Mon, Mar 04, 2024 9:46 pm

Accessing ClamWin scan results when the option to save a report is grayed out

I ran a scan with ClamWin, a free and open-source antivirus program for Microsoft Windows systems, on a user's system recently when she thought the system might be infected with malware. I ran the ClamWin scan after I scanned the system with McAfee AntiVirus, the active antivirus program on the system providing real-time protection, which did not find any malware. The scan, which ran for many hours, flagged many files as containing malware. It was difficult to note the names and locations of files flagged as containing malware when they were flagged, as the results would scroll quickly by as the program went on to scan other files. As I assumed I would be able to save the results to a file when the scan completed, that did not concern me. However, when the scan completed I was unable to save the results to a file because the button that would allow me to save the results was grayed out.

You can still access the results of a scan in such cases, though, because when you exit from viewing the scan results, the program automatically appends the results to C:\ProgramData\.clamwin\log\ClamScanLog.txt. The ProgramData directory is a hidden directory that you won't see in the Windows File Explorer unless you have configured it to display hidden files and folders. You can see the directory is present if you open a command prompt window and issue the command dir /ah — the "/ah" tells the dir command to display files and folders with the attribute "hidden." E.g.:

C:\>dir /ah
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\

08/21/2022  07:38 PM    <DIR>          $Recycle.Bin
07/08/2017  03:45 PM    <DIR>          $Windows.~WS
02/14/2024  10:43 AM    <DIR>          $WinREAgent
10/30/2015  02:18 AM                 1 BOOTNXT
08/21/2022  01:01 PM               112 bootTel.dat
02/28/2024  03:54 PM    <DIR>          Config.Msi
11/04/2011  01:20 AM            30,425 dell.sdr
07/14/2009  12:08 AM    <JUNCTION>     Documents and Settings [C:\Users]
03/03/2024  11:51 PM             8,192 DumpStack.log.tmp
03/04/2024  03:51 PM     6,373,736,448 hiberfil.sys
01/30/2012  09:36 PM    <DIR>          MSOCache
03/03/2024  11:51 PM     8,589,934,592 pagefile.sys
03/03/2024  09:48 AM    <DIR>          ProgramData
10/11/2023  09:00 AM    <DIR>          Recovery
03/03/2024  11:51 PM       268,435,456 swapfile.sys
01/28/2012  08:26 PM    <DIR>          System Recovery
03/04/2024  08:00 PM    <DIR>          System Volume Information
               7 File(s) 15,232,145,226 bytes
              10 Dir(s)  795,701,448,704 bytes free

C:\>

Though the log file containing scan results is beneath a hidden directory, you can access it from a text editor such as Windows Notepad by typing in the directory path and file name, i.e., C:\ProgramData\.clamwin\log\ClamScanLog.txt when you choose Open to open a file, or you could open it from a command prompt window as shown below.

C:\>notepad C:\ProgramData\.clamwin\log\ClamScanLog.txt

C:\>

The ClamScanLog.txt file will contain the results of all scans run on the system, unless it was edited to remove prior results, with the results of the latest scan at the bottom of the file.
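
Because every scan is appended to the same file, the useful step is isolating the detections from the most recent scan. The following is an added example, not part of the original post or of ClamWin: it assumes each scan begins with a "Scan Started <date>" line and that detections use clamscan's "<path>: <signature> FOUND" form, and it runs against a constructed sample log with placeholder signature names.

```python
import re

# Assumed layout: a "Scan Started ..." header per scan, clamscan-style FOUND lines.
SCAN_START = re.compile(r"^Scan Started (?P<when>.+)$")
DETECTION = re.compile(r"^(?P<path>.+): (?P<signature>\S+) FOUND$")

# Constructed sample of an appended log holding two scans; not from a real system.
SAMPLE_LOG = r"""
Scan Started Sun Mar 03 09:48:11 2024
C:\Users\Public\old archive.zip: Constructed.Signature-A FOUND
----------- SCAN SUMMARY -----------
Infected files: 1

Scan Started Mon Mar 04 10:02:37 2024
C:\Users\Example\Downloads\setup.exe: Constructed.Signature-B FOUND
C:\Users\Example\AppData\Local\Temp\report 2024.tmp: Constructed.Signature-C FOUND
C:\Windows\notepad.exe: OK
----------- SCAN SUMMARY -----------
Infected files: 2
"""

def parse_scans(text):
    """Split an appended log into scans, each with its start time and detections."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        start = SCAN_START.match(line)
        if start:
            scans.append({"started": start.group("when"), "detections": []})
            continue
        hit = DETECTION.match(line)
        if hit:
            if not scans:  # header missing, e.g. the log was edited by hand
                scans.append({"started": None, "detections": []})
            scans[-1]["detections"].append((hit.group("path"), hit.group("signature")))
    return scans

def latest_detections(text):
    """Return (path, signature) pairs from the last scan in the log."""
    scans = parse_scans(text)
    return scans[-1]["detections"] if scans else []

if __name__ == "__main__":
    # On the scanned machine, read C:\ProgramData\.clamwin\log\ClamScanLog.txt instead.
    for path, signature in latest_detections(SAMPLE_LOG):
        print(f"{signature}\t{path}")
```
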

[/security/antivirus/clamav] permanent link

Thu, Aug 27, 2020 9:30 pm

Turning off McAfee AntiVirus Plus realtime protection temporarily

To temporarily turn off the realtime antivirus protection in McAfee AntiVirus Plus, e.g., so you could move a file to another system for analysis that it might deem malware or to scan the system with other antivirus software, you can take the following steps:
  1. Open the program and click on the gear (cog) icon at the upper, right-hand corner of the window.
  2. Under the PC Security section of the Settings, you will see "Real-Time Scanning." When you click on "Real-Time Scanning" you will have the option of turning off the real-time monitoring for 15 minute intervals from 15 to 60 minutes or you can select "When I restart my PC" or "Never."

If you select a timed option, the protection will automatically turn back on after that period of time. You can also turn on protection again prior to that time by modifying the "Real-Time Scanning" setting again.

If you wish to view or restore items McAfee AntiVirus Plus has quarantined, you can click on "Quarantined items" under Settings, which will show you all files in the quarantine area, if any.

Note: these steps were tested on McAfee® AntiVirus Plus version 16.0

[/security/antivirus/mcafee] permanent link

Mon, Jan 27, 2020 10:10 pm

SUPERAntiSpyware Installation Blocked by Windows Defender

I downloaded SUPERAntiSpyware Free Edition version 8.0.1048, an antivirus program, from the developer's website on January 27, 2020. When I attempted to install it by right-clicking on the file and choosing "Run as administrator," a Windows Defender window popped up with the message below:

Windows protected your PC

Windows Defender SmartScreen prevented an unrecognized app from
starting. Running this app might put your PC at risk.
More info

When I clicked on the "X" at the top, right-hand corner of the window, the message went away, but the installation did not start.

[ More Info ]

[/security/antivirus/SUPERAntiSpyware] permanent link

Sun, Oct 23, 2016 10:27 pm

freshclam.exe - Ordinal Not Found

After I upgraded ClamWin to version 0.99.1 on an HP laptop running Microsoft Windows 7 Professional, I saw a window titled "freshclam.exe - Ordinal Not Found" with the message "The ordinal 177 could not be located in the dynamic link library libclamav.dll."

When I right-clicked on the ClamWin icon in the notification area at the lower, right-hand corner of the screen and selected Open ClamWin, I saw the prompt "You have not yet downloaded Virus Definitions Database. Would you like to download it now?" I chose "Yes" and saw the "Ordinal Not Found" message again.

[ More Info ]

[/security/antivirus/clamav] permanent link

Mon, Jan 18, 2016 10:12 pm

BitDefender Threat Scanner File Containing Error Information

A user of a Windows 7 Professional system (64-bit version) sent me a screen shot she had taken of a BitDefender Threat Scanner window that had popped up on her system Friday morning. She had been seeing the message periodically in the past.

A problem has occured in BitDefender Threat Scanner. A file containing error information has been created at C:\Windows\TEMP\c44f5eb-94e1-4222-b781-15e2ddadac3b\BitDefender Threat Scanner.dmp. You are strongly encouraged to send the file to the developers of the application for further investigation of the error.

After using the Sysinternals autoruns utility, I found that a BitDefender driver Trufos.sys was being loaded. I disabled it with autoruns.

[ More Info ]

[/security/antivirus/bitdefender] permanent link

Tue, Feb 17, 2015 8:20 pm

Kaspersky Small Office Security 3 Proxy server is not found

On a system running Small Office Security 3 from Kaspersky Lab International Ltd., I was notified that the antivirus database was not up-to-date. When I had the software attempt to update the virus definitions, I saw the message "Update Center: Task failed. Proxy server is not found."

When I viewed the details, the "Detailed report" showed "Update Center: failure (65)".

I then realized I had recently configured Internet Explorer on the system to use a SOCKS proxy server - see Configuring IE 10 to use an SSH SOCKS Proxy Server - so Kaspersky Small Office Security 3 must automatically use the system proxy settings, since I had not altered the configuration of the Kaspersky software, but be unable to communicate with sites if the system proxy setting is configured to use a SOCKS proxy rather than an HTTP proxy. I encountered the same issue with Firefox when it was configured to use the system proxy settings.

I configured Internet Explorer not to use a proxy server and then clicked on the update button within Kaspersky Small Office Security 3. It was then able to update its databases.

[/security/antivirus/Kaspersky] permanent link

Sat, Dec 20, 2014 10:46 pm

Malwarebytes Anti-Malware detection for csrss.exe

A user reported that she saw a message on her system, which runs Windows 7 Professional, Friday morning, December 19, 2014, indicating that malware had been detected on her system by Malwarebytes Anti-Malware.

The file, which Malwarebytes identified as Trojan.Agent, was csrss.exe, located in her %TEMP% directory, i.e., C:\Users\Pamela\AppData\Local\Temp. There is a legitimate Microsoft Windows file named csrss.exe, but that file is located in C:\Windows\System32. The legitimate file on her system is 7,680 bytes in size and has a time stamp of 07/13/2009 08:39 PM. When I checked the one Malwarebytes Anti-Malware was identifying as malware, I saw it had the same size and time stamp.

C:\Windows>dir %TEMP%\csrss.exe
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\Local\Temp

07/13/2009  08:39 PM             7,680 csrss.exe
               1 File(s)          7,680 bytes
               0 Dir(s)  864,839,192,576 bytes free

I uploaded the one Malwarebytes Anti-Malware flagged as malicious to Google's VirusTotal site, which analyzes uploaded files with many antivirus programs to determine if they are safe or potentially dangerous. I had the site reanalyze the file, which had been scanned previously. Zero of the fifty-four antivirus programs used by the site to scan the file identified it as malware. The SHA256 hash listed for the file is cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a - see the report.

I ran a binary file comparison between the two files using the Microsoft Windows fc utility. It found no differences between the two copies of csrss.exe.

C:\Windows>fc /b %TEMP%\csrss.exe c:\windows\system32\csrss.exe
Comparing files C:\USERS\PAMELA\APPDATA\LOCAL\TEMP\csrss.exe and C:\WINDOWS\SYSTEM32\CSRSS.EXE
FC: no differences encountered

I had previously placed md5deep, which can be downloaded from md5deep and hashdeep, and its associated utilities on the system. I used the 64-bit version, since the system was running the 64-bit version of Microsoft Windows 7, of sha256deep to check the SHA-256 hash for the version of the csrss.exe file in C:\Windows\System32. It reported the same SHA-256 hash as VirusTotal listed for the copy of the file I uploaded from the user's %TEMP% directory. I also checked the MD5, Tiger, and Whirlpool hashes for both files. For both files the MD5 hash was 60c2862b4bf0fd9f582ef344c2b1ec72. The Tiger hash function yielded a hash of 42e263a5861a1e3b8e411fec97994a32d2cdfc04cf54ab4b for both. The Whirlpool hash was def1e95668f22e06b605093df41d3bb635e7096860bb0adb6c405be49e723fb2497a8a2b64ca5d25519c4ba00c75facb0421bebc4df24f7c9918e0bb85f4c8f4 for both files.

C:\Program Files\Utilities\File\md5deep>sha256deep64 c:\windows\system32\csrss.exe
cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a c:\windows\system32\csrss.exe

C:\Program Files\Utilities\File\md5deep>sha256deep64 %TEMP%\csrss.exe
cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a C:\Users\Pamela\AppData\Local\Temp\csrss.exe

C:\Program Files\Utilities\File\md5deep>md5deep64 c:\windows\system32\csrss.exe
60c2862b4bf0fd9f582ef344c2b1ec72 c:\windows\system32\csrss.exe

C:\Program Files\Utilities\File\md5deep>md5deep64 %TEMP%\csrss.exe
60c2862b4bf0fd9f582ef344c2b1ec72 C:\Users\Pamela\AppData\Local\Temp\csrss.exe

C:\Program Files\Utilities\File\md5deep>tigerdeep64 c:\windows\system32\csrss.exe
42e263a5861a1e3b8e411fec97994a32d2cdfc04cf54ab4b c:\windows\system32\csrss.exe

C:\Program Files\Utilities\File\md5deep>tigerdeep64 %TEMP%\csrss.exe
42e263a5861a1e3b8e411fec97994a32d2cdfc04cf54ab4b C:\Users\Pamela\AppData\Local\Temp\csrss.exe

C:\Program Files\Utilities\File\md5deep>whirlpooldeep64 c:\windows\system32\csrss.exe
def1e95668f22e06b605093df41d3bb635e7096860bb0adb6c405be49e723fb2497a8a2b64ca5d25519c4ba00c75facb0421bebc4df24f7c9918e0bb85f4c8f4 c:\windows\system32\csrss.exe

C:\Program Files\Utilities\File\md5deep>whirlpooldeep64 %TEMP%\csrss.exe
def1e95668f22e06b605093df41d3bb635e7096860bb0adb6c405be49e723fb2497a8a2b64ca5d25519c4ba00c75facb0421bebc4df24f7c9918e0bb85f4c8f4 C:\Users\Pamela\AppData\Local\Temp\csrss.exe

So I've no reason to suspect that the file in the %TEMP% directory is any different than the one in the C:\Windows\Temp directory. I thought that perhaps the only reason Malwarebytes Anti-Malware flagged it to be quarantined is that it was an exe file in the user's AppData\Local\Temp directory. It is possible that I copied the file there previously when I was checking on various files on the system when trying to eliminate a source of malware infection on the system and that an update to Malwarebytes Anti-Malware now has it mark any file in that directory as malware. I had Malwarebytes Anti-Malware quarantine the file and then copied another legitimate Microsoft Windows exe file, write.exe, and also the csrss.exe file from C:\Windows\System32 into that directory just to see if Malwarebytes Anti-Malware would flag them as malicious. It again detected csrss.exe as malicious, but did not report the write.exe file I copied into that directory from C:\Windows\system32 as malicious, so it doesn't seem to be judging all .exe files in that folder as potential threats, just certain ones.
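
The behaviour observed above is consistent with a name-and-location rule, where a system process name found outside System32 is flagged regardless of content. The following added example (not from the original post, and not Malwarebytes' actual logic, which the page does not document) implements such a rule and then uses a SHA-256 comparison with the system copy to separate a misplaced identical copy from a differing file; the watch list and the constructed stand-in files are assumptions.

```python
import hashlib, os, tempfile

# Assumption: a small watch list of Windows binaries expected only in System32.
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}

def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(candidate, system_dir):
    """Classify a file by name, location, and hash against the system copy."""
    name = os.path.basename(candidate).lower()
    if name not in SYSTEM_ONLY:
        return "not-watched"
    here = os.path.normcase(os.path.abspath(os.path.dirname(candidate)))
    if here == os.path.normcase(os.path.abspath(system_dir)):
        return "expected-location"
    reference = os.path.join(system_dir, name)
    if not os.path.isfile(reference):
        return "misplaced-no-reference"
    same = sha256_of(candidate) == sha256_of(reference)
    return "misplaced-identical-copy" if same else "misplaced-content-differs"

def demo():
    """Build constructed stand-ins for System32 and %TEMP% and triage each file."""
    with tempfile.TemporaryDirectory() as root:
        sys32, temp, other = (os.path.join(root, d) for d in ("System32", "Temp", "Other"))
        for d in (sys32, temp, other):
            os.mkdir(d)
        files = {(sys32, "csrss.exe"): b"constructed system bytes",
                 (temp, "csrss.exe"): b"constructed system bytes",
                 (other, "csrss.exe"): b"constructed different bytes",
                 (temp, "write.exe"): b"constructed write bytes"}
        for (d, n), data in files.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        return {f"{os.path.basename(d)}/{n}": triage(os.path.join(d, n), sys32)
                for d, n in files}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:28} {label}")
```

A "misplaced-identical-copy" verdict matches the case in this post; "misplaced-content-differs" is the one that warrants further analysis of the file.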

[/security/antivirus/Malwarebytes] permanent link

Wed, Nov 26, 2014 6:58 pm

Turning McAfee Total Protection Real-time protection off

Sometimes you may wish to temporarily disable the antivirus software on a system in order to scan the system with other antivirus/antispyware software. If you are using McAfee Total Protection as the antivirus software on a system, instructions for turning off its real-time scanning feature are listed here.

[/security/antivirus/mcafee] permanent link

Sun, Mar 02, 2014 10:40 pm

F-Secure Rescue CD 3.16

F-Secure provides a free Rescue CD which allows you to boot a PC from a CD and scan it for malware using F-Secure's antivirus software. The F-Secure Rescue CD will attempt to disinfect any infected files and will rename any it can't disinfect by putting a .virus extension at the end of the file name. By doing that, when you reboot the system into Microsoft Windows, the infected file will not be loaded into memory.

[ More Info ]

[/security/antivirus/f-secure] permanent link

Sat, Aug 11, 2012 5:18 pm

avast! IE 9 Stopped Working

On a Windows 7 system that came with avast! Free Antivirus preinstalled, whenever I was browsing the web with Internet Explorer 9, I would periodically see "Internet Explorer has stopped working" messages. When I clicked on the "View problem details" link in the window that appeared, I found the problem associated with the avast! antivirus program's asWebRepIE.dll Dynamic Link Library (DLL) module.

[ More Info ]

[/security/antivirus/avast] permanent link
