A bogus definitions file wrongfully tagged a vital Windows component as malware

Nov 12, 2008 14:20 GMT  ·  By

Users of the popular AVG antivirus software had an unpleasant surprise when they were locked out of Windows after accepting a confirmation dialog stating that user32.dll (Windows User API Client DLL) was a Trojan component and needed to be deleted. AVG issued an update to fix the problem and apologized for the incident.

A bug in the definitions file caused both commercial and free versions of AVG 7.5 and AVG 8.0 to tag the user32.dll file version 5.1.2600.3099 as PSW.Banker4.APSA or Generic9TBN. According to a Microsoft KB article “Windows stores instructions for graphical elements such as dialog boxes and windows in the User32.dll file. The User32.dll file is necessary to the operation of Windows. If this file is damaged, deleted, or removed, the system will no longer work correctly”.

The false positive presented users with an alert and asked them to confirm removal of the DLL. Unsuspecting users who agreed to AVG's suggested course of action ended up locked out of Windows: the system either failed to boot or entered an endless reboot cycle. AVG confirmed the problem, but only for Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP. The company also posted detailed instructions on how to restore the deleted Windows component from the Recovery Console and provided a tool that removes the bogus definitions.
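The article does not reproduce AVG's Recovery Console instructions. The following is an added example of how such a restore is done on Windows XP, written for this page and not taken from AVG's published guidance. It assumes Windows is installed in C:\WINDOWS, the XP installation CD is in drive D:, and you have booted the Recovery Console from that CD (press R at the Setup prompt) and logged on to the installation. The Recovery Console has no comment syntax, so the lines beginning with REM are annotations for the reader; type the remaining lines one at a time at the prompt.

```bat
REM 1. Confirm the file is actually missing before copying anything over it.
dir C:\WINDOWS\system32\user32.dll

REM 2a. Preferred: restore the copy kept for Windows File Protection, if the
REM     scanner did not remove it too. This preserves the installed hotfix
REM     level (the affected file was version 5.1.2600.3099).
copy C:\WINDOWS\system32\dllcache\user32.dll C:\WINDOWS\system32\user32.dll

REM 2b. Otherwise, expand the compressed copy from the installation CD. This
REM     yields the version shipped on the CD, which is older than the one
REM     AVG deleted; the system boots again, and Windows Update then brings
REM     the file back to the current hotfix level.
expand D:\i386\user32.dl_ C:\WINDOWS\system32\user32.dll

REM 3. Verify the file is back, then reboot. Once in Windows, run AVG's fix
REM    tool and update the definitions before the scanner runs again.
dir C:\WINDOWS\system32\user32.dll
exit
```

Two practical caveats: if the scanner quarantined rather than deleted the file, restoring it from the quarantine after the definitions are fixed is the cleaner route, since it keeps the exact version that was installed; and whichever copy is restored, the definitions must be corrected before the next scan or the same dialog will reappear.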

“Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them. After running the fix tool, users should run the AVG update program to download and install the correct AVG update,” the company noted in a press release. “AVG sincerely regrets the inconvenience users have experienced,” the antivirus vendor adds.

This is not the first incident of its kind for the company, which is widely known for the free version of its antivirus product. Less than a month ago, another faulty definitions update tagged and blocked components of Check Point's popular ZoneAlarm firewall as malware. Such false positives are not unique to AVG either: recently, both Trend Micro and McAfee products identified Windows system files as malicious and left users with unusable systems.