Author Topic: Potential Malware? New Avast Browser processes and files installed on startup  (Read 2379 times)

Offline kravmagaclay

  • Newbie
  • *
  • Posts: 7
Today (6/4/2020), upon starting up my laptop, I noticed two new processes in the Task Manager (Image 1). The processes are named Avast Browser (32bit) and Avast Browser Setup (32bit). I had Avast Secure Browser installed on my laptop and have had it installed for a while (although I never used it); however, I had never seen those specific processes before. I had seen different Avast Browser Updater processes before, of course, but these specific ones were different (as in different process thumbnails, etc.).

Upon checking the file locations of these new processes, I noticed they were in an entirely new folder which was created today, upon startup. The folder name is GUMFFAD.tmp, and its path is C:\Program Files (x86)\GUMFFAD.tmp. This made me suspicious as it is not even in the Avast folder. I scanned the files (and entire folder, which is 26.1MB) responsible for both processes and Avast showed they were clean. Upon checking the properties of the processes (Image 4), I noticed they were, as I stated, created today upon startup. I also noticed they were digitally signed files (AVAST Software - sha256 - Tuesday January 7 2020 7:39:36PM - Avast Software s.r.o.) (Image 3). Upon trying to kill the processes via Task Manager, they refused to cease running.

Despite being digitally signed files which show clean upon scanning, I am still suspicious of these files/processes due to the fact that they were created upon startup without my permission or notifying me (as in the Avast program did not notify me of these files being created in an update or something). It is also worth noting that upon seeing these new processes in the Task Manager I uninstalled Avast Secure Browser via Control Panel to see if the processes would remain afterwards, and they did (meaning these processes, which are supposedly for the Avast Secure Browser, are still on the computer and still running despite Avast Secure Browser no longer being on the computer).

I would like to know if these are legitimate Avast files and processes or if they are malware, and, if they are legitimate Avast files, how to remove these processes from my laptop (after all, I do not have or use Avast Secure Browser anymore).

Images: https://imgur.com/a/jBCcVAr
Images also attached to post
« Last Edit: June 05, 2020, 03:32:03 AM by kravmagaclay »

Offline r@vast

  • Avast team
  • Massive Poster
  • *
  • Posts: 2761
Hi,

Based on your screenshots, these look like the normal files associated with Avast Secure Browser.
Concerning the ASB processes remaining after you uninstalled Avast Secure Browser, did you restart your device?
If you still notice these ASB processes in Task Manager, could you please try the uninstaller tool at https://support.avast.com/en-ww/article/Uninstall-Secure-Browser/

Offline kravmagaclay

  • Newbie
  • *
  • Posts: 7
Thank you, restarting my computer did the trick (although weirdly enough it had to be an actual restart; simply shutting off then turning back on the laptop didn't fix it). After the restart the files remained; however, the processes did not start back up, so I deleted the folder (GUMFFAD.tmp) associated with the undesired processes. It seems to not have affected Avast at all, since those files were (as far as I can tell) part of the Avast Secure Browser and not core Avast processes. Something of note is that running the uninstaller seemed to do nothing (I ran it before the restart, while those processes were running in Task Manager). It started up and then the window simply closed and nothing happened (hence why I deleted the GUMFFAD.tmp folder manually while the processes were not running after the restart).
« Last Edit: June 06, 2020, 01:22:18 AM by kravmagaclay »

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1533
Quote from kravmagaclay: "Thank you, restarting my computer did the trick (although weirdly enough it had to be an actual restart, simply shutting off then turning back on the laptop didn't fix it)...."
@kravmagaclay,
People are still unaware that Shutdown followed by startup in later versions of Windows does not perform a proper reboot, more a hibernation/wakeup.
You have to do a "Restart" to perform a full reboot. It is a "Restart" that is generally asked for following software installation.
Glad that worked for you.
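
Added example, not part of any post in this thread and not Avast's own tooling: a PowerShell sketch of the checks discussed above (Authenticode signature of the files in the unexpected folder, which running processes load from it, and whether Fast Startup is why a shutdown did not clear them). The folder path and signer name are the ones quoted in the first post; run it from an elevated prompt so process paths are readable.

```powershell
# Values taken from the thread; change them for your own case.
$folder         = 'C:\Program Files (x86)\GUMFFAD.tmp'
$expectedSigner = 'Avast Software s.r.o.'

# 1. Authenticode status and signer of every EXE/DLL in the folder.
#    'Valid' means the file hash matches the signature and the chain is trusted.
Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File           = $_.Name
            Created        = $_.CreationTime
            Status         = $sig.Status
            Signer         = $subject
            MatchesExpected = ($sig.Status -eq 'Valid' -and $subject -like "*$expectedSigner*")
        }
    } | Format-Table -AutoSize -Wrap

# 2. Running processes whose image lives in that folder.
Get-Process |
    Where-Object { $_.Path -and
                   $_.Path.StartsWith($folder, [System.StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize -Wrap

# 3. Fast Startup state. When HiberbootEnabled is 1, "Shut down" hibernates the
#    kernel session instead of doing a full reboot; "Restart" always reboots fully.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
                          -Name HiberbootEnabled -ErrorAction SilentlyContinue
if ($power -and $power.HiberbootEnabled -eq 1) {
    'Fast Startup is ON: use Restart (not Shut down) to complete pending uninstalls.'
} else {
    'Fast Startup is OFF or not configured: a shutdown performs a full boot.'
}
```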