Author Topic: (SOLVED) AVGxxxxx.SYS Leftover Drivers: Avast Rootkit False Positive

thekochs

  • Guest
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #15 on: July 05, 2011, 03:02:10 PM »
Well, ran TDSSKiller as suggested above and it found nothing.....see attached.
Also ran MBAM again and nothing there.
I read another thread and seems Avast is seeing rootkits that specialized programs are not ?
http://forum.avast.com/index.php?topic=80667.0
Let me know what you guys think ?.....this just seems like false positive ?
« Last Edit: July 05, 2011, 03:07:56 PM by thekochs »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #16 on: July 05, 2011, 03:27:40 PM »
@ com155
I have just been asked to check this topic and you are jumping in with both feet with zero analysis; you have to look at the information presented to you. The files in the image all appear to be AVG drivers.

Pondus is correct in that these are AVG related files and had you checked this out first (google the file names) you would have been on to the right track.

So it looks like the OP is also running AVG (or remnants of it remain) with avast and it needs to be uninstalled or these conflicts are assured.

Even when this was pointed out to you, you continued firing off rootkit tools for the OP to run. This is both counter-productive and a waste of time, and likely to cause undue worry to the OP, not to mention shaking his confidence in avast, as these hidden drivers of AVG are apparently still running.

The anti-rootkit scan uses different methods to the regular scans so they wouldn't find anything wrong with these files. It also compares what the windows API says is running against what is actually running.

Once it was identified that there appear to be remnants of AVG on the system then that should have been the first thing to resolve.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

thekochs

  • Guest
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #17 on: July 05, 2011, 03:36:43 PM »
DavidR, thanks for your insights but I think when I posted the thread I suggested it was AVG.
However, the Google results on these files also say they have been known to be malware too.
Other posters have suggested the rootkit tools to try....not me.
I was happy to try the suggestions others posted.

I am open to any of your suggestions on what to try to remove.
As posted above I've used the AVG un-installer utility.
Also, reading your post it is your opinion this is a conflict, not a rootkit malware ?

I appreciate everyone's help...please provide any guidance.

Thx.
« Last Edit: July 05, 2011, 03:45:06 PM by thekochs »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #18 on: July 05, 2011, 03:50:09 PM »
Quote from: thekochs on July 05, 2011, 03:02:10 PM
    Well, ran TDSSKiller as suggested above and it found nothing.....see attached.
    Also ran MBAM again and nothing there.
    I read another thread and seems Avast is seeing rootkits that specialized programs are not ?
    http://forum.avast.com/index.php?topic=80667.0
    Let me know what you guys think ?.....this just seems like false positive ?

You say you actually checked in the c:\windows\system32\drivers folder to see if these files are present and they aren't, which is strange.

You could also try checking the registry for any reference to c:\windows\system32\drivers\avg*.sys entries, as there might also be legacy keys remaining.

~~~~
I don't know if the AVG removal tool you used was the correct one - there is a 32bit and 64 bit windows version, ensure you use the correct one for the version you installed. I think that version 8 of AVG will probably have been a 32bit version even though you may now have a 64bit OS.


####
From your last post:

1. My comments were directed @ com155 and not you (which is why I put the @ com155 at the top of the post).

2. In a way it is conflict as essentially they shouldn't be there and if they are then they are low level drivers (which hook files so they are scanned) and it is mainly these that conflict in normal use. The other problem being these are generally kernel mode drivers and hidden from the system and it is this method of hiding that is causing the issue with the anti-rootkit scan.

I would say keep ignoring them on the alert and keep reporting them as possible false positive.
« Last Edit: July 05, 2011, 03:51:53 PM by DavidR »
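A practitioner's way to do the two checks DavidR describes above from an elevated PowerShell prompt: find driver service entries in the registry that still reference AVG drivers, see whether the image file is actually on disk, and put that next to what the Windows API reports as loaded (the "API view" side of the comparison an anti-rootkit scan makes). This is an added example, not code from the thread, from Avast or from AVG; the `avg*` filter, the function names and the output columns are the example's own assumptions.

```powershell
# Added example, not from the thread: cross-check registry driver entries against
# the files on disk and against what the Windows API reports as loaded.
# The 'avg*' filter and all function names are this example's own assumptions.
$Pattern = 'avg*'

function Resolve-ImagePath {
    # Normalise the forms a driver's ImagePath takes into an absolute path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\system32\... -> C:\Windows\system32\...
    if ($p -notmatch '^[A-Za-z]:\\') {                  # system32\DRIVERS\x.sys is relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverServiceReport {
    param([string]$NamePattern = $Pattern)

    # The "API view": drivers the service control manager knows about and their state.
    $apiView = @{}
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $apiView[$d.Name.ToLower()] = $d
    }

    # The "registry view": every driver service registered to load at boot or on demand.
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        # Type 1 = kernel driver, 2 = file-system driver; anything else is a user-mode service
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }

        $name = $key.PSChildName
        $img  = Resolve-ImagePath $svc.ImagePath
        $leaf = if ($img) { Split-Path -Path $img -Leaf } else { '' }
        if ($name -notlike $NamePattern -and $leaf -notlike $NamePattern) { continue }

        $exists = if ($img) { Test-Path -LiteralPath $img } else { $false }
        $api    = $apiView[$name.ToLower()]
        $state  = if ($api) { $api.State } else { 'not reported by API' }

        [pscustomobject]@{
            Service    = $name
            Start      = $svc.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $img
            FileExists = $exists
            ApiState   = $state
        }
    }
}

Get-DriverServiceReport | Format-Table -AutoSize
```

An entry with Start 0, 1 or 2 whose FileExists is False is an orphaned registration: the loader will try to start a driver that is no longer there. An entry whose file exists and whose ApiState is Running, but which other tools do not list, is the kind of discrepancy a cross-view rootkit scan flags. Note the script only ever sees the user-mode view, so a driver that really hides itself from the API would be missing from the ApiState column too. Before deleting any Services key, export it with `reg export` so the change can be reversed.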

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #19 on: July 05, 2011, 08:31:18 PM »
No, they are remnants from AVG, but the function of the files/drivers has rootkit characteristics.

Try this if the AVG removal tool does not clear it all.

Download AppRemover.

Uninstall AVG via Programmes and Features
Run the AVG removal tool

Run AppRemover
Click Next >>

Ensure "Remove Security Application" is selected and click Next >>

AppRemover will scan all the security applications on your PC

Select any AVG entries from the applications offered and click Next >> twice.

Follow any further on-screen instructions. If asked to reboot, please do so.

thekochs

  • Guest
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #20 on: July 06, 2011, 03:30:59 AM »
Well, no joy/luck with AppRemover.....see attached....all it found was Avast.

At this point I'm pretty convinced these are not malware but a conflict with some old AVG "drivers" that were not cleanly uninstalled.  The question becomes, can I find a way to get rid of them, or hope that Avast updates their software/DB to mark them as false positives.

My last/next efforts will be to boot into Safe Mode and turn off the "hide O/S files" and see if these three files are visible within Windows directory...perhaps I can move/rename.

If no luck there then the last "brute force" method I can think of is to uninstall Avast with its complete uninstaller, run CCleaner (files/reg), install AVG10 (2011), run AVG complete uninstaller, run CCleaner, run AppRemover, install Avast, see if I get same error.

As FYI, I have one other XP machine doing exact same thing but not my 64bit brand new W7 HP Pavilion DM4 laptop....Avast runs fine...no rootkit popup.  I initially installed old AVG9 on it, then uninstalled, then installed Avast.  Besides these laptops being different inherently, the big diff I see is that the two XP machines had AVG10 (2011) installed....then removed when we saw how BAD it was.  AVG10/2011 never saw the new HP W7 machine....AVG10/2011 has a lot more "security" in it than AVG9...perhaps the "root" of the issue...ha...ha. :)

Any other suggestions let me know ?
« Last Edit: July 06, 2011, 03:36:32 AM by thekochs »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #21 on: July 06, 2011, 07:22:52 PM »
Or you could run OTS and I will see if I can find the files, then kill them.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

thekochs

  • Guest
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #22 on: July 06, 2011, 09:43:04 PM »
Well, first thanks to all posters on this thread !!!

I spent the last three hours....clean uninstall Avast (thru util), CCleaner, AppRemover, install latest AVG10/2011, clean uninstall AVG10/2011 (thru latest util), CCleaner, AppRemover, RE-install of Avast.....and bang....the rootkit scan saw these files again....ugh !!!!!

At this point I'll try OTS but I'm convinced this is a false positive from Avast Rootkit....not Avast fault because this is left over crud from AVG....one more reason of hundred I want away from their software.

So, I've spent a few days of my vacation now trying to run this down and I really appreciate everyone's help....really !!!  I'm open to any other suggestions and I'll feed back the log when I run OTS (FYI, I have System Restore turned off since I use RollBack RX so I'll not include that portion of the instructions...let me know if any issue there).

Any chance Avast will post to this thread that they will log this/these as false positive in their rootkit and remove in next virus DB or program update ?  Long term I'm not sure I can have these popups and scans show these hits.

Regards.
« Last Edit: July 06, 2011, 09:50:03 PM by thekochs »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #23 on: July 06, 2011, 11:22:05 PM »
It just so happens that AVG is vulnerable to infection; a few days ago one of the AVG drivers was infected and I had to remove the entire programme manually.  Needless to say the user has now changed to Avast.

thekochs

  • Guest
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #24 on: July 07, 2011, 02:14:52 AM »
essexboy,

I went ahead and ran OTS....attached is txt log.
Can you decipher ?.....not sure if it means anything.

Thx.

P.S.  I tried again to hit ignore on the popup and it appears this no longer is coming up at boot...perhaps the ignore finally took. However, if I run a FULL scan that has the rootkit scan it sees the three files....but can't delete or move to Virus Chest. There is no "ignore" option in the log files ?....wish Avast would add one.

Last item I can think of while I await feedback on the OTS log is to run CHKDSK /F on reboot to fix any file index problems. Not sure this would resolve it but worth a try.
« Last Edit: July 07, 2011, 02:41:37 PM by thekochs »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Newbie Help Needed: AVGxxxxx.SYS Avast Rootkit Message
« Reply #25 on: July 07, 2011, 07:40:56 PM »
Intriguing, I cannot see any AVG drivers there.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1708537768-261903793-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1708537768-261903793-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "AvgUninstallURL" -> C:\WINDOWS\System32\cmd.exe [cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0AMQA0ADEANQAzADYAOAA5ADkALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAEYAUAA5ACsANgAtAEIAQQBSADkARwArADEALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAyAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\AVG\AVG10\avgmfapx.exe" -> [C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer]
YN -> "C:\Program Files\AVG\AVG8\avgnsx.exe" -> [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe]
YN -> "C:\Program Files\AVG\AVG8\avgupd.exe" -> [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

thekochs

  • Guest
AVGxxxxx.SYS: Avast Rootkit False Positive
« Reply #26 on: July 07, 2011, 11:11:19 PM »
essexboy,

Thanks for the suggestion but I'm very hesitant to spend time on a fix that may have other impacts to the system....basically intrusive.  Talking with others, this clearly is a false positive by Avast....even though it is left over crud from AVG, not one other rootkit tool I've run sees the issue...I've now run six.  I think doing more to the system for a false positive runs the risk of being counter-productive.  I'm only hoping that the Avast folks will agree and change their program or DB to reflect this...after all I assume others switching from AVG will have the same issue....since I have two PCs that are different machines showing the identical issue.

I did run the CHKDSK and while it did fix some index issues a FULL SCAN (includes their rootkit scan) from Avast still shows these three files as high risk but no way to delete, move to Virus Chest or "ignore" (no option for ignore).  I would at least like the "ignore" option like in the Avast rootkit popup warning....seems that it finally took my "ignore" effort there but guess this does not apply to a scan ?

Anyway, I may change my mind if there are more problems down the road but for now I think it should be left to the Avast folks to fix.  As FYI, when you run OTS Avast pops up saying you are about to run an unsafe program and you should run it in their "sandbox", and if you do, anything it does will not be saved, etc....guess kinda a "shield"....again, I'm new to Avast.

Regards.
« Last Edit: July 07, 2011, 11:20:28 PM by thekochs »

thekochs

  • Guest
SOLVED: AVGxxxxx.SYS Leftover Drivers: Avast Rootkit False Positive
« Reply #27 on: July 18, 2011, 09:55:40 PM »
I wanted to post the resolution.....found it.

It seems that even though I uninstalled "AVG" the AVG web searcher was still installed.
This is even though nothing shows in the Windows Add/Remove.
So, I went ahead and installed Google's search add-in/toolbar as default.
I then went into Internet Explorer and within the add-ons console deleted the AVG add-in.

I re-ran Avast FULL scan with rootkit and no issues found.

Thx for all the help.....hope this thread helps someone else.
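The resolution above, and the "Reg Error: Key error" BHO and toolbar entries in essexboy's OTS fix, both come down to Internet Explorer add-on registrations that outlived the uninstaller. The following added example (not code from the thread, from Avast or from AVG) inventories IE Browser Helper Objects, toolbars and search providers from the registry, resolves each CLSID to its COM server DLL, and flags entries whose DLL is gone or whose name matches a pattern. It is read-only; the `*avg*` filter and the function names are the example's own assumptions, and on a 64-bit system both the native and the Wow6432Node hives are checked.

```powershell
# Added example, not from the thread: inventory IE add-ons from the registry and
# flag dead or pattern-matching registrations. Read-only; removal is left to you.
# The '*avg*' filter and the function names are this example's own assumptions.
$Pattern = '*avg*'
$GuidRx  = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid {
    # Map a CLSID to its friendly name and InprocServer32 DLL, checking the
    # 64-bit, 32-bit (Wow6432Node) and per-user COM registrations in turn.
    param([string]$Clsid)
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($r in $roots) {
        $key = Join-Path $r $Clsid
        if (-not (Test-Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $srv  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        $dll  = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.Trim('"')) } else { $null }
        return [pscustomobject]@{ Name = $name; Dll = $dll; Registered = $true }
    }
    return [pscustomobject]@{ Name = $null; Dll = $null; Registered = $false }
}

function Get-IEAddons {
    param([string]$NamePattern = $Pattern)
    $found = @()

    # Browser Helper Objects: one subkey per CLSID, machine-wide (native and 32-bit views)
    foreach ($bho in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        if (-not (Test-Path $bho)) { continue }
        foreach ($k in Get-ChildItem $bho) { $found += @{ Kind = 'BHO'; Clsid = $k.PSChildName } }
    }

    # Toolbars: the CLSIDs are value names, machine-wide and per-user (WebBrowser/ShellBrowser)
    foreach ($tb in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
                    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser') {
        if (-not (Test-Path $tb)) { continue }
        foreach ($v in (Get-Item $tb).GetValueNames()) {
            if ($v -match $GuidRx) { $found += @{ Kind = 'Toolbar'; Clsid = $v } }
        }
    }

    foreach ($f in $found) {
        $com    = Resolve-Clsid $f.Clsid
        $exists = if ($com.Dll) { Test-Path -LiteralPath $com.Dll } else { $false }
        # Suspect: COM class no longer registered, DLL missing, or name/path matches the pattern
        $suspect = (-not $com.Registered) -or (-not $exists) -or
                   ("$($com.Name)" -like $NamePattern) -or ("$($com.Dll)" -like $NamePattern)
        [pscustomobject]@{
            Kind = $f.Kind; Clsid = $f.Clsid; Name = $com.Name
            Dll = $com.Dll; DllExists = $exists; Suspect = $suspect
        }
    }
}

function Get-IESearchProviders {
    # Per-user search scopes; DefaultScope on the parent key names the active provider.
    $root = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $root)) { return }
    $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
    foreach ($k in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $k.PSPath
        [pscustomobject]@{
            Scope = $k.PSChildName; DisplayName = $p.DisplayName
            Url = $p.URL; IsDefault = ($k.PSChildName -eq $default)
        }
    }
}

Get-IEAddons | Sort-Object Suspect -Descending | Format-Table -AutoSize
Get-IESearchProviders | Format-Table -AutoSize
```

A BHO or toolbar row with Registered False is exactly what the OTS log rendered as "Reg Error: Key error": IE is told to load a COM class that no longer exists. A row with a Name or Dll matching the pattern and DllExists True is a live add-on that an uninstaller left behind, which is what the Manage Add-ons console in IE removes; the search-provider table shows which scope is still the default, so a leftover provider can be spotted even when Add/Remove Programs lists nothing.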