AVG Virus Scanner Removes Critical Windows File
secmartin writes "The popular virus scanner AVG released an update yesterday that caused their software to mark user32.dll as a virus. Since this is a rather critical file, AVG's suggestion to remove it caused problems for users around the world who are now advised to restore the file through the Windows Recovery Console. AVG just posted an update about this (FAQ item 1574) in the support section of their site. Their forums are full of complaints."
Re:It's sad... (Score:5, Informative)
Go to the install directory and rename "avgresf.dll" and "afgmwdef_us.mht" (adding a .bak or whatever should work fine). I did this a few days ago and the notification bar is no more, with no apparent problems.
Also, don't tell anyone, to prevent AVG from changing it.
Re:I haven't been hit yet... (Score:5, Informative)
If you haven't been hit yet, then you probably won't be either; your AVG quite likely already has the fixed definitions file.
If you -are- hit... guess what? It pops up a warning that it believes it found some sort of trojan in user32.dll. Laymen might just tell it to remove the thing, but I do hope -you- would know better and tell it to stfu and ignore, then fetch the latest update (it will warn you a few more times if you've got the resident shield running, as user32.dll gets accessed a lot).
If you -are- hit and it has already removed it... quickly restore it, carry on.
If you are hit, it has removed it, and your machine has already crashed... reboot to a command prompt (safe mode MAY work, but it didn't when I fixed a machine on Sunday) and restore user32.dll from a cache / restore point. If you can't get it from a cache, get it from the installation CD (if you have one), but keep in mind that it will be missing updates and Windows Update might not realize that (as everything else on the system tells it hotfixes N-M have been installed - maybe MS will make the update check the MD5 or something of user32.dll after this problem, just in case).
This was extremely stupid on the end of AVG, but then I'm still baffled why such files can be removed at all; same with ntldr. If you accidentally wipe your root dir, you're all kinds of f'ed.
Re:doh (Score:5, Informative)
McAfee had a similar issue:
http://it.slashdot.org/it/06/03/13/1322215.shtml
Re:It's sad... (Score:4, Informative)
You do realize that any account that can execute arbitrary code can end up virus infected right?
On any operating system?
You do realize there is a major difference between an OS's ability to run a virus - and an OS's prevalence to being able to be infected through numerous, never-quite-patched-correctly holes, buffer over/underrun exploits, back doors, open sockets on a TCP/IP stack (that based on its origin should have been decent) that has been horrendously mangled into a security threat?
There is a big difference between the two. If all Operating Systems had equal market share, Windows would in all probability still have the lion's share of infections simply because there have been tons of flaws/holes in the OS to allow it to be easily infected.
Yes, there are lists that show the numbers often being equal - in quantity... but a true in depth study of the list will show that many of the windows vulnerabilities turned out to be very very simple to exploit - so easy any script kiddie could do it... and that many of those vulnerabilities were never completely fixed and resurfaced utilizing a slightly different access vector.
Add to that, every other OS out there has a better track record at fixing such holes - while Microsoft has often either (a) gone out of its way to downplay the issues or (b) outright denied the issues until there was a big enough public outcry. That too adds to the number of infected machines on each platform (again, assuming each had equal market penetration) and once again would leave Windows still waaaaay at the top of the mountain.
Of course, by your scenario, you seem to equate "people installing viruses on their own machine via the computer's I/O devices" or "allowing others to do it directly at the machine" the equivalent of a machine that is far easier to infect via external, networked methods. Sadly (for your argument) that is preposterous.
Re:Well... (Score:4, Informative)
viruses (virii?)
No.
Re:Well... (Score:2, Informative)
it's = it is
Yep, I am being a Grammar Nazi.
Re:doh (Score:5, Informative)
How many times will Grisoft pull this crap? First flooding teh intertubes now deleting my l33t filez.
Some time ago I was recommending this and installing this program on all computers. Now, I'm just waiting for Comodo to get their act together and release an AV product I can trust.
Re:doh (Score:3, Informative)
I agree. As someone who deals with viruses on an almost daily basis I suggest Avast and Spybot to detect (if not remove) viruses. These two don't catch them all, but they usually make the system usable enough to remove the rest (the pre-boot Avast check is especially useful). Also from my own experience: beware Kaspersky! While it is good at preventing infections, my experience with virus-ridden systems is that it makes them unbootable. Various other anti-malware/virus tools are hit and miss, and while detection has improved in programs like McAfee, I have found they still require manual removal.
Installing and performing multiple scans in multiple AV products takes longer than just reinstalling windows on MOST PCs. And reinstalling windows misses less and cleans out general windows rot too. If you're a large enough company that you have recovery images, it takes even less time.
But it takes me maybe 3.5 hours to back up key data, then repartition, reformat, install XP SP3, drivers, configure the network identification, printers, and install Office, FileMaker, Citrix XenApp client, Java runtime, Flash, Acrobat Reader, Firefox, our remote support software, configure email, and perform updates (including IE7), restore data, etc. on one of our office PCs. On machines where we have a good restore image, we can wipe and image in an hour-ish, including data backup and restore.
It easily takes 8+ hours to run an AVG scan, Avast scan, Spybot scans, and then manually troubleshoot and remove the stuff that's left, and takes a minimum of 3-4 hours.
Re:Sigh (Score:2, Informative)
I do not think that a "small private school" running TWO HUNDRED copies (not that either item alone would be any different... it wouldn't) fits within the limitations for using AVG Free:
from http://free.avg.com/download-avg-anti-virus-free-edition#tba2
keygens, magical jelly bean etc... (Score:4, Informative)
It's always good to have a second opinion - see e.g. portable ClamWin (portableapps.com)
Andy
Re:Well... (Score:2, Informative)
No, pendi.
Re:Well... (Score:5, Informative)
I doubt Unix would either.
And you'd be wrong. It doesn't crash because deleting an open file in Unix only unlinks it from the filesystem tree, leaving the contents alone. Only when all programs release the file does the deletion complete.
Re:Well... (Score:5, Informative)
This is often (usually?) filesystem stupidity. Specifically, that in Windows (and DOS before it for that matter), an open file is considered sacrosanct. You can't delete it until everybody closes their file handles. Everybody, no exceptions.
This is very bad when Windows helpfully caches things for you, like DLLs and EXEs, even after you've exited the program. That's why you often have to reboot after installing something innocuous like Acrobat.
UNIX filesystem semantics are superior here; it's the DOS legacy that keeps Windows from changing its behaviour.
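The unlink-while-open behaviour described in this comment and in the "I doubt Unix would either" reply above it, shown as an added example that is not part of the original thread: a small POSIX C program (Linux/BSD, not Windows) creates a temporary file, unlinks it while still holding a descriptor, and then checks that the path is gone from the directory, that the inode now reports zero links, and that the original bytes are still readable through the open descriptor. The temp-file path and its contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the unlink-while-open experiment, filled in by run_unlink_demo(). */
struct unlink_demo {
    int unlink_ok;        /* unlink(2) on the still-open file succeeded */
    int path_gone;        /* stat(2) on the old path now fails with ENOENT */
    unsigned long links;  /* st_nlink seen through the open fd (expected 0) */
    int read_ok;          /* original contents still readable via the fd */
    char buf[32];         /* what was read back */
};

/* Returns 0 on success (results in *d), -1 if the experiment could not be set up. */
int run_unlink_demo(struct unlink_demo *d)
{
    char path[] = "/tmp/unlink_demo_XXXXXX";   /* constructed temp path, assumption: /tmp exists */
    const char msg[] = "still here";
    struct stat st;
    memset(d, 0, sizeof *d);

    int fd = mkstemp(path);                     /* create and open a fresh file */
    if (fd < 0) return -1;
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* "Delete" the file while it is open. On POSIX this only removes the directory
       entry; the inode and its data live on until the last descriptor is closed. */
    d->unlink_ok = (unlink(path) == 0);

    /* The name is gone immediately... */
    d->path_gone = (stat(path, &st) == -1 && errno == ENOENT);

    /* ...and the inode reports no remaining links, yet it is still ours to use. */
    if (fstat(fd, &st) == 0) d->links = (unsigned long)st.st_nlink;

    ssize_t n = pread(fd, d->buf, sizeof d->buf - 1, 0);
    if (n > 0) {
        d->buf[n] = '\0';
        d->read_ok = (strcmp(d->buf, msg) == 0);
    }

    close(fd);   /* last reference dropped: now the storage is actually freed */
    return 0;
}

int main(void)
{
    struct unlink_demo d;
    if (run_unlink_demo(&d) != 0) { perror("unlink demo"); return 1; }
    printf("unlink ok=%d, path gone=%d, st_nlink=%lu, read back=\"%s\"\n",
           d.unlink_ok, d.path_gone, d.links, d.buf);
    return 0;
}
```

This is the mechanism that lets a Unix package manager overwrite a running binary or shared library in place: the old inode stays alive for processes that already mapped it, while new processes pick up the replacement under the same name.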
Re:Well... (Score:3, Informative)
Or because Administrator doesn't have permission. Under Windows it doesn't necessarily. It does have permission to change the permissions though.
Re:Well... (Score:2, Informative)
Viri already has a Latin meaning, it means 'men'. So, even if the old rule about pluralising Latin words ending with '-us' to '-i' was not obsolete (and it is), 'viri' would still be wrong.
The correct word is 'viruses'.
That's because "virus" in Latin is neuter, while "vir" is masculine. The Latin plural for "virus" is "vira" (in the nominative, anyway).
Re:Well... (Score:3, Informative)
XP Explorer also likes to leak file handles every now and again, which has every so often prevented me from being able to delete something.
Fortunately Sysinternals' Handles tool exists and is very useful and awesome.
Re:Well... (Score:2, Informative)
That's because "virus" in Latin is neuter, while "vir" is masculine. The Latin plural for "virus" is "vira" (in the nominative, anyway).
Wrong. "Virus" in Latin had no plural. It was a mass noun meaning "poison", "foulness". One can guess at what the plural form would have been ("vira", "virus", "virua"...) but you cannot state it as a fact.
In English, its plural is "viruses". In Latin, it had no plural. I actually don't mind "viri" too much. It's naive, but a reasonable mistake to make, given precedents such as "cacti". What annoys me is "virii", which is just idiotic.
I wish I'd linked my first "No [wikipedia.org]" to Wikipedia, to nip this thread in the bud.