Dec 232008

AVG Free appears to be falsely detecting soundcard drivers, sysaudio.sys, as being infected with the Trojan Dowloader.Delf.BUY


If you delete or move these files to the virus vault, you will disable the sound on your system.

This is the third time in two months Grisoft have done this and they are losing credibility. There are plenty of free and paid for alternatives such as Avast! and AntiVir and it’s difficult to continue recommending AVG.

If you are receiving the message sysaudio.sys is infected with Dowloader.Delf and are concerned then download and run Malwarebytes or follow the Removing a Trojan instructions on the IT Queries webpage to check you aren’t infected with anything nasty.

  2 Responses to “Another AVG false alarm”

  1. […] the time of writing, this appears to be a mistake by AVG which is the third time in recent months. You should not delete or put sysaudio.sys in the virus vault as you will disable your […]

  2. Wrong, wrong, wrong…

    The legitimate sysaudio.sys lives in Windows\System32\drivers. The version in Windows\System32 IS most likely a virus (actually, a trojan that manipulates Google search results to forward you to scam sites), and there’s a big giveaway.

    The app that installs the trojan creates a registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2

    And sets it to “sysaudio.sys”.

    There’s also a variant floating around that calls itself “wdmaud.sys”. Again, the legitimate driver lives in System32\Drivers, the fake drops itself in System32.

    Apparently this is related to the “yahoo counter” Javascript hack; this exploits security vulnerabilities in (IIRC) Flash, Java and various web browsers, and uses exploit code to install the trojan. The trojan then manipulates Google search results, apparently with the intention of selling the victim scamware (namely, fake antivirus software).

    I’ve been picking apart this little pain-in-the-neck since it appeared on one of my machines last month. I’ve yet to get conclusive proof of the installation method, but the trojan itself is a nasty piece of work.

    Feed the file to and watch the scan results come in… Microsoft, AVG and a few others (notably Sophos, AIUI they were one of the first, after Microsoft interestingly enough) detect it. It’s still quite rare in AV detection checklists, and nothing recognises the new “wdmaud.sys” variant at all.

    Just a small FYI.

Leave a Reply

%d bloggers like this: