2008 November 09 « Smokey's Security Weblog

Severe problems with WinXP after AVG Antivirus marked “user32.dll” as “Trojan Horse PSW banker4″

Today reached me reports of Windows XP/AVG Antivirus users hitted by an AVG false positive. That FP marked the Windows XP system file user32.dll as Trojan Horse PSW banker4 and subsequent cleaned/removed the system file. After that AVG “cleaning” action they rebooted their PC with result that Windows couldn’t start anymore.

Fix

When AVG have performed the same action on your PC, cleaning/removing user32.dll, reboot your PC with the Windows XP CD, hit in the upcoming menu the “R” on your keyboard, hit “1″, hit “enter”, answer password question with “enter” on your keyboard, after that you get the command prompt c:\windows>
Type behind that prompt copy c:\windows\$NTuninstallKB925902$\user32.dll c:\windows\system32 and hit “enter” on your keyboard.

Remove the Windows XP CD, reboot, and Windows should function normal again.

According to AVG Technologies Support, the problem of the FP is solved with today’s update VDB 270.9.0/1778

>>> Addition 2008-11-16: comment of Grisoft/AVG regarding this false positive and FPs in common in this post on my blog. Smokey

November 9, 2008 Posted by Smokey | Advisories, Alerts, Friends, Malware, News, Security | AVG Antivirus false positive, fix/solution, Grisoft, Trojan Horse PSW banker4, windows xp, Windows XP system file, Windows XP system file user32.dll | 29 Comments

Introduction

.
Welcome to Smokey’s Security Weblog!

Let’s introduce myself: my (nick)name is Smokey aka Smokey Bear.

Like my board Smokey’s Security Forums, this blog is mainly devoted to Security and all related issues. However, other issues like e.g. major occurances on my forum and social topics will be blogged too.

My board offer free security and malware related Support, Help, Advice and Education forums, however is not limited to such issues. Smokey’s have also forums with comprehensive Microsoft Windows related issues like Microsoft and Windows OS Based Products News, MS Download Center, MSDN Developer Information, software reviews, browser and tools forums, Webware, Social Networks info, Hardware- and Gadgets forums and last but not least a dedicated Windows Drivers, Linux Drivers, Firmware and BIOS Survey & Updates section containing (recently) released Drivers, Firmware and BIOSses, Windows 7 releases included. Note: most info on Smokey’s is real-time and therefore always up-to-date.

As extra service we have a OTL (formerly OTListIt2) Log Analyzing and Malware Removal/Cleaning Help Forum, full qualified OTL Log Analysers/Malware Hunters will be pleased to help you for free to clean your malware infected PC.

We are hosting and maintaining the Official Jetico Inc. Support Forums, including the following products:

- Jetico Personal Firewall V1
- Jetico Personal Firewall V2
- Jetico BestCrypt for Windows
- Jetico BestCrypt for Linux
- Jetico BestCrypt Volume Encryption
- Jetico BCArchive
- Jetico BCWipe for Windows
- Jetico BCWipe for UNIX

Disclaimer: information in this blog can be based on (not confirmed) statements of (anonymous) sources, Smokey’s Security Weblog don’t take any responsabilty for the credibility of these sources and their statements.

The posts/articles in this blog can be supplemented with so called “Possibly related posts” links. Because these links are automatically generated by WordPress.com, Smokey’s Security Weblog have no influence on the links itself and/or content of them. Therefore this Weblog don’t take any responsability for these links and all related issues.

About Copyright and this Blog: it is allowed to reproduce (parts of) posts in this blog if this reproduction is provided with a direct link to the original blog post. It is NOT allowed to copy, use and/or reproduce any image or blog banner.

Blog comments policy: to restrain indecent and off-topic comments and spam, comments are reviewed before publishing. Therefore, delay in comment publishing is unavoidable. Obligatory language of comments is English.
.