I ran a scan with
ClamWin,
a free and open-source antivirus program for Microsoft Windows systems,
on a user's system recently when she thought the system
might be infected with malware. I ran the ClamWin scan after I scanned the
system with McAfee AntiVirus, the active antivirus program on the system
providing real-time protection, which did not find any malware. The scan,
which ran for many hours, flagged many files as containing malware. It was
difficult to note the names and locations of files flagged as containing
malware when they were flagged as the results would scroll quickly by as the
program went on to scan other files. As I assumed I would be able to save
the results to a file when the scan completed, that did not concern me. However,
when the scan completed I was unable to save the results to a file because
the button that would allow me to save the results was grayed out.
You can still access the results of a scan in such cases, though, because when
you exit from viewing the scan results, the program automatically appends the
results to C:\ProgramData\.clamwin\log\ClamScanLog.txt. The
ProgramData directory is a hidden directory that you won't see in the
Windows File Explorer
unless you have configured it to display hidden files and folders. You
can see the directory is present if you
open a command prompt window
and issue the command dir /ah — the "/ah" tells the
dir command to display files and folders with the attribute "hidden."
E.g.:
C:\>dir /ah
Volume in drive C is OS
Volume Serial Number is 4445-F6ED
Directory of C:\
08/21/2022 07:38 PM <DIR> $Recycle.Bin
07/08/2017 03:45 PM <DIR> $Windows.~WS
02/14/2024 10:43 AM <DIR> $WinREAgent
10/30/2015 02:18 AM 1 BOOTNXT
08/21/2022 01:01 PM 112 bootTel.dat
02/28/2024 03:54 PM <DIR> Config.Msi
11/04/2011 01:20 AM 30,425 dell.sdr
07/14/2009 12:08 AM <JUNCTION> Documents and Settings [C:\Users]
03/03/2024 11:51 PM 8,192 DumpStack.log.tmp
03/04/2024 03:51 PM 6,373,736,448 hiberfil.sys
01/30/2012 09:36 PM <DIR> MSOCache
03/03/2024 11:51 PM 8,589,934,592 pagefile.sys
03/03/2024 09:48 AM <DIR> ProgramData
10/11/2023 09:00 AM <DIR> Recovery
03/03/2024 11:51 PM 268,435,456 swapfile.sys
01/28/2012 08:26 PM <DIR> System Recovery
03/04/2024 08:00 PM <DIR> System Volume Information
7 File(s) 15,232,145,226 bytes
10 Dir(s) 795,701,448,704 bytes free
C:\>
Though the log file containing scan results is beneath a hidden directory,
you can access it from a text editor such as
Windows Notepad
by typing in the directory path and file name, i.e.,
C:\ProgramData\.clamwin\log\ClamScanLog.txt when you choose
Open to open a file, or you could open it from a command prompt
window as shown below.
The ClamScanLog.txt file will contain the results of all scans run on the
system, unless it was edited to remove prior results, with the results of
the latest scan at the bottom of the file.
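Since the results window scrolls past too quickly to note the flagged files, a small script that pulls the detections out of the appended log is handy. This is an added example, not part of the original page or of ClamWin; it assumes the clamscan-style layout of `path: SIGNATURE FOUND` lines and a `Scan Started` line at the top of each appended scan, and the sample log is constructed, not real output.

```python
import re
from pathlib import Path

# Constructed sample of a ClamScanLog.txt with two appended scans (not real scanner output).
SAMPLE_LOG = """\
Scan Started Fri Feb 23 09:10:02 2024
C:\\Users\\Pamela\\Downloads\\setup.exe: Win.Trojan.Agent-12345 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Scan Started Sat Mar 02 21:15:44 2024
C:\\Users\\Pamela\\AppData\\Local\\Temp\\tool.exe: Win.Test.EICAR_HDB-1 FOUND
C:\\Windows\\System32\\calc.exe: OK
C:\\Users\\Pamela\\Desktop\\report.pdf: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
"""

# A detection line ends in " FOUND"; the first ": " separates the path from the signature.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def split_scans(log_text):
    """Split the ever-growing log into one list of lines per scan.
    Assumes (not confirmed by the page) that each scan begins with a 'Scan Started' line."""
    scans, current = [], []
    for line in log_text.splitlines():
        if line.startswith("Scan Started") and current:
            scans.append(current)
            current = []
        current.append(line)
    if current:
        scans.append(current)
    return scans


def flagged_files(lines):
    """Return (path, signature) pairs for every FOUND line in one scan."""
    return [(m.group("path"), m.group("sig")) for m in map(FOUND_RE.match, lines) if m]


def latest_detections(log_text):
    """Detections from the most recent scan only, which sits at the bottom of the file."""
    scans = split_scans(log_text)
    return flagged_files(scans[-1]) if scans else []


def detections_from_file(path=r"C:\ProgramData\.clamwin\log\ClamScanLog.txt"):
    """Read the real log; errors='replace' keeps odd bytes from aborting the parse."""
    return latest_detections(Path(path).read_text(errors="replace"))
```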
To temporarily turn off the real-time antivirus protection in McAfee
AntiVirus Plus, e.g., so you could move a file to another system for analysis
that it might deem malware or to scan the system with other antivirus
software, you can take the following steps:
Open the program and click on the gear (cog) icon at the upper, right-hand
corner of the window.
Under the PC Security section of the Settings, you will
see "Real-Time Scanning." When you click on "Real-Time Scanning" you will
have the option of turning off the real-time monitoring for 15 minute intervals
from 15 to 60 minutes or you can select "When I restart my PC" or "Never."
If you select a timed option, the protection will automatically turn back
on after that period of time. You can also turn on protection again
prior to that time by modifying the "Real-Time Scanning" setting again.
If you wish to view or restore items McAfee AntiVirus Plus has quarantined,
you can click on "Quarantined items" under Settings, which will show
you all files in the quarantine area, if any.
Note: these steps were tested on McAfee® AntiVirus Plus version 16.0.
I downloaded SUPERAntiSpyware
Free Edition version 8.0.1048, an antivirus program,
from the developer's website on January 27, 2020. When I attempted to install it
by right-clicking on the file and choosing "Run as administrator," a
Windows Defender
window popped up with the message below:
Windows protected your PC
Windows Defender SmartScreen prevented an
unrecognized app from
starting. Running this app might put your PC at risk. More info
When I clicked on the "X" at the top, right-hand corner of the window,
the message went away, but the installation did not start.
After I upgraded ClamWin to version 0.99.1 on an
HP laptop running Microsoft Windows 7 Professional, I saw a window titled
"freshclam.exe - Ordinal Not Found" with the message "The ordinal 177
could not be located in the dynamic link library libclamav.dll."
When I right-clicked on the ClamWin icon in the
notification area
at the lower, right-hand corner of the screen and selected Open ClamWin,
I saw the prompt "You have not yet downloaded Virus Definitions Database.
Would you like to download it now?" I chose "Yes" and saw the
"Ordinal Not Found" message again.
A user of a Windows 7 Professional system (64-bit version) sent me a screen
shot she had taken of a BitDefender Threat Scanner window that had popped up on
her system Friday morning. She had been seeing the message periodically in
the past.
BitDefender Threat Scanner
A problem has occured in BitDefender Threat Scanner. A file containing
error information has been created at
C:\Windows\TEMP\c44f5eb-94e1-4222-b781-15e2ddadac3b\BitDefender Threat
Scanner.dmp. You are strongly encouraged to send the file
to the developers of the application for further investigation of the
error.
After using the Sysinternals autoruns utility, I found that
a BitDefender driver Trufos.sys was being loaded. I disabled
it with autoruns.
On a system running Small Office Security 3 from
Kaspersky
Lab International Ltd., I was notified that
the antivirus database was not up-to-date. When I had the software attempt
to update the virus definitions, I saw the message "Update Center: Task
failed. Proxy server is not found."
I then realized I had recently configured Internet Explorer on the system
to use a SOCKS proxy server - see
Configuring IE 10 to use an SSH SOCKS Proxy Server - so Kaspersky Small
Office Security 3 must automatically use the system proxy settings,
since I had not altered the configuration of the Kaspersky software,
but be unable to communicate with sites if the system proxy setting is
configured to use a SOCKS proxy rather than an HTTP proxy. I encountered
the same issue with Firefox when it was configured to use the system
proxy settings.
I configured Internet Explorer not to use a proxy server and then clicked
on the update button within Kaspersky Small Office Security 3. It was then
able to update its databases.
A user reported that she saw a message on her system, which runs Windows 7
Professional, Friday morning December 19, 2014 indicating that malware had
been detected on her system by
Malwarebytes Anti-Malware.
The file, which Malwarebytes identified as
Trojan.Agent, was csrss.exe, located in her
%TEMP% directory, i.e.,
C:\Users\Pamela\AppData\Local\Temp. There is a legitimate
Microsoft Windows file named csrss.exe, but that file is located in
C:\Windows\System32. The legitimate file on her system is
7,680 bytes in size and has a time stamp of 07/13/2009 08:39 PM. When
I checked the one Malwarebytes Anti-Malware was identifying as malware,
I saw it had the same size and time stamp.
C:\Windows>dir %TEMP%\csrss.exe
Volume in drive C is OS
Volume Serial Number is 4445-F6ED
Directory of C:\Users\Pamela\AppData\Local\Temp
07/13/2009 08:39 PM 7,680 csrss.exe
1 File(s) 7,680 bytes
0 Dir(s) 864,839,192,576 bytes free
I uploaded the one Malwarebytes Anti-Malware flagged as malicious to
Google's VirusTotal site, which
analyzes uploaded files with many antivirus programs to determine if they
are safe or potentially dangerous. I had the site reanalyze the file, which
had been scanned previously. Zero of the fifty-four antivirus programs used
by the site to scan the file identified it as malware. The
SHA256 hash
listed for the file is
cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a -
see the
report.
I ran a binary file comparison between the two files using the Microsoft
Windows fc utility. It found no differences between the two
copies of csrss.exe.
C:\Windows>fc /b %TEMP%\csrss.exe c:\windows\system32\csrss.exe
Comparing files C:\USERS\PAMELA\APPDATA\LOCAL\TEMP\csrss.exe and C:\WINDOWS\SYSTEM32\CSRSS.EXE
FC: no differences encountered
I had previously placed
md5deep, which can be downloaded from
md5deep and hashdeep, and its
associated utilities on the system. I used the 64-bit version, since
the system was running the 64-bit version of Microsoft Windows 7, of
sha256deep to check the SHA-256 hash for the version of the
csrss.exe file in C:\Windows\System32. It reported the same
SHA-256 hash as VirusTotal listed for the copy of the file I uploaded from
the user's %TEMP% directory. I also checked the
MD5,
Tiger, and
Whirlpool
hashes for both files. For both files the MD5 hash was
60c2862b4bf0fd9f582ef344c2b1ec72. The Tiger hash function yielded a
hash of 42e263a5861a1e3b8e411fec97994a32d2cdfc04cf54ab4b for both.
The Whirlpool hash was
def1e95668f22e06b605093df41d3bb635e7096860bb0adb6c405be49e723fb2497a8a2b64ca5d25519c4ba00c75facb0421bebc4df24f7c9918e0bb85f4c8f4 for both files.
So I've no reason to suspect that the file in the %TEMP%
directory is any different than the one in the C:\Windows\Temp
directory. I thought that perhaps the only reason Malwarebytes
Anti-Malware flagged it to be quarantined is that it was an exe file in
the user's AppData\Local\Temp directory. It is possible that
I copied the file there previously when I was checking on various files
on the system when trying to eliminate a source of malware infection
on the system and that an update to Malwarebytes Anti-Malware now
has it mark any file in that directory as malware. I had Malwarebytes
Anti-Malware quarantine the file and then copied another legitimate
Microsoft Windows exe file, write.exe and also the
csrss.exe file from C:\Windows\System32
into that directory just to see if Malwarebytes Anti-Malware would
flag them as malicious. It again detected csrss.exe as
malicious, but did not report the write.exe file I copied
into that directory from C:\Windows\system32 as malicious,
so it doesn't seem to be judging all .exe files in that folder as
potential threats, just certain ones.
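The checks above (fc /b against the System32 copy, then sha256deep and the other digests, then a comparison with the SHA-256 on the VirusTotal report) can be scripted so the same verdict is reproducible. This is an added example, not code from the original page or from any of the tools it mentions; the sample bytes are a constructed stand-in for csrss.exe, and it also covers the case the manual check would miss, a tampered copy with the same size.

```python
import filecmp
import hashlib
import tempfile
from pathlib import Path


def file_digests(path, algorithms=("sha256", "md5")):
    """Read the file once and feed every requested hashlib algorithm in 4 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(4 * 1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_with_known_good(suspect, known_good, expected_sha256=None):
    """Mirror the manual fc /b + sha256deep check: byte comparison, digests of both
    copies and, optionally, whether the system copy matches a published SHA-256."""
    suspect, known_good = Path(suspect), Path(known_good)
    result = {
        "same_size": suspect.stat().st_size == known_good.stat().st_size,
        "byte_identical": filecmp.cmp(suspect, known_good, shallow=False),
        "suspect": file_digests(suspect),
        "known_good": file_digests(known_good),
    }
    result["hashes_match"] = result["suspect"] == result["known_good"]
    if expected_sha256 is not None:
        result["known_good_matches_expected"] = (
            result["known_good"]["sha256"].lower() == expected_sha256.lower()
        )
    return result


# Constructed stand-in for csrss.exe (not the real binary): a fake PE header plus padding.
SAMPLE_GOOD = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 1024
SAMPLE_TAMPERED = bytearray(SAMPLE_GOOD)
SAMPLE_TAMPERED[500] ^= 0xFF  # same size and, if copied, same timestamp; one byte differs


def make_sample_files(dirpath=None):
    """Write a 'System32' copy, an identical %TEMP% copy and a same-size tampered copy."""
    d = Path(dirpath or tempfile.mkdtemp())
    paths = {"known_good": d / "system32_csrss.exe", "temp_copy": d / "temp_csrss.exe",
             "tampered": d / "tampered_csrss.exe"}
    paths["known_good"].write_bytes(SAMPLE_GOOD)
    paths["temp_copy"].write_bytes(SAMPLE_GOOD)
    paths["tampered"].write_bytes(bytes(SAMPLE_TAMPERED))
    paths["expected_sha256"] = hashlib.sha256(SAMPLE_GOOD).hexdigest()  # stands in for the VirusTotal value
    return paths
```

A size and timestamp match, as in the dir listing above, is not evidence on its own; only the byte comparison or the digest comparison settles whether the two copies are the same file.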
Sometimes you may wish to temporarily disable the antivirus software
on a system in order to scan the system with other antivirus/antispyware
software. If you are using McAfee Total Protection as the antivirus
software on a system, instructions for turning off its real-time scanning
feature are listed here.
F-Secure provides a free Rescue CD which allows you to boot a PC from a CD and
scan it for malware using F-Secure's antivirus software. The F-Secure Rescue
CD will attempt to disinfect any infected files and will rename any it can't
disinfect by putting a .virus extension at the end of the file name. By doing
that, when you reboot the system into Microsoft Windows, the infected file will
not be loaded into memory.
On a Windows 7 system
that came with avast! Free Antivirus
preinstalled, whenever I was browsing the web with Internet Explorer 9,
I would periodically see "Internet Explorer has stopped working" messages.
When I clicked on the "View problem details" link in the window that
appeared, I found the problem associated with the avast! antivirus program's
asWebRepIE.dll Dynamic Link Library (DLL) module.