Event Viewer logging Error Event 7000 from Service Control Manager

A Windows Server 2019 machine was logging the following error every hour:

The atc service failed to start due to the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Inspecting the registry, the following was found:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atc

which had an ImagePath value pointing to the file C:\Windows\System32\drivers\atc.sys

On the Details tab of the Properties dialog for atc.sys, the description identified it as BitDefender Active Threat Control Filesystem Minifilter (AntiVirus); however, this product was not currently installed on the server.

The service was uninstalled using the command prompt:

sc delete atc

To find other Bitdefender leftovers, add Product Name to the Windows File Explorer columns, then sort and look for Bitdefender. I found several others:

Trufos.sys (Bitdefender Antivirus Kernel Module)
bddci.sys (Bitdefender BDDCI filter driver)
gzflt.sys (Bitdefender Gonzales File System Driver)
ignis.sys (Bitdefender IGNIS Firewall)

sc delete trufos
sc delete bddci
sc delete gzflt
sc delete ignis

Then reboot to flush the deleted services.
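
A scripted version of the File Explorer search above, as an added example that is not part of the original post: it lists kernel and file system driver services whose binary is missing, fails signature verification, or carries the vendor string in its version info. The $vendor value and the Resolve-DriverPath helper are assumptions made for illustration.

```powershell
# Added example: read-only report of driver services whose binary is
# missing, not validly signed, or carries the vendor string. Nothing is deleted.
$vendor = 'Bitdefender'   # assumption: vendor string to match, taken from the post
$root   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath([string]$ImagePath, [string]$Name) {
    # A driver service with no ImagePath defaults to System32\drivers\<name>.sys
    if (-not $ImagePath) { return Join-Path $env:SystemRoot "System32\drivers\$Name.sys" }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

Get-ChildItem $root | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.Type -notin 1, 2) { return }   # 1 = kernel driver, 2 = file system driver
    $path = Resolve-DriverPath $svc.ImagePath $_.PSChildName
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
            else       { 'FileMissing' }
    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $svc.Start    # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Path      = $path
        Product   = $file.VersionInfo.ProductName
        Company   = $file.VersionInfo.CompanyName
        Signature = $sig
    }
} | Where-Object {
    # Keep anything that would fail to load cleanly, plus every vendor match
    $_.Signature -ne 'Valid' -or "$($_.Product) $($_.Company)" -match $vendor
} | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Review each row before removing anything: a vendor match only means the version info names that vendor, so confirm the product really is uninstalled before running sc delete on the service.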
