Computer rookie needs help (Boxguy?? anyone??)

Posted: Tue Nov 11, 2008 8:32 pm
by Cracked Pleasures
OK, I am posting from a public computer now thanks to my AVG Free virusscanner seriously messing up my computer at home.
This is what happened...

There was an issue on Sunday where the quite essential user32.dll file was wrongly detected as Trojan Horse PSW. banker4.APSA. I too was believing that the file was really a Trojan Horse and healed the file. Thinking everything was fixed, I wanted to check if my Windows Firewall was running properly. It was then I noticed something was wrong, as I got an error message that the security panel could not be accessed due to missing user32.dll file.

I have Windows XP Professional ServicePack 2 (Dutch language edition as the computer was bought in my former home country Belgium).
Following problems occur:

- no access to the security settings in my Control Panel
- I cannot open a new browser session with Internet Explorer, however I can still browse using the IE window which was running before the virus warning came (luckily I did not close the IE window)
- I cannot empty the cache or delete cookies, temp internet files and URL history
- I cannot open Notepad, Paint, etc
- when opening Run and typing cmd it does not work
- when clicking the microphone icon on the bottom right to change the volume, I cannot load the volume settings

Each time the error message came that my user32.dll file was missing.

I could not open the AVG regularly and could not access the virus vault to restore the files, I could only see there are 2 files in the vault but cannot access it.

As I do not have the Windows installation CD ROM I could not just replace the user32.dll file. I downloaded a user32.dll file from a site I found in Google, but when copying this into my Windows32 and DLLCACHE folders I got the message that I was installing a non original variant of a vital file. It prompted me to run the installation CD instead, but I do not have this CD anymore. After installing this .dll file though I did not get the "missing user32.dll file" error message anymore when opening a program; however no program or application opens, instead of the error message just nothing happens.

I then got the right user32.dll file from a friend but after placing this in the Windows32 and DLLCACHE folders, I tried to open a new browser session and got the error message that computer cannot retrieve entrypoint of procedure GdiGetBitmapBitsSize in .dll file GDi32.dll

Can somebody please tell me how to fix the problem? I am a real rookie and not familiar with system restore or safe mode (I am still in Windows anyway, restarting may not be needed but I can just not run several applications or programs... I also don't know if I will still be able to log in to Windows from the screensaver, as the Administrator password may also not work anymore due to the missing user32.dll file?)

I hope to avoid any loss or corruption of files on my hard drive as several thousands of photos, MP3s etc are stored on it.
I guess I somehow need to get the right user32.dll again, otherwise I guess rebooting in safe mode to restore the wrongly removed file from the virus vault is the only option. I never used safe mode before though so I am quite scared to do something wrongly and corrupt my own files :(

Posted: Wed Nov 12, 2008 2:15 am
by Boxguy
If you are able to burn off a CD you can try running the recovery tool that AVG has provided. The CD image and steps are available here.

Posted: Sat Nov 15, 2008 3:26 pm
by Cracked Pleasures
Grand, I will try that tonight :)

Just in case it would not work (but let's keep fingers crossed it will work): the alternative is either rebooting in safe mode to restore the user32.dll from the virus vault, or a system restore. I have experience with neither. Is there a very detailed instruction somewhere with terms easy enough for a dummy to understand?

Also two side questions: is the firewall still on when the user32.dll is removed? (I could not access my security center in control panel, but the computer did still have a green icon saying it is fully protected)
and can system restore be done only per week (restoring to the PC as it was one week ago) or can it also be done per day (eg restoring to 8 or 9 days ago)?

Posted: Sun Nov 16, 2008 1:52 am
by Cracked Pleasures

Eureka!! My PC is up and running again!

It was a whole hassle though. I could not even reboot anymore or press any icon. One folder with my music and photo files was still open so I was worried for damage. No other option though but to manually press the on/off button of the PC and reboot that way. I used the AVG restore CD ROM but this did not help, and rookie as I am I could not understand the error messages either. I rebooted again by pressing the power button of the PC, again the CD had no effect. In a last attempt I rebooted once more manually, using a CD with an alternative user32 restore program this time (I had burnt this on CD in the cybercafe after reading about it on a forum). The first time it did not work, but the second time suddenly my user32.dll was restored and my PC was working again.

