(SOLVED) AVGxxxxx.SYS Leftover Drivers: Avast Rootkit False Positive

I’m a long time AVG user now switching all my PCs to Avast…two down more to go.
I really like Avast and have run scans on both machines…clean except in full scan or on boot after Windows comes up Avast shows a rootkit found for what looks like three legacy AVG files, AVGldx86.sys, AVGmfx86.sys, AVGtdix.sys in the Windows/systems32/drivers directory. Since I’m not trying to cause any BSOD I thought I’d ignore using the Avast popup…they still show/alert on a reboot…I also used full scanner with the rootkit in Avast windows and it asked to reboot…they still show back up. I’ve not done a boot time scan and this would be last resort. I assume others have run into this since I’m sure many folks are moving away from AVG.

Can you give guidance ?

Attached is pic of Avast popup.

Thx.

so a rootkit huh? try this:

Download aswMBR.exe ( 1.8MB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

have you uninstalled AVG before installing avast ?
have you run a removal tool to clear all leftovers ?

removal tools can be found here
http://thewebatom.net/uninstallers/security-software/

oh huh!!! I almost forgot to ask this. thanks, pondus…

I did uninstall AVG…even ran CCleaner afterwards…files and registry too.

I just ran the Avast boot scanner and here are results…puzzling since I am still getting this Avast popup at Windows boot…takes couple minutes to show up.

07/03/2011 16:51
Scan of all local drives

Scanning aborted
Number of searched folders: 445
Number of tested files: 2504
Number of infected files: 0


07/04/2011 22:55
Scan of all local drives

Number of searched folders: 11308
Number of tested files: 627504

Number of infected files: 0

I will try to run the cleanup uninstaller per the link above…was looking for it on AVG.

Is the MBR program OK to run for scan mode ?..non-intrusive ?

Thx !!!

almost ?.. ::slight_smile:

Run the AVG removal tool and reboot

I ran the AVG removal tool and a DOS window came up…a lot of items scrolled past saying it was removing, etc…then exit. I then did a manual reboot. After 2-3 minutes into Windows the same Avast popup shows…in my first post of thread. As FYI, I was running AVG9…since AVG10-2011 has SOOOO many issues…this uninstaller looks to be 2011 by name…does that matter ?

Also, why when I choose from Avast’s popup to ignore does it still come up ?

Thx !

hmmmmm…not sure

you find the latest here http://www.avg.com/us-en/utilities

i would guess if you run latest it should remove all versions…

if you browse to that location, are the files still there after running the tool ?

They are hidden files so even if I go into Explorer and uncheck the “see O/S files” and look in that directory they are not there…but Avast is either still seeing them or has some log/buffer that keeps this popup coming up.

Is there something in Avast to ignore these or clear this log/popup ?

I will send a PM to DavidR but it may take some time before he enters the forum

not sure if this will make any difference but have you tried removing avast with the removal tool, reboot and reinstall http://www.avast.com/en-no/uninstall-utility

This is exactly what I was about to do…but it’s ~2am,EDT in USA and need to hit the bed.
I’ll check this thread late tomorrow for any suggestions prior to uninstall & re-install of Avast.

As FYI…
When I look at the AVG remover log it says that avgldx86, avgmfx86, avgtdix are not present.
Some log examples/excerpts…(since log is too big to post)
2011-07-05 04:17:04,531 INFO Processing service AvgLdx86, it can take several minutes…
2011-07-05 04:17:04,562 INFO Service AvgLdx86 is not installed
2011-07-05 04:17:04,593 DEBUG Service AvgLdx86 RegCleanup
2011-07-05 04:17:04,625 DEBUG Registry keys for service AvgLdx86 are not present
2011-07-05 04:18:04,265 DEBUG Key SYSTEM\ControlSet001\services\avgldx86 not found

If I run a Avast boot scan it finds nothing as well.
However, on Windows boot I still get the Avast popup shown on first post.
Also, just ran Avast FULL SCAN…it finds them…see attached.

OK, another tool to check for other types of rootkit.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

have googled the file names and found this. also see under important

avgldx86.sys file information: http://www.file.net/process/avgldx86.sys.html

avgmfx86.sys file information: http://www.file.net/process/avgmfx86.sys.html

avgtdix.sys file information: http://www.file.net/process/avgtdix.sys.html

Ok…thanks…I’ve run MalwareBytes on the machine many times prior…plus this is happening on other PCs too.
I’ll try TDSSKiller and also run Malware Bytes but could these be false positives within Avast ?
How do you submit something that has no file ?

If they are real rootkit and Avast sees why does it not remove ?
Also, strange the Avast scanner can see but the boot scanner cannot.

Well, ran TDSSKiller as suggested above and it found nothing…see attached.
Also ran MBAM again and nothing there.
I read another thread and seems Avast is seeing rootkits that specialized programs are not ?
http://forum.avast.com/index.php?topic=80667.0
Let me know what you guys think ?..this just seems like false positive ?

@ com155
I have just been asked to check this topic and you are jumping in with both feet with zero analysis; you have to look at the information presented to you, the files in the image all appear to be AVG drivers.

Pondus is correct in that these are AVG related files and had you checked this out first (google the file names) you would have been on to the right track.

So it looks like the OP is also running AVG (or remnants of it remain) with avast and it needs to be uninstalled or these conflicts are assured.

Even when this was pointed out to you, you continued firing off rootkit tools for the OP to run, this is both counter productive and a waste of time and likely to cause undue worry to the OP. Not to mention shaking his confidence in avast, as these hidden drivers of AVG are apparently still running.

The anti-rootkit scan uses different methods to the regular scans so they wouldn’t find anything wrong with these files. It also compares what the windows API says is running against what is actually running.

Once it was identified that there appear to be remnants of AVG on the system then that should have been the first thing to resolve.

DavidR, thanks for your insights but I think when I posted the thread I suggested it was AVG.
However, the Google on these file does also say they have known to be Malware too.
Other posters have suggested the rootkit tools to try…not me.
I was happy to try the suggestions others posted.

I am open to any of your suggestions on what to try to remove.
As posted above I’ve used the AVG un-installer utility.
Also, reading your post it is your opinion this is a conflict, not a rootkit malware ?

I appreciate everyone’s help…please provide any guidance.

Thx.

You say you actually checked in the c:\windows\system32\drivers folder to see if these files are present and they aren’t, which is strange.

You could also try checking the registry for any reference to c:\windows\system32\drivers\avg*.sys entries as there might also be legacy keys remaining.

I don't know if the AVG removal tool you used was the correct one - there is a 32bit and 64 bit windows version, ensure you use the correct one for the version you installed. I think that version 8 of AVG will probably have been a 32bit version even though you may now have a 64bit OS.


From your last post:

1. My comments were directed @ com155 and not you (which is why I put the @ com155) at the top of the post.

2. In a way it is conflict as essentially they shouldn't be there and if they are then they are low level drivers (which hook files so they are scanned) and it is mainly these that conflict in normal use. The other problem being these are generally kernel mode drivers and hidden from the system and it is this method of hiding that is causing the issue with the anti-rootkit scan.

I would say keep ignoring them on the alert and keep reporting them as possible false positive.
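The registry check DavidR suggests above, and the "what the registry says is registered versus what is actually loaded" comparison he describes, can be done by hand from an elevated PowerShell prompt. The script below is an added example written for this thread, not a tool from Avast or AVG; it assumes the `avg*.sys` file-name pattern from the post, the standard `HKLM:\SYSTEM\CurrentControlSet\Services` layout, and the `Win32_SystemDriver` WMI class for the loaded-driver view.

```powershell
# Added example (not from the forum thread): list kernel driver services whose
# ImagePath points at an avg*.sys file, and report whether the file is on disk
# and whether the driver is currently loaded. Run from an elevated prompt.
$pattern = 'avg*.sys'   # file-name pattern the thread is concerned with

# Drivers the service control manager reports as running right now.
$loaded = Get-CimInstance Win32_SystemDriver |
          Where-Object { $_.State -eq 'Running' } |
          ForEach-Object { $_.Name.ToLower() }

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath
    # Service Type 1 = kernel driver, 2 = file system driver; skip everything else
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
    if (-not $svc.ImagePath) { return }

    # Normalise the common registry spellings of a driver path to a real path
    $path = $svc.ImagePath -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    if ((Split-Path -Leaf $path) -notlike $pattern) { return }

    [pscustomobject]@{
        Service    = $_.PSChildName
        ImagePath  = $svc.ImagePath
        Start      = $svc.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        FileExists = Test-Path -LiteralPath $path
        Loaded     = $loaded -contains $_.PSChildName.ToLower()
    }
} | Format-Table -AutoSize
```

A row with `FileExists` false and `Loaded` false is a stale registration the removal tool should have cleared; a row that is `Loaded` while the file is hidden from Explorer is the situation the thread is describing.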

No they are remnants from AVG but the function of the files/drivers has rootkit characteristics

try this if the AVG removal tool does not clear it all

Download AppRemover .

Uninstall AVG via Programmes and Features
Run the AVG removal tool

Run appremover
Click Next >>

http://www.hdrcgb.org.uk/g2g/appremover1.jpg

Ensure “Remove Security Application” is collected and click Next >>

http://www.hdrcgb.org.uk/g2g/appremover2.jpg

AppRemover will scan all the security applications on your PC

http://www.hdrcgb.org.uk/g2g/appremover3.jpg

Select Any AVG entries from the applications offered and click Next >> twice.

http://www.hdrcgb.org.uk/g2g/appremover4.jpg

Follow any further on-screen instructions. If asked to reboot, please do so.