Avira Support Forum

I updated to V10 of Avira the other day and since upgrading I get the following prompt when Windows (XP SP3) boots:

"Open File - Security Warning"
Name: avgnt.exe
Publisher: Avira GmbH

I unchecked the box "Always ask before opening this file" and click "Run" but the next time I start the computer the prompt appears again with that box checked.



This was not happening with the previous version of Avira.

I see there are at least two others that are experiencing the same problem.

Here is the pertinent section of the Hijack this log file (I trimmed out the protocol section due to the length of the log file):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:21:05 PM, on 06/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Q-Type\Versato.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Q-Type\OSD.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Enable Q-Type Driver.lnk = C:\Program Files\Q-Type\Versato.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.3.3.38/backgammon/backgammon-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.6.4.21/jigsaw/jigsaw-en_US.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.0.30/paigow/paigow-ob-assets.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262198429750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262198420859
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://robertmckenzie.dyndns.org:44000/activex/AxisCamControl.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://J:\SuperCD\IntraLaunch.CAB
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} (CamRegCleanControl Object) - http://www.amustsoft.com/onlineregistryscan/onlineRegCleaner.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://gamerival.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA54791-4249-4EA1-A50F-32861D6ADE34}: Domain = flfrd.phub.net.cable.rogers.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA54791-4249-4EA1-A50F-32861D6ADE34}: NameServer = 4.2.2.1,4.2.2.2,64.71.255.198
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9fd0318d3872) (gupdate1c9fd0318d3872) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 21803 bytes

Hi,

You HJT log looks clean and I cant answer as to why you are getting this unknown security warning, but if you are a competent PC file user then you can try this, you are running XP and it is years since I used this OS. But if I remember correctly XP does not have a group policy editor, therefor there is no way to disable it for internet explorer.
You must right-click the downloaded file and choose Properties. Click Unblock and
then OK. The Zone Identifier attached to that file should now be reset.

Also for any Vista users finding this issue then the following should work.

Run gpedit.msc, and go to Local Computer Policy > User
Configuration > Administrative Templates > Windows
Components > Attachment Manager and enable "Default risk level for file
attachments", and then enable "Inclusion list for low risk file types"
and add to this list the file extensions that you want to open without
triggering this warring box.


Just for info, O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

This is a HKLM entry is a run key that is used to start a program automatically when a user, or all users, logs on to your PC.


Barrie

I tried the Unblock, but as soon as I make the change, "Unblock" re-appears again when I right-click and select Properties.

I have the corporate edition of XP and it does have a group policy editor.
I configured it as mentioned and the prompt went away.

For the record, XP Pro, which a lot of home users have, also has a Group Policy Editor. It can be configured as Barrie explained.

Hi,


Thanks Mele20 for the clarification and BlackRose

Quoted

I have the corporate edition of XP and it does have a group policy editor.
I configured it as mentioned and the prompt went away

Thanks for the feed back pleased all is OK now.



Barrie

Just to be clear, this procedure sounds like set a permission to run any '.exe', right?
That would be a generic solution and non-specific as well as being unsafe.

Hi marfabilis,


No as we said you select the respective problem download IE select on a specific files / files. So you have to have some file knowledge .


Barrie

Hi Barrie,
As far as I know this policy "Inclusion list for low risk file types" is generic to file extensions .exe. bmp .jpg etc... and not just for one file only. Read this and this

Quoted from "marfabilis"

Just to be clear, this procedure sounds like set a permission to run any '.exe', right?
That would be a generic solution and non-specific as well as being unsafe.

That's the way it appears, but I just went back and changed it from .exe to avgnt.exe and it accepted the change and stops the prompt when avgnt.exe is trying to run.

Just specifying .exe would be telling Windows that all .exe files are safe (bad idea).

It would be nice to know why this happened, as most of the .exe files delivered in the latest updates indicate that they came from another computer (Unblock), but only avgnt.exe is triggering the security warning.

Hi marfabilis


As I said to BlackRose it is years since I ran XP and in fact had to use this method once or twice, but found that it could be file specific not generic, I know over the years things change and I no longer use MS so am out of the loop working on what I remember. You and Mele20 have more knowledge than me so any input to the user can only help.

I would have expected there Avira Guard to pick up any Malware exe files trying to execute thus keeping there system safe.

Hi BlackRose,

Quoted

That's the way it appears, but I just went back and changed it from .exe to avgnt.exe and it accepted the change and stops the prompt when avgnt.exe is trying to run.

So it seems it is file specific. And I am pleased this worked for you.


Barrie

I was concerned with the following: if you have a standard machine, ok, XP Pro installed and you're using normally, then you try to open a txt file using Notepad (low risk), you will not receive any warning. A .exe file (high risk) you will. If you uncheck that box, you'll not prompted again to that specific file, which works in most cases. But I have seen users complaining that it doesn't apply to avgnt.exe. Windows always asks before opening that file. I really dunno why. The solution will work perfectly but for that file and all .exe files too. If I'm wrong correct me.

