Gdata and avast issue a false alarm in user32.dll
Widely used antivirus programs avast and Gdata are both reporting user32.dll in Windows XP as a Trojan. By deleting this supposedly infected file users can hamstring their systems. The issue affects German and Dutch Windows versions, but English versions seem not to be endangered.
Apparently avast adapted a generic Trojan detector - distributed on Sunday - that identifies user32.dll as a malicious file. This library provides important functions for Windows applications, such as management of pop-up dialogs, timers, menus, and communication. If the file is deleted many Windows applications may no longer work – the system may even fail to start up. Windows System File Protection (SFP) should restore the file. However, if the user deletes all of the copies of the file or deactivates SFP, he will need to restore it using the rescue system or a rescue disk.
For both avast and Gdata, updated signatures are now available which no longer trigger the false alarm. Affected users should start a manual update if the softare has not already fetched the update automatically.
Virus scanners issuing false alarms for important system files is apparently becoming a widespread problem. In late December, Kaspersky even identified Windows Explorer as a virus; early last year Avira did the same with the winlogon.exe file. Gdata explained to heise Security that their company does not release any signature updates without first testing them on a test system, so it is still unclear how this update was able to slip through the cracks.
- False alarm triggered by Kaspersky paralyses Windows computers, heise Security news report