Slyguy

A friend of mine called and was having some CPU spiking issues. I created a remote session and logged in. She uses Norton, which is fine. But previously used AVG/AVAST. To my surprise, I found a program running called "OVERSEER", but it was running as a hidden process. Assuming it was malware I started to investigate and much to my surprise, I found this was a remnant of Avast/AVG. The person I was helping said they not only uninstalled AVG nearly 4 months prior, but they also followed up a normal uninstall with the AVG removal tool.

Investigating further, I found this program creates a persistence of itself, even after uninstalling via a Scheduled Task pointing to a file hidden in a non-AVG directory. It also reaches out to the Internet fairly regularly and traverses traffic.

Task: {67D89567-1909-4076-8115-4B8F80D19A72} - System32\Tasks\AVG\Overseer => C:\Program Files\Common Files\AVG\Overseer\overseer.exe [2018-01-12] (AVG Technologies CZ, s.r.o.)

To test this, I set up a test machine, installed AVG PAID. Then uninstalled it with Revo+Advanced, sure enough this program created persistence with itself. So then I ran the AVG removal tool from AVG themselves, and guess what - the file still remains and creates persistence with itself. I always had a problem with Avast/AVG, but now I feel like they exhibit malware-like behavior.

avast_sucks_oxkvwf_01.jpg
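A defender-side check for the kind of leftover described in the post above, as an added example that is not part of the thread: it parses scheduled-task lines in the format quoted there and flags tasks whose publisher and executable path mention no product that is still installed. The function names, the keyword heuristic, the "ExampleAV" entries and the installed-product list are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Format quoted in the post:
# Task: {GUID} - <task file> => <executable> [YYYY-MM-DD] (<publisher>)
TASK_RE = re.compile(
    r"^Task: (?P<guid>\{[0-9A-Fa-f-]{36}\}) - (?P<task>.+?) => "
    r"(?P<exe>.+?)(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^()]*)\))?$"
)

class TaskEntry(NamedTuple):
    guid: str
    task: str
    exe: str
    date: Optional[str]
    publisher: Optional[str]

def parse_task_line(line: str) -> Optional[TaskEntry]:
    """Parse one task line; return None for anything that does not match."""
    m = TASK_RE.match(line.strip())
    return TaskEntry(**m.groupdict()) if m else None

def orphaned_tasks(lines: List[str], installed_keywords: List[str]) -> List[TaskEntry]:
    """Tasks whose publisher and executable path name no installed product.

    Heuristic (assumption): a task belongs to an installed product if one of
    the product keywords appears in its publisher string or executable path.
    """
    keys = [k.lower() for k in installed_keywords]
    hits = []
    for line in lines:
        entry = parse_task_line(line)
        if entry is None:
            continue  # not a task line, skip it
        haystack = f"{entry.publisher or ''} {entry.exe}".lower()
        if not any(k in haystack for k in keys):
            hits.append(entry)
    return hits

# Constructed sample: the first line is the one quoted in the post,
# the other two are made up to exercise the parser.
SAMPLE = [
    r"Task: {67D89567-1909-4076-8115-4B8F80D19A72} - System32\Tasks\AVG\Overseer => C:\Program Files\Common Files\AVG\Overseer\overseer.exe [2018-01-12] (AVG Technologies CZ, s.r.o.)",
    r"Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleAV\Update => C:\Program Files (x86)\ExampleAV\update.exe [2018-03-01] (ExampleAV Inc.)",
    r"Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\NoMeta => C:\Tools\agent.exe",
]

if __name__ == "__main__":
    for t in orphaned_tasks(SAMPLE, ["Norton", "ExampleAV"]):
        print(f"review: {t.task} -> {t.exe} ({t.publisher or 'no publisher'})")
```

A flagged task is a candidate for review, not a verdict: the keyword match only says that nothing currently installed claims the task.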
 

Sunshine-boy

Avast left some files/folders even if you use the official installer, but this is how every AV works (because developers are lazy to create a good uninstaller).
I found the same with these AVs:
1 - 360 (folders/files in AppData folder and 360sandbox (hidden) folder in C:)
2 - Eset (some network settings, but Eset has a guide to manually fix it)
3 - Dr.Web (some undeletable hidden folders in every partition, but they are empty)
4 - McAfee (some processes and services lol)
 

Slyguy

Residuals are one thing. I used to make installers decades ago using WISE/UNWISE, my first IT Job actually - creating installers for a pretty big name software firm at the time. It's sloppy when residuals are left behind. Laziness. But it happens.

Nevertheless, these aren't residuals. This is an actively hidden process that re-establishes its persistence on a system long after the product is removed, and makes specific internet calls, and sends some data out. I'm happy to give a pass for residuals. I am not willing to give a pass for a persistent, self-initiating process that remains forever, and is even ignored by their special uninstall tool.
 

shmu26

Thanks for the heads up, I appreciate that. Just curious, how did you discover this hidden process?
 

Deleted Member 3a5v73x

Omg people, some really try to defend Avast/AVG for their actions and route they have gone in recent years, don't you learn anything? I understand global market and Avast will continue this force and claims that they protect users data, this and that, but facts speak for themselves. What needs to happen for you to open your eyes? I understand regular and innocent home people around globe being defenseless against Avast/AVG marketing, thinking they all cool and dandy, and possibly, protection wise, one of the best free AV security product around, I am not denying that, but man.. question is more towards MT users who still use it and recommend around, and then work-arounds how to disable ads.. yeah, just block AvastUI.exe in firewall, all cool. Seriously? I install security program, and then I literally have to block it? What is this.. :cautious:
 

Deleted Member 3a5v73x

I don't think this is the case! Such files, folders and even processes are left for a reason. That's why I perform a clean install of Windows.
What that would be? Install silently Avast again in background without user knowing it's there, just like some malware push Avast to system, brilliant idea, that's what they meant by leaving Overseer service running after user uninstalls Avast, uninstall might have been a mistake so we will fix it for them by installing Avast again, no worries. Imagine if that was true..
it checks to see Avast antivirus service is running, if it is not, initiates the repair, Overseer even fixes the broken Avast installations.
 

Al-Faqir

Users should be warned that some files were not deleted and showed how they can delete them. Nothing should be left behind. I don't know what the remaining files do and I don't care I just don't want to see any remaining files. Security products worry me that I don't know why they exist—to protect me, or to collect data.
 

Slyguy

@Slyguy What can you say about Morphisec files? Are they the same company who notified Piriform about the CCleaner (v5.33) malware in 2017?

Located in Program Files\AVAST Software\Avast\Morphisec

Morphisec Ltd - How it works - Morphisec
Morphisec is part of the military/intelligence complex. I'd be pretty confident in having great suspicions about their services gathering intelligence. Morphisec was founded by Ronen Yehoshua and Dudu Mimran, both from Israeli Defense Force Cyber Intelligence. Lockheed Martin and Ben Gurion University helped 'startup' Morphisec in the secretive Be'er Sheva R&D facility.

I'd keep that crap far away from my systems and network. But that's just me.. YMMV.

It's pretty obvious to me that Avast/AVG are fiends for intelligence/telemetry/datamining. They've given us no indication otherwise and I feel bad for people duped into running their stuff, and a LOT of people run it.
 

AriDfoix

Slyguy caught another one (y)

Pretty sure they will release an update soon where that thing will magically disappear, or not? :unsure:

Would be nice to replicate what that process transmitted for 4 months, after your friend uninstalled, surely nothing good :eek:
 

509322

People don't want to pay... they want free, so they install Avast Free. And why is that ? Because Avast Free has been promoted to death on the web for decades because it is free.

The average person could care less... as long as it is free.

The reality of today's digital world = "If I give you something for free, I'm definitely getting something from you... because I don't do anything for free." Not to mention that people do not own their own, personal data. Sorry. You don't. If people owned their data, then they could interfere with the entire digital system in such a way and to the extent that it would be harmful to that system. And no government in its right mind is going to allow that to happen. Research it. A person has the right to restrict data, but generally the system is given the rights to harvest data at many levels - most notably operational.

Data = money.

The free-loading has a lot to do with how this evolved over the years. And more importantly the fact that people don't think about the consequences of what they do.
 