Guru3D.com Forums

AVG Free + Windows XP SP2: Warning
  (#1)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
AVG Free + Windows XP SP2: Warning - 11-13-2007, 09:57 | posts: 4,554 | Location: Buenos Aires, Argentina

I love this antivirus but yesterday when it downloaded the latest update (AVG 7.5.503 - AVI 269.15.30/1127) it started complaining about my XP SP2's user32.dll file having a trojan:



This is a false alarm, as I know the user32.dll file was perfect; what's more, I compared it to the original on the CD with the FC command, and both matched bit by bit. So I kept on clicking the Ignore button every time AVG complained about this, and then I went to sleep.

Today, I wake up, turn on the computer again and voilà, I get this:

STOP: c0000135 (unable to locate component) this application has failed to start because winsrv was not found. Re-installing the application may fix this problem...

So I started the parallel installation I have on the same disk, compared user32.dll again, this time against the one belonging to the XP SP2 I booted from the second partition, and they were still identical. So, remembering yesterday's false alarm, I went to C:\Program Files and renamed the folder Grisoft (where AVG Free is located). Booted again from the first OS and voilà, the antivirus is no more but Windows loads again flawlessly...

Furthermore, now at another computer with XP SP2 I have experienced exactly this same problem after updating AVG.

I'll see what Grisoft has to say about this, haven't found anything related on their website at the moment.

The affected Windows is XP SP2 Spanish. The user32.dll file size is 578,048. In case anyone else experiences this (let's hope not!), I leave here a small tip about my experience.

EDIT: They haven't mentioned anything and I doubt they ever will, but there's a new update (AVI 269.15.31/1128) that fixes the false alarm and the blue screen during bootup. On a system with the Grisoft folder renamed, the best fix is to download and run the latest AVG installer and it will detect the damaged installation and repair it. Then apply the latest database update.

Last edited by Andrés; 11-16-2007 at 10:03.
   
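Andrés's bit-for-bit FC comparison against the CD copy is the right first check for a suspected false positive on a system file. The script below, added here as an illustration and not code from the thread or from AVG/Grisoft, does the same job in Python: it reports whether two copies are identical, the offset of the first differing byte (as FC /B does) and a SHA-256 of each copy so the reference hash can be recorded for later checks. The file names and contents in demo() are constructed samples, not a real user32.dll.

```python
"""Verify a suspect system file against a known-good copy: byte-for-byte
comparison plus a SHA-256 of each copy.  Added example; all inputs constructed."""
import hashlib
import os
import tempfile


def compare_bytes(suspect: bytes, reference: bytes) -> dict:
    """Compare two byte strings the way FC /B does and describe the result."""
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(suspect, reference)) if a != b), None
    )
    if first_diff is None and len(suspect) != len(reference):
        # One copy is a prefix of the other: the difference starts where the shorter one ends.
        first_diff = min(len(suspect), len(reference))
    return {
        "identical": first_diff is None,
        "suspect_size": len(suspect),
        "reference_size": len(reference),
        "first_diff_offset": first_diff,
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
    }


def compare_files(suspect_path: str, reference_path: str) -> dict:
    """Read both files fully and compare them; fine for DLL-sized inputs."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    with open(reference_path, "rb") as f:
        reference = f.read()
    return compare_bytes(suspect, reference)


def verdict(result: dict) -> str:
    """One-line summary a practitioner can paste into a ticket or forum post."""
    if result["identical"]:
        return "identical: the detection is not explained by a modified file"
    return (f"differs at offset 0x{result['first_diff_offset']:x} "
            f"(sizes {result['suspect_size']} vs {result['reference_size']})")


def demo() -> dict:
    """Write constructed stand-ins for user32.dll into a temp dir and compare them.
    Returns results for an identical pair and for a pair with one flipped bit."""
    clean = bytes(range(256)) * 4            # constructed 1024-byte 'DLL image'
    tampered = bytearray(clean)
    tampered[0x123] ^= 0x01                  # flip one bit at a known offset
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "user32.dll.reference")   # the copy from the CD
        ok = os.path.join(d, "user32.dll.ok")           # untouched installed copy
        bad = os.path.join(d, "user32.dll.bad")         # modified installed copy
        for path, data in ((ref, clean), (ok, clean), (bad, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(data)
        return {"ok": compare_files(ok, ref), "bad": compare_files(bad, ref)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", verdict(result))
```

Run it directly to see both outcomes; for a real check, point compare_files() at the installed file and at the copy expanded from the installation media, and keep the reference hash so a later scan that flags the same file can be answered without the CD.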
  (#2)
Alexstarfire
Ancient Guru
 
Videocard: GeForce 9800GTX+ @ stock
Processor: Intel C2D E6400 @ 390*8
Mainboard: DFI LanParty NF4 SLI-D
Memory: 2x2GB @ 468Mhz 6-6-6-18
Soundcard: Sound Blaster Audigy 2 ZS
PSU: 650w CM Real Power Pro
11-13-2007, 20:30 | posts: 8,316 | Location: Georgia

Hmmm, well I just went and looked at my user32.dll file and it's the EXACT same size as yours. I thought that perhaps since you have a different language the file size might be slightly different, but it doesn't seem so.

At least they fixed it, right? I think it's sad that they didn't even say anything about it though.
   
  (#3)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
11-13-2007, 21:07 | posts: 4,554 | Location: Buenos Aires, Argentina

I've seen several false alarms with AVG Free but this was the first time it rendered the computer unbootable. Anyways, I'm happy the next update fixed it.
   
  (#4)
TecFuerte
Newbie
 
(in Spanish) solution for the winsrv problem. - 11-14-2007, 15:46 | posts: 2 | Location: Fuerteventura

Just in case someone may need it, I can translate it if asked to...

Hi. Yesterday I spent the whole night looking for solutions to this problem, until I hit on the perfect combination (at least for me it is), and certainly a very fast one. You can have the machine up and running again in about 20 minutes.
Here are the steps I follow.

Tools needed: WinXP SP2 CD, floppies, pendrive or blank CDs to move the patches, an alternative machine with uninfected XP SP2, or else download the libraries from http://www.dll-files.com/ , and
the infected PC's SATA drivers on floppy, in case the WinXP CD doesn't recognize the hard disk.


1.- I load the WinXP SP2 CD, with the machine's SATA drivers if it needs them.

2.- I start system recovery with "R", via the recovery console.

3.- I insert a floppy on which I have previously managed to put a clean version of these two files: "winsrv.dll" and "user32.dll". (clean version = the newer one, because it is the one the patch I apply later installs) As an indication, in the properties of those files I have these versions:
winsrv.dll 5.1.2600.3099
user32.dll 5.1.2600.3103

4.- I use these commands, in this order:
a: <Enter>
copy winsrv.dll c:\windows\system32 <Enter>
"desea sobreescribir?" s <Enter>
copy user32.dll c:\windows\system32 <Enter>
"desea sobreescribir?" s <Enter>

5.- I reboot IN SAFE MODE. (I press F8 as soon as the boot screen appears)
****CAREFUL!!! if you reboot even ONCE in normal mode after overwriting those files,
you'll have to repeat steps 1 to 5!!!! *****

6.- I apply the patch "WindowsXP-KB925902-x86-ESN"
->> http://www.microsoft.com/downloads/d...displaylang=es
which I will have copied onto a pendrive or CD after downloading it from a clean machine.

7.- I reboot in normal mode.

8.- I apply the cumulative patch pack "winup.ver27"
->> www.winup.es/, I can download it on the machine itself since it is now 100% operational.

7.- I reboot in normal mode.

9.- I clean the registry with Regseeker.
- >> http://www.hoverdesk.net/freeware.htm

10.- Machine operational WITHOUT needing to remove AVG.


On every machine where I have followed this process it worked the first time, including one on which I lost the partition by changing the disk type with a partitioning tool, which I later repaired with Paragon Drive Backup, a very good program as far as I have seen.

I hope this solution helps many people; I will keep using it with my clients. And I will keep AVG on them; so far it has proven very good over more than two years of use with more than 500 clients, and I think discovering Windows vulnerabilities is very useful for preventing new threats to PCs.

Regards and good luck with your system recoveries.


Hope it will help. Thanks in advance for comments, good or bad, about it. Learning is the path...
   
  (#5)
basura
Newbie
 
11-14-2007, 19:42 | posts: 1

Yesterday I had exactly the same issue with 2 computers.
(I've found this thread just because I was curious whether it was only me)

Lost some precious hours fixing this, now I'm searching for another free AV.

PS. I also have WinXP SP2 Spanish
   
  (#6)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
11-14-2007, 21:09 | posts: 4,554 | Location: Buenos Aires, Argentina

Quote: Originally Posted by basura
Lost some precious hours fixing this, now I'm searching for another free AV.
I didn't look for another free antivirus, I'm very happy with AVG. I can't demand perfection on a free product, and it speaks good of them that they fixed it in one day.
   
  (#7)
Animatrix
Ancient Guru
 
 
Videocard: BFG 8800GT OC2 512
Processor: Intel Core 2 Duo E6750
Mainboard: ABIT IP35 Pro
Memory: Corsair XMS2 4x1GB
Soundcard: SoundBlaster Audigy 2 ZS
PSU: Corsair VX550W
11-15-2007, 15:31 | posts: 6,843 | Location: Denmark

So this was a language-specific false positive, I assume? You're all running XP in Spanish, right? I only get results back to stuff in Spanish when I google for "Trojan Horse Generic9.TBN". I can't find any information about it.

Perfect or not, free or not, false-positiving system files is bad. In the worst cases it can be almost as bad as a virus infection if the person hit by it is computer-illiterate enough. Most run-of-the-mill PC users would not be able to fix this so easily, I fear. But it has been known to happen that AVs will flag system files. The only advice I can give is to add the file(s) to the exclusions list immediately and test it. Test the exclusion by scanning the file.
   
  (#8)
TecFuerte
Newbie
 
Solution for issue - 11-16-2007, 09:45 | posts: 2 | Location: Fuerteventura

Here is the translation for the last post.
And yes, it seems to happen only in XPSP2 SPANISH version.

I looked for solutions to this problem until I came across the perfect combination (at least for me it is), and of course a very fast one. You can have the machine up and running again in about 20 minutes.
Here are the steps I follow.

Tools required: WinXP SP2 CD, floppies, pendrive or blank CDs to move the patches, an alternative machine with XP SP2 without infection, or download the libraries from http://www.dll-files.com/, and
a floppy with the SATA drivers of the infected PC, in case the WinXP CD does not recognize the hard drive.


1.- Load the WinXP SP2 CD, with the machine's SATA controllers if needed.

2.- Begin the recovery of the system, with "R" through the recovery console.

3.- Insert a diskette on which I previously managed to get a clean version of these two files: "winsrv.dll" and "user32.dll". (clean = more modern version, because it is the one that applies the patch)
Version of the files I have:
Winsrv.dll 5.1.2600.3099
User32.dll 5.1.2600.3103

4.- Use these commands, in this order:
A: <Enter>
Copy winsrv.dll c:\windows\system32 <Enter>
"Overwrite want?" S <Enter>
Copy user32.dll c:\windows\system32 <Enter>
"Overwrite want?" S <Enter>

5.- Restart in SAFE MODE. (Press F8 as soon as the boot screen appears)
**** WARNING!!! If you restart even once in normal mode after overwriting those files, you will have to repeat steps 1 through 5!! *****

6.- Install the patch "WindowsXP-KB925902-x86-ESN"
->> http://www.microsoft.com/downloads/d...3-10ac20a75020
copied to a CD or pendrive, downloaded from a clean machine.

7.- Restart in normal mode.

8.- Install the cumulative patch pack "winup.ver27"
->> Www.winup.es
I downloaded it onto the machine, as it is now 100% operational.

7.- Restart in normal mode.

9.- Clean the registry with Regseeker.
->> Http://www.hoverdesk.net/freeware.htm

10.- Machine operational WITHOUT needing to remove AVG.


On all machines on which I have followed this process it worked right away, including one on which I lost the partition playing badly with a partitioner and then repaired with Paragon Drive Backup, a really good program as far as I could test.

I hope this solution will serve many people; I will use it with my clients. And I'll keep AVG on them; so far it has proved to be very good in more than two years of use with over 500 clients, and I believe that discovering Windows vulnerabilities is very useful to prevent new threats to PCs.

Greetings and good luck in the recoveries of your systems.

PS: Thinking about the problem and whether to change AVG or not, I believe that having this kind of problem at an early stage (if you follow these instructions, nothing is lost) is somehow better than having the issue WITHOUT the patch and letting something worse happen when a REAL virus takes advantage of it.
If you have in your system a file like user32.dll or winsrv.dll UNPROTECTED BY THE SYSTEM and so critical to boot, then the problem is not AVG. The problem is the chance ANY program has to erase or modify a single bit of those files and make you spend time and money recovering from the problem.
At least AVG solved the problem, quickly. Is Microsoft going to protect the critical files at all? I doubt it.
Anyway, I'm starting to look for a whole parallel functional system in Linux for companies. I'm tired of these issues hanging every computer without warning.
If someone has good links for such a project please let me know. Thanks a lot.
   
  (#9)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
11-16-2007, 10:02 | posts: 4,554 | Location: Buenos Aires, Argentina

Quote: Originally Posted by Animatrix
So this was a language-specific false positive, I assume? You're all running XP in Spanish, right? I only get results back to stuff in Spanish when I google for "Trojan Horse Generic9.TBN". I can't find any information about it.
That "Trojan horse Generic9.TBN" is very mysterious, since AVG detects it but it has no reference on its database. I think it's more a heuristic thing than anything else. I'm seriously considering registering on their free forum just to ask them about this.
   
  (#10)
Animatrix
Ancient Guru
 
 
Videocard: BFG 8800GT OC2 512
Processor: Intel Core 2 Duo E6750
Mainboard: ABIT IP35 Pro
Memory: Corsair XMS2 4x1GB
Soundcard: SoundBlaster Audigy 2 ZS
PSU: Corsair VX550W
11-16-2007, 14:22 | posts: 6,843 | Location: Denmark

Quote: Originally Posted by andrescm
That "Trojan horse Generic9.TBN" is very mysterious, since AVG detects it but it has no reference on its database.
The reason why it is not in the DB may be that generic detects variants and this was also a false positive. Not sure though how their generic detection works in this respect. If you look at the name it appears that Generic#.TBN is used for other kinds of malware like BackDoor.Generic5.TBN. But again this name is not found when doing a search on Grisoft. It is likely just not possible to list all variants. I don't know what .TBN stands for. The first thing to pop into my head was "to-be-named" but that is probably not it; I can't think of anything that makes much sense, "tracked-but-new", "something-bit-number", who knows?

Quote: Originally Posted by andrescm
I think it's more a heuristic thing than anything else.
You're right, generic detection can be seen as a form of heuristics, to some degree, i.e. "looks for sequences within the file typical for certain viruses".
Quote:
http://www.grisoft.com/doc/72/us/crp/0
Generic detection

This is a more common method for the detection of known viruses and is used to determine new variants of known viruses. If no known virus is identified, generic detection looks for sequences within the file typical for certain viruses. Such sequences usually don't change within the virus when it is modified, even if the behavior of the new variant is different. This method is effective especially in the detection of macro-viruses and script-viruses.
That would be a static analysis, I guess, and is not the same as heuristics doing run-time analysis in, say, a sandbox (heuristics can do both, well OK that depends, but anyway).

Quote: Originally Posted by andrescm
I'm seriously considering registering on their free forum just to ask them about this.
That's always one of the best ways to get the information. Or at least it should be.
   
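The Grisoft text Animatrix quotes says generic detection looks for byte sequences typical of a family rather than a hash of one sample, which is exactly how a sequence that also occurs in benign code produces a false positive on a system file; Animatrix's earlier advice (post #7) was to add the file to the exclusion list and then scan it again to confirm. The toy scanner below, added here as an illustration and not AVG's engine or its detection names, shows both halves: a constructed "generic" pattern that fires on a constructed malicious-looking sample and, by accident, on a constructed benign DLL image, and an allowlist of known-good SHA-256 hashes that turns the benign hit into an "excluded" verdict without hiding the real one. Every signature name, pattern and file in it is constructed; real engines use much longer vetted sequences, and AVG's exclusion list is path-based whereas this one keys on the file hash, which is the stricter choice because the exclusion stops applying the moment the file changes.

```python
"""Toy 'generic detection' plus a hash-based exclusion list.
Added example; signatures, names and files are all constructed."""
import hashlib

# Constructed family signatures (names and bytes invented for this example).
# Deliberately short so the benign hit below is easy to provoke; a real
# engine would use much longer, vetted sequences.
GENERIC_SIGNATURES = {
    "Generic.Sample.A": b"\x55\x8b\xec\x83\xec\x10",  # ordinary x86 function-prologue bytes
    "Generic.Sample.B": b"CONSTRUCTED-MARKER-B",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures=GENERIC_SIGNATURES, allowlist=frozenset()):
    """Return (verdict, signature_name); verdict is 'clean', 'detected' or 'excluded'.

    A file whose SHA-256 is on the allowlist still matches the pattern, but the
    match is reported as 'excluded' instead of acted on: the exclusion records
    a decision about one known-good file without weakening the pattern for
    everything else."""
    for sig_name, pattern in signatures.items():
        if pattern in data:
            if sha256(data) in allowlist:
                return ("excluded", sig_name)
            return ("detected", sig_name)
    return ("clean", None)


# Constructed sample files (not real malware and not real system files).
MALICIOUS_LIKE = b"\x90" * 8 + b"CONSTRUCTED-MARKER-B" + b"\x00" * 8
# A benign 'DLL image' that happens to contain the prologue bytes Sample.A keys on.
BENIGN_DLL = b"MZ" + b"\x00" * 30 + b"\x55\x8b\xec\x83\xec\x10\xc3" + b"\x00" * 16
PLAIN_TEXT = b"hello, nothing to see here"

SAMPLE_FILES = {
    "sample.bin": MALICIOUS_LIKE,
    "user32.dll": BENIGN_DLL,   # constructed stand-in, not the real file
    "readme.txt": PLAIN_TEXT,
}


def run(allowlist=frozenset()) -> dict:
    """Scan every sample file and return {name: (verdict, signature_name)}."""
    return {name: scan(data, allowlist=allowlist) for name, data in SAMPLE_FILES.items()}


def exclusion_is_effective(data: bytes, allowlist) -> bool:
    """The thread's advice: after excluding a file, scan it again to confirm."""
    return scan(data, allowlist=allowlist)[0] == "excluded"


if __name__ == "__main__":
    print("before exclusion:", run())
    known_good = frozenset({sha256(BENIGN_DLL)})   # hash recorded from a verified copy
    print("after exclusion: ", run(allowlist=known_good))
    print("exclusion confirmed:", exclusion_is_effective(BENIGN_DLL, known_good))
```

Before the exclusion the benign DLL image and the malicious-looking sample both come back "detected" on different patterns; after adding the DLL's hash, only the DLL's verdict changes. The hash for the allowlist should come from a copy verified against installation media, as Andrés did, not from the file as found on a machine that may already be compromised.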
  (#11)
Animatrix
Ancient Guru
 
 
Videocard: BFG 8800GT OC2 512
Processor: Intel Core 2 Duo E6750
Mainboard: ABIT IP35 Pro
Memory: Corsair XMS2 4x1GB
Soundcard: SoundBlaster Audigy 2 ZS
PSU: Corsair VX550W
11-16-2007, 14:34 | posts: 6,843 | Location: Denmark

Quote: Originally Posted by TecFuerte
If you have in your system a file like user32.dll or winsrv.dll UNPROTECTED BY SYSTEM and so critical to boot, then the problem is not the AVG. The problem is the chance ANY program can have to erase or modify a single bit of those files and make you spend time and money recovering the problem.
At least AVG solved the problem, quickly. Is Microsoft gonna protect the critical files at all? I doubt it.
I have to disagree; it is both AVG's and possibly also the user's fault, I don't see MS being at fault here.

1. System files are protected
Description of the Windows File Protection feature

2. People turn it off for all kinds of reasons.
Quote:
http://www.crystalxp.net/news/en187-...bricopack.html
Step 3: Editing user32.dll

First: you can't edit "user32.dll" directly because it is in use. Also, Windows File Protection would hinder you in this effort.
3. AVG must have deleted the file on boot before it was put in use by the OS.

4. This should not happen if put on the exclusion list; however I can't say what happens if you just ignore the message and then reboot. It may in fact then "delete" the file (depends on action to take on detection, or cleaning method).
   
  (#12)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
11-16-2007, 15:31 | posts: 4,554 | Location: Buenos Aires, Argentina

Quote: Originally Posted by Animatrix
4. This should not happen if put on the exclusion list; however I can't say what happens if you just ignore the message and then reboot. It may in fact then "delete" the file (depends on action to take on detection, or cleaning method).
Based on my experience, if AVG detects a virus or trojan in a file it blocks all access to it until the user decides to either ignore the report or take actions. However when you reboot it seems the antivirus detects the trojan again, blocking the file and leading directly to a blue screen because Windows can't load that file just when it needs it.

Thanks for your feedback Animatrix, it's very useful.
   
  (#13)
Animatrix
Ancient Guru
 
 
Videocard: BFG 8800GT OC2 512
Processor: Intel Core 2 Duo E6750
Mainboard: ABIT IP35 Pro
Memory: Corsair XMS2 4x1GB
Soundcard: SoundBlaster Audigy 2 ZS
PSU: Corsair VX550W
11-16-2007, 17:51 | posts: 6,843 | Location: Denmark

You're welcome. I think you're right, the Resident Shield in AVG only blocks and does not clean or delete. But why would it delete it on boot when not told to do so?
   
  (#14)
Andrés
Ancient Guru
 
 
Videocard: Sapphire HD 6950 2Gb
Processor: Q6600 @ 3.0Ghz
Mainboard: Asus P5E
Memory: 4x1Gb Kingston DDR2 667
Soundcard: X-Fi Titanium
PSU: CM Silent Pro M700
11-16-2007, 19:00 | posts: 4,554 | Location: Buenos Aires, Argentina

Quote: Originally Posted by Animatrix
You're welcome. I think you're right, the Resident Shield in AVG only blocks and does not clean or delete. But why would it delete it on boot when not told to do so?
It doesn't delete the file, it stays where it was, untouched. The guy TecFuerte proposed a cumbersome fix when in truth there's nothing that needs to be restored (provided he was talking about the same issue as me). Making the antivirus not load (by renaming its folder) was all I needed to get Windows back online. And after the next update was released, downloading and running the latest AVG Free installer fixed the rest.
   
  (#15)
WonkoTheSane
Newbie
 
Videocard: Intel 915
Processor: Intel Pentium M 1.70Ghz
Mainboard: Dell Inspiron 1300
Memory: 1.2Gb crucial
Vista + AVG generic9.vpa - 11-18-2007, 22:37 | posts: 1

I'm getting a threat found message from AVG Free on Windows Vista Business (32-bit, British English) running on a Dell Inspiron 1300 laptop.

c:\Windows\system32\ntoskrnl.exe Change Changed
c:\Program files\Dell\QuickSet\SVCLauncher.exe Deleted

It claimed that SVCLauncher.exe was infected with "Trojan horse Generic9.VPA"

I can't find any reference to Generic9.VPA virus.

I was wondering if this is likely to be another false positive?

Last edited by WonkoTheSane; 11-18-2007 at 22:53.
   
  (#16)
SolidBladez
Ancient Guru
 
Videocard: 2x 7950 Boost
Processor: Intel i7 4770K @ 4.3GHz
Mainboard: ASRock Z87 Extreme6
Memory: Samsung 30nm 8GB DDR3
PSU: NZXT Hale 90 550W
11-18-2007, 22:47 | posts: 3,716 | Location: CO

Yeah, I'm not too sure what's going on with AVG right now because I'm having serious issues with it and Vista. I noticed that my computer would literally freeze for about a minute or so when I would open up a drive folder. I tried getting Task Manager to load up but by the time it did, the freezing was gone and I couldn't figure out which process was lagging my computer.

It was only when I was looking up something else under Task Manager that the freeze happened again. This time, I was able to figure out who was the culprit: avgrssvc.exe

I like AVG but I have no idea what the company is doing to update their product to the point where I almost don't want an Antivirus installed on my computer.
   
  (#17)
devnullius
Newbie
 
Videocard: apple
Processor: powerpc
PSU: 1 kwpcu
Another year over, and what have they done? ; ) - 11-20-2008, 15:26 | posts: 1

one year later... and they did it again. LOL.

Take avast as your free scanner, everybody just loves avast

This time I have a Dutch machine that lost regsrv & user32... Sigh.

Good luck copying, y'all

Peace!

Devvie Nuis

Any man can err; none but a fool persists in error.
------
All spelling mistakes are my own and may only be distributed under the GNU General Public License! - ((c) 1995-2001 by Coredump; 2002-008 by DevNullius)
   
  (#18)
Animatrix
Ancient Guru
 
 
Videocard: BFG 8800GT OC2 512
Processor: Intel Core 2 Duo E6750
Mainboard: ABIT IP35 Pro
Memory: Corsair XMS2 4x1GB
Soundcard: SoundBlaster Audigy 2 ZS
PSU: Corsair VX550W
11-20-2008, 20:49 | posts: 6,843 | Location: Denmark

Lol, déjà vu, I had completely forgotten about that. But this time it was worse I think, as it wasn't language-specific as I understood it, though I didn't look into it much this time around. Also last time it was a generic detection which, just like heuristics, can't be tested as easily for false positives (OK, on system files it actually can be tested though). This time the detection sounds like a sig (PSW.Banker4.APSA) but I don't know for sure.

As I have said, it happens. Not that I find it very acceptable, because if you ask me testing the sigs and generic/heuristic detection should catch such mistakes on system files. But to test all language versions of Windows is no small task.
   
  (#19)
Year
Ancient Guru
 
 
Videocard: EVGA GTX 690
Processor: Intel® i7 2600
Mainboard: Asus P67 Evo
Memory: G.Skill Sniper DDR3 16GB
Soundcard: Auzentech Bravura 7.1
PSU: Enermax Galaxy 850W
11-24-2008, 09:33 | posts: 11,596 | Location: ♫

I haven't touched AVG in years, Avira AntiVir is my fave (avast a close 2nd as far as free antivirus goes). I'm not saying every other antivirus is immune to such borked updates, but in all the years I've been using AntiVir I've never encountered any of this, and that's with the free version; German technology hahahahaha (they proudly claim that on the Avira website). It shows.

AVG is getting sloppy as of late, my friends swear by it (even though it missed 3 trojans detected by every other antivirus out there). Meh.
   