Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch » The Technological

A Groovy Kind of Hack

Why do they persist?


Get It

Try It

The ship is sinking. The hull has sprung a thousand leaks. Yet those in charge still haven't arrived at an agreement for the seating arrangement.

Microsoft and their flagship Windows products are getting more ridiculous by the day.

Perhaps this latest mishap will usher in an era of humiliating hacks for fun that will finally send Mister Bill and Monkey Steve to the door.

Antivirus Can Hurt You

The AVG antivirus people released an update on 9 November which flagged a core Windows component as a 'bad file' infected with the 'Generic9.TBN' trojan. Once the file is removed Windows starts waxing comical.

The file in question is user32.dll, the 32-bit update to the original 16-bit USER.EXE, the windows management API module, one of the three core 'DLLs' on that system.

Removing user32.dll sort of makes Windows more useless than before.

AVG users screamed and surprisingly enough the matter reached the otherwise erudite Slashdot.

Please Insert the Windows XP Installation CD

AVG users shat on by this gaffe have quite the task ahead. A simple update from AVG won't do it.

  1. Insert your XP install CD.
  2. Run your Windows Recovery Console.
  3. Choose the correct target system to repair.
  4. Disable AVG. You do this by typing in the following commands.
    disable avgMfx86
    disable avgMfa86
    disable avgldx86
    disable avglda86
  5. Restore the user32.dll AVG borked for you.
    expand <CD-ROM>\i386\user32.dl_ C:\Windows\system32\
  6. Should the above command fail then use the following command and repeat the above step.
    ren C:\Windows\system32\user32.dll C:\Windows\system32\user32.bak
  7. Reboot.
  8. Now perform an AVG repair installation, starting with downloading AVG Antivirus, AVG Internet Security, or AVG Antivirus + Firewall. Do not set the download to automatically open. Save the file instead to your Desktop.
  9. Reboot again.
  10. Find that file you downloaded. It should be on your Desktop, right? And it has a four colour square icon and its name begins with 'AVG'.
  11. Double-click the file.
  12. Follow the instructions of the install 'wizard'.
  13. Select 'repair installation' when prompted.
  14. Submit your licence number when prompted. Use 'copy and paste' as this is not only easier but also circumvents keystroke loggers you might have on your system.
  15. Reboot for the third time.
  16. Update your AVG installation.

Where's My XP Install CD?

Should you as many others not have an XP install CD then do the following instead to use a special 'fix' provided by AVG.

For CD-ROM:

  1. Download AVG's special 'fix' download image at <http://www.avg.com/filedir/util/bootcd_en.iso>.
  2. Use your favourite CD burning software to 'burn' the downloaded image using the 'burn CD from image' option.
  3. Put the CD into the CD-ROM drive of the computer AVG borked and reboot from it. Consult your computer user manual as to how to get the sorry thing to boot from an inserted CD. Should you not be able to find your computer user manual then return to your computer store and purchase a new computer.
  4. Continue with instructions as per below.

For USB thumbs:

  1. Download a different file - the 'USB flash archive' at <http://www.avg.com/filedir/util/rescue_en.zip>.
  2. Unarchive the file to your USB thumb. IMPORTANT: go to the root of the flash drive.
  3. WARNING: take care to do the next step only when you are located on the flash drive. Doing the step on the local disk can DESTROY BOOT FILES ON YOUR HARD DRIVE!
  4. Run 'makeboot.bat' from the USB thumb and follow the instructions.
  5. Be damned well sure you're on the USB thumb as the AVG team have not provided full paths for the file references in the script. And if you're not on your USB thumb when you run the script you might be kissing your Microsoft Windows® computer goodbye.
  6. Connect the USB flash drive to the computer AVG borked and reboot. Consult your computer user manual as to how to get the sorry thing to boot from a USB thumb. Should you not be able to find your computer user manual then return to your computer store and purchase a new computer.

Final instructions for both CD-ROM and USB thumb:

  1. Reboot from the CD-ROM or USB thumb.
  2. Follow the rescue process.
  3. Log in as a member of Administrators.
  4. Open AVG User Interface and click 'Update now'.
  5. Navigate to the AVG 8.0 program folder ('C:\Program Files\AVG\AVG8' on English language installations).
  6. Rename the file 'avgrsx.exe_off' to 'avgrsx.exe'.
  7. Rename the file 'avgsched.dll_off' to 'avgsched.dll'.
  8. Drink a half glass of good 8yo Scotch whisky, bourbon, VSOP cognac, or a drink of your personal preference.
  9. Remove the CD-ROM or USB thumb.
  10. Reboot.

Was this information helpful to you?

|

The Catch — The Groovy Hack

The fact remains a basic very important core component of Windows itself was flagged as compromised. The following letter received from AVG shines considerable light onto the situation.

Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files. We can confirm that it was a false alarm. We have immediately released a new virus update (270.9.0/1778) that removes the false positive detection on this file. Please update your AVG and check your files again.

The system can be restored by following the steps in one of the comments on forum (using safe mode or recovery console and copying c:\windows\system32\dllcache\user32.dll into the right location)

If you need to restore deleted files from AVG Virus Vault you can do it this way:
- Open AVG user interface.
- Choose 'Virus Vault' option from the 'History' menu.
- Locate the file that was incorrectly removed and select it (one click).
- Click on the 'Restore' button.

We are sorry for the inconvenience and thank you for your help.

Best regards,

Zbynek Paulen
AVG Technical Support

So it was a false alarm, a 'false positive' as it's called, and AVG say so. But it also follows that AVG first looked into the matter - because it's perfectly possible it wasn't a false alarm at all.

And why not? What's to protect the most crucial of Windows files from corruption by malware?

Nothing.

That's the way Windows works, folks!

So what the world can now expect is a fully new class of malware coming to your neighbourhood soon. This won't be the new professional 'hack for cash' type of malware - it'll be the good old 'we do this for fun' type of hack.

Spread in the same way as all malware today - through hundreds of millions of brutally infected Windows machines - it will instead simply attach 'Bad Things™' to core Windows components such as user32.dll, gdi32.dll, MSVCRT.dll, MSHTML.dll, shell32.dll, and of course good old win32k.sys.

And then it'll sit back and let the antivirus companies do the rest.

See Also
Slashdot: AVG Virus Scanner Removes Critical Windows File
Security and the Net: AVG virus scanner removes critical Windows file

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.