Smokey's Security Weblog

veritas odium parit

Severe problems with WinXP after AVG Antivirus marked “user32.dll” as “Trojan Horse PSW banker4”

Today I received reports from Windows XP users running AVG Antivirus who were hit by an AVG false positive. That FP flagged the Windows XP system file user32.dll as "Trojan Horse PSW banker4" and subsequently "cleaned" (removed) the system file. After that AVG "cleaning" action they rebooted their PC, with the result that Windows couldn't start anymore.

Fix

If AVG has performed the same action on your PC (cleaning/removing user32.dll), boot your PC from the Windows XP CD, press "R" in the menu that appears, press "1", press "Enter", answer the password question with "Enter", and you will get the command prompt c:\windows>
Behind that prompt type copy c:\windows\$NTuninstallKB925902$\user32.dll c:\windows\system32 and press "Enter".

Remove the Windows XP CD, reboot, and Windows should function normally again.

According to AVG Technologies Support, the FP is fixed with today's update VDB 270.9.0/1778.
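The fix above copies user32.dll back from the $NTuninstallKB925902$ hotfix uninstall folder, which only exists if that hotfix was installed; comment 13 below uses the Windows File Protection cache (system32\dllcache) instead. As an added example that is not part of the original post and not AVG's or Microsoft's code, here is a small Python script that generalizes both: it enumerates the standard places Windows XP keeps a spare copy of a protected system file (dllcache, ServicePackFiles\i386 and every $NTuninstallKB…$ folder), hashes them, prefers a copy whose hash agrees with at least one other before restoring it, and verifies the restored file. The directory tree and the file contents are constructed in a temporary folder so the script runs anywhere; on a real repair you would point restore() at the mounted Windows directory of the affected disk from a PE boot CD or a second PC (the Recovery Console itself cannot run Python).

```python
"""Find and verify spare copies of a Windows XP system file before restoring it.

Added example, not code from the original post or from AVG. It assumes the
standard XP layout under the Windows directory (system32\\dllcache, the
ServicePackFiles\\i386 store and $NTuninstallKB...$ hotfix folders); the sample
tree below is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Standard XP locations that hold a spare copy of a protected system file.
SPARE_LOCATIONS = ("system32/dllcache", "ServicePackFiles/i386")
HOTFIX_UNINSTALL_GLOB = "$NTuninstallKB*$"   # one folder per installed hotfix


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def candidate_copies(windows_root, name):
    """Map each spare copy of `name` (path relative to the Windows dir) to its SHA-256."""
    root = Path(windows_root)
    dirs = [root / loc for loc in SPARE_LOCATIONS] + sorted(root.glob(HOTFIX_UNINSTALL_GLOB))
    found = {}
    for d in dirs:
        p = d / name
        if p.is_file():
            found[p.relative_to(root).as_posix()] = sha256_of(p)
    return found


def pick_restore_source(copies):
    """Prefer the hash that the most spare copies agree on; within that group
    prefer dllcache, which holds the version that was actually installed.
    Returns (relative path, sha256, number of agreeing copies) or None."""
    if not copies:
        return None
    by_hash = defaultdict(list)
    for rel, digest in copies.items():
        by_hash[digest].append(rel)
    digest, members = max(by_hash.items(), key=lambda kv: len(kv[1]))
    members.sort(key=lambda rel: (not rel.startswith("system32/dllcache"), rel))
    return members[0], digest, len(members)


def restore(windows_root, name, dry_run=True):
    """Plan (dry_run) or perform the copy back into system32 and verify the result."""
    root = Path(windows_root)
    target = root / "system32" / name
    choice = pick_restore_source(candidate_copies(root, name))
    if choice is None:
        return {"status": "no-spare-copy", "target_present": target.is_file()}
    src_rel, digest, agreeing = choice
    result = {"status": "plan", "source": src_rel, "sha256": digest,
              "agreeing_copies": agreeing, "verified": False}
    if not dry_run:
        shutil.copy2(root / src_rel, target)   # the same copy the Recovery Console step does
        result["status"] = "restored"
        result["verified"] = sha256_of(target) == digest
    result["target_present"] = target.is_file()
    return result


def build_sample_tree(base):
    """Constructed XP-like tree: user32.dll is gone from system32 (the AV removed it),
    two spare copies match each other and the service-pack copy is an older build."""
    root = Path(base) / "WINDOWS"
    current = b"MZ constructed user32 current build"
    older = b"MZ constructed user32 older build"
    for rel, data in {
        "system32/dllcache/user32.dll": current,
        "$NTuninstallKB925902$/user32.dll": current,   # the folder named in the post
        "ServicePackFiles/i386/user32.dll": older,
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root


def demo():
    """Run a dry-run plan and then the real restore against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        plan = restore(root, "user32.dll", dry_run=True)
        done = restore(root, "user32.dll", dry_run=False)
    return plan, done


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The dry run is there on purpose: when an AV product has quarantined a system file, the first thing to establish is which spare copies exist and whether they agree, because a lone copy from an old service-pack store may be an older build than the one Windows expects. If no spare copy is found at all, the script reports "no-spare-copy" rather than guessing, which is the situation the commenters with an OEM machine and no XP CD describe.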


November 9, 2008 | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links

32 Comments »

  1. Thank you for this comment.
    Would you have a suggestion for those PCs that are delivered with Windows pre-installed, i.e. without the Windows XP CD?

    Comment by Pancho | November 10, 2008 | Reply

  2. Thx You,

    Comment by P.Beukelman | November 10, 2008 | Reply

  3. That's it! I have this problem… yesterday my AVG antivirus found a threat and after that… blue screen. Reboot and reboot and reboot… is the problem… after the Windows logo appears for 1 sec, this message:
    STOP 0x0000008E (0xC0000005, 0x8081A799, 0xF739A778, 0x00000000)
    Thanks for this article….i will try to fix the problem right now…

    Comment by Roussos Giorgos | November 10, 2008 | Reply

  4. Didn't solve it. It says "access denied"… any other solution?
    thanks

    Comment by Miguel | November 10, 2008 | Reply

  5. This fix worked a treat thanks. It seems to be only happening with people still running AVG 7.5 & XP. So far no PCs running AVG V8 have been affected.

    Comment by Charlie Nott | November 10, 2008 | Reply

  6. Didn't help me; happened on two machines, on one of them I can't even do a "dir". Unrecoverable?

    Comment by feep | November 10, 2008 | Reply

  7. Hi,

    i tried the fix several times and it worked as advertised….

    Smokey

    Comment by Smokey | November 10, 2008 | Reply

  8. Worked!! Remember… use CAPITALS if needed!!!
    I needed to type C:\WINDOWS\system32…….. etc.

    Comment by vvm | November 10, 2008 | Reply

  9. Thanks dude, I was uncertain if this was a FP or not, I googled the virus and came to your blog, so I realized it was safe to ignore the threat. You saved my day

    Comment by João | November 10, 2008 | Reply

  10. Working perfectly!!! That's it! Thanks!!!

    Comment by Giorgos Roussos | November 10, 2008 | Reply

  11. thank you VERY MUCH!! it worked perfectly

    Comment by Alexandros | November 11, 2008 | Reply

  12. It worked for me too for 5 of 7 computers…

    I still have other issues with 2 of them…

    Comment by Sylvain | November 11, 2008 | Reply

  13. Got 'jumped' by this false positive this morning. Reacted too fast, hit 'put it in the vault' and 'lost' the user32.dll and the use of the computer when AVG moved it! So I did as aghostofasmile suggested. It's a little bit more involved than it first appears:

    1 Make a BartPE CD (First challenge: Requires you have access to a Windows installation CD or to a machine with the reinstallation files residing on the HD – fortunately I had a Dell laptop with the latter)(BartPE looks for these files when you run it, so if you’re not sure let it look for you)

    2 Your PC needs to be able to start up on a CD – there’s a good chance yours is set up to go straight to the HD, and this will again (and again …) block everything. So, you’ll need to set the BIOS to look first for a CD-ROM to boot from. Start your ‘dead’ machine and boot it into the BIOS setup screen (hit delete button over and over again as the machine is booting up). You’ll probably need to look for ‘Advanced’ options- there you will find the option to change the order of where your computer looks first to boot up – move CD-ROM to #1

    3 Re-start with the BartPE CD-ROM in the DVD/CD drive. If you’ve done step 2 correctly it’ll boot. It may take a while to boot up on the CD-ROM but it’ll get there!

    4 Use the ‘Go’ menu (replacement of the ‘Start’ menu) to find – under ‘Programs’ – the file manager A43 File Management Utility (equiv. of Explorer)

    5 With the help of A43, on the 'dead' computer go to windows\system32\dllcache\ and copy the file user32.dll

    6 Go back up a level to windows\system32 and paste the copy of user32.dll

    7 Restart the ‘dead’ computer (via the ‘Go’ menu) and before it boots open the DVD/CD drive and remove the CD to prevent it from booting off the CD-ROM again.

    8 The 'dead' computer should now be 'alive' again!

    Disclaimer: This worked for me so I hope it’ll work for you. If it doesn’t please don’t blame me.

    Comment by Andy WIlliams | November 11, 2008 | Reply

  14. The fact that computer makers ship computers without windows CDs is criminal. You are paying for windows in the price of the PC and should also have media for reinstall. I would complain to the manufacturer if you don’t get reinstall media (and, no, a partition is not sufficient if your drive dies or you delete it).

    Comment by jim | November 11, 2008 | Reply

  15. I work fixing PCs and today received a customer somewhat angry about the problem. It has the latest version installed (8.0.175) so it's affected too…

    Comment by Macufendo | November 11, 2008 | Reply

  16. Update:

    It seems to be related to the dat files, because the 1780 update fixes the false positive. In order to prove it, I searched manually for the USER32.DLL file, right-clicked and asked AVG to scan it for viruses… nothing found, so it was fixed! 🙂 =) =)

    Regards.

    Macufendo.

    Comment by Macufendo | November 11, 2008 | Reply

  17. Still problems after correcting the problem. Any other suggestions?

    Comment by Remco | November 11, 2008 | Reply

  18. In case AVG has managed to clean away all copies of user32.dll on your PC and you have received an XP install/repair CD with your computer, the procedure to recover user32.dll from that CD without completely reinstalling Windows is described at http://www.commentcamarche.net/forum/affich-2247732-xp-bloque-au-demarrage (in French I’m afraid)(it’s “méthode 1”). Worked on mine !

    Comment by didier | November 11, 2008 | Reply

  19. Thank you!!

    Comment by ferrancanet | November 11, 2008 | Reply

  20. Start XP in safe mode. Remove AVG 7.5. Restart computer in normal mode. Install AVG 8.

    Comment by Ben Mol | November 11, 2008 | Reply

  21. Hi

    I have now noticed that the only PCs I have with this problem are HP/Compaq PCs

    Is this the same for others???

    Comment by Charlie Nott | November 11, 2008 | Reply

  22. Thanks buddy you really saved my a** today with this fix. I did exactly as you said. I had to borrow an XP cd as mine is a DELL and didn’t have one. Used the R,1,enter sequence and enter command copy with path. Bingo. I have never been so thankful. Going to tweet your solution. I have to say that I had lost user32.dll from vault. In case you have it follow the safe mode solution above. Just in case mine was AVG 8.0 so those were affected too as suggested above too.

    Comment by Carlos Lorenzo | November 11, 2008 | Reply

  23. It happened on both my computers with AVG8, it came with the last upgrade. With the Windows CD we first went to install Windows and then repair, quite long but worked perfectly.

    Comment by Dennis | November 12, 2008 | Reply

  24. I tried several different solutions but this was the only one that worked, PERFECT thanks a lot. Henrik

    Comment by Henrik | November 12, 2008 | Reply

  25. That's why community is such a great idea. When the amount of possible implications is too big for one person or small group, all users help to straighten things out.

    Comment by Reiner | November 12, 2008 | Reply

  26. I prefer the AVG User32.dll Fix – Boot CD and successfully used it in a couple of systems.
    http://www.winhelponline.com/blog/avg-false-positive-user32-dll-restore-tool/

    Comment by rameshsrinivasan | November 12, 2008 | Reply

  27. Thank you very much. It worked perfect!!!
    For those using this method with a Spanish keyboard, use “Alt Gr + A” to insert the $ symbol.
    Thanks again.
    Nuria

    Comment by Nuria Garcia | November 13, 2008 | Reply

  28. Another solution:
    Take the affected hard disk and install it in a PC with Windows XP (via a USB adapter or by connecting it as a slave).
    Copy the file c:\windows\system32\user32.dll from the host PC to the equivalent location on the slave disk.
    Remove the slave disk, put it back in the affected PC, and done.

    Comment by Jaime | November 14, 2008 | Reply

  29. […] Alarm, you categorised it as a Trojan. The second blooper concerned Windows system file user32.dll, I already blogged about it. You were of the opinion that this file was a Trojan too. Your recent false positive has labeled Adobe […]

    Pingback by AVG, what the heck are you doing lately? Shame on you! « Smokey’s Security Weblog | November 15, 2008 | Reply

  30. Tried fix, did not work, any suggestions??

    Comment by Dan | November 30, 2010 | Reply

    • Hi,

      I assume you are talking about the recently occurred AVG-related problems; these concern Windows 7 operating systems that cannot be started after an update.

      Here's what AVG writes about it:

      2.12.2010

      we regret to inform you that latest virus database 271.1.1/3292 (432/3292) released 12:53 AM CET requested computer restart with inability to start the system again with error:

      STOP: c0000135 The program can’t start because %hs is missing from your computer. Try reinstalling the program to fix this problem.

      We have immediately downgraded published failing version to fully functional 271.1.1/3291 (432/3291).

      Fixes:

      A) If you did not restart yet (due to AVG after-update request)
      – delete all .prepare files from AVG program directory:

      For 64bit operating system:
      C:\Program files (x86)\AVG\AVG10

      – open AVG -> menu Tools -> Advanced Settings -> Update -> Manage and use the button to remove temporary update files
      – reboot computer
      – run AVG 2011 repair installation to restore AVG to previous functional state – this may actually not be necessary in most cases
      – everything should be working fine.

      B) If you did restart and have the unpleasant issue
      – use AVG Rescue CD
      – open menu Utilities -> Midnight Commander
      – navigate and rename these files:

      For 64bit operating system:
      /mnt/sda1/program files (x86)/avg/avg10/avgrsa.exe
      /mnt/sda1/program files (x86)/avg/avg10/avgchsva.exe

      – use F6 key to rename them to some other name
      – reboot computer
      – run AVG 2011 repair installation to restore AVG to previous functional state.

      AVG article source: http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=132999#post_132999

      Comment by Smokey | December 4, 2010 | Reply

    • FWIW, please read also this post on Smokey’s Security Forums: http://www.smokey-services.eu/forums/index.php/topic,90442.0.html

      In the mentioned post, download links to the AVG Rescue CD are available.

      Comment by Smokey | December 4, 2010 | Reply
