
AVG Virus Scanner Accidentally Removes Critical Windows Component



That's old news. Caused a lot of problems.

False positives are a serious issue for AV companies.

On the other hand, users must be careful too, especially with system files, something that is not easy for users without experience.

  • Root Admin

Yes, it's old news but I wanted to share it here since we've had a couple recent users think that MBAM is the only one around that has removed a valid file by accident.

Even the biggest AV Companies out there have run into this issue and removed valid files before.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

CureIt from safe mode killed this computer

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

ComboFix seems to handle it

  • Root Admin

MBAM DOES NOT remove this file. It says it does, but it doesn't; it's there as a marker for Experts to see and know it's infected and needs attention.

Combofix can potentially correct it IF there is a valid clean version it can locate on the drive. Sometimes there isn't or the Malware prevents access to it.

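A small triage helper for log lines like the ones quoted earlier in the thread, as an added example (not code from the thread or from Malwarebytes): it parses MBAM "Registry Data Items Infected" lines and separates the marker case described above (the Userinit value names only the system userinit.exe, so the file is the suspect) from a Userinit value that has actually been altered. The sample log is constructed; its third line is an invented case the thread does not show.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the MBAM log excerpt quoted in the thread.
# The third line is an invented case that the thread itself does not show.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: C:\WINDOWS\system32\userinit.exe,C:\Temp\unknown.exe -> Quarantined and deleted successfully.
"""

# One "Registry Data Items" line: <key> (<threat>) -> Data: <value> -> <action>
LINE_RE = re.compile(r"^(?P<key>.+?) \((?P<threat>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.+)$")

def classify_userinit(data: str) -> str:
    """Explain what a Userinit detection means for triage.

    'marker'        - value names only the system userinit.exe; the key is fine,
                      so the detection marks the file itself as the suspect.
    'extra-entries' - legitimate loader plus additional entries; the value was altered.
    'redirected'    - first entry is not system32\\userinit.exe at all.
    """
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        return "empty"
    first = PureWindowsPath(entries[0].lower())
    legit = first.name == "userinit.exe" and first.parent.name == "system32"
    if legit and len(entries) == 1:
        return "marker"
    return "extra-entries" if legit else "redirected"

def triage(log_text: str) -> list:
    """Parse MBAM 'Registry Data Items Infected' lines and attach a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header or unrelated text
        item = m.groupdict()
        if item["key"].lower().endswith(r"\winlogon\userinit"):
            item["verdict"] = classify_userinit(item["data"])
        else:
            item["verdict"] = "not-userinit"
        findings.append(item)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"], "<-", f["data"])
```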

MBAM only removed the offending key in the registry

Dr CureIt... it found one: userinit.exe in WINNT\System32... I told it to cure all and saw the status of it and showed it was deleted.

Cureit deleted the infected system file

  • Root Admin

Well, I would assume that Dr Web only removed it because, like ComboFix, it found another valid copy on the system. If that file was removed and another not put in its place, the computer would not boot up and allow you to log on.

  • Root Admin

No problem. Some time when you're bored and have some extra time. Boot up with some type of WinPE disk and move or change the name of that file and make sure there is no other copy of it in a cache folder or elsewhere and then restart the PC and see if you can logon now.

Would it be safe to say that most false positives happen during heuristic scanning?

At least two thirds of our database is heuristics, so yes, false positives are due to an error in heuristics. The research team fixes them as soon as they hear about them.


Thank you Marcin and Arthur for your time in answering my questions.

I think the team does an excellent job of responding to false positives.

Please allow me to ask one more question regarding false positives.

Does the team use test computers with various operating systems to test each database version before release?

Does the team use test computers with various operating systems to test each database version before release?

That I don't know. Bruce didn't answer that question when I asked him.

I do know that the research team does not all use the same version of Windows. They do their research on both Windows XP and Windows Vista, and I would believe some of them use 2000 as well. I assume they have to test the database to make sure that each addition does remove what they expect it to remove, but I do not know any specifics about the testing that they do.

  • 3 months later...

Thank you for posting this, I had no idea.

I am an AVG user and I hope this hasn't happened to my system.

Do you know if there is a way to tell?

AVG Virus Scanner Accidentally Removes Critical Windows Component

Short story is a bad definition that affected both AVG 7.5 and 8 caused the file user32.dll, a critical Windows component, to be deleted.

  • Root Admin

You would know right away with an AV or AM scan. This is quite old now and was fixed I think the same day it happened so unless you happen to have had that version on that day and never updated again you won't have this issue.


What exactly is Heuristics scanning and what is Heuristics in general?

The only thing I know about them is that I see the name heur in AVG updates of viruses (I always click on the link in the update box that says "more about this update") and then last night when MBAM found an infection on my computer called Heuristic.Malware

So, because of that, the name Heuristic kind of scares me, but again, I don't know much about it.

At least two thirds of our database is heuristics, so yes, false positives are due to an error in heuristics. The research team fixes them as soon as they hear about them.

Thank you so much! I think I'm in the clear.

You would know right away with an AV or AM scan. This is quite old now and was fixed I think the same day it happened so unless you happen to have had that version on that day and never updated again you won't have this issue.
  • 6 months later...

I have had one problem with the Malwarebytes Anti-Malware program. I ran a scan on my computer and it deleted another user's "user profile service" information, so that user was unable to log in. I had to delete that account and make a new account for that user. This was Malwarebytes Anti-Malware v.1.41. When I scanned my computer with it, I found 3 Trojan.Vundo's and 25 Adware.MyWebSearch's; I deleted these and that's when my problem occurred. If anyone could tell me why Malwarebytes Anti-Malware v.1.41 did this, please tell me.
