Slashdot Mirror


AVG Virus Scanner Removes Critical Windows File

secmartin writes "The popular virus scanner AVG released an update yesterday that caused their software to mark user32.dll as a virus. Since this is a rather critical file, AVG's suggestion to remove it caused problems for users around the world who are now advised to restore the file through the Windows Recovery Console. AVG just posted an update about this (FAQ item 1574) in the support section of their site. Their forums are full of complaints."


  1. Re:It's sad... by fuzzyfuzzyfungus · · Score: 4, Informative

    I'm not sure that there would be. Antivirus is one of those things that (at least until actual heuristic scanning that seriously works comes out) leans heavily on having a whole bunch of security guys and worker drones hammering out signature updates all day every day. That isn't something that falls under "The Open Source is strong with this one". In particular, antivirus is basically a bandaid designed to let clueless users use critically flawed systems without understanding them. If OSS coders were more common on Windows, they would probably just read and write to any of the various guides for running Windows with minimal privileges, and ignore the problem.

  2. Re:It's sad... by maxume · · Score: 5, Informative

    Go to the install directory and rename "avgresf.dll" and "afgmwdef_us.mht" (adding a .bak or whatever should work fine). I did this a few days ago and the notification bar is no more, with no apparent problems.

    Also, don't tell anyone, to prevent AVG from changing it.

    --
    Nerd rage is the funniest rage.
  3. Re:I haven't been hit yet... by Animaether · · Score: 4, Informative

    If you haven't been hit yet, then you probably won't be either; your AVG quite likely already has the fixed definitions file.

    If you -are- hit... guess what? It pops up a warning that it believes it found some sort of trojan in user32.dll. Laymen might just tell it to remove the thing, but I do hope -you- would know better and tell it to stfu and ignore, then fetch the latest update (it will warn you a few more times if you've got the resident shield running, as user32.dll gets accessed a lot).

    If you -are- hit and it has already removed it... quickly restore it, carry on.

    If you are hit, it has removed it, and your machine has already crashed... reboot to a command prompt (safe mode MAY work, but it didn't when I fixed a machine on Sunday), restore user32.dll from a cache / restore point. If you can't get it from a cache, get it from the installation CD (if you have one), but keep in mind that it will be missing updates and Windows Update might not realize that (as everything else on the system tells it hotfixes N-M have been installed - maybe MS will make the update check the MD5 or something of user32.dll, after this problem, just in case).

    This was extremely stupid on the end of AVG, but then I'm still baffled why such files can be removed at all; same with ntldr. If you accidentally wipe your root dir, you're all kinds of f'ed.
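
The baseline-and-verify check that the comment above wishes Windows Update did is easy to build yourself. The script below is an added example (not code from the thread, from AVG, or from Microsoft): it records SHA-256 hashes of files you name, such as user32.dll and ntldr, on a known-good and fully patched machine, and later reports which of them have gone missing or changed. The file names, the "baseline.json" manifest and the stand-in file contents are all constructed for the demo, which runs in a temporary directory so it works offline on any platform.

```python
"""Baseline-and-verify check for critical system files.

Added example, not part of the original thread or of AVG/Microsoft's code.
Record hashes on a clean, fully patched system; re-run verify after a scanner
update, a hotfix, or a suspected infection to see what is missing or changed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Map each path to its hash. Run this on a known-good system only."""
    return {p: sha256_file(p) for p in paths}


def save_manifest(manifest, manifest_path):
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)


def load_manifest(manifest_path):
    with open(manifest_path) as f:
        return json.load(f)


def verify_manifest(manifest):
    """Return {path: 'ok' | 'missing' | 'modified'} for every baseline entry."""
    report = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            report[path] = "missing"      # what a "remove" verdict does to user32.dll
        elif sha256_file(path) != expected:
            report[path] = "modified"     # replaced, patched, or tampered with
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: baseline two stand-in files, then break both."""
    with tempfile.TemporaryDirectory() as tmp:
        user32 = os.path.join(tmp, "user32.dll")   # stand-in, not the real DLL
        ntldr = os.path.join(tmp, "ntldr")         # stand-in, not the real loader
        for p in (user32, ntldr):
            with open(p, "wb") as f:
                f.write(b"stand-in bytes for " + os.path.basename(p).encode())
        manifest_path = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest([user32, ntldr]), manifest_path)

        os.remove(user32)                          # simulate the scanner deleting it
        with open(ntldr, "ab") as f:               # simulate an unexpected change
            f.write(b"\x00")

        report = verify_manifest(load_manifest(manifest_path))
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call build_manifest on paths like C:\Windows\System32\user32.dll and C:\ntldr and keep the manifest somewhere the scanner cannot quarantine. Every hotfix that touches one of these files changes its hash, so re-baseline right after applying updates, otherwise "modified" will be reported for a legitimate patch and you lose the signal that matters.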

  4. Re:Should have gone for the gold... by negRo_slim · · Score: 2, Informative
    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  5. Re:doh by thetrick · · Score: 5, Informative
  6. Re:Arrr! by Anonymous Coward · · Score: 5, Informative

    No, Avast ye scurvy viruses, dammit! Not everything that looks vaguely latin should be pluralized with an i, and most certainly nothing should be pluralized by changing the word-final "us" to "ii"! You're just a dumbass trying to look educated, and failing miserably. http://dictionary.reference.com/browse/virus

  7. Re:It's sad... by e+r+i+k+0 · · Score: 5, Informative

    I'm thinking that's a server-side error, so it should actually be 563 No More Kitten if you're following RFC 2616 correctly.

  8. Re:I'm not surprised... by Donniedarkness · · Score: 2, Informative

    It's by no means low cost, but I do have to say that I love NOD32. It's worth the extra money to not have to worry.

    --
    Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
  9. Re:It's sad... by RobertM1968 · · Score: 3, Informative

    You do realize that any account that can execute arbitrary code can end up virus infected right?

    On any operating system?

    You do realize there is a major difference between an OS's ability to run a virus - and an OS's prevalence to being able to be infected through numerous, never-quite-patched-correctly holes, buffer over/underrun exploits, back doors, open sockets on a TCP/IP stack (that based on its origin should have been decent) that has been horrendously mangled into a security threat?

    There is a big difference between the two. If all Operating Systems had equal market share, Windows would in all probability still have the lion's share of infections simply because there have been tons of flaws/holes in the OS to allow it to be easily infected.

    Yes, there are lists that show the numbers often being equal - in quantity... but a true in depth study of the list will show that many of the windows vulnerabilities turned out to be very very simple to exploit - so easy any script kiddie could do it... and that many of those vulnerabilities were never completely fixed and resurfaced utilizing a slightly different access vector.

    Add to that, every other OS out there has a better track record at fixing such holes - while Microsoft has often either (a) gone out of their way to downplay the issues or (b) outright denied the issues until there was a big enough public outcry. That too adds to the number of infected machines on each platform (again, assuming each had equal market penetration) and once again would lead to Windows still being waaaaay at the top of the mountain.

    Of course, by your scenario, you seem to equate "people installing viruses on their own machine via the computer's I/O devices" or "allowing others to do it directly at the machine" the equivalent of a machine that is far easier to infect via external, networked methods. Sadly (for your argument) that is preposterous.

  10. Re:Well... by ChameleonDave · · Score: 4, Informative

    viruses (virii?)

    No.

  11. Re:Well... by antdude · · Score: 1, Informative

    it's = it is

    Yep, I am being a Grammar Nazi.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  12. Re:doh by Machtyn · · Score: 4, Informative

    Interestingly, as a non-paying customer, I was affected by this bug. I now have three programs that I will not be able to uninstall. AVG detected their uninstaller file as a virus and deleted them.

    How many times will Grisoft pull this crap? First flooding teh intertubes now deleting my l33t filez.

    Some time ago I was recommending this and installing this program on all computers. Now, I'm just waiting for Comodo to get their act together and release an AV product I can trust.

  13. Re:doh by vux984 · · Score: 2, Informative

    I agree. As someone who deals with viruses on an almost daily basis I suggest Avast and Spybot to detect (if not remove) viruses. These two don't catch them all, but they usually make the system usable enough to remove the rest (the pre-boot Avast check is especially useful). Also from my own experience: beware Kaspersky! While it is good at preventing infections, my experience with virus-ridden systems is that it makes them unbootable. Various other anti-malware/virus tools are hit and miss, and while detection has improved in programs like McAfee, I have found they still require manual removal.

    Installing and performing multiple scans in multiple AV products takes longer than just reinstalling windows on MOST PCs. And reinstalling windows misses less and cleans out general windows rot too. If you're a large enough company that you have recovery images, it takes even less time.

    But it takes me maybe 3.5 hours to backup key data, then repartition, reformat, install XPSP3, drivers, configure the network identification, printers, and install Office, filemaker, citrix xenapp client, java runtime, flash, acrobat reader, firefox, our remote support software, configure email, and perform updates (including ie7), restore data, configure email, etc on one of our office PCs. On machines where we have a good restore image, we can wipe and image in an hour-ish, including data backup and restore.

    It easily takes 8+ hours to run an AVG scan, Avast scan, Spybot scans, and then manually troubleshoot and remove the stuff that's left, and takes a minimum of 3-4 hours.

  14. Re:Well... by Opyros · · Score: 5, Informative

    Arguably, it should just be "viruses". Not all Latin words retain Latinate plurals in English (e.g. "circus/circuses"), and not all Latin words ending in -us had plurals ending in -i. See this excerpt from the alt.usage.english FAQ for more. </pedantry>

  15. Re:Sigh by Anonymous Coward · · Score: 2, Informative

    I do not think that a "small private school" running TWO HUNDRED copies (not that either item alone would be any different.. it wouldn't) fits within the limitations for using AVG Free:

    from http://free.avg.com/download-avg-anti-virus-free-edition#tba2

    # AVG Anti-Virus Free Edition is for private, non-commercial, single computer use only. The use of AVG Free within any organization or for commercial purposes is strictly prohibited.

  16. keygens, magical jelly bean etc... by Fallen+Andy · · Score: 3, Informative

    Several of the AV packages mark these as trojans. Just to be on the safe side, upload a sample to VirusTotal, which checks with around 30 different products.

    It's always good to have a second opinion - see e.g. portable ClamWin.

    Andy

  17. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  18. Re:Arrr! by badfish99 · · Score: 2, Informative

    You obviously never learned Latin, or you would know the correct declension of the noun "bus", as given here

  19. Re:Well... by jez9999 · · Score: 2, Informative

    No, pendi.

  20. Re:Well... by Hooded+One · · Score: 4, Informative

    I doubt Unix would either.

    And you'd be wrong. It doesn't crash because deleting an open file in Unix only unlinks it from the filesystem tree, leaving the contents alone. Only when all programs release the file does the deletion complete.

  21. Re:Well... by chrish · · Score: 4, Informative

    This is often (usually?) filesystem stupidity. Specifically, that in Windows (and DOS before it for that matter), an open file is considered sacrosanct. You can't delete it until everybody closes their file handles. Everybody, no exceptions.

    This is very bad when Windows helpfully caches things for you, like DLLs and EXEs, even after you've exited the program. That's why you often have to reboot after installing something innocuous like Acrobat.

    UNIX filesystem semantics are superior here; it's the DOS legacy that keeps Windows from changing its behaviour.

    --
    - chrish
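
The two comments above describe the difference in behaviour but do not show it. The script below is an added example (not code from either commenter): it opens a file, keeps the handle, tries to delete the file, and then reads through the handle that was opened before the delete. On Linux and macOS the name disappears at once and the bytes stay readable until the last descriptor closes; on Windows, CPython opens files without FILE_SHARE_DELETE, so os.unlink raises PermissionError while the handle is open, which is the "sacrosanct open file" rule chrish describes. The file name "critical.dll" and its contents are constructed for the demo; the script runs in a temporary directory on either platform.

```python
"""Delete-while-open semantics, POSIX versus Windows.

Added example, not from the thread. The returned dict makes the two platforms
directly comparable: on POSIX unlink succeeds, the name is gone, the link count
seen through the open handle drops to 0 and the data is still readable; on
Windows the unlink is refused and the name stays, but the read still works.
"""
import os
import tempfile

SAMPLE = b"stand-in for a loaded DLL; constructed for this demo\n"


def unlink_while_open():
    """Return a dict describing what happened when deleting an open file.

    unlink_ok          -- did the delete call succeed with a handle still open?
    path_exists_after  -- is the name still visible in the directory afterwards?
    nlink_after        -- link count seen through the open handle (0 on POSIX once unlinked)
    content_after      -- bytes read through the handle opened before the delete
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "critical.dll")   # stand-in name, not a real DLL
        with open(path, "wb") as w:
            w.write(SAMPLE)

        f = open(path, "rb")            # this handle stays open across the delete
        try:
            try:
                os.unlink(path)         # POSIX: unlinks the name; Windows: sharing violation
                unlink_ok = True
            except PermissionError:
                unlink_ok = False
            path_exists_after = os.path.exists(path)
            nlink_after = os.fstat(f.fileno()).st_nlink
            content_after = f.read()    # works on both platforms
        finally:
            f.close()                   # on POSIX the data is freed only now
        return {
            "unlink_ok": unlink_ok,
            "path_exists_after": path_exists_after,
            "nlink_after": nlink_after,
            "content_after": content_after,
        }


if __name__ == "__main__":
    for key, value in unlink_while_open().items():
        print(f"{key}: {value!r}")
```

The same unlink-then-keep-running property is what lets a Unix package upgrade replace a running binary or library in place: the old inode lives on for the processes that already mapped it, and new processes pick up the new file. It is also why a deleted-but-open file still consumes disk space until the last holder closes it, something to remember during incident cleanup when "rm" of a malicious file does not free the space or stop the process using it.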
  22. Re:Well... by Eunuchswear · · Score: 2, Informative

    Or because administrator doesn't have permission. Under Windows it doesn't necessarily. It does have permission to change the permissions though.

    --
    Watch this Heartland Institute video
  23. Re:Well... by Otter+Popinski · · Score: 2, Informative

    Viri already has a Latin meaning, it means 'men'. So, even if the old rule about pluralising Latin words ending with '-us' to '-i' was not obsolete (and it is), 'viri' would still be wrong.

    The correct word is 'viruses'.

    That's because "virus" in Latin is neuter, while "vir" is masculine. The Latin plural for "virus" is "vira" (in the nominative, anyway).

  24. Re:Well... by The+MAZZTer · · Score: 2, Informative

    XP Explorer also likes to leak file handles every now and again, which has every so often prevented me from being able to delete something.

    Fortunately Sysinternals' Handles tool exists and is very useful and awesome.

  25. Re:Well... by ChameleonDave · · Score: 2, Informative

    That's because "virus" in Latin is neuter, while "vir" is masculine. The Latin plural for "virus" is "vira" (in the nominative, anyway).

    Wrong. "Virus" in Latin had no plural. It was a mass noun meaning "poison", "foulness". One can guess at what the plural form would have been ("vira", "virus", "virua"...) but you cannot state it as a fact.

    In English, its plural is "viruses". In Latin, it had no plural. I actually don't mind "viri" too much. It's naive, but a reasonable mistake to make, given precedents such as "cacti". What annoys me is "virii", which is just idiotic.

    I wish I'd linked my first "No" to Wikipedia, to nip this thread in the bud.