Avast! file ngiodriver running during definition updates.

[REDACTED]

Okay so for the past few days now, whenever the Avast definition updater (instup.exe) runs to update the current virus definitions a process I've never seen running before runs and when I check my windows logs in the Event Viewer I constantly get this message.

"A service was installed in the system.

Service Name:  qsdqcowy
Service File Name:  C:\Windows\system32\drivers\ngiodriver_x64
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:"

Is this normal? Cause I could have swore this didn't run before. And it does this every time the setup runs now... even if I manually check for updates. The definition update process also seems to be taking longer when updating and eating up more resources than usual too. The program info above...also... the service name changes every time it happens, to a new randomly generated random set of letters.

I did a fresh reinstall of 11.2.2262 just a couple of hours ago and the same thing is happening.

Can someone shed some light on this? 

EDIT: I'm on Avast! Free Antivirus. Windows 7 Home Premium SP1. I thought this ngiodriver file was for full versions of the product only? Also... I cannot even find the file in the folder the log specified... the ngiodriver file is in Avast! Antivirus/setup folder, not in the System 32 directory... no sign of it at all.

[Eddy]

Looks to me like part of NG, that is changed/replaced in the beta versions already.

[REDACTED]

Looks to me like part of NG, that is changed/replaced in the beta versions already.

This is NOT a full version of the program. It's Avast! Free 11.2.2262. NG doesn't come with the free version, does it?

[Eddy]

It is in the free version also.
Nothing to worry about as I see it.

[REDACTED]

It is in the free version also.
Nothing to worry about as I see it.

Hmmm... I didn't know this. What exactly is NG? Why is it creating these seemingly temporary services that change every time the program updates?

Also... It was not doing this last week. I check my logs quite frequently. So why now? I can replicate this every time I try to manually update the definitions... I check Computer Management > Event Viewer > System Logs and I can see every instance of it.

Whenever an update happens, 2 instances of Instup.exe run, but according to the Avast! folder, there is only 1 .exe. There are also 2 instances of this every time:

A service was installed in the system.

Service Name:  vrxstpjd (randomly generated every time though, 7 different letters... looks fishy)
Service File Name:  C:\Windows\system32\drivers\ngiodriver_x64 (dunno why it's referencing this path, the ngiodriver_x64 file isn't even this folder... I've checked... it's in Avast! Antivirus/setup.)
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account: 

Sorry if I seem like a pain, but I don't know much about these types of things and I get a little stressed out when I see things happening to programs I have installed that I've never seen before. And I've never seen this.

[Eddy]

AVAST NG is a hardware based virtualization solution capable of running each Windows process in standalone safe virtualized environment (VM) and is fully integrated to your desktop.
Each process is executed in its own instance of VM, which means totally isolated from your other applications.

[REDACTED]

AVAST NG is a hardware based virtualization solution capable of running each Windows process in standalone safe virtualized environment (VM) and is fully integrated to your desktop.
Each process is executed in its own instance of VM, which means totally isolated from your other applications.

Ahhh... but does that have any basis on why my computer is acting the way it is? If what you say is true and NG has always been a part of Avast! Free, then why has this behaviour never happened before?

This is the first time I've seen this happen... is this a normal thing? Or was it added in a recent update or something?

[REDACTED]

No other news on this? Please? I need some help to figure out what's going on here.

Whenever the Avast! Update Installer runs (instup.exe) it runs a process (according to my task manager) and then immediately runs a second process of itself a moment later which accesses the ngiodriver file which then immediately decides to create randomly generated services to my system. (according to my logs)

This behaviour doesn't seem normal... and it's worrying me a lot. I had this same version of the program installed about a week ago and it wasn't acting like this.. instead just activating one single instup.exe process when activating the update installer... and I've done a fresh install since then and it's acting the exact same way.

[NON]

I have had these randomly generated driver for certain time, appearing in device manager as non-existent driver.

Just my speculation: I feel this randomly generated driver is a part of Avast Self Defense Module, to protect Avast installer from malware.
The reason why the name is random is to prevent malware from blocking Avast Self Defense Module to load, as fixed name could be easily recognized and blocked by malware.
These driver seems to be generated early stage of installation from installer, and deleted when finished.

Why the behavior is changed recently is beyond for me, Avast might changed its behavior for some reason.
Or, I just didn't try and see what happens when manual update is initiated.

Personally, I don't think there is anything to worry about.

[REDACTED]

I have had these randomly generated driver for certain time, appearing in device manager as non-existent driver.

Just my speculation: I feel this randomly generated driver is a part of Avast Self Defense Module, to protect Avast installer from malware.
The reason why the name is random is to prevent malware from blocking Avast Self Defense Module to load, as fixed name could be easily recognized and blocked by malware.
These driver seems to be generated early stage of installation from installer, and deleted when finished.

Why the behavior is changed recently is beyond for me, Avast might changed its behavior for some reason.
Or, I just didn't try and see what happens when manual update is initiated.

Personally, I don't think there is anything to worry about.

EDIT: It also creates these services when it auto-updates too, the same problem occurs whether it's a manual or auto update.

So is something trying to attack Avast! then? I've done malware/virus scans today and for the past few days, with no luck.

And yeah, these drivers don't seem to stick around for very long, I never see them anywhere in Device Manager when they load but I'm still worried that 2 instances of instup.exe are loading when a manual update is checked for... according to my resource monitor... when the instup.exe runs... it will run the normal installer, the one that always runs, but then this installer shuts down for some reason and another starts in it's place which activates the ngiodriver part... and this second process eats up some RAM, even when an update is not found but also has many hard faults...

EDIT: This happens whether or not it's a manual or auto-update. Even when it auto-updates many processes of the instup.exe run at once and these ngiodriver based services are created. Pretty much every time the installer runs, according to my Computer Management logs.

2 instances of instup run.
2 instances of the randomly generated services created by ngiodriver_64 run.

I'm at a loss as to what is going on here. This is a fresh install... I used AvastClear about a few hours ago and did a fresh reinstall and the behaviour persists.

[Eddy]

Stop worrying.
It is perfectly normal behavior and there is nothing wrong.

[REDACTED]

Stop worrying.
It is perfectly normal behavior and there is nothing wrong.

Is it though? I don't know because I'm just a user... I have no knowledge of how Avast! works, technologically. And this behaviour just started all of a sudden.

And yes, I know I do worry a lot... it's just how I am. But how am I to know if this is normal and not suspicious behaviour? Infact... in all honesty... I've never seen this ngiodriver thing at all until now. I've been using Avast!'s software for years... from all the way back in version 2012 to now and I've never seen the program act this way before. And it also wasn't running like this last week either and I was running the same exact program version then. (11.2.2262)

So why has this changed now? That's all I want the answer to. There's no need to be so callus toward someone who is just genuinely worried. 

[mchain]

Reported your issue to avast team member.

[REDACTED]

Reported your issue to avast team member.

Thanks. I'm just trying to see if this is a normal thing or not. Kinda seems that it isn't though, cause if it were people would probably just say that it's a thing because it happens on their system too...

Hope I hear something soon. Even if it is just confirmation that what I'm experiencing is a normal thing it should be doing. It would put my mind at more ease. 

[RejZoR]

NG has been removed/disabled. Probably just a remnant.