasks for it when I ran a
schtasks /query command.
C:\>schtasks /query | find /i "BitDefender" C:\>
I first ran the above command from a command prompt for the user's account
and then for a command prompt where I chose to open it with "Run as
administrator", but in neither case was anything found containing
"BitDefender". I did see the dump file was placed in
C:\Windows\Temp at 3:03 AM local time on Friday morning.
C:\Windows\Temp>dir Bit* Volume in drive C is OS Volume Serial Number is 4445-F6ED Directory of C:\Windows\Temp 01/15/2016 03:03 AM 52,927 BitDefender Threat Scanner.dmp 1 File(s) 52,927 bytes 0 Dir(s) 829,183,782,912 bytes free
Note: to see the file I had to issue the command from a command prompt opended with "run as administrator".
So I then tried the Windows Sysinternals Autoruns for Windows utility, which I've found very useful for locating the starting point for programs in the past.
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
The program, which was developed by Mark Russinovich, who founded Winternals Software LP with Bryce Cogswell, a company subsequently acquired by Microsoft, is free. There are many other very useful free Sysinternals utilities now available from Microsoft.
When I ran autoruns, I clicked on File then chose
Find and searched for
It found a "Trufos Mini-Filter Driver".
|trufos.sys||Size: 441 K|
|Trufos Mini-Filter Driver||Time: 10/11/2014 4:01 AM|
|BitDefender S.R.L.||Version: 2.4.851.21851|
When I checked the date on the
trufos.sys file, it had a
date of about a year ago, i.e., January 22, 2015.
C:\Windows\Temp>dir c:\windows\system32\drivers\trufos.sys Volume in drive C is OS Volume Serial Number is 4445-F6ED Directory of c:\windows\system32\drivers 01/22/2015 04:16 PM 452,040 Trufos.sys 1 File(s) 452,040 bytes 0 Dir(s) 833,732,030,464 bytes free
But the driver was apparently installed on the system on July 5, 2015,
since when I searched through the System event log for
saw a log entry with an Event ID of 7045 dated 7/5/2015 10:45:15 PM referencing
Trufos.sys. I did not find any other entries referencing "Trufos",
though log entries went back until March 5, 2015.
A service was installed in the system
Service Name: Trufos
Service File Name: system32\DRIVERS\Trufos.sys
Service Type: kernel mode driver
Service Start Type: demand start
Note: you can search the System event log by clicking on the Start
button, selecting Control Panel, System and Security, and
View event logs under Administrative Tools. Then under
Windows Logs click on System to select the System
event log. You can then click on Action and select Find. I
Trufos in the Find what field.
I also saw the driver when I issued a
command and piped the output into the
C:\>driverquery | findstr "Module === Trufos" Module Name Display Name Driver Type Link Date ============ ====================== ============= ====================== Trufos Trufos File System 10/11/2014 5:01:08 AM C:\>
Note: with the
findstr command, you can search
for multiple strings by separating them with a space. By searching on "Module",
"===", and "Trufos", I could get the two header lines and the line for Trufos,
but ignore all the other output from the
I attempted to uncheck the check box to the left of the Trufos entry in autoruns to keep the driver from being loaded when the system boots, but saw the message "Error changing item state: Access is denied."
But when I clicked on the Run as Administrator button and provided a userid and password for an administrator account for the system, the command appeared to complete successfully. When I searched again, "BitDefender" wasn't found, but when I clicked on the top entry in the autoruns window and then searched again, it was found again with the check box still checked. It likely wasn't found initially because autoruns was starting the new search from where it was previously; clicking on the top entry in its window caused it to search downwards from the top again. I was able to click on the check box this time and it changed to unchecked.
Since searching downwards from that point did not find any further references to BitDefender, I believe that the trufos.sys driver was the cause of the BitDefender Threat Scanner error message the user saw.
When I reissued the
driverquery command it showed the same
information as previously, even when I rebooted the system and ran it again
after the reboot, but I believe unchecking the entry in autoruns
will stop it from loading into memory when the system boots. The entry was
still unchecked in autoruns after I rebooted the system.
And by using the free InstalledDriversList utility from Nir Sofer at NirSoft, I was able to verify the driver is now disabled. The InstalledDriversList program showed a yellow icon to the left of Trufos, which indicates the driver is not running on the Widows kernel and the "Startup Type" was shown as disabled.
I had installed BitDefender Antivirus Free Edition along with many other
antimalware products while trying to rid the system of malware that the user's
real-time antivirus software was unable to detect and eradicate. I had removed
some of the antivirus/antispyware programs after I was eventually able to
eliminate the problem. I didn't remove BitDefender Antivirus Free Edition due
to being unhappy with the capabilities of the software;
I've often used the BitDefender Rescue CD to assist in eradicating
problems that haven't been eliminated by the antivirus software running
under the Windows operating system on systems. I suspect that the uninstall
routine didn't remove all elements of the BitDefender Antivirus Free Edtion
trufos.sys behind to be still loaded into memory when
the system boots, but the user should no longer see the error related to
BitDefender Threat Scaner now.
Created: Sunday January 17, 2016