Severe problems with WinXP after AVG Antivirus marked “user32.dll” as “Trojan Horse PSW banker4”
Today I received reports from Windows XP/AVG Antivirus users hit by an AVG false positive. That FP flagged the Windows XP system file user32.dll as Trojan Horse PSW banker4 and subsequently cleaned/removed the system file. After that AVG “cleaning” action they rebooted their PC, with the result that Windows couldn’t start anymore.
Fix
When AVG has performed the same action on your PC (cleaning/removing user32.dll), boot your PC from the Windows XP CD, press “R” in the menu that appears (this starts the Recovery Console), press “1”, press “Enter”, answer the password question with “Enter”, after which you get the command prompt C:\WINDOWS>
At that prompt type copy c:\windows\$NTuninstallKB925902$\user32.dll c:\windows\system32 and press “Enter”.
Remove the Windows XP CD, reboot, and Windows should function normally again.
According to AVG Technologies Support, the FP is fixed with today’s update VDB 270.9.0/1778.
>>> Addition 2008-11-16: a comment from Grisoft/AVG regarding this false positive and FPs in general is in this post on my blog. Smokey
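As an added example (not the blog’s or AVG’s code) that generalizes the copy command above and the dllcache route some readers used: a Python helper that, given the damaged install’s WINDOWS folder (assumed reachable from a rescue environment or with the disk slaved into another PC), lists the backup copies of user32.dll with their sizes and SHA-256 hashes and restores one only when system32\user32.dll is actually missing, optionally requiring the hash of a known-good copy from an identical machine. build_demo_tree is a constructed stand-in for the damaged disk, not a real one.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, used to compare candidate copies."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_user32_backups(windows_root):
    """Candidate copies of user32.dll under a WINDOWS folder: the Windows File
    Protection cache (system32\\dllcache) first, then the $NTuninstallKB...$
    hotfix backup folders, highest KB number first. Entries: (path, size, sha256)."""
    root = Path(windows_root)
    paths = [root / "system32" / "dllcache" / "user32.dll"]
    kb_dirs = [d for d in root.iterdir()
               if d.is_dir() and d.name.lower().startswith("$ntuninstall")]
    for d in sorted(kb_dirs, key=lambda d: d.name.lower(), reverse=True):
        paths.append(d / "user32.dll")
    return [(p, p.stat().st_size, sha256_of(p)) for p in paths if p.is_file()]


def restore_user32(windows_root, reference_sha256=None):
    """Copy a backup over system32\\user32.dll only when it is missing. With
    reference_sha256 (hash of a known-good copy from an identical, patched XP
    box) only a matching backup is used. Returns the source Path or None."""
    target = Path(windows_root) / "system32" / "user32.dll"
    if target.is_file():
        return None  # never overwrite a file that is still present
    for path, _size, digest in find_user32_backups(windows_root):
        if reference_sha256 is None or digest == reference_sha256:
            shutil.copy2(path, target)
            return path
    return None


def build_demo_tree():
    """Constructed stand-in for a damaged XP install (not a real disk): system32
    without user32.dll, one copy in dllcache and one in $NTuninstallKB925902$,
    the hotfix folder the post's copy command reads from."""
    win = Path(tempfile.mkdtemp()) / "WINDOWS"
    (win / "system32" / "dllcache").mkdir(parents=True)
    (win / "$NTuninstallKB925902$").mkdir()
    (win / "system32" / "dllcache" / "user32.dll").write_bytes(b"MZ-dllcache-copy")
    (win / "$NTuninstallKB925902$" / "user32.dll").write_bytes(b"MZ-prehotfix-copy")
    return win
```

Note that the $NTuninstallKB...$ folder holds the version of the file that the hotfix replaced, so a copy taken from there is older than the one Windows File Protection keeps in dllcache; comparing hashes against a known-good machine tells you which one you actually restored.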
Thank you for this comment.
Would you have a suggestion for those PCs that are delivered with Windows pre-installed, i.e. without the Windows XP CD?
Thank you,
That’s it! I have this problem... yesterday my AVG antivirus found a threat and after that... blue screen. Reboot and reboot and reboot... is the problem... after the Windows logo appears for 1 sec, this message:
STOP 0x0000008E (0xC0000005, 0x8081A799, 0xF739A778, 0x00000000)
Thanks for this article... I will try to fix the problem right now...
Didn’t solve it. It says “access denied”... any other solution?
thanks
This fix worked a treat thanks. It seems to be only happening with people still running AVG 7.5 & XP. So far no PCs running AVG V8 have been affected.
Didn’t help me; happened on two machines, on one of them I can’t even do a “dir”. Unrecoverable?
Hi,
I tried the fix several times and it worked as advertised....
Smokey
Worked!! Remember... use CAPITALS if needed!!!
I needed to type C:\WINDOWS\system32........ etc.
Thanks dude, I was uncertain whether this was a FP or not; I googled the virus and came to your blog, so I realized it was safe to ignore the threat. You saved my day.
Working Perfectly!!! That’s It! Thanks!!!
Thank you VERY MUCH!! It worked perfectly.
It worked for me too for 5 of 7 computers…
I still have other issues with 2 of them…
Got ‘jumped’ by this false positive this morning. Reacted too fast, hit ‘put it in the vault’ and ‘lost’ the user32.dll and the use of the computer when AVG moved it! So I did like aghostofasmile suggested. It’s a little bit more involved than it first appears:
1. Make a BartPE CD (First challenge: requires that you have access to a Windows installation CD or to a machine with the reinstallation files residing on the HD – fortunately I had a Dell laptop with the latter) (BartPE looks for these files when you run it, so if you’re not sure let it look for you)
2. Your PC needs to be able to start up from a CD – there’s a good chance yours is set up to go straight to the HD, and this will again (and again ...) block everything. So, you’ll need to set the BIOS to look first for a CD-ROM to boot from. Start your ‘dead’ machine and boot it into the BIOS setup screen (hit the Delete button over and over again as the machine is booting up). You’ll probably need to look for ‘Advanced’ options – there you will find the option to change the order of where your computer looks first to boot up – move CD-ROM to #1
3. Restart with the BartPE CD-ROM in the DVD/CD drive. If you’ve done step 2 correctly it’ll boot. It may take a while to boot up from the CD-ROM but it’ll get there!
4. Use the ‘Go’ menu (replacement of the ‘Start’ menu) to find – under ‘Programs’ – the file manager A43 File Management Utility (equiv. of Explorer)
5. With the help of A43, on the ‘dead’ computer go to windows\system32\dllcache\ and copy the file user32.dll
6. Go back up a level to windows\system32 and paste the copy of user32.dll
7. Restart the ‘dead’ computer (via the ‘Go’ menu) and before it boots open the DVD/CD drive and remove the CD to prevent it from booting off the CD-ROM again.
8. The ‘dead’ computer should now be ‘Alive’ again!
Disclaimer: This worked for me so I hope it’ll work for you. If it doesn’t please don’t blame me.
The fact that computer makers ship computers without windows CDs is criminal. You are paying for windows in the price of the PC and should also have media for reinstall. I would complain to the manufacturer if you don’t get reinstall media (and, no, a partition is not sufficient if your drive dies or you delete it).
I work fixing PCs and today received a customer somewhat angry about the problem. It has the latest version installed (8.0.175) so it’s affected too...
Update:
It seems to be related to the dat files, because the 1780 update fixes the false positive. To prove it, I searched manually for the USER32.DLL file, right-clicked and asked AVG to scan for viruses... nothing found, so it was fixed!
=) =)
Regards.
Macufendo.
Still problems after correcting the problem. Any other suggestions?
In case AVG has managed to clean away all copies of user32.dll on your PC and you have received an XP install/repair CD with your computer, the procedure to recover user32.dll from that CD without completely reinstalling Windows is described at http://www.commentcamarche.net/forum/affich-2247732-xp-bloque-au-demarrage (in French I’m afraid) (it’s “méthode 1”). Worked on mine!
Thank you!!
Start XP in safe mode. Remove AVG 7.5. Restart computer in normal mode. Install AVG 8.
Hi
I have now noticed that the only PCs I have with this problem are HP/Compaq PCs.
Is this the same for others???
Thanks buddy, you really saved my a** today with this fix. I did exactly as you said. I had to borrow an XP CD as mine is a DELL and didn’t have one. Used the R, 1, Enter sequence and entered the copy command with the path. Bingo. I have never been so thankful. Going to tweet your solution. I have to say that I had lost user32.dll from the vault. In case you have it, follow the safe mode solution above. Just in case: mine was AVG 8.0, so those were affected too, as suggested above.
It happened on both my computers with AVG8; it came with the last upgrade. With the Windows CD we first went to install Windows and then repair; quite long but worked perfectly.
I tried several different solutions but this was the only one that worked, PERFECT, thanks a lot. Henrik
That’s why community is such a great idea. When the amount of possible implications is too big for one person or small group, all users help to straighten things out.
I prefer the AVG User32.dll Fix – Boot CD and successfully used it in a couple of systems.
http://www.winhelponline.com/blog/avg-false-positive-user32-dll-restore-tool/
Thank you very much. It worked perfectly!!!
For those using this method with a Spanish keyboard, use “Alt Gr + A” to insert the $ symbol.
Thanks again.
Nuria
Another solution:
Take the affected hard disk and install it in a PC with Windows XP (via a USB adapter or as a slave drive).
Copy the file c:\windows\system32\user32.dll from the host PC to the equivalent location on the slave disk.
Remove the slave disk, return it to the affected PC, and done.
[...] Alarm, you categorised it as a Trojan. The second blooper concerned Windows system file user32.dll, I already blogged about it. You were of the opinion that this file was a Trojan too. Your recent false positive has labeled Adobe [...]
Pingback by AVG, what the heck are you doing lately? Shame on you! « Smokey’s Security Weblog | November 15, 2008 |