Okay so for the past few days now, whenever the Avast definition updater (instup.exe) runs to update the current virus definitions a process I’ve never seen running before runs and when I check my windows logs in the Event Viewer I constantly get this message.
"A service was installed in the system.
Service Name: qsdqcowy
Service File Name: C:\Windows\system32\drivers\ngiodriver_x64
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:"
Is this normal? Cause I could have swore this didn’t run before. And it does this every time the setup runs now… even if I manually check for updates. The definition update process also seems to be taking longer when updating and eating up more resources than usual too. The program info above…also… the service name changes every time it happens, to a new randomly generated random set of letters.
I did a fresh reinstall of 11.2.2262 just a couple of hours ago and the same thing is happening.
Can someone shed some light on this?
EDIT: I’m on Avast! Free Antivirus. Windows 7 Home Premium SP1. I thought this ngiodriver file was for full versions of the product only? Also… I cannot even find the file in the folder the log specified… the ngiodriver file is in Avast! Antivirus/setup folder, not in the System 32 directory… no sign of it at all.
Hmmm… I didn’t know this. What exactly is NG? Why is it creating these seemingly temporary services that change every time the program updates?
Also… It was not doing this last week. I check my logs quite frequently. So why now? I can replicate this every time I try to manually update the definitions… I check Computer Management > Event Viewer > System Logs and I can see every instance of it.
Whenever an update happens, 2 instances of Instup.exe run, but according to the Avast! folder, there is only 1 .exe. There are also 2 instances of this every time:
A service was installed in the system.
Service Name: vrxstpjd (randomly generated every time though, 7 different letters… looks fishy)
Service File Name: C:\Windows\system32\drivers\ngiodriver_x64 (dunno why it’s referencing this path, the ngiodriver_x64 file isn’t even this folder… I’ve checked… it’s in Avast! Antivirus/setup.)
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:
Sorry if I seem like a pain, but I don’t know much about these types of things and I get a little stressed out when I see things happening to programs I have installed that I’ve never seen before. And I’ve never seen this.
AVAST NG is a hardware based virtualization solution capable of running each Windows process in standalone safe virtualized environment (VM) and is fully integrated to your desktop.
Each process is executed in its own instance of VM, which means totally isolated from your other applications.
Ahhh… but does that have any basis on why my computer is acting the way it is? If what you say is true and NG has always been a part of Avast! Free, then why has this behaviour never happened before?
This is the first time I’ve seen this happen… is this a normal thing? Or was it added in a recent update or something?
No other news on this? Please? I need some help to figure out what’s going on here.
Whenever the Avast! Update Installer runs (instup.exe) it runs a process (according to my task manager) and then immediately runs a second process of itself a moment later which accesses the ngiodriver file which then immediately decides to create randomly generated services to my system. (according to my logs)
This behaviour doesn’t seem normal… and it’s worrying me a lot. I had this same version of the program installed about a week ago and it wasn’t acting like this… instead just activating one single instup.exe process when activating the update installer… and I’ve done a fresh install since then and it’s acting the exact same way.
I have had these randomly generated driver for certain time, appearing in device manager as non-existent driver.
Just my speculation: I feel this randomly generated driver is a part of Avast Self Defense Module, to protect Avast installer from malware.
The reason why the name is random is to prevent malware from blocking Avast Self Defense Module to load, as fixed name could be easily recognized and blocked by malware.
These driver seems to be generated early stage of installation from installer, and deleted when finished.
Why the behavior is changed recently is beyond for me, Avast might changed its behavior for some reason.
Or, I just didn’t try and see what happens when manual update is initiated.
Personally, I don’t think there is anything to worry about.
So is something trying to attack Avast! then? I’ve done malware/virus scans today and for the past few days, with no luck.
And yeah, these drivers don’t seem to stick around for very long, I never see them anywhere in Device Manager when they load but I’m still worried that 2 instances of instup.exe are loading when a manual update is checked for… according to my resource monitor… when the instup.exe runs… it will run the normal installer, the one that always runs, but then this installer shuts down for some reason and another starts in it’s place which activates the ngiodriver part… and this second process eats up some RAM, even when an update is not found but also has many hard faults…
EDIT: This happens whether or not it’s a manual or auto-update. Even when it auto-updates many processes of the instup.exe run at once and these ngiodriver based services are created. Pretty much every time the installer runs, according to my Computer Management logs.
2 instances of instup run.
2 instances of the randomly generated services created by ngiodriver_64 run.
I’m at a loss as to what is going on here. This is a fresh install… I used AvastClear about a few hours ago and did a fresh reinstall and the behaviour persists.
Is it though? I don’t know because I’m just a user… I have no knowledge of how Avast! works, technologically. And this behaviour just started all of a sudden.
