AVG Free + Windows XP SP2: Warning

Discussion in 'General Software and Applications' started by Andrés, Nov 13, 2007.

  1. Andrés (Ancient Guru)
    I love this antivirus, but yesterday, when it downloaded the latest update (AVG 7.5.503 - AVI 269.15.30/1127), it started complaining about my XP SP2's user32.dll file having a trojan:

    [screenshot of the AVG alert]

    This is a false alarm: I knew the user32.dll file was fine, and what's more, I compared it to the original on the CD with the FC command and they matched bit for bit. So I kept clicking the Ignore button every time AVG complained about this, and then I went to sleep.

    Today I wake up, turn on the computer again and voilà, I get this:

    STOP: c0000135 (unable to locate component) this application has failed to start because winsrv was not found. Re-installing the application may fix this problem...

    So I started the parallel installation I have on the same disk, compared user32.dll again, this time against the one belonging to the XP SP2 I booted from on the second partition, and they were still identical. Remembering yesterday's false alarm, I went to C:\Program Files and renamed the Grisoft folder (where AVG Free is located). Booted again from the first OS and voilà, the antivirus is gone but Windows loads again flawlessly...

    Furthermore, now at another computer with XP SP2 I have experienced exactly this same problem after updating AVG.

    I'll see what Grisoft has to say about this, haven't found anything related on their website at the moment.

    The affected Windows is XP SP2 Spanish. The user32.dll file size is 578,048. In case anyone else experiences this (let's hope not!), I leave here a small tip from my experience.

    EDIT: They haven't mentioned anything and I doubt they ever will, but there's a new update (AVI 269.15.31/1128) that fixes the false alarm and the blue screen during bootup. On a system with the Grisoft folder renamed, the best fix is to download and run the latest AVG installer and it will detect the damaged installation and repair it. Then apply the latest database update.
     
    Last edited: Nov 16, 2007
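    The bit-for-bit comparison described above (FC against the copy on the install CD) is the right first move when an antivirus flags a core system file, and it is worth doing a little more thoroughly: record sizes, file versions and hashes of both copies so the evidence survives, and report where the bytes first diverge if they do. The following PowerShell function is an added example written for this page; it is not from the thread, from AVG or from Microsoft. It assumes PowerShell 4.0 or later (for Get-FileHash) and a trusted reference copy of the file, such as the same file on a parallel installation or one extracted from install media; the paths in the usage line are placeholders.

```powershell
# Added example (not from the thread): compare a file an antivirus flagged
# against a known-good copy, the way FC /B was used on the install CD copy.
# Assumes PowerShell 4.0+ (Get-FileHash) and that $Reference is trusted.
function Compare-SuspectFile {
    param(
        [Parameter(Mandatory)][string]$Suspect,    # e.g. C:\Windows\System32\user32.dll
        [Parameter(Mandatory)][string]$Reference   # e.g. the same file on a parallel install
    )

    $s = Get-Item -LiteralPath $Suspect
    $r = Get-Item -LiteralPath $Reference

    $result = [ordered]@{
        Suspect          = $s.FullName
        Reference        = $r.FullName
        SuspectSize      = $s.Length
        ReferenceSize    = $r.Length
        SuspectVersion   = $s.VersionInfo.FileVersion
        ReferenceVersion = $r.VersionInfo.FileVersion
        SuspectSHA256    = (Get-FileHash -LiteralPath $s.FullName -Algorithm SHA256).Hash
        ReferenceSHA256  = (Get-FileHash -LiteralPath $r.FullName -Algorithm SHA256).Hash
        Identical        = $false
        FirstDifference  = $null
        # Authenticode status of the suspect copy. Windows system DLLs are
        # catalog-signed, which this cmdlet resolves on Windows 8 and later;
        # on XP-era systems it reports NotSigned for them, so treat this
        # field as supporting evidence only, never as the sole verdict.
        SuspectSignature = (Get-AuthenticodeSignature -FilePath $s.FullName).Status.ToString()
    }

    if ($result.SuspectSHA256 -eq $result.ReferenceSHA256) {
        $result.Identical = $true
    }
    else {
        # Hashes differ: find the first mismatching offset, as FC /B would print it.
        $a = [System.IO.File]::ReadAllBytes($s.FullName)
        $b = [System.IO.File]::ReadAllBytes($r.FullName)
        $n = [Math]::Min($a.Length, $b.Length)
        for ($i = 0; $i -lt $n; $i++) {
            if ($a[$i] -ne $b[$i]) {
                $result.FirstDifference = '0x{0:X8}' -f $i
                break
            }
        }
        if ($null -eq $result.FirstDifference) {
            # Same bytes up to the shorter length; only the sizes differ.
            $result.FirstDifference = '0x{0:X8} (end of shorter file)' -f $n
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder paths; D: is assumed to hold a parallel Windows install):
Compare-SuspectFile -Suspect 'C:\Windows\System32\user32.dll' `
                    -Reference 'D:\Windows\System32\user32.dll' | Format-List
```

    If Identical comes back True, the file on disk has not been touched and the detection is a false positive: the sensible actions are to exclude the file and report it to the vendor, not to "repair" anything. If the hashes differ but the versions differ too, compare against a copy at the same patch level before concluding the file is malicious, since a hotfix legitimately changes system DLLs.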
  2. Alexstarfire (Ancient Guru)
    Hmmm, well I just went and looked at my user32.dll file and it's the EXACT same size as yours. I thought that perhaps, since you have a different language, the file size might be slightly different, but it doesn't seem so.

    At least they fixed it, right? I think it's sad that they didn't even say anything about it though.
     
  3. Andrés (Ancient Guru)
    I've seen several false alarms with AVG Free, but this was the first time it rendered the computer unbootable. Anyway, I'm happy the next update fixed it.
     
  4. TecFuerte (New Member)
    Solution for the winsrv problem (originally posted in Spanish).

    Just in case someone needs it; I can translate it if asked to...

    Hello. Yesterday I spent the whole night looking for solutions to this problem, until I hit on the perfect combination (at least it is for me), and a very fast one. You can have the machine running again in about 20 minutes.
    Here are the steps I follow.

    Tools needed: a Windows XP SP2 CD; floppies, a USB stick or blank CDs to move the patches; an alternative machine with an uninfected XP SP2, or else download the libraries from http://www.dll-files.com/ ; and
    the infected PC's SATA drivers on a floppy, in case the Windows XP CD doesn't recognise the hard disk.


    1.- Boot the Windows XP SP2 CD, with the machine's SATA drivers if it needs them.

    2.- Start system recovery by pressing "R" to enter the Recovery Console.

    3.- Insert a floppy on which I have previously managed to put a clean version of these two files: "winsrv.dll" and "user32.dll". (Clean version = more recent, because it is the one installed by the patch I apply later.) As an indication, the versions shown in the properties of those files on my system are:
    winsrv.dll 5.1.2600.3099
    user32.dll 5.1.2600.3103

    4.- Use these commands, in this order:
    a: <Enter>
    copy winsrv.dll c:\windows\system32 <Enter>
    "Overwrite?" s <Enter>
    copy user32.dll c:\windows\system32 <Enter>
    "Overwrite?" s <Enter>

    5.- Reboot IN SAFE MODE. (Press F8 as soon as the boot screen appears.)
    ****CAREFUL!!! If you reboot even ONCE in normal mode after overwriting those files,
    you will have to repeat steps 1 to 5!!!! *****

    6.- Apply the patch "WindowsXP-KB925902-x86-ESN"
    ->> http://www.microsoft.com/downloads/...84-945F-4B78-9463-10AC20A75020&displaylang=es
    which I will have copied to a USB stick or CD after downloading it from a clean machine.

    7.- Reboot in normal mode.

    8.- Apply the cumulative patch pack "winup.ver27"
    ->> www.winup.es/ ; I can download it on the machine itself, since it is now 100% operational.

    9.- Reboot in normal mode.

    10.- Clean the registry with RegSeeker.
    ->> http://www.hoverdesk.net/freeware.htm

    11.- Machine operational WITHOUT having to remove AVG.


    On every machine where I have followed this process it worked the first time, including one where I lost the partition by changing the disk type with a partitioning tool and later repaired it with Paragon Drive Backup, a very good program as far as I have seen.

    I hope this solution helps a lot of people; I will keep using it with my clients. And I will keep AVG on them; so far it has proven very good over more than two years of use with more than 500 clients, and I think discovering Windows vulnerabilities is very useful for preventing new threats to PCs.

    Regards, and good luck recovering your systems.


    Hope it will help. Thanks in advance for comments, good or bad. Learning is the path...
     

  5. basura (New Member)
    Yesterday I had exactly the same issue with 2 computers.
    (I found this thread just because I was curious whether it was only me.)

    Lost some precious hours fixing this; now I'm searching for another free AV. :(

    PS: I also have WinXP SP2 Spanish.
     
  6. Andrés (Ancient Guru)
    I didn't look for another free antivirus; I'm very happy with AVG. I can't demand perfection from a free product, and it speaks well of them that they fixed it in one day.
     
  7. Animatrix (Ancient Guru)
    So this was a language-specific false positive, I assume? You're all running XP in Spanish, right? I only get results back for stuff in Spanish when I google for "Trojan Horse Generic9.TBN". I can't find any information about it.

    Perfect or not, free or not, flagging system files as false positives is bad. In the worst cases it can be almost as bad as a virus infection if the person hit by it is computer-illiterate enough. Most run-of-the-mill PC users would not be able to fix this so easily, I fear. But it has been known to happen that AVs flag system files. The only advice I can give is to add the file(s) to the exclusion list immediately and test it. Test the exclusion by scanning the file.
     
  8. TecFuerte (New Member)
    Solution for the issue

    Here is the translation of my earlier post.
    And yes, it seems to happen only in the XP SP2 SPANISH version.

    I looked for solutions to this problem until I came across the perfect combination (at least for me it is), and a very fast one. You can have the machine running again in about 20 minutes.
    Here are the steps I follow.

    Tools required: a Windows XP SP2 CD; floppies, a USB stick or blank CDs to move the patches; an alternative machine with an uninfected XP SP2, or download the libraries from http://www.dll-files.com/ ; and
    a floppy with the SATA drivers of the infected PC, in case the Windows XP CD does not recognise the hard drive.


    1.- Boot the Windows XP SP2 CD, with the machine's SATA drivers if needed.

    2.- Start system recovery by pressing "R" to enter the Recovery Console.

    3.- Insert a diskette on which I previously managed to put a clean version of these two files: "winsrv.dll" and "user32.dll". (Clean version = more recent, because it is the one the patch installs.)
    Versions of the files I have:
    winsrv.dll 5.1.2600.3099
    user32.dll 5.1.2600.3103

    4.- Use these commands, in this order:
    a: <Enter>
    copy winsrv.dll c:\windows\system32 <Enter>
    "Overwrite?" s <Enter>
    copy user32.dll c:\windows\system32 <Enter>
    "Overwrite?" s <Enter>

    5.- Reboot IN SAFE MODE. (Press F8 as soon as the boot screen appears.)
    **** WARNING!!! If you reboot even once in normal mode after overwriting those files, you will have to repeat steps 1 through 5!! *****

    6.- Install the patch "WindowsXP-KB925902-x86-ESN"
    ->> http://www.microsoft.com/downloads/...FamilyID=f82ea184-945f-4b78-9463-10ac20a75020
    downloaded from a clean machine and copied to a CD or USB stick.

    7.- Reboot in normal mode.

    8.- Install the cumulative patch pack "winup.ver27"
    ->> www.winup.es
    I downloaded it on the machine itself, as it is now 100% operational.

    9.- Reboot in normal mode.

    10.- Clean the registry with RegSeeker.
    ->> http://www.hoverdesk.net/freeware.htm

    11.- Machine operational WITHOUT the need to remove AVG.


    On all the machines on which I have followed this process it worked the first time, including one on which I lost the partition by playing badly with a partitioning tool and then repaired it with Paragon Drive Backup, a really good program as far as I could test.

    I hope this solution will help many people; I will use it with my clients. And I will keep AVG on them; so far it has proven to be very good in more than two years of use with over 500 clients, and I believe that discovering Windows vulnerabilities is very useful for preventing new threats to PCs.

    Greetings, and good luck with the recovery of your systems.

    PS: Thinking about the problem and about changing AVG or not, I believe that having this kind of problem at an early stage (if you follow these instructions, nothing is lost) is somehow better than having the issue WITHOUT the patch and letting something worse happen when a REAL virus takes advantage of it.
    If your system has a file like user32.dll or winsrv.dll UNPROTECTED BY THE SYSTEM and so critical to booting, then the problem is not AVG. The problem is the chance ANY program has to erase or modify a single bit of those files and make you spend time and money recovering from the problem.
    At least AVG solved the problem, quickly. Is Microsoft going to protect the critical files at all? I doubt it.
    Anyway, I'm starting to look for a whole parallel functional system in Linux for companies. I'm tired of these issues hanging every computer without warning.
    If someone has good links for such a project, please let me know. Thanks a lot.
     
  9. Andrés (Ancient Guru)
    That "Trojan horse Generic9.TBN" is very mysterious, since AVG detects it but it has no reference on its database. I think it's more a heuristic thing than anything else. I'm seriously considering registering on their free forum just to ask them about this.
     
  10. Animatrix (Ancient Guru)
    The reason why it is not in the DB may be that the generic detection covers variants and this was also a false positive. Not sure, though, how their generic detection works in this respect. If you look at the name, it appears that Generic#.TBN is used for other kinds of malware too, like BackDoor.Generic5.TBN. But again, this name is not found when doing a search on Grisoft. It is likely just not possible to list all variants. I don't know what .TBN stands for. The first thing to pop into my head was "to-be-named", but that is probably not it; I can't think of anything that makes much sense: "tracked-but-new", "something-bit-number", who knows?

    You're right, generic detection can be seen as a form of heuristics, to some degree, i.e. "looks for sequences within the file typical for certain viruses".
    That would be a static analysis, I guess, and is not the same as heuristics doing run-time analysis in, say, a sandbox (heuristics can do both; well, OK, that depends, but anyway).

    That's always one of the best ways to get the information. Or at least it should be.
     

  11. Animatrix (Ancient Guru)
    I have to disagree: it is both AVG's and possibly also the user's fault; I don't see MS being at fault here.

    1. System files are protected:
    Description of the Windows File Protection feature

    2. People turn it off for all kinds of reasons.
    3. AVG must have deleted the file on boot before it was put in use by the OS.

    4. This should not happen if the file is put on the exclusion list; however, I can't say what happens if you just ignore the message and then reboot. It may in fact then "delete" the file (depends on the action to take on detection, or the cleaning method).
     
  12. Andrés (Ancient Guru)
    Based on my experience, if AVG detects a virus or trojan in a file it blocks all access to it until the user decides to either ignore the report or take actions. However when you reboot it seems the antivirus detects the trojan again, blocking the file and leading directly to a blue screen because Windows can't load that file just when it needs it.

    Thanks for your feedback Animatrix, it's very useful.
     
  13. Animatrix (Ancient Guru)
    You're welcome. I think you're right: the Resident Shield in AVG only blocks and does not clean or delete. But why would it delete it on boot when not told to do so?
     
  14. Andrés (Ancient Guru)
    It doesn't delete the file; it stays where it was, untouched. TecFuerte proposed a cumbersome fix when in truth there's nothing that needs to be restored (provided he was talking about the same issue as me). Making the antivirus not load (by renaming its folder) was all I needed to get Windows back online. And after the next update was released, downloading and running the latest AVG Free installer fixed the rest.
     
  15. WonkoTheSane (New Member)
    Vista + AVG generic9.vpa

    I'm getting a threat found message from AVG Free on Windows Vista Business (32-bit, British English) running on a Dell Inspiron 1300 laptop.

    c:\Windows\system32\ntoskrnl.exe Change Changed
    c:\Program files\Dell\QuickSet\SVCLauncher.exe Deleted

    It claimed that SVCLauncher.exe was infected with "Trojan horse Generic9.VPA"

    I can't find any reference to Generic9.VPA virus.

    I was wondering if this is likely to be another false positive?
     
    Last edited: Nov 18, 2007

  16. SolidBladez (Ancient Guru)
    Yeah, I'm not too sure what's going on with AVG right now, because I'm having serious issues with it and Vista. I noticed that my computer would literally freeze for about a minute or so when I opened a drive folder. I tried getting Task Manager to load up, but by the time it did, the freezing was gone and I couldn't figure out which process was lagging my computer.

    It was only when I was looking up something else in Task Manager that the freeze happened again. This time I was able to figure out who the culprit was: avgrssvc.exe

    I like AVG, but I have no idea what the company is doing to update their product to the point where I almost don't want an antivirus installed on my computer.
     
  17. devnullius (New Member)
    Another year over, and what have they done? ; )

    one year later... and they did it again. LOL.

    Take avast as your free scanner, everybody just loves avast :p

    This time I have a Dutch machine that lost regsrv & user32... Sigh.

    Good luck copying, y'all ;)

    Peace!

    Devvie Nuis

    Cuiusvis hominis est errare, nullius nisi insipientis in errore perseverare (Any man can err; only a fool persists in error)
    ------
    All spelling mistakes are my own and may only be distributed under the GNU General Public License! - ((c) 1995-2001 by Coredump; 2002-008 by DevNullius)
     
  18. Animatrix (Ancient Guru)
    Lol, déjà vu; I had completely forgotten about that. But this time it was worse, I think, as it wasn't language-specific as I understood it, though I didn't look into it much this time around. Also, last time it was a generic detection which, just like heuristics, can't be tested as easily for false positives (OK, on system files it actually can be tested). This time the detection sounds like a sig (PSW.Banker4.APSA), but I don't know for sure.

    As I have said, it happens. Not that I find it very acceptable, because if you ask me, testing the sigs and generic/heuristic detection should catch such mistakes on system files. But testing all language versions of Windows is no small task.
     
  19. Year (Ancient Guru)
    I haven't touched AVG in years; Avira AntiVir is my fave (avast a close 2nd as far as free antivirus goes). I'm not saying every other antivirus is immune to such borked updates, but in all the years I've been using AntiVir I've never encountered any of this, and that's with the free version. German technology, hahahahaha (they proudly claim that on the Avira website). It shows. :D

    AVG is getting sloppy as of late; my friends swear by it (even though it missed 3 trojans detected by every other antivirus out there). Meh.
     
