AVG antivirus removes Windows system file

Antivirus organisation AVG has mistakenly identified a core Windows file as a piece of malware.

An AVG update, pushed out on Sunday, for versions 7.5 and 8 falsely identified user32.dll as malware. The update identified the file as 'PSW.Banker4.APSA', a banking Trojan.

Users who followed AVG's recommendation to delete the file were left with computers that either would not boot up or continually rebooted. The AVG Free Forum filled with users looking for advice.

"I just detected the Trojan horse PSW.Banker4.APSA sitting in the user32.dll," wrote a user called 'Samba1' on the forum. "I did the recommended removal with AVG, restart and the PC starts rebooting over and over. On a laptop I am servicing — the same thing! The restoration brings the system back but the virus remains and the AVG warning pops up and seems to multiple [sic]."

AVG on Sunday released a further update that did not incorrectly identify the core Windows file as malware.

The company also posted advice on its support page for affected users. People who could run their computers were advised to download a utility that would delete the update files, and then download the fixed update. Users who could not boot their computers were advised to run the XP recovery console on their Windows installation disc, disable AVG Resident Shield, and restore user32.dll.

AVG did not release a statement, but Zbynek Paulen of AVG Technical Support apologised to affected clients on the AVG Free Forum.

"Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files," wrote Paulen. "We can confirm that it was a false alarm. We are sorry for the inconvenience and thank you for your help."

Several users reported an AVG false positive in August, claiming that AVG had falsely identified the IceSword 1.22 rootkit scanner as malware.

AVG supplies both free and paid-for antivirus software.