Within the last two days my clamwin virus scans have been marking Windows XP SP3's userinit.exe as Trojan.Agent-119428

I've run the same file, from multiple installations (different physical locations) through Virustotal and only Clamwin marks this as infected. Could this be a false positive?

File size: 26112 bytes
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
PEInfo: PE Structure information

I got the same result in this morning's scan--the "userinit" file in two locations on the HD is identified as being a trojan.

please report it as false positive to clamav team:
https://www.clamav.net/sendvirus/ https://www.clamav.net/sendvirus/

I think its fair to say that having Clamwin remove or quarantine files is a risky business. THe last two days I have had calls from users who are suddenly stuck in a login loop after restarting their pc's.

Luckily the problem can be rectified by copying usernit.ex_ from the XP Pro CD to the system32 folder as userinit.exe but I cant help but wonder how useful a program that loves to delete system files really is.

It would be nice to have separate alert that gets sent out when system files report as being infected but still quarantines less sensitive files.

we are working on a solution that should eliminate this problem in the near future.