Some antivirus companies provide "rescue system" software that you can download for free and use to create bootable DVDs or flash drives to boot a PC outside of Windows and scan the system for viruses and other malware. The software can be used if a system won't boot because of the malware. Avira, a German antivirus company, provides Avira Rescue System antivirus software that can be used to scan a system running a Microsoft Windows operating system. The ISO file that you download to create a bootable DVD or flash drive contains the Ubuntu Linux operating system, but you don't need to be familiar with a Linux operating system to use the software.
When I scanned an HP PC running Microsoft Windows 11 with Avira Rescue System antivirus software installed on a USB flash drive, the antivirus software reported it found two infected files.
When I clicked on View details, I saw that both files were in Windows directories.
It wasn't possible to view the full directory path and file name for a file reported as containing malware until I hovered the mouse pointer over a file name, but then I could see that one file was /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe and the other was /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe.
The /media/sda3-58C8CC6BC8CC4948/ part of the file path is where Ubuntu mounted the hard disk drive in the computer. Both files were under the C:\Windows directory.
Though the files were in two different directories, the file names were the same. I opened a terminal window, which you can do by clicking on the table with 3 rows and 3 columns of squares at the lower, left-hand corner of the screen and selecting Show Applications and then Terminal. When I checked the MD5 hashes for each using the md5sum program that is provided with Ubuntu, I found that the values matched, i.e., they were both 26ca46e89601b135155cbf8c3e5318c4, so the files are identical.
avira@avira:~$ md5sum /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe
26ca46e89601b135155cbf8c3e5318c4 /media/sda3-58C8CC6BC8CC4948/Windows/SystemApps/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/ActionFXRuntimeExe.exe
avira@avira:~$ md5sum /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe
26ca46e89601b135155cbf8c3e5318c4 /media/sda3-58C8CC6BC8CC4948/Windows/WinSxS/amd64_userexperience-desktop_31bf3856ad364e35_10.0.26100.3323_none_c8245b8d1a47492a/CBS/ActionFXRuntimeExe.exe
avira@avira:~$
I suspected the identification of the files as infected represented false positives. I uploaded one of the files to VirusTotal, a Google-provided website which allows you to upload a file to be checked by multiple antivirus programs. None of the 73 antivirus programs that VirusTotal used to check the file reported any malware and the site also reported the file as being copyrighted by Microsoft Corporation. I didn't upload the second file since its MD5 hash matched the MD5 hash for the file I uploaded, indicating the files are identical.
VirusTotal report: ActionFXRuntimeExe.dll
So rather than choosing "Rename malicious files" or "Delete malicious files" in the Avira Rescue System window, I chose "Cancel" and closed the Avira Rescue System window.
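The duplicate check described above, generalized as an added example that is not part of the original post: it groups any number of flagged files by SHA-256 (used here instead of MD5, which is open to practical collisions) so each distinct binary only has to be checked once, and maps the rescue system's mount path back to the Windows path. The function names, the constructed demo files, and the assumption that the mounted partition is the C: volume belong to this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage scanner detections by hash.

# Map a rescue-system path like /media/sda3-XXXX/Windows/... to C:\Windows\...
# Assumption: the volume mounted under /media/<name>/ is the Windows C: drive.
to_windows_path() {
  printf '%s\n' "$1" | sed 's#^/media/[^/][^/]*/#C:/#' | tr '/' '\\'
}

# For the given files print one line per distinct SHA-256:
#   <sha256>  <number of copies>  <first path seen>
unique_hashes() {
  sha256sum -- "$@" | awk '
    { h = $1; sub(/^[^ ]+ [ *]/, "")          # $0 is now just the path
      n[h]++; if (!(h in first)) first[h] = $0 }
    END { for (h in n) printf "%s  %d  %s\n", h, n[h], first[h] }' | sort
}

# Demo on constructed files: two identical copies (as in the post) plus one
# different file. Contents are placeholders, not real Windows binaries.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/Windows/SystemApps/App" "$root/Windows/WinSxS/Component/CBS"
  printf 'constructed sample A' > "$root/Windows/SystemApps/App/ActionFXRuntimeExe.exe"
  cp "$root/Windows/SystemApps/App/ActionFXRuntimeExe.exe" \
     "$root/Windows/WinSxS/Component/CBS/"
  printf 'constructed sample B' > "$root/Windows/other.exe"
  unique_hashes "$root/Windows/SystemApps/App/ActionFXRuntimeExe.exe" \
                "$root/Windows/WinSxS/Component/CBS/ActionFXRuntimeExe.exe" \
                "$root/Windows/other.exe"
  rm -rf "$root"
}

# With file arguments, hash those files; with none, run the demo.
if [ "$#" -gt 0 ]; then
  unique_hashes "$@"
else
  demo
fi
```

A line with a count above 1 means the scanner flagged several copies of the same file, so a single lookup of that hash covers all of them.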