Everything works again as if nothing happened: I can use all my programs again, I can start new browser sessions, I can clear the cookies and temporary internet files again, I can access the control panel and security center again... Happy days! :D I immediately updated the antivirus and the Spybot Search-and-Destroy (the latter for some reason removed 21000 temporary files spontaneously, not sure why...)

My only question remaining... When I realised my PC was cured and working normally again, I immediately opened the control panel and security center to check if my Windows Firewall was running. It was, only the virus protection was indicating to be in bad state but updating the AVG resolved that. The firewall was active!
I wonder however if it has been active all the time during the week when the user32.dll was missing. I could not access the control panel and security center to control that. Now that the PC works normally again, I notice the windows firewall is on. But does this mean it has been on all the time, also when the user32.dll was missing?

It is very important to know because
- if the firewall was off someone could have accessed the hard drive and messed with my files, and there is no way to control if the files remained untouched I guess? So the only way to be assured of that is knowing the firewall was on...
- without the user32 file I could not delete cookies, so if someone could access my computer he could use the cookies to check passwords. Again, it is vital to know if the firewall was on all the time ...

I am just a bit worried about those latter two issues, but I am very happy my PC works again and I won't need internet cafes anymore... Now if only I knew all my music files, video files and photos are untouched and in perfect state, then I am really going to scream hurray :)

Short addition: after installing the new windows updates and rebooting the PC as it is required then, I got an odd warning about possibly being victim of fraudulent software. The warning is in the bottom right corner of my desktop, which is suddenly black instead of having the normal background. The warning just says that I may have non legitimate Windows software, and offers the option to resolve now or resolve later. When clicking the warning it explains the Windows software would not have all necessary elements for validation, and that I would have a blocked Volume License Key. It also offers the option to install ServicePack 3 (I have SP2) and advises to make a backup prior to that.
I have not done anything as I think this warning about non legitimate Windows software is fake; with a recovery CD I basically restored the user32.dll from the c:\windows\$NTuninstallKB925902$\ folder so it is my original user32 file. Fake software? Impossible. Since all my programs including my firewall and antivirus are working fine, I have so far ignored the warning. I wonder where that warning comes from though and why my desktop background suddenly turned black.

Posted: Mon Nov 17, 2008 5:45 am
by Boxguy
As I understand it, user32.dll implements functions that applications can call in order to draw graphical user interface components (windows, buttons, check boxes, the like). Its absence shouldn't have caused the firewall service to stop.

The message and black desktop background are due to "Windows Genuine Advantage" (Microsoft's anti-piracy crap) likely not liking the copy of user32 that you restored, since from the looks of the directory you copied it from it's an older version. Have you tried restoring the older copy from AVG's virus vault if it's still there? That may likely stop the WGA nagging. If it doesn't or you can't restore user32 from the virus vault for some reason I would try upgrading to service pack 3.

Posted: Mon Nov 17, 2008 12:54 pm
by Cracked Pleasures
Thanks for the advice, will do that. But in case an upgrade to servicepack 3 is needed, it advised to back up my HD beforehand. Do any files usually get lost or corrupted when upgrading to a new servicepack? In that case I may prefer the black desktop and ignore the warning from Windows, as everything works well anyway, it is not really worth the hassle of making backups of all those files on the HD. If upgrading to SP3 is harmless, then we go for it I guess :)

Posted: Wed Nov 19, 2008 2:31 am
by Cracked Pleasures
PS is there a good online test that can scan the security of my PC? I need to process some credit card payments and log in to some of my more private accounts soon, but after this mess with first the user32.dll and then this weird warning about illegal software... well, one gets oversuspicious.

My antivirus updates daily and I also update Spybot Search&Destroy 2 or 3 times per week, so in theory I should be protected. The last scans, three days ago, resulted in no harmful files found.

Still, is there an additional test that can check if my PC is fully protected? I mean, just to be on the safe side and do those payments without the slightest worries.

I should add my PC is really slow in opening IE, browsing and sometimes the IE browser just gets stuck and freezes. But I think this is simply due to the fact that internet speed here in Eastern Europe is quite low compared to ADSL speed in Western Europe and the States. So I guess the slowness is not really something I should worry about...

Posted: Wed Nov 19, 2008 5:15 am
by Boxguy
To me it sounds like you should be good to go. If you do want to use another product however, you could try ClamWin.