Jump to content

AVG Virus Scanner Accidentally Removes Critical Windows Component

Recommended Posts

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

cureit from safe mode killed this computer

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

combofix seems to handle it

Link to post
  • Root Admin

MBAM DOES NOT remove this file. It says it does, but it doesn't it's there as a marker for Experts to see and know it's infected and needs attention.

Combofix can potentially correct it IF there is a valid clean version it can locate on the drive. Sometimes there isn't or the Malware prevents access to it.

Link to post

Thank you Marcin and Arthur for your time in answering my questions.

I think the team does an excellent job of responding to false positives.

Please allow me to ask one more question regarding false positives.

Does the team use test computers with various operating systems to test each database version before release?

Link to post
Does the team use test computers with various operating systems to test each database version before release?

That I don't know. Bruce didn't answer that question when I asked him.

I do know that the research team does not all use the same version of Windows. They do their research on both Windows XP and Windows Vista, and I would believe some of them use 2000 as well. I assume they have to test the database to make sure that each addition does remove what they expect it to remove, but I do not know any specifics about the testing that they do.

Link to post
  • 3 months later...

Thank you for posting this, I had no idea.

I am an AVG user and I hope this hasn't happened to my system.

Do you know if there is a way to tell?

AVG Virus Scanner Accidentally Removes Critical Windows Component

Short story is a bad definition that affected both AVG 7.5 and 8 caused the file user32.dll, a critical Windows component to be deleted.

Link to post

What exactly is Heuristics scanning and what is Heuristics in general?

The only thing I know about them is that I see the name heur in AVG updates of viruses (I always click on the link in the update box that says "more about this update) and then last night when MBAM found an infection on my computer called Heuristic.Malware

So, because of that, the name Heuristic kind of scares me, but again, I don't know much about it.

At least two thirds of our database is heuristics, so yes, false positives are due to an error in heuristics. The research team fixes them as soon as they hear about them.
Link to post

Thank you so much! I think I'm in the clear.

You would know right away with an AV or AM scan. This is quite old now and was fixed I think the same day it happened so unless you happen to have had that version on that day and never updated again you won't have this issue.
Link to post
  • 6 months later...

i have had one problem with malwarebytes anti-malware program. i ran a scan on my computer and it deleted another user's "user profile service" information. so that user was unable to login. I had to delete that account and make a new account for that user. this was malwarebytes anti-malware v.1.41. when i scanned my computer with it, i found 3 trojan.vundo's and 25 adaware.mywebsearch's, i deleted these and that's when my problem occured. if anyone could tell me why malewarebytes anti-maleware v. 1.41 did this please tell me.

Link to post
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.