Important note: be sure to read all the way down to the end of the article for the latest updates. Since publishing this article, AVG has offered a free license to all affected users; more about that here. 

An update for the AVG virus scanner released yesterday contained an incorrect virus signature, which led it to think user32.dll contained the Trojan Horses PSW.Banker4.APSA or Generic9TBN. AVG then recommended deleting this file; this causes the affected systems to either stop booting or go into a continuous reboot cycle. So far, the problem only appears to affect Windows XP, but there is no guarantee that other versions of Windows don’t have the same issue.

Both AVG 7.5 and AVG 8.0 were affected by the update; a revised signature database has just been published that corrects this issue. People that have removed the user32.dll can either boot from their original Windows CD and choose the repair option, or use another CD to boot from and restore the file from C:WindowsSystem32dllcache. If you happen to need a bootable CD: my personal favorite is the Ultimate Boot CD (mirror of UBCD 4.1.1 ISO).

AVG claims to have approximately 80 million users worldwide; there is no official reaction on the AVG website yet, but FAQ item 1574 in their support section covers a “False positive user32.dll” and offers some advice on restoring your system using the Windows Recovery Console.

AVG’s popularity stems mainly from the free version they offer for home users; if you’re looking for an alternative free virus scanner for Windows I highly recommend Avast!. ClamWin is another alternative; it’s a Windows port of the popular Linux scanner ClamAV.

Update: AVG has responded on their forum, but there is no press release or other info on their main website yet, other than the info in their FAQ. The response in the forum:

Unfortunately, the previous virus database might have detected the
mentioned virus on legitimate files. We can confirm that it was a
false alarm. We have immediately released a new virus update
(270.9.0/1778) that removes the false positive detection on this file.
Please update your AVG and check your files again.

[…]

We are sorry for the inconvenience and thank you for your help.

Update 2: According to comments at ghacks, users of AVG version 7.5 might have an easier alternative: reboot in safe mode and disable the scanner, then update to the latest version.

Update 3: A reader suggested Avira as another alternative free virus scanner; I’ve never heard of it, but you can check it out here. And of course, if your virus scanner should ever detect a file that looks to you like a false positive, head over to virustotal.com and submit it to all major virus scanners at once!

Update 4: As Pat Bitton just noted in the comments, AVG has just issued an official statement. It hasn’t made it to the AVG homepage or their own press releases-section yet, but I’m sure it will be there soon. Here is the full text:

AMSTERDAM, Netherlands, Nov. 11 /PRNewswire/ — AVG is actively working to remedy the problem some users are experiencing related to the most recent update to commercial and free versions of AVG 7.5 and AVG 8.0 in some languages. A number of users who installed the update mistakenly received a warning that the Windows system file user32.dll product version 5.1.2600.3099 was infected with a Trojan virus and were prompted to delete a file essential to the operation of Windows XP.

The problem only affects users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.

AVG is taking these steps to assist users in remedying the problem:

— Immediate release of a new update to correct the problem.
— Creation of a specific informational section on the AVG website that enables users to resolve the problem.

Affected users should follow the weblinks below for further information and to download the fix tool:

(1) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll
(2) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll – fix tool

Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them. After running the fix tool, users should run the AVG update program to download and install the correct AVG update.

AVG sincerely regrets the inconvenience users have experienced. We are working to remedy the problem and ensure that any other potential vulnerabilities are identified and eliminated before they can impact users.


YARPP