Worried system may be infected. ngiodriver_64.vpx running after every vps update

So I posted my original problem in the normal Avast! Free/Premier thread and I didn’t really get anywhere with it… and was recommended by bob to come here…

Basically… I’ve seen some very suspicious behaviour coming from Avast the last week or so… whenever I try to do a manual scan for new virus definitions on my system or the system automatically detects new definitions to install… it will act completely differently to how it used to install them previously to this behaviour…

It runs 2 instances of the instup.exe process… but the first process appears to exit very quickly… after the first process shuts down, the second will activate and according to logs I have read in the Persistent Data/Update.log it activates a file called ngiodriver_64.vpx and auto-creates 2 temporary services with randomly generated service names every time… I don’t know if this is a sign of malware or a virus trying to stop the first installer from installing an update and then the Antivirus Self-Defence Module intervenes or not…

This is a vague log of what the second process does:

[2016-06-09 18:54:24] [info ] [instcont ] [ 2036: 4624] 2016/06/09 18:54:24 START: Avast installer/updater
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Command: ‘“C:\Program Files\AVAST Software\Avast\setup\instup.exe” /instop:change’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] CPU: Intel(R) Core™ i7-2600 CPU @ 3.40GHz,8
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] OS: Windows 7 SP1 x64
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Memory: 25% load. Phys:4194303/4194303K free, Page:4194303/4194303K free, Virt:4123120/4194176K free
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] DISKs: C:\ - 655GB free / 698GB total
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Running module version: instup.exe - ‘11.2.2738.0’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Running module version: Instup.dll - ‘11.2.2738.0’
[2016-06-09 18:54:24] [info ] [simutex ] [ 2036: 4624] Checking for the mutex ownership.
[2016-06-09 18:54:24] [info ] [simutex ] [ 2036: 4624] The mutex is signaled. We are owners of the mutex.
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Loading product state
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Guid = 07cd9ca6-4558-4625-abb0-c6fb948d546e, Created = 13:11:03 07.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Persistent Guid = 1f4fcb05-35c0-45a6-bc4f-dee1e07c0a70, Created = 13:11:03 07.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] ProductId = ais
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Edition = 1
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Installed Part info:
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘iex’ = ‘iex’, 6 (0x00000006), 19:21:04 09.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘jrog2’ = ‘jrog2’, 4353 (0x00001101), 19:21:04 09.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘program’ = ‘prg_ais’, 184682710 (0x0B0208D6), 12:22:11 27.04.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘setup’ = ‘setup_ais’, 184682710 (0x0B0208D6), 12:22:12 27.04.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘vps’ = ‘vps_win32’, 369494273 (0x16060901), 19:21:07 09.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Latest Part info:
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘iex’ = ‘iex’, 6 (0x00000006), 19:21:04 09.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘jrog2’ = ‘jrog2’, 4353 (0x00001101), 19:21:04 09.06.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘program’ = ‘prg_ais’, 184682710 (0x0B0208D6), 12:22:11 27.04.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘setup’ = ‘setup_ais’, 184682710 (0x0B0208D6), 12:22:12 27.04.2016
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Part ‘vps’ = ‘vps_win32’, 369494273 (0x16060901), 19:21:07 09.06.2016
[2016-06-09 18:54:24] [info ] [registry ] [ 2036: 4624] BackupFileToRegistry: file ‘C:\Program Files\AVAST Software\Avast\setup\setup.ini’ was successfully backed up to value ‘SetupIniBackup’.
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Loading Proxy settings
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-Type: ‘no proxy’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-Authorization: ‘no authentication’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-Port: ‘8080’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-Name: ‘’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-User: ‘’
[2016-06-09 18:54:24] [info ] [instup ] [ 2036: 4624] Proxy-Pass: ‘???’
[2016-06-09 18:54:24] [info ] [partinfo ] [ 2036: 4624] SetInstalled: Part package part-iex-6.vpx is installed.
[2016-06-09 18:54:24] [info ] [partinfo ] [ 2036: 4624] SetInstalled: Part package part-jrog2-1101.vpx is installed.
[2016-06-09 18:54:24] [info ] [partinfo ] [ 2036: 4624] SetInstalled: Part package part-prg_ais-b0208d6.vpx is installed.
[2016-06-09 18:54:24] [info ] [partinfo ] [ 2036: 4624] SetInstalled: Part package part-setup_ais-b0208d6.vpx is installed.
[2016-06-09 18:54:24] [info ] [partinfo ] [ 2036: 4624] SetInstalled: Part package part-vps_win32-16060901.vpx is installed.
[2016-06-09 18:54:25] [info ] [instupcore ] [ 2036: 4624] PkgLoadProductInfo: product GPB was successfully loaded.
[2016-06-09 18:54:25] [info ] [instupcore ] [ 2036: 4624] Product pre-change has started.
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: IsAswVmmVirtualizationActive returned 0 (0x00000000) [The operation completed successfully.] and false
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceInstall: Service ewkkumkm successfully installed.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: Starting the service ‘ewkkumkm’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: The service ‘ewkkumkm’ started successfully.
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: CPU type Intel
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: virtualization technology is probably disabled in BIOS
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStop: The service ‘ewkkumkm’ stopped successfully.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: Attempting to uninstall the service ‘ewkkumkm’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: The service ‘ewkkumkm’ successfully uninstalled.
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: IsAswVmmVirtualizationActive returned 0 (0x00000000) [The operation completed successfully.] and false
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceInstall: Service gxrvpisv successfully installed.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: Starting the service ‘gxrvpisv’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: The service ‘gxrvpisv’ started successfully.
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: CPU type Intel
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: virtualization technology is probably disabled in BIOS
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStop: The service ‘gxrvpisv’ stopped successfully.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: Attempting to uninstall the service ‘gxrvpisv’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: The service ‘gxrvpisv’ successfully uninstalled.

About a week or more ago, Avast! would just activate a single installer which would update the definitions quickly without any sign of large amounts of resources being used… but the way it updates now… takes around double the amount of RAM it used before to update itself… probably due to there being 2 processes of it running now.

I was also told in the other thread that this could be the work of NG, as ngiodriver_64.vpx is supposedly associated with it… but according to my logs above… the NGAssistedVirtualization status is false.

I don’t wanna get paranoid here and say that this is a virus or malware immediately but I’ve never seen Avast! Updater act like this before and my system has slowed down on startup lately (more notably the svchost processes are delaying a lot longer than they should be.)
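The part of the excerpt above that worried the poster is the pair of randomly named services (ewkkumkm, gxrvpisv) that appear and disappear within one second. The defensible way to reason about such lines is not to guess from the names but to check the lifecycle: was each service installed, started, stopped and uninstalled by the same instup.exe process before the update finished, or was something left behind? The following script is an added example written for this thread; it is not Avast's code and not part of the original posts. It assumes only the Update.log line layout visible in the excerpt (`[timestamp] [level] [module] [ pid: tid] message`); the sample log embeds the page's own service lines plus one constructed service, `zzzleftover`, added to show what a genuinely suspicious (never removed) entry would look like.

```python
"""Audit the short-lived helper services that instup.exe records in Update.log.

Added example for this thread (not Avast's code). The log grammar is inferred
from the excerpt posted above; anything not in that excerpt is constructed.
"""
import re

# One log line: [timestamp] [level] [module] [ pid: tid] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[(?P<module>[^\]]+)\] "
    r"\[ *(?P<pid>\d+): *(?P<tid>\d+)\] (?P<msg>.*)$"
)
# ServiceInstall names the service bare; Start/Stop/Uninstall quote it
# (the forum rendering uses curly quotes, so accept both curly and straight).
INSTALL_NAME_RE = re.compile(r"Service (?P<name>\S+) successfully installed")
QUOTED_NAME_RE = re.compile(r"[‘'](?P<name>[^’']+)[’']")
SERVICE_OPS = ("ServiceInstall", "ServiceStart", "ServiceStop", "ServiceUninstall")

# Constructed sample: the two services from the excerpt above, plus a made-up
# third service ("zzzleftover") that is installed and started but never removed.
SAMPLE_LOG = """\
[2016-06-09 18:54:25] [info ] [instupcore ] [ 2036: 4624] Product pre-change has started.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceInstall: Service ewkkumkm successfully installed.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: Starting the service ‘ewkkumkm’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: The service ‘ewkkumkm’ started successfully.
[2016-06-09 18:54:25] [info ] [productcond ] [ 2036: 4624] IsNgSupported: virtualization technology is probably disabled in BIOS
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStop: The service ‘ewkkumkm’ stopped successfully.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: Attempting to uninstall the service ‘ewkkumkm’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: The service ‘ewkkumkm’ successfully uninstalled.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceInstall: Service gxrvpisv successfully installed.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: Starting the service ‘gxrvpisv’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStart: The service ‘gxrvpisv’ started successfully.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceStop: The service ‘gxrvpisv’ stopped successfully.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: Attempting to uninstall the service ‘gxrvpisv’.
[2016-06-09 18:54:25] [info ] [system ] [ 2036: 4624] ServiceUninstall: The service ‘gxrvpisv’ successfully uninstalled.
[2016-06-09 18:54:26] [info ] [system ] [ 2036: 4624] ServiceInstall: Service zzzleftover successfully installed.
[2016-06-09 18:54:26] [info ] [system ] [ 2036: 4624] ServiceStart: The service ‘zzzleftover’ started successfully.
"""


def parse_line(line):
    """Split one Update.log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    rec["module"] = rec["module"].strip()
    return rec


def service_events(log_text):
    """Return (name, op, pid, ts) for every *completed* service action.

    Progress lines ("Starting ...", "Attempting to uninstall ...") are skipped;
    only lines reporting success count as a state change.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["module"] != "system":
            continue
        op, sep, rest = rec["msg"].partition(":")
        if not sep or op not in SERVICE_OPS or "successfully" not in rest:
            continue
        name_re = INSTALL_NAME_RE if op == "ServiceInstall" else QUOTED_NAME_RE
        m = name_re.search(rest)
        if m:
            events.append((m.group("name"), op, int(rec["pid"]), rec["ts"]))
    return events


def audit_temp_services(log_text):
    """Group events per service and decide whether each one was cleaned up.

    A service is "cleaned_up" when its first recorded action is an install and
    its last is an uninstall; "single_process" means one PID did all of it.
    """
    audit = {}
    for name, op, pid, ts in service_events(log_text):
        entry = audit.setdefault(
            name, {"lifecycle": [], "pids": set(), "first_seen": ts, "last_seen": ts}
        )
        entry["lifecycle"].append(op)
        entry["pids"].add(pid)
        entry["last_seen"] = ts
    for entry in audit.values():
        lc = entry["lifecycle"]
        entry["cleaned_up"] = lc[:1] == ["ServiceInstall"] and lc[-1:] == ["ServiceUninstall"]
        entry["single_process"] = len(entry["pids"]) == 1
    return audit


def leftover_services(log_text):
    """Names of services that were installed but never uninstalled: the ones worth a closer look."""
    return sorted(n for n, e in audit_temp_services(log_text).items() if not e["cleaned_up"])


if __name__ == "__main__":
    for name, e in audit_temp_services(SAMPLE_LOG).items():
        status = "ok" if e["cleaned_up"] else "LEFT BEHIND"
        print(f"{name:12} {status:12} {' -> '.join(e['lifecycle'])}  pids={sorted(e['pids'])}")
    print("leftover:", leftover_services(SAMPLE_LOG))
```

Run against the full excerpt from the first post, the two real services come out as install, start, stop, uninstall by PID 2036 within the same second, which is the pattern of a helper the updater creates to probe hardware virtualization support (the IsNgSupported lines between them) and then removes. Only the constructed `zzzleftover` entry is reported as left behind; a real service that showed up in that list, or one whose uninstall came from a different PID, would be the thing to raise with the malware team, alongside the logs they ask for below.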

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs. Attach the logs, 3 logs total.

see below the box you write in … Attachments and other options

Bob also told you what to do:

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0 We need Malwarebytes and Farbar Recovery Scan Tool logs. Attach the logs, 3 logs total.

see below the box you write in … Attachments and other options

And that does not mean copy/pasting that log file.

I've seen some very suspicious behaviour coming from Avast the last week or so
No, you haven't. You only have seen perfectly normal behavior by avast as you have been told several times by multiple people.

Stop trying to understand things for which you don’t even have close to enough knowledge.
You are only making it worse for yourself and that is not what I like to see you doing.
Focus on something you can/know and enjoy it.

Here are the logs you requested:

BTW, can I get rid of FRST when I’m done with it? I don’t like to keep programs I don’t recognize around for too long once I’ve used it. If so, how? And how do I remove all trace of it?

Essexboy will remove tools when done :wink:

Huh? You mean he’ll tell me how to remove them? I don’t need to remove MalwareBytes, as I already had it installed anyway.

He uses a tool that will remove the tools, including itself, when run … gone without a trace > Malwarebytes will not be removed.

The only problem I see is that avast, Comodo and Windows Defender are installed and running at the same time.

You need to choose which one you want to use.

http://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

Hmmm… I’ve been running them all together for a long time though… never seen any conflicts or issues… I don’t have any other Firewall installed so why is Comodo a bad idea? (I don’t own Avast premium so I have no firewall from that)

I don’t actually run Windows Defender directly either… it just runs automatically as it is set to in Windows 7 by default as svchost (secsvcs)… it was set to run as “Automatic (delayed start)” and has been since I installed Windows 7… which was years ago.

I’d like to post another thing here as well… as I know looking at these logs will take a while.

I am pretty stressed out at the moment… I have some anxiety problems and have been trying many different maintenance steps myself to try and improve my system and this Avast! problem over the past week… (Disk Check, Disk Defrag, clean installing Avast! etc) and I am very worried when it comes to installing programs I’ve never seen before.

I’m also a little concerned about this FRST program I had to install to get these logs to you, it seems like a dangerous program since you can use fix files to change things on your system and even COMODO gave me warnings that it was changing all sorts of things in my registries etc… and to use it at my own risk… I would assume it is safe as you wouldn’t ask me to install a program that wasn’t…

I’m a pretty private guy, I don’t like to be vulnerable on the internet by installing things that may compromise my security or may contain malicious things.

My main problems with my computer at the moment are just 2 really…

My svchost processes in Windows 7 have become rather sluggish lately. The main (LocalSystemNetworkRestricted) process before these problems started was very speedy to run on a new startup (like 3 seconds after a log in) and now it takes like… 15 seconds to run… a lot of the other ones are the same… taking much more time upon boot to load.

The second problem is that Avast! ngiodriver_64.vpx problem… unless someone who knows how the program works can tell me that it is how the program is supposed to update/run now…

I’m sorry to be such a pain… but please be patient with me…

All programs used here by this forum's malware team are safe to use, just surf this forum section and see them in use.

Relax and check back tomorrow for essexboy's reply.

Comodo gave you false warnings.
Farbar (FRST) is not changing anything at all on your system when it creates the log files.

The second problem is that Avast! ngiodriver_64.vpx problem
As told before, it is NOT a problem. It is how avast is working.

Of course things are taking “long” to start.
Everything is scanned 3(!) times.
If you want to keep using avast, delete Comodo completely and make sure Windows Defender is disabled.

Here is what is happening on your system:
A student has written down the answers to exam questions.
3(!) teachers want to check them.
Of course it takes longer before the result is known than when 1 teacher is checking the answers.
And on your system the 3 teachers all are trying to be the first to check the answers so they are fighting over who gets the paper with answers first.

The simplest way to remove it would be to do a clean install of Avast

Download Avast Uninstall Utility to your Desktop.
Download the correct version of Avast
Avast Free
Avast Pro
Avast Internet Security
Avast Premier
Disconnect from the net
Uninstall Avast via control panel

Run the uninstall tool and accept the reboot to safe mode
Once complete reboot your system
Reinstall Avast

I have done a clean install of Avast! about 4 times already, using AvastClear… the behaviour persists even after doing this.

I do notice though that whenever I install a new version of Avast! and AvastEmUpdate runs for the first time it will do a load of stuff… and a load of processes will stop and start but then a final process will start and will just stay active in the process list indefinitely. Not sure if this means the emergency updater is hanging or crashing or something… but this always happens.

So… did nothing look strange with all the logs I sent then? I would assume not because you would have told me to start doing more stuff…

If I don’t need FRST any more… can you tell me how to remove it and all traces of it? I’m funny about keeping programs I have no clue about on my computer.

No there is nothing strange in the logs

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Is the driver causing problems?

Sorry but I can’t afford to run that program. I don’t want to reset any windows settings or anything and mess with the registry etc… since you said you found nothing strange in the logs… I dunno what’s going on…

I appreciate you are trying to help but programs like that… that change a massive amount of things on the system and that they have the power to do so is very scary to me… :frowning:

I might just have to accept this is the way my computer will run now… thanks for the help… can you also tell me how to completely remove FRST please? I don’t want it on my system any more or any remnants of it.

Finally… do you have any idea how Avast! works as a whole, in terms of how the antivirus is programmed?

If so, does this behaviour I described seem normal to you? Is Avast! supposed to activate this ngiodriver_64.vpx file on every definition update? I’ve been told by many people on the normal forum that it seems to be normal behaviour but I dunno since it never did this before.

I also would like to mention something else that may give a clue…

Around the time this problem started with my computer also… a few services/tasks that I had scheduled in Windows 7 to update particular programs were beginning to fail also.

I had Google Chrome installed about 10 days ago, and it always ran a task called “Google Update” which was designed to install new versions of the browser if it was out of date… but at some point… this process was failing to pick up new updates and about the same time my computer started to slow down… every time the Google Update tasks ran, it seemed to crash immediately afterwards (judged by the fact the GoogleCrashHandler would run in my processes when it ran)…

You think this may be related? Has my Windows system become unable to update particular programs by itself? :frowning:

Sorry but I can't afford to run that program. I don't want to reset any windows settings or anything and mess with the registry etc...
You may select only > Remove disinfection tools to remove FRST.

Oh, is this the tool to remove FRST? What other stuff does it remove? Avast! or Malwarebytes? Or any Windows related disinfection stuff? :confused:

Okay I just did remove disinfection tools and FRST is now gone. Thanks for the help.

Sorry I just got a little panicky when I saw the “Reset system settings” option on it, I thought it was gonna do some damage to my windows lol

What does that setting do anyway? Is it also normal for the delfix.exe to just disappear when you have finished with the process? I thought only stub applications did that.