Flawed AVG antivirus update cripples Windows XP PCs

A flawed signature update to AVG Technologies ' antivirus software over the weekend crippled some Windows XP PCs by mistakenly deleting a critical system file, the company has confirmed.

According to messages on AVG's support forums and its own support site, an update released late Saturday for the company's security software fingered the "user32.dll" file as a Trojan horse. As per the program's settings, the AVG software, including the newest version 8.0 and its predecessor 7.5, shut the .dll away in quarantine. The result: A crippled computer.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

"If you have chosen 'heal' or 'quarantine,' your PC will no longer restart," said a panicked user named "pa3bar" in a message Sunday . "It shows a blue screen at start up and tells you it cannot find winsvr, error c0000135. System recovery has no effect."

AVG, best known for its free Antivirus, confirmed the error in a FAQ on its support site . "In case you are not able to run your Windows XP operating system after AVG 8.0 virus definition update, it may be caused by a false positive on a specific 'user32.dll' system file," the company said. "The file was moved to the AVG Virus Vault and deleted. Therefore it is not possible to start Windows."

Although some systems refused to boot, others rebooted endlessly instead.

On its support site, AVG posted instructions for affected users that involved running Windows XP's Recovery Console, disabling several AVG services and restoring the user32.dll file by copying it from the operating system's install CD. For users unable to locate their installation disc, AVG offered a utility that fixed the problem; those users also needed to create a bootable CD or USB drive.

The utility work-around was for AVG Antivirus 8.0 only; a similar utility for AVG Antivirus 7.5 will be available "soon," according to a message posted by a support forum moderator Tuesday.

An AVG technical support representative provided more detail on the snafu. "We can confirm that it was a false alarm," said Zbynek Paulen, who identified himself as an AVG employee. "We have immediately released a new virus update (270.9.0/1778) that removes the false positive detection on this file. Please update your AVG and check your files again."

That suggestion, however, only worked if the user had not turned off his or her PC, or rebooted it, in the meantime.

"We are sorry for the inconvenience," Paulen added.

AVG did not publicize the problem on the front page of its Web site and did not immediately respond to several questions, including how the flawed signature slipped through internal checks.

This wasn't the first time that AVG has been in the spotlight. Last summer, the LinkScanner Search-Shield component of its antivirus software triggered a flood of bogus traffic to Web sites, angering site operators.

Nor is AVG the only security vendor to issue a damaging update. Only last September, a Trend Micro signature mistook several critical Windows XP and Vista system files for malware, blocking the PCs from booting.