
AVG False Positive Cripples Windows XP PCs, on November 9, 2008

A faulty definitions update issued on November 9, 2008 caused AVG Anti-Virus 7.5 and 8.0 (free and paid versions) to delete and/or quarantine a required Windows XP system file, User32.dll, either automatically or after prompting the user, as soon as a scheduled scan reached that file or a user opened the System32 directory to search the files in it. Without this file in the System32 directory, Windows will not boot! AVG released corrected definitions shortly afterward to fix the false positive detection. If your computer was still on and you checked for AVG updates again before shutting it down, you may have received the corrected definitions and are OK to operate as usual. You will know the next time you reboot, or shut down and restart, your computer!

If this bad update occurred while your PC was operating and you either rebooted or shut it down before obtaining the corrected definitions, it will not boot into Windows again until you disable the AVG Resident Shield using the Recovery Console and restore user32.dll from a backup image or location, or from your Windows XP CD.

The system can be restored by using the Windows XP Recovery Console to copy a backup of User32.dll into the System32 directory. If you have already installed the Recovery Console as a boot option, boot into it, then run the copy command listed in the next paragraph.

If you haven't installed the Recovery Console, but you do have your bootable Microsoft XP CD, it contains the Recovery Console. Boot from the Microsoft Windows XP CD and choose Setup Option "R" to Repair your Windows Installation using the "Recovery Console." You will be taken to a black screen with white text which will halt at a blinking command prompt (just like MS DOS). The Recovery Console command to type in would be as follows:

copy c:\windows\system32\dllcache\user32.dll c:\windows\system32\user32.dll

Press Enter and wait a second or two. If it reports "1 file copied" then the Windows boot portion of the problem is fixed. However, you will still need to disable the AVG Resident shields from the Recovery Console, as described in my extended comments and on the AVG Support website, until you are able to boot into Windows and run a manual check for AVG updates and receive the patched definitions file. Don't forget to reactivate the resident shields after updating the definitions (as described in my extended comments or on the AVG Support site)!

If the above code fails, try the following:

copy c:\windows\servicepackfiles\i386\user32.dll c:\windows\system32\user32.dll

If that doesn't work, copy it from the compressed file on the XP CD (the Recovery Console's copy command decompresses .dl_ files from the installation CD automatically), as follows:

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

The above uses drive letter "d:" as the source for the CD drive containing the recovery media. Your CD drive letter may be different, depending on how many hard disks or partitions you have installed. So, for instance, if your Windows CD is in drive F, substitute F: for D: in the last command.


If this, or another update or software installation has crippled your PC and you use Acronis True Image to make daily backups, insert your bootable Acronis Recovery CD (you were told to create that CD when you installed Acronis True Image), boot into the rescue interface, locate the most recent backup of the entire computer and restore it to the C drive. You should be up and running within about a half hour, or so.

If you don't have any recent backup images, nor a Windows operating system CD, your OEM hard drive might have a hidden recovery partition on it. Reboot your computer and press the Pause key when the first screen appears. It will usually contain information about pressing a particular key to restore your computer to "Day-1" condition. You will lose everything you have saved or created since that day, but at least the PC will boot into Windows. This is the worst-case scenario for most of you.


How to disable the AVG Resident Shields via the Windows XP Recovery Console

If AVG has erroneously deleted a Windows System file named User32.dll and you are able to restore a fresh copy from a backup location, or using the Windows Recovery Console, you are only halfway done with the fix. Unless you disable certain AVG resident services there is a strong likelihood that AVG will delete the restored file as Windows is booting into its graphical interface (which User32.dll is part of). To save yourself a lot of repetitive recovery procedures, fix the whole ball of wax at the same time.

While still in the Recovery Console, either before or after having successfully restored a fresh copy of User32.dll to the Windows\System32 directory, type the following commands to disable the AVG Resident Shield from loading, pressing Enter after each one (some of these might not be present in all AVG editions):

For AVG 8.0 try these:

disable avgMfx86
disable avgMfa86
disable avgldx86
disable avglda86

For AVG 7.5 try these:

disable Avg7Core
disable Avg7RsW
disable AvgClean
disable Avg7RsXP
disable AvgMfx86

If you have not already restored User32.dll as described in my main comments, type the following command (in the Recovery Console):

expand D:\i386\user32.dl_ c:\windows\system32\

If the command fails because the original (quarantine-damaged) user32.dll is still present, rename it out of the way and then repeat the expand command above. The Recovery Console prompt starts in the Windows directory, not in System32, so give the full path to the file being renamed:

ren c:\windows\system32\user32.dll user32.bak

Type "exit" to leave the Recovery Console and restart the computer into Windows.

Re-enable the AVG Resident Shields

To enable the resident shields after restoring User32.dll, reboot into the Recovery Console again and at the command prompt type each of the following commands, pressing Enter after each one (only valid services will respond):

For AVG 8.0 try these:

enable avgMfx86
enable avgMfa86
enable avgldx86
enable avglda86

For AVG 7.5 try these:

enable Avg7Core
enable Avg7RsW
enable AvgClean
enable Avg7RsXP
enable AvgMfx86

Type "exit" to leave the Recovery Console and restart the computer into Windows. When Windows finishes loading, look in your System Tray for the AVG icon, right-click on it and select Check for Updates (or whatever words are to that effect). Accept the new definitions and apply them. Open the interface by double-clicking the AVG icon and find the settings for the various scanning options. In all instances, if the option is preset to automatically heal and quarantine suspected files, change it to "Ask me what to do," or similar wording. Click Apply, then use the Scan links to scan a particular file, navigate to C:\Windows\System32\user32.dll and scan the file. It should show as clean if you have obtained the corrected definitions file.

Of course there is always the possibility that your user32.dll really is infected with an injected virus, or other malware threat. But, that's another story. This article is about a false positive detection in User32.dll.
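One way to settle that question without relying on the scanner alone is to compare the live System32 copy against the pristine copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386, the same sources the copy commands above draw from. The script below is an added example and is not part of the original post or of AVG's instructions. It is Python, so it runs from a working Windows (or against the disk mounted on another machine), not from the Recovery Console; the XP paths, the hypothetical function names and the constructed sample files are assumptions.

```python
"""Verify a restored user32.dll against XP's cached known-good copies.

Added example, not from the original post. The default paths assume a
standard C:\\Windows install; the sample tree built by build_sample_tree()
is constructed so the script runs offline on any OS.
"""
import hashlib
import os
import shutil
import struct
import tempfile

# Standard XP locations (assumption: %SystemRoot% is C:\Windows).
SYSTEM32_USER32 = r"C:\Windows\system32\user32.dll"
REFERENCE_COPIES = [
    r"C:\Windows\system32\dllcache\user32.dll",
    r"C:\Windows\ServicePackFiles\i386\user32.dll",
]


def sha256_of(path):
    """SHA-256 of a file, streamed so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """Cheap structural check: 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        header = f.read(0x40)
        if len(header) < 0x40 or header[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def check_restore(target, references):
    """Hash the live DLL and report which cached copies it matches."""
    result = {"target": target, "exists": os.path.exists(target), "valid_pe": False,
              "matches": [], "mismatches": [], "missing": []}
    if not result["exists"]:
        result["verdict"] = "target missing - Windows will not boot"
        return result
    result["valid_pe"] = looks_like_pe(target)
    result["sha256"] = sha256_of(target)
    for ref in references:
        if not os.path.exists(ref):
            result["missing"].append(ref)
        elif sha256_of(ref) == result["sha256"]:
            result["matches"].append(ref)
        else:
            result["mismatches"].append(ref)
    if result["matches"]:
        result["verdict"] = "matches a cached copy"
    elif result["mismatches"]:
        result["verdict"] = "NO cached copy matches - investigate before trusting it"
    else:
        result["verdict"] = "no reference copy found"
    return result


def build_sample_tree():
    """Constructed sample: a minimal PE stub standing in for user32.dll, with the
    System32 copy deliberately altered by one byte to simulate a damaged file."""
    root = tempfile.mkdtemp()
    stub = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x80)         # e_lfanew -> 0x80
    stub += b"\0" * (0x80 - len(stub)) + b"PE\0\0" + b"\0" * 64
    tampered = bytearray(stub)
    tampered[0x90] ^= 0xFF
    layout = {
        os.path.join(root, "system32", "user32.dll"): tampered,
        os.path.join(root, "system32", "dllcache", "user32.dll"): stub,
        os.path.join(root, "ServicePackFiles", "i386", "user32.dll"): stub,
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def demo():
    """Run the check before and after the dllcache copy the post recommends."""
    root = build_sample_tree()
    target = os.path.join(root, "system32", "user32.dll")
    refs = [os.path.join(root, "system32", "dllcache", "user32.dll"),
            os.path.join(root, "ServicePackFiles", "i386", "user32.dll")]
    before = check_restore(target, refs)
    shutil.copyfile(refs[0], target)   # same effect as the Recovery Console copy
    after = check_restore(target, refs)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for label, r in zip(("before", "after"), demo()):
        print(label, r["verdict"])
    # On a real XP box: check_restore(SYSTEM32_USER32, REFERENCE_COPIES)
```

A hash match against dllcache or ServicePackFiles means the file on disk is byte-identical to the copy Windows itself installed, which is stronger evidence of a false positive than a clean scan from the same engine that just mis-flagged it. A mismatch against every reference does not prove infection (a later hotfix can legitimately update user32.dll), but it is the case where the "really infected" possibility deserves a look before the Resident Shield is re-enabled.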

AVG Support recommends downloading the latest version of your AVG program, then installing it using the Repair installation option. This will ensure that you have the most recent "engine" for your security application. If you use this method you need not use the Recovery Console to re-enable the resident shields, as this will be done by the Repair installation. Note, that you may need to re-enter (copy/paste) your AVG license code after using the Repair method.

Restart your computer and immediately update AVG to the latest definitions.

I hope this helps you!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.



Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
