What you're doing inside your createUserFile is grabbing the "user" parameter from your CGI script without checking it. Meanwhile, you're running your script with taint checking on (the -T option). Since you're not doing any kind of checking on the input that you get from the CGI script, the input is considered tainted by default.

To untaint the user input, do as ccn suggested:

param('user') =~ /^(\w+)$/
  or die "Bad parameter " . param('user');

my $theFile = "$1.txt";
[download]

This will prevent the user from entering some potentially destructive input that will execute an "rm -r /" command on your system.