AVG Virus Scanner Removes Critical Windows File
secmartin writes "The popular virus scanner AVG released an update yesterday that caused their software to mark user32.dll as a virus. Since this is a rather critical file, AVG's suggestion to remove it caused problems for users around the world who are now advised to restore the file through the Windows Recovery Console. AVG just posted an update about this (FAQ item 1574) in the support section of their site. Their forums are full of complaints."
I'm not sure that there would be. Antivirus is one of those things that (at least until actual heuristic scanning that seriously works comes out) leans heavily on having a whole bunch of security guys and worker drones hammering out signature updates all day every day. That isn't something that falls under "The Open Source is strong with this one". In particular, antivirus is basically a bandaid designed to let clueless users use critically flawed systems without understanding them. If OSS coders were more common on Windows, they would probably just read and write to any of the various guides for running Windows with minimal privileges, and ignore the problem.
Go to the install directory and rename "avgresf.dll" and "afgmwdef_us.mht" (adding a .bak or whatever should work fine). I did this a few days ago and the notification bar is no more, with no apparent problems.
Also, don't tell anyone, to prevent AVG from changing it.
Nerd rage is the funniest rage.
If you haven't been hit yet, then you probably won't be either; your AVG quite likely already has the fixed definitions file.
If you -are- hit... guess what? It pops up a warning that it believes it found some sort of trojan in user32.dll. Laymen might just tell it to remove the thing, but I do hope -you- would know better and tell it to stfu and ignore, then fetch the latest update (it will warn you a few more times if you've got the resident shield running, as user32.dll gets accessed a lot).
If you -are- hit and it has already removed it... quickly restore it, carry on.
If you are hit, it has removed it, and your machine has already crashed... reboot to a command prompt (safe mode MAY work, but it didn't when I fixed a machine on Sunday), restore user32.dll from a cache / restore point. If you can't get it from a cache, get it from the installation CD (if you have one), but keep in mind that it will be missing updates and Windows Update might not realize that (as everything else on the system tells it hotfixes N-M have been installed - maybe MS will make the update check the MD5 or something of user32.dll, after this problem, just in case).
This was extremely stupid on the end of AVG, but then I'm still baffled why such files can be removed at all; same with ntldr. If you accidentally wipe your root dir, you're all kinds of f'ed.
McAfee had a similar issue:
http://it.slashdot.org/it/06/03/13/1322215.shtml
No, Avast ye scurvy viruses, dammit! Not everything that looks vaguely Latin should be pluralized with an i, and most certainly nothing should be pluralized by changing the word-final "us" to "ii"! You're just a dumbass trying to look educated, and failing miserably. http://dictionary.reference.com/browse/virus
I'm thinking that's a server-side error, so it should actually be 563 No More Kitten if you're following RFC 2616 correctly.
viruses (virii?)
No.
Interestingly, as a non-paying customer, I was affected by this bug. I now have three programs that I will not be able to uninstall. AVG detected their uninstaller file as a virus and deleted them.
How many times will Grisoft pull this crap? First flooding teh intertubes now deleting my l33t filez.
Some time ago I was recommending this and installing this program on all computers. Now, I'm just waiting for Comodo to get their act together and release an AV product I can trust.
Arguably, it should just be "viruses". Not all Latin words retain Latinate plurals in English (e.g. "circus/circuses"), and not all Latin words ending in -us had plurals ending in -i. See this excerpt from the alt.usage.english FAQ for more. </pedantry>
I doubt Unix would either.
And you'd be wrong. It doesn't crash because deleting an open file in Unix only unlinks it from the filesystem tree, leaving the contents alone. Only when all programs release the file does the deletion complete.
This is often (usually?) filesystem stupidity. Specifically, that in Windows (and DOS before it for that matter), an open file is considered sacrosanct. You can't delete it until everybody closes their file handles. Everybody, no exceptions.
This is very bad when Windows helpfully caches things for you, like DLLs and EXEs, even after you've exited the program. That's why you often have to reboot after installing something innocuous like Acrobat.
UNIX filesystem semantics are superior here; it's the DOS legacy that keeps Windows from changing its behaviour.
- chrish
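To make the difference chrish describes concrete, here is an added example (not from the thread) in Python: it holds a constructed file open, has a second party delete it, and reports what the holder and the directory each see afterwards. The file name and contents are made up; on POSIX the unlink succeeds and the holder keeps reading, while on Windows (Python opens without FILE_SHARE_DELETE) the delete is refused.

```python
import os
import tempfile

POSIX = os.name == "posix"

# Constructed stand-in for a library image a running program has loaded.
SAMPLE = b"pretend this is a loaded DLL image"


def unlink_while_open(payload=SAMPLE):
    """Create a file, hold it open, delete it, and report what each side sees.

    Returns a dict:
      deleted              - whether the unlink call succeeded
      visible_after_delete - whether a directory lookup still finds the name
      read_after_delete    - whether the open handle can still read every byte
    """
    tmpdir = tempfile.mkdtemp()
    # Name is illustrative only; this is a scratch file, not the real user32.dll.
    path = os.path.join(tmpdir, "user32.dll")
    with open(path, "wb") as f:
        f.write(payload)

    result = {"deleted": False, "visible_after_delete": None, "read_after_delete": None}
    with open(path, "rb") as handle:          # the "running program" holds the file
        try:
            os.unlink(path)                   # the "antivirus" removes it
            result["deleted"] = True          # POSIX: only the name is gone
        except PermissionError:
            result["deleted"] = False         # Windows: open file is sacrosanct
        result["visible_after_delete"] = os.path.exists(path)
        handle.seek(0)
        result["read_after_delete"] = handle.read() == payload

    # Clean up the scratch directory (the file may still exist on Windows).
    if os.path.exists(path):
        os.unlink(path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(unlink_while_open())
```

On Linux this prints `{'deleted': True, 'visible_after_delete': False, 'read_after_delete': True}`: the inode lives on until the last handle closes, which is why the program does not crash.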