AVG 8 update falsely flags user32.dll as infected on XP SP2 (false positive)

DO NOT REMOVE user32.dll, even though AVG 8 states that there is a virus in the file.

Doing so removes the file, causes a BSOD, and leaves your system unable to boot.

AVG marks the file as infected with Trojan Horse PSW.BANKER4.APSA.

The options are to wait for an update from AVG or (preferably) to upgrade to XP SP3!

  • Rodo

    Oh, God!

    AVG auto-updated today, November 9th, 2008, and 4 minutes later encountered that PSW. as a possible threat. But I didn’t remove it. I just healed…twice! Yes! It detected that virus threat twice!

    But now user32.dll is missing in C:\WINDOWS\SYSTEM32\dllcache folder.

    Now I cannot reboot, run command or Task Manager and other programs. 🙁

    The HELP section in AVG doesn’t help at all. :@

    I searched for user32.dll and located it in 5 different folders in C:\WINDOWS\

    Should I copy + paste the most recent one to its original folder??!?!?!?!?! :O

    Help! D’:

    Win XP

  • Ted G.

    Google brings up a number of forum posts in which the users complaining are using SP3, so having SP3 doesn’t really seem to make a difference. The best solution (security-wise) would be to stop using an ancient OS like Windows XP altogether and switch to Windows Vista or a different operating system if one’s feeling adventurous.

  • Rodo

    Yes, you’re right, Ted.

    Any other suggestions? My Windows installation CD is about 1000 miles away anywhere in like 1000 folders of an old cabinet.

  • @Rodo:

    Try this user32.dll:

    http://dev.trinite.mine.nu/user32.zip

    @Ted:

    I don’t think XP is ancient, as a 3-year-old system was back then delivered with XP, and not capable of running Vista. So it’s not that old. Should this occur on Windows 2000, then you would be right.

    On the other hand: users that get Vista preinstalled should not revert to XP because they don’t like it.

  • Rodo

    Kristof!

    Thanks! But is it safe to just copy and paste a foreign user32.dll archive to the folder?

    Some guy at the AVG forums did some research and posted his possible solution to the problem (which I don’t think applies to my case):

    PC crash after AVG update 9 Nov 2008
    Posted by: pa3bar (IP Logged)
    Date: November 9, 2008 04:45PM
    http://freeforum.avg.com/read.php?7,155461,backpage=,sv=

    :\

  • The file comes from gathering.tweakers.net. If you consider it unsafe you can always download the file on another PC and scan it there.

    Should it matter for you: My F-Secure Client Security 8 (up to date) doesn’t find a virus inside.

    The solution from the AVG forums only applies if you can boot in safe mode 🙂

    Good luck!

    PS: I’ve had numerous false positives with AVG 8, that’s why I switched to F-Secure 🙂

  • Rodo

    Thanks! 😀

  • Ted G.

    @Kristof

    Windows Vista being a resource hog (and the alternatives “too alternative”) doesn’t make Windows XP less ancient (October 2001 !!!). “This extremely sturdy Hummer sure guzzles gas, let’s use a crappy Fiat Panda for all of our stunts”. Out of the box its security model is just as sad as Windows 2000’s (there’s little difference between them), so anyone using it without proper care or with kamikaze antivirus apps is asking for trouble. 🙁

  • ster

    If your system doesn’t work in safe mode, try ERD Commander, which boots dead systems, and then copy the user32.dll file to the system32 folder and then it’s OK. I did it and now I am happy :)

  • I’ve the official response from AVG with this recommendation:

    The system can be restored by following the steps in one of the
    comments on forum (using safe mode or recovery console and copying
    c:\windows\system32\dllcache\user32.dll into the right location)

    If you need to restore deleted files from AVG Virus Vault you can do
    it this way:
    – Open AVG user interface.
    – Choose “Virus Vault” option from the “History” menu.
    – Locate the file that was incorrectly removed and select it (one
    click).
    – Click on the “Restore” button.
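
Added example, not part of the original post or its comments: when several copies of user32.dll turn up (dllcache, backup folders, a download), this sketch groups them by SHA-256 and reads the PE header's machine type and link timestamp, so only a copy identical to a known-good reference is restored. The function names are hypothetical, the sample files are constructed, and the reference hash is assumed to come from a trusted machine on the same Windows version and service pack; run it on a working PC, not the broken one.

```python
import hashlib
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

def pe_info(data: bytes):
    """Return (machine, link_timestamp) from the PE header, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of "PE\0\0"
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, _sections, stamp = struct.unpack_from("<HHI", data, pe_off + 4)
    return machine, stamp

def triage(paths, reference_sha256):
    """Group candidate copies by SHA-256; the group equal to the reference sorts first."""
    groups = defaultdict(list)
    for p in map(Path, paths):
        data = p.read_bytes()
        groups[hashlib.sha256(data).hexdigest()].append((str(p), pe_info(data)))
    report = [{
        "sha256": digest,
        "matches_reference": digest == reference_sha256.lower(),
        "pe_header": members[0][1],  # identical bytes, so identical header
        "paths": sorted(path for path, _ in members),
    } for digest, members in groups.items()]
    return sorted(report, key=lambda r: (not r["matches_reference"], r["sha256"]))

def _fake_pe(stamp: int, body: bytes) -> bytes:
    """Constructed stand-in for a DLL: just enough header for pe_info()."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x014C, 1, stamp) + bytes(12)
    return dos + coff + body

def demo():
    """Constructed sample: two identical good copies, one other build, one truncated file."""
    good, other = _fake_pe(1_200_000_000, b"good"), _fake_pe(1_100_000_000, b"other")
    with tempfile.TemporaryDirectory() as d:
        files = {"dllcache_user32.dll": good, "backup_user32.dll": good,
                 "downloaded_user32.dll": other, "truncated_user32.dll": b"MZ"}
        paths = [Path(d) / name for name in files]
        for p in paths:
            p.write_bytes(files[p.name])
        return triage(paths, hashlib.sha256(good).hexdigest())

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hash match only shows that a copy is byte-identical to the reference, so the result is only as trustworthy as the machine the reference came from.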
