AVG Virus Scanner Accidentally Removes Critical Windows Component

Status
Not open for further replies.

Wildside

Source

The world of computer security can be a scary place for friends and foes alike. This weekend users found their AVG software updated with a new virus definition file. Then they quickly found their computers crashing.

What was discovered was that the new virus definition file mistook user32.dll, a critical Windows component, for a container for the Trojan Horses PSW.Banker4.APSA or Generic9TBN. When the scanner went active, it deleted this critical file, thinking it contained a virus, causing the system to crash. AVG recommended users whose definitions auto-updated delete their virus definition file and cancel any scans they have running.

If your computer is affected, it will either stop booting or go into an endless reboot loop. Vista users can breathe a sigh of relief -- so far that OS has remained relatively unaffected. Windows XP users, however, must now exercise extreme caution, or risk having to carry out a bothersome repair process.

Both AVG 7.5 and AVG 8.0 were affected by the erroneous definition file. The file has since been updated to remove the error.

For affected users, you can either reinstall Windows or repair it with a Windows disk. A third option is to use a boot disc, such as the Ultimate Boot CD (ISO) and then grab the files you need from the "C:\Windows\System32\dllcache" directory.

With 80 million total users worldwide, thanks in part to AVG's free version, this error is obviously significant to many. So far AVG has not issued a formal statement about the problem, although there are posts on their discussion board about it, to which they have responded informally.

For those disheartened by AVG's offense and still hoping for a free antivirus fix, ClamWin is one alternative. It's another free software, a Windows port from the Linux scanner ClamAV. Some users also wrote in to suggest Free-AV as an alternative.

And of course there are the many professional security suites on the market as well.

Update: Some of our readers are reporting that Vista may be having similar problems to Windows XP (see following comments). The scope of this problem is unclear, as some Vista users reported being unaffected.

dang, who has AVG here on tech-forums? SPREAD THE NEWS!
 
I would suggest rather than simply removing either version of AVG to simply disable it in the msconfig utility for the time being until Grisoft sees that corrected. For the 8.0 only one item is seen in the startup tab while the two email scanner and Watchdog items are found in the services tab on both XP and Vista alike.

First check off the "hide all microsoft services" box to avoid inadvertently disabling any necessary MS background services by accident if you are new to the utility included in Windows as a diagnostics tool.
 
You know, now that I think about it. This could be why Win7 keeps giving me hardware failure BSOD. I have AVG on there...
 
The problem the article posted on the other thread goes into is the latest automatic update that goes onto both the 7.5 and latest 8.0 versions. This also includes both retail and free editions and simply goes after the one particular user32.dll file. Look to see if that is seen in the early stages you are working with now. Mak

Since 7 is still prebeta it will likely have it. The user32.dll is found in XP as well as Vista. For both XP and Vista that is in the "C:\Windows\system32" sub folder. It looks like the main file for admin/user accounts simply by name alone.
 
If it is in Vista then it is in Win7. It is still very heavily Vista right now.

AVGissue.png


Just like I said. I updated AVG and I have not had a crash yet today. Let's see if I was right.
 
It would be interesting to find out anyways. I had a beef with a friend when relaying the information about AVG since he was asking about the latest version with him blabbering that Vista was the problem? He is simply too lazy!

The user32.dll file has been a common system file in different versions to start with. Like I was starting to describe before it looks like a file you think would be something for user accounts when its actual purpose is to allow various programs to have a GUI to work with for text as well as user input and Windows management.

Hey Mak the article there points mostly at XP not so much with Vista as being the version this supposedly hammers the most. Grisoft moved fast to see that corrected so I wouldn't expect much. I only temporarily disabled AVG earlier today and haven't seen one iota of trouble since the update was out over the weekend and today is... Wednesday!
 
My crashes came pretty quick after loading Win7. As you see from my shot there that is the Win7 Windows folder with the file highlighted. Only after reading this article did I make it mandatory to update AVG first thing.

Since then I have not had an issue. Gotta also remember this is mainly being tested on XP/Vista. I am on a pre-beta so there is no telling what a wrong definition could do.
 
By the time you load up XP on any older PC you have lying around and go for an update you probably would be wasting your time at this point. By now Grisoft has been informed well before the article came out with complaints. "Hey what's going on?" Grrr... :mad:

I can imagine they pulled that off the server fast once they heard about it. But for anyone worried since this seems to affect XP more than Vista simply copy the user32.dll file onto a floppy if you have one or another drive in case the original is removed where you can use a live distro to see the replacement copied back if you are not already dual booting with another OS (Vista, Linux).
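
The recovery route mentioned in the thread (boot from other media and copy the deleted file back from the "dllcache" directory), written out as an added example that is not part of the original article or any poster's reply. It assumes the affected Windows volume is mounted offline and that Python is available on the boot media; the function names are hypothetical and the demo tree is constructed placeholder data, not a real Windows install.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def find_ci(parent, name):
    """Resolve a child by name ignoring case: the thread writes both
    System32 and system32, and a Linux live disc is case-sensitive."""
    if parent is None or not parent.is_dir():
        return None
    for child in parent.iterdir():
        if child.name.lower() == name.lower():
            return child
    return None

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_from_dllcache(windows_root, name="user32.dll"):
    """Return 'present', 'restored' or 'no-cached-copy' for an offline install."""
    sys32 = find_ci(Path(windows_root), "System32")
    if sys32 is None:
        raise FileNotFoundError(f"no System32 folder under {windows_root}")
    if find_ci(sys32, name) is not None:
        return "present"            # never overwrite a file that is still there
    cached = find_ci(find_ci(sys32, "dllcache"), name)
    if cached is None:
        return "no-cached-copy"     # fall back to a repair install or saved copy
    target = sys32 / cached.name
    shutil.copy2(cached, target)
    if sha256(target) != sha256(cached):   # confirm the copy is byte-identical
        target.unlink()
        raise OSError(f"restored {name} failed verification")
    return "restored"

def demo():
    """Constructed stand-in for a mounted XP volume; not a real Windows tree."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS"
    cache = root / "system32" / "dllcache"
    cache.mkdir(parents=True)
    (cache / "user32.dll").write_bytes(b"constructed placeholder bytes")
    first = restore_from_dllcache(root)     # file missing -> copied back
    second = restore_from_dllcache(root)    # file now present -> left alone
    return first, second

if __name__ == "__main__":
    print(demo())
```

Update the antivirus definitions before the next scan, otherwise the restored file can be removed again.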
 