Hi BlackRose,

Quoted

It would be nice to know why this happened, as most of the .exe files delivered in the latest updates indicate that they came from another computer (Unblock), but only avgnt.exe is triggering the security warning.

It is very odd that Windows would block an exe being run when it is already on your computer. I could understand this if the file was on the internet.

It could be a leftover from a previously installed AV or other security application, also as a test try shutting down MSC but you would first have to revert back to the original file options so that you would get the security warning box appear.


Barrie

I switched from AVG to Avira about a year ago.

I made sure that AVG was fully removed from my system (file system and registry) before I installed Avira.

This is the first issue I've had with Avira since switching.

What's MSC?

MSC is Microsoft Management Console snapin ...such as gpedit.msc which can be opened via the Run command on the Start menu. You can have many snapins. I have a snapin I made to monitor page file usage so that my custom page file size is correct (not way too large like XP wants to make it or too small so that Windows decides to override my custom size and halts the computer while it resizes the paging file). XP Pro has some neat stuff not available in the Home version.

Did you download Avira using either IE or Firefox? I think the problem may be the zone identifier information. Fx is married to IE in this regard. If you used Opera for downloading you shouldn't have this problem. If you used IE or Firefox (I suspect Chrome will also be a problem in this regard) for downloading Avira, do you have the Avira download site in your IE Trusted Zone? If it is in the Internet Zone then that may be why you are getting this security prompt. I have a little program from Ryan Means, who is an Internet Storm Center handler, which integrates into the Windows Shell and I can very easily delete any zone information from the file's Alternate Data Streams which, with this little program, appears as a tab on file Properties. I routinely delete all ADS from any newly downloaded file. If you did use IE or Fx to download, and did not have Avira in the Trusted Zone on IE, then putting Avira download site there now might fix it. I'm just making a guess here and may be completely off base, but I do know Windows, as of XP SP2, pays attention to zone identification and I think what Barrie told you to do changes the zone ID for avgnt.exe to Trusted but I am not sure about it. No problem would arise in the first place (if I am right) if Avira download site was in IE's trusted zone or if Opera was used as Opera never married itself to IE in regards to Zones when downloading as did Mozilla for Firefox several years ago.

Hi,

Microsoft Security Centre if you are unsure then look here.

http://www.winxptutor.com/sp2/wscsvc.htm


Barrie

It's just "Security Center" and the ".msc" on the end of "Services.msc" stands for Microsoft Common Console Document type file.

Hi Mele20

Quoted

I think the problem may be the zone identifier information.Fx is married to IE in this regard.

Thank you for this info as you know I always used Opera now coupled with Safari.
Safari still only gives me limited board reply options no URL links or quote marks etc.

Barrie

I did use Firefox to download Avira 10.

I used IE 7 to download Avira 9 and never had any of these issues.

Maybe I'll try IE7, but I doubt that's the issue - I have never had this particular issue in the 5+ years that I've been running XP Pro on this PC.

I don't have any trusted sites defined in Firefox, and only have my financial institution defined in IE7.

EDIT: I disabled the group policy change and added avira.com to my trusted site list. The warning still appears

Hmmm...sorry my idea wasn't helpful. What you describe is very strange. I'll think more about it as I'd like to understand what could cause this (as well as be of some help).

It is a zone identifier issue though. I just read a Microsoft article confirming this. Instead of just putting the download site (avira.com) in IE's trusted zone, I think you would need to uninstall the current Avira and DOWNLOAD AGAIN USING IE with the download site in the trusted zone. That will make the file "trusted" and XP should not pop that warning. That is in theory what will happen if you uninstall and then download again, etc. but it is very odd that XP would pop that alert on just that one .exe file from Avira and only from Avira 10 not other versions you have used on that computer. So, theoretically, what I have told you to do would fix it but in reality it might not.

The other thing you could try would be installing software that will find ADS on your files and can identify the ADS (the zone ID) on the file and delete it. Without a zone identifier at all you shouldn't get the warning (nor should you get if the zone identifier is the Trusted Zone and you said you downloaded using Fx which means the identifier is the Internet Zone which can produce that warning.

There could be some security patch for XP SP 3 recently that affected how that popup occurs but that is unlikely as others have not been posting about the same issue.

It's not a network file is it? Because that will produce the warning. I've gotten the warning on a network file from Avira but only when it was a network file.

Yes, it's definitely strange. I think there are only 3 people reporting this particular issue, so it's difficult to nail down.

No, it's not a network file, everything is local on this install.

I'll uninstall it, disable the group policy change, put avira.com in the trusted site list, and download it with IE7 and see what happens.