Windows Files Flagged as Malware by Avira Rescue System Scan

Some antivirus companies provide "rescue system" software that you can download for free and use to create a bootable DVD or flash drive, which boots a PC outside of Windows and scans the system for viruses and other malware. The software can be used if a system won't boot because of the malware. Avira, a German antivirus company, provides Avira Rescue System antivirus software that can be used to scan a system running a Microsoft Windows operating system. The ISO file that you download to create a bootable DVD or flash drive contains the Ubuntu Linux operating system, but you don't need to be familiar with a Linux operating system to use the software.

When I scanned an HP PC running Microsoft Windows 11 with Avira Rescue System antivirus software installed on a USB flash drive, the antivirus software reported it found two infected files.

2 Infected Files Found

When I clicked on View details, I saw that both files were in Windows directories.

2 Infected Files Details

It wasn't possible to view the full directory path and file name for a file reported as containing malware until I hovered the mouse pointer over a file name, but then I could see that one file was /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe and the other was /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe. The /media/sda3-58C8CC6BC8CC4948/ part of the file path is where Ubuntu mounted the hard disk drive in the computer. Both files were under the C:\Windows directory.

Full File Path

Though the files were in two different directories, the file names were the same. I opened a terminal window, which you can do by clicking on the table with 3 rows and 3 columns of squares at the lower, left-hand corner of the screen and selecting Show Applications and then Terminal. When I checked the MD5 hashes for each using the md5sum program that is provided with Ubuntu, I found that the values matched, i.e., they were both 26ca46e89601b135155cbf8c3e5318c4, so the files are identical.

avira@avira:~$ md5sum /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe
26ca46e89601b135155cbf8c3e5318c4 /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe
avira@avira:~$ md5sum /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe
26ca46e89601b135155cbf8c3e5318c4 /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe
avira@avira:~$

I suspected the identification of the files as infected represented false positives. I uploaded one of the files to VirusTotal, a Google-provided website which allows you to upload a file to be checked by multiple antivirus programs. None of the 73 antivirus programs that VirusTotal used to check the file reported any malware, and the site also reported the file as being copyrighted by Microsoft Corporation. I didn't upload the second file since its MD5 hash matched the MD5 hash for the file I uploaded, indicating the files are identical.

VirusTotal report: ActionFXRuntimeExe.dll
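The hash comparison above generalizes to any number of flagged files. The following script is an added example, not part of the original post: it groups flagged paths by content so each distinct binary needs only one lookup, and it uses SHA-256 instead of the MD5 shown above. The function names and the script name `triage.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: triage scanner-flagged files by content before acting on them.
# SHA-256 is used here instead of the MD5 shown on the page.

# unique_flagged FILE...
# Prints one line per distinct file content: <sha256> TAB <count> TAB <first path>.
# Unreadable paths are reported on stderr and skipped.
unique_flagged() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skip (unreadable): $f" >&2
            continue
        fi
        # Hash via stdin so the output never contains an escaped file name.
        digest=$(sha256sum < "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$digest" "$f"
    done | LC_ALL=C sort | awk -F'\t' '
        $1 != prev { if (prev != "") print prev "\t" n "\t" first
                     prev = $1; first = $2; n = 0 }
        { n++ }
        END { if (prev != "") print prev "\t" n "\t" first }'
}

# same_content A B: exit 0 only if the two files are byte-for-byte identical.
same_content() { cmp -s -- "$1" "$2"; }

# is_hardlink A B: exit 0 if both paths name the same on-disk file
# (same device and inode), i.e. one file with two names, not two copies.
is_hardlink() { [ "$1" -ef "$2" ]; }

# Usage: sh triage.sh /media/<mount>/path/one.exe /media/<mount>/path/two.exe
if [ "$#" -gt 0 ]; then
    unique_flagged "$@"
fi
```

A count greater than 1 on a line means several flagged paths hold the same bytes, so a single lookup of that digest covers all of them.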

So rather than choosing "Rename malicious files" or "Delete malicious files" in the Avira Rescue System window, I chose "Cancel" and closed the Avira Rescue System window.