And yes, I know I do worry a lot… it’s just how I am. But how am I to know if this is normal and not suspicious behaviour? Infact… in all honesty… I’ve never seen this ngiodriver thing at all until now. I’ve been using Avast!'s software for years… from all the way back in version 2012 to now and I’ve never seen the program act this way before. And it also wasn’t running like this last week either and I was running the same exact program version then. (11.2.2262)
So why has this changed now? That’s all I want the answer to. There’s no need to be so callus toward someone who is just genuinely worried. :-[
Thanks. I’m just trying to see if this is a normal thing or not. Kinda seems that it isn’t though, cause if it were people would probably just say that it’s a thing because it happens on their system too…
Hope I hear something soon. Even if it is just confirmation that what I’m experiencing is a normal thing it should be doing. It would put my mind at more ease.
Hmm… It can’t be a remnant, because, as I’ve mentioned a few times in this thread… this is a FRESH install of 11.2.2262. I did it today and this weird behaviour began around a couple of days ago. But even after a fresh install… it is still persisting.
And if NG is disabled… then why are some of the files associated with it still around? This ngiodriver_x64_ais.8d6.vpx and ngiodriver_x86_ais.8d6.vpx are still around and they seem to be associated with NG.
I also noticed something else odd when I read the Avast Update Log in Persistent Data… in the log, during a check for updates it keeps mentioning that it did not install software protection for my browsers?
“Checking for updates has started.
[2016-06-06 21:39:36] [info ] [chromesp ] [ 2748: 3888] Delayed Chrome SP installation
[2016-06-06 21:39:36] [info ] [chromesp ] [ 2748: 3888] Waiting for 5 days from Avast installation (install time: 1465249176, current time: 1465217774)
[2016-06-06 21:39:36] [info ] [firefoxsp ] [ 2748: 3888] Delayed Firefox SP installation
[2016-06-06 21:39:36] [info ] [firefoxsp ] [ 2748: 3888] Waiting for 5 days from Avast installation (install time: 1465249176, current time: 1465217774)
[2016-06-06 21:39:36] [warning] [chromeaos ] [ 2748: 3888] Chrome was not installed by Avast.”
Why is it doing this? I unticked everything but the Shield Protection when I installed Avast! Including Browser protection… and told Avast! that I didn’t want chrome installed either.
How do you do that? I’m on Windows 7 and when I try to “change” it just lists the features I had the option to install when I first installed it… and at this point… I’m stumped.
I even tried another fresh install moments ago, but this time, removing all traces of avast in any folder or registry entry… reinstalled, it did nothing. Still getting the weird ngiodriver thing happening.
Sometimes, when the instup runs, AvastBugReport runs as well. Probably meaning the installer crashed, which is why the second instup process runs.
Does anyone know what windows services Avast relies on to update it’s virus definitions? Cause I’ve been having problems with my computer lately… some svchost processes are sluggish to start… does Avast!'s installer rely on anything to do with the Background Intelligent Transfer Service or Windows Update by any chance?
Seems to me something on my system may be corrupt… though it’s weird because these other problems have been going on for about a week or more and these ngiodriver problems with avast only started a couple days ago.
I would uninstall, reboot and then run avastclear. This will advise you, and intitiate, a boot to safemode
with networking. Allow this and avastclear will do it’s thing and then you can reboot back to normal mode.
Have the offline installer ready. start the new install, and choose custom install. Select only the items you want.
I ran avastclear many many times already. And fresh installed the Antivirus but the problem doesn’t go away.
When I install the antivirus, I only choose the base shields and untick everything else. But for some odd reason I’m seeing things in the log that says the antivirus is still trying to install something…
Here’s an example:
[2016-06-07 02:14:32] [info ] [instupcore ] [ 1824: 1828] Checking for updates has started.
[2016-06-07 02:14:32] [info ] [chromesp ] [ 1824: 1828] Delayed Chrome SP installation
[2016-06-07 02:14:32] [info ] [chromesp ] [ 1824: 1828] Waiting for 5 days from Avast installation (install time: 1465265672, current time: 1465257513)
[2016-06-07 02:14:32] [info ] [firefoxsp ] [ 1824: 1828] Delayed Firefox SP installation
[2016-06-07 02:14:32] [info ] [firefoxsp ] [ 1824: 1828] Waiting for 5 days from Avast installation (install time: 1465265672, current time: 1465257513)
[2016-06-07 02:14:32] [warning] [chromeaos ] [ 1824: 1828] Chrome was not installed by Avast.
Have no clue why this is appearing since I refused to install the Chrome browser on the setup and I also unticked everything else but the main shields as well.
It can’t be a remnant, because, as I’ve mentioned a few times in this thread… this is a