Welcome to SecurityForumz.com!
AVG false positive reported on user32.dll

 
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 1) Posted: Wed Nov 19, 2008 5:01 am
Post subject: AVG false positive reported on user32.dll
Archived from groups: alt.comp.anti-virus

Wolf Kirchmeir



Since: Apr 24, 2008
Posts: 18



(Msg. 2) Posted: Wed Nov 19, 2008 10:51 pm
Post subject: Re: AVG false positive reported on user32.dll

tommy wrote:
> http://tinyurl.com/66okyz
>
> -
> Tommy
>
>
>

Quote:

"AVG is detecting a key windows file as a false positive trojan virus.
An update for the AVG virus scanner released yesterday contained an
incorrect virus signature, which led it to think user32.dll contained
the Trojan Horses PSW.Banker4.APSA or Generic9TBN."

Unfortunately, there is no date on the article, so it's unclear what
"yesterday" refers to. I've e-mailed the webmaster and hope that in
future all articles (and follow-ups) will be dated.

--
Wolf Kirchmeir

tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 3) Posted: Wed Nov 19, 2008 10:51 pm
Post subject: Re: AVG false positive reported on user32.dll

I belong to the users group hal pc users. I will call tomorrow and see what
they say. I was looking for the date too.

"Wolf Kirchmeir" wrote in message

> tommy wrote:
> > http://tinyurl.com/66okyz
> >
> > -
> > Tommy
> >
> >
> >
>
> Quote:
>
> "AVG is detecting a key windows file as a false positive trojan virus.
> An update for the AVG virus scanner released yesterday contained an
> incorrect virus signature, which led it to think user32.dll contained
> the Trojan Horses PSW.Banker4.APSA or Generic9TBN."
>
> Unfortunately, there is no date on the article, so it's unclear what
> "yesterday" refers to. I've e-mailed the webmaster and hope that in
> future all articles (and follow-ups) will be dated.
>
> --
> Wolf Kirchmeir
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 4) Posted: Thu Nov 20, 2008 3:24 pm
Post subject: Re: AVG false positive reported on user32.dll

"Wolf Kirchmeir" wrote in message

> tommy wrote:
> > http://tinyurl.com/66okyz
> >
> > -
> > Tommy
> >
> >
> >
>
> Quote:
>
> "AVG is detecting a key windows file as a false positive trojan virus.
> An update for the AVG virus scanner released yesterday contained an
> incorrect virus signature, which led it to think user32.dll contained
> the Trojan Horses PSW.Banker4.APSA or Generic9TBN."
>
> Unfortunately, there is no date on the article, so it's unclear what
> "yesterday" refers to. I've e-mailed the webmaster and hope that in
> future all articles (and follow-ups) will be dated.
>
> --
> Wolf Kirchmeir

Sources at halpc said Dwight Silverman's blog mentioned this in their widely
read techblog for the Houston Chronicle.

http://blogs.chron.com/techblog/

search for "avg free"
--
Tommy
David H. Lipman



Since: Jul 04, 2003
Posts: 1756



(Msg. 5) Posted: Mon Nov 24, 2008 12:07 am
Post subject: Re: AVG false positive reported on user32.dll

From: "tommy"


| http://tinyurl.com/66okyz

| -
| Tommy

I just examined the payload of a PDF exploiting the Collab.collectEmailInfo() Javascript
function in a highly obfuscated Javascript. The payload is a file named SVCHOST.EXE -- http://www.virustotal.com/analisis/0e2cef86cda905258d39b9482ca08f9f

The malicious file did the following...

File Renamed:
Old Filename New Filename
C:\WINDOWS\system32\user32.DLL C:\WINDOWS\system32\gucrqqx

Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\data[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\r[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\BNPHK11H\data[1].htm
C:\WINDOWS\system32\aston.mt
C:\WINDOWS\system32\clfjmnm
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\fjes.ra
C:\WINDOWS\system32\fxe.sp
C:\WINDOWS\system32\nvaux32.dll
C:\WINDOWS\system32\rigv.xl
C:\WINDOWS\system32\user32.DLL

So one has to be "cautious" of calling something like this a False Positive.

In the above case, as you can see, user32.DLL is renamed and then the malware dropped a
file to replace the one in %windir%\system32\ as well as in the
%windir%\system32\dllcache\ .



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
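Added example (not from the thread or from any of its posters): a small Python triage script that takes file-activity records of the kind Dave listed above and flags the pattern he describes, a protected system DLL renamed to a random name and then re-created in system32 and in dllcache. The event list is constructed from the post's file list; the PROTECTED set and the random-name heuristic are assumptions for this example, not rules from any AV vendor.

```python
"""Triage of file-activity records: spot a system DLL being moved aside and replaced."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Protected system DLLs whose "rename away, then recreate" pattern is worth
# flagging. Illustrative set, an assumption for this example.
PROTECTED = {"user32.dll", "kernel32.dll", "ntdll.dll", "shell32.dll"}

# Extension-less, all-lowercase names like "gucrqqx" or "clfjmnm" in system32
# look machine-generated; this heuristic is an assumption, not a vendor rule.
RANDOM_NAME = re.compile(r"^[a-z]{5,12}$")


@dataclass(frozen=True)
class Event:
    op: str             # "rename" or "create"
    path: str           # path the operation applied to
    new_path: str = ""  # destination, for "rename" only


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_system32(path: str) -> bool:
    # True for %windir%\system32 and its dllcache subdirectory.
    return "system32" in (p.lower() for p in PureWindowsPath(path).parts)


def find_swaps(events):
    """Scan file events in order and return (kind, from_path, to_path) findings."""
    renamed_away = {}   # basename -> original path of a protected DLL moved aside
    findings = []
    for ev in events:
        if not in_system32(ev.path):
            continue
        name = basename(ev.path)
        if ev.op == "rename" and name in PROTECTED:
            renamed_away[name] = ev.path
            if RANDOM_NAME.match(basename(ev.new_path)):
                findings.append(("renamed-to-random-name", ev.path, ev.new_path))
        elif ev.op == "create":
            if RANDOM_NAME.match(name):
                findings.append(("random-name-dropped", "", ev.path))
            if name in renamed_away:
                # A protected DLL moved aside earlier is now re-created, either in
                # system32 itself or in dllcache (the copy SFC would restore from).
                findings.append(("replacement-dropped", renamed_away[name], ev.path))
    return findings


def verdict(findings) -> str:
    """'replaced' when an original DLL was moved aside and re-created, else 'clean'."""
    return "replaced" if any(k == "replacement-dropped" for k, _, _ in findings) else "clean"


def same_content(a: bytes, b: bytes) -> bool:
    """Compare two file images by SHA-256. Caveat from the post: the malware rewrote
    both system32\\user32.dll and dllcache\\user32.dll, so the two copies agreeing
    with each other proves nothing without a known-good hash from outside the
    machine (install media, vendor catalog)."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


# Constructed sample, modeled on the file list in the post above.
SAMPLE_EVENTS = [
    Event("rename", r"C:\WINDOWS\system32\user32.DLL", r"C:\WINDOWS\system32\gucrqqx"),
    Event("create", r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5E7EYQDH\data[1].htm"),
    Event("create", r"C:\WINDOWS\system32\aston.mt"),
    Event("create", r"C:\WINDOWS\system32\clfjmnm"),
    Event("create", r"C:\WINDOWS\system32\dllcache\user32.dll"),
    Event("create", r"C:\WINDOWS\system32\fjes.ra"),
    Event("create", r"C:\WINDOWS\system32\nvaux32.dll"),
    Event("create", r"C:\WINDOWS\system32\user32.DLL"),
]

if __name__ == "__main__":
    for kind, src, dst in find_swaps(SAMPLE_EVENTS):
        print(f"{kind:24} {src or '-'} -> {dst}")
    print("verdict:", verdict(find_swaps(SAMPLE_EVENTS)))
```

On the sample the script reports the rename to gucrqqx, the random-named clfjmnm, and two replacement drops (dllcache first, then system32), and the verdict is "replaced". The point of same_content is the caveat Dave makes: once both copies have been rewritten, an AV alert on user32.dll cannot be dismissed as a false positive just because system32 and dllcache agree; the comparison has to be against a reference hash that did not come from the suspect machine.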
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 6) Posted: Mon Nov 24, 2008 3:11 am
Post subject: Re: AVG false positive reported on user32.dll

"David H. Lipman" wrote in message

> From: "tommy"
>
>
> | http://tinyurl.com/66okyz
>
> | -
> | Tommy
>
> I just examined the payload of a PDF exploiting the Collab.collectEmailInfo() Javascript
> function in a highly obfuscated Javascript. The payload is a file named SVCHOST.EXE --
> http://www.virustotal.com/analisis/0e2cef86cda905258d39b9482ca08f9f
>
> The malicious file did the following...
>
> File Renamed:
> Old Filename New Filename
> C:\WINDOWS\system32\user32.DLL C:\WINDOWS\system32\gucrqqx
>
> Files Created:
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\5E7EYQDH\data[1].htm
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\5E7EYQDH\r[1].htm
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\BNPHK11H\data[1].htm
> C:\WINDOWS\system32\aston.mt
> C:\WINDOWS\system32\clfjmnm
> C:\WINDOWS\system32\dllcache\user32.dll
> C:\WINDOWS\system32\fjes.ra
> C:\WINDOWS\system32\fxe.sp
> C:\WINDOWS\system32\nvaux32.dll
> C:\WINDOWS\system32\rigv.xl
> C:\WINDOWS\system32\user32.DLL
>
> So one has to be "cautious" of calling something like this a False Positive.
>
> In the above case, as you can see, user32.DLL is renamed and then the malware dropped a
> file to replace the one in %windir%\system32\ as well as in the
> %windir%\system32\dllcache\ .
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I see your point. That's really scary. So many sites require Javascript too.
Did you see the sources for those reports about AVG?

Here's Dwight's first blog post on the subject, 11-11-08:
http://tinyurl.com/6o6akp

Here's his source(s):
http://tinyurl.com/5sug22

http://www.pcworld.com/article/154378/

He made another post about the AVG false positive on 11-23-08:
http://blogs.chron.com/techblog/archives/2008/11/

Seems as though they admit it, and are offering free updates to the pro
version for a year for those that suffered any damage.

Adobe Flash has also been labeled.

Slick fellow that Dwight, he spoke to our user group and sold / signed
copies of his book about Vista.

I have switched to AVAST after reinstalling due to a bad drive because I
tried to install AVG 8 Free and it wouldn't install to anything but the C:
drive. Avast is slicker than I first perceived, but I wish I could schedule
scans with it, and stamp email with certification stamps.
--
Tommy
Beauregard T. Shagnasty



Since: Aug 01, 2004
Posts: 501



(Msg. 7) Posted: Mon Nov 24, 2008 4:30 am
Post subject: Re: AVG false positive reported on user32.dll

tommy wrote:

> and stamp email with certification stamps .

Please don't do that. It's only advertising. There is no way any a-v
product can truthfully state that your mail is virus-free. Think about
it.

--
-bts
-Friends don't let friends drive Windows
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 8) Posted: Mon Nov 24, 2008 12:02 pm
Post subject: Re: AVG false positive reported on user32.dll

"Beauregard T. Shagnasty" wrote in message

> tommy wrote:
>
> > and stamp email with certification stamps .
>
> Please don't do that. It's only advertising. There is no way any a-v
> product can truthfully state that your mail is virus-free. Think about
> it.
>
> --
> -bts
> -Friends don't let friends drive Windows

It's reassuring to PC novices, and verifies that I do "have" an anti-virus
program running on my PC.
--
Tommy
Beauregard T. Shagnasty



Since: Aug 01, 2004
Posts: 501



(Msg. 9) Posted: Mon Nov 24, 2008 1:40 pm
Post subject: Re: AVG false positive reported on user32.dll

tommy wrote:

> "Beauregard T. Shagnasty" wrote:
>> tommy wrote:
>>> and stamp email with certification stamps .
>>
>> Please don't do that. It's only advertising. There is no way any
>> a-v product can truthfully state that your mail is virus-free. Think
>> about it.
>> -- [please trim signatures. thanks.]
>
> its reassuring to pc novices, and verifies that I do "have" an
> anti-virus program running on my pc.

It is probably more annoying than reassuring to even novices. I doubt
they care if you have an a-v app running, especially those who don't
know what one is. Further, for those who forward email all over the
place, that 'certification' will be included - meaning nothing to the
next level except to confuse.

And as I said, there isn't a single a-v app that can fully guarantee
that what you sent is virus-free. Remember, zero-day viruses won't be
detected, along with the latest morphs of older viruses. It truly is
only an advertisement.

You may certainly continue to scan your outgoing mail (though that isn't
even necessary as all modern viruses use their own SMTP engines quietly
sending while you aren't looking), but there is no need to bother
everyone else. I have one friend who can't be talked out of removing the
ad, and all he does is embarrass himself by showing that he scanned with
an a-v database that is always three to four weeks or more out of date,
and therefore useless.

Be kind to your correspondents and turn it off.

--
-bts
-Friends don't let friends drive Windows
David H. Lipman



Since: Jul 04, 2003
Posts: 1756



(Msg. 10) Posted: Mon Nov 24, 2008 9:40 pm
Post subject: Re: AVG false positive reported on user32.dll

From: "Beauregard T. Shagnasty"

| tommy wrote:

>> "Beauregard T. Shagnasty" wrote:
>>> tommy wrote:
>>>> and stamp email with certification stamps .

>>> Please don't do that. It's only advertising. There is no way any
>>> a-v product can truthfully state that your mail is virus-free. Think
>>> about it.
>>> -- [please trim signatures. thanks.]

>> its reassuring to pc novices, and verifies that I do "have" an
>> anti-virus program running on my pc.

| It is probably more annoying than reassuring to even novices. I doubt
| they care if you have an a-v app running, especially those who don't
| know what one is. Further, for those who forward email all over the
| place, that 'certification' will be included - meaning nothing to the
| next level except to confuse.

| And as I said, there isn't a single a-v app that can fully guarantee
| that what you sent is virus-free. Remember, zero-day viruses won't be
| detected, along with the latest morphs of older viruses. It truly is
| only an advertisement.

| You may certainly continue to scan your outgoing mail (though that isn't
| even necessary as all modern viruses use their own SMTP engines quietly
| sending while you aren't looking), but there is no need to bother
| everyone else. I have one friend who can't be talked out of removing the
| ad, and all he does is embarrass himself by showing that he scanned with
| an a-v database that is always three to four weeks or more out of date,
| and therefore useless.

| Be kind to your correspondents and turn it off.

| --
| -bts
| -Friends don't let friends drive Windows

I agree with what BTS posted here.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 11) Posted: Mon Nov 24, 2008 10:11 pm
Post subject: Re: AVG false positive reported on user32.dll

"David H. Lipman" wrote in message

> From: "Beauregard T. Shagnasty"
>
> | tommy wrote:
>
> >> "Beauregard T. Shagnasty" wrote:
> >>> tommy wrote:
> >>>> and stamp email with certification stamps .
>
> >>> Please don't do that. It's only advertising. There is no way any
> >>> a-v product can truthfully state that your mail is virus-free. Think
> >>> about it.
> >>> -- [please trim signatures. thanks.]
>
> >> its reassuring to pc novices, and verifies that I do "have" an
> >> anti-virus program running on my pc.
>
> | It is probably more annoying than reassuring to even novices. I doubt
> | they care if you have an a-v app running, especially those who don't
> | know what one is. Further, for those who forward email all over the
> | place, that 'certification' will be included - meaning nothing to the
> | next level except to confuse.
>
> | And as I said, there isn't a single a-v app that can fully guarantee
> | that what you sent is virus-free. Remember, zero-day viruses won't be
> | detected, along with the latest morphs of older viruses. It truly is
> | only an advertisement.
>
> | You may certainly continue to scan your outgoing mail (though that isn't
> | even necessary as all modern viruses use their own SMTP engines quietly
> | sending while you aren't looking), but there is no need to bother
> | everyone else. I have one friend who can't be talked out of removing the
> | ad, and all he does is embarrass himself by showing that he scanned with
> | an a-v database that is always three to four weeks or more out of date,
> | and therefore useless.
>
> | Be kind to your correspondents and turn it off.
>
> | --
> | -bts
> | -Friends don't let friends drive Windows
>
> I agree with what BTS posted here.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I don't have it turned on. I don't know if AVAST has that feature even. I
like feedback, at least until I can verify that something new to me is
working.
Duh_OZ



Since: Dec 17, 2007
Posts: 12



(Msg. 12) Posted: Mon Dec 08, 2008 11:08 am
Post subject: Re: AVG false positive reported on user32.dll

On Nov 24, 7:02 am, "tommy" wrote:
>
> its reassuring to pc novices, and verifies that I do "have" an anti-virus
> program running on my pc.
> --
> Tommy
==========
That can work 2 ways. I've had malware attachments even though the
e-mails had 'certified virus free by *insert AV name*'. Of course the
e-mail was never scanned by any vendor, the text was added in to give
the impression the attachment was scanned.
tommy



Since: Nov 19, 2008
Posts: 7



(Msg. 13) Posted: Mon Dec 08, 2008 2:52 pm
Post subject: Re: AVG false positive reported on user32.dll

"Duh_OZ" wrote in message

> On Nov 24, 7:02 am, "tommy" wrote:
> >
> > its reassuring to pc novices, and verifies that I do "have" an anti-virus
> > program running on my pc.
> > --
> > Tommy
> ==========
> That can work 2 ways. I've had malware attachments even though the
> e-mails had 'certified virus free by *insert AV name*'. Of course the
> e-mail was never scanned by any vendor, the text was added in to give
> the impression the attachment was scanned.

Perfection is hard to attain. I settle in such cases for 99% where it's not.
I can't tag messages because Gmail uses SSL, but since I use Gmail now, the
incoming mail is scanned by them. Moot point.
All times are: Pacific Time (US & Canada)