userinit.exe is a false positive ?

userinit.exe IS false positive as of Fri, Jan 12 DB update
tpleiman
This has been driving me nuts all evening because it just happened to coincide with some misbehaving hardware BSODs on one of my systems here. So, I finally extracted the contents of the MS released SP3 to a folder:

    windowsxp-kb936929-sp3-x86-enu.exe -x:e:\sp3

and scanned the compressed file in the extracted i386 folder there with ClamWin: userinit.ex_

ClamWin ALSO claims this file is infected with W32.Virut-82. I've had this service pack file since MS released it in the spring of 2008. This was the ClamWin database definition update that started reporting the false positive on the MS official release of userinit.exe:

    ClamAV update process started at Fri Feb 12 19:46:12 2010
    main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
    Downloading daily-10388.cdiff [100%]
    Downloading daily-10389.cdiff [100%]
    daily.cld updated (version: 10389, sigs: 168523, f-level: 44, builder: guitar)
    Database updated (713558 signatures) from database.clamav.net (IP: 130.59.10.36)
userinit.exe
biopsin
Hi,

ClamWin is reporting W32.Virut-82, tested userinit.exe @ VirusTotal and Clam is the only one reporting infection. -b
lordpake
Please submit the file as false positive here --> https://cgi.clamav.net/sendvirus.cgi
Also kindly provide them supporting information, such as Virustotal scan result only showing Clam as detecting it.
lots of people are going to get hit with this one...
tpleiman
I just reported this file as false positive, but it's kind of silly to screw this one up, as userinit.exe is actually a target for legit viruses. (Can't believe I'm referring to a virus as legit).
Again, ClamWin has started reporting all legitimate SP3 Microsoft XP versions of system32/userinit.exe as infected with W32-Virut-82 as of Friday afternoon, Feb. 12, including all versions of userinit.exe that have come from all XP SP3 install disks and all XP SP3 service pack files, both in compressed form (on the CD or extracted from the SP3 service pack file) and in a windows/system32 directory with SP3 installed.

Official Microsoft file version information if you click the file for properties is as follows: 5.1.2600.5512, and the version information will show the typical official Microsoft release information.

Upon noticing ClamWin reporting the above file version as infected, all users should consider these reports by ClamWin of infection of userinit.exe fully suspect as false positive until an official announcement is made that the problem has been corrected. The problem does not affect SP2 releases of userinit.exe.

If ClamWin is set to quarantine or remove the file, Windows System File Protection will replace the correct file back automatically and prevent the inherent system instability that will come (make it impossible to boot up/login to your computer) if this file is removed. If the user's system is already infected with another virus that has disabled Windows File Protection, quarantining or deleting this file will present the user with even more system instability.

This is going to freak out a lot of people, most notably because the file will automatically reappear in most cases if a user deletes it, unless that user's Windows File Protection has already been disabled (as noted above), in which case removal will further trash a user's system.

This needs to get fixed FAST!
OK, now this is getting to be a joke!
tpleiman
Upon reporting....

    This virus is already recognized by ClamAV 0.95.3/10389/Sat Feb 13 02:11:17 2010 (timezone: ) as W32.Virut-82 . Be careful when submitting samples and remember to run freshclam!

ALL LEGITIMATE VERSIONS OF XP SP3 userinit.exe reporting as W32.Virut-82 ARE FALSE
GuitarBob
I suggest you temporarily exclude userinit.exe from ClamWin scans via Configure, Filters, Exclude Matching Filenames, and insert the filename and extension (left side of page). Microsoft had a problem with the BSOD in its Tuesday patches which fried some Windows XP, SP3 machines, I understand. It has been suggested that the problem may occur when there is an unnoticed infection by the TDSS Rootkit because it doesn't affect all Win XP, SP3 machines. Furthermore, I think that Microsoft may have tried to shove down a "fix" on Friday that triggers the Virut detection by Clam. Every time there is a change in Windows files, there are a bunch of Virut false positives by Clam and they have to whitelist new versions.
Regards,
tpleiman
Hey Bob,

This is definitely not the case with userinit.exe. This is not a file that was patched by KB977165. userinit.exe from SP3 is being reported by Clam as a false positive on the SP3 releases dating back to the original release of userinit.exe. Userinit.exe from MS has not changed since May of 2008, when SP3 was released to the public.

Thanks much,
Tim
scarlett_156
This happened to me as well when I was rescanning after the Feb. 12 scan reported 16 apparently false positives:

    C:\WINDOWS\SYSTEM32\DLLCACHE\userinit.exe: W32.Virut-82 FOUND
    C:\WINDOWS\SYSTEM32\userinit.exe: W32.Virut-82 FOUND

I will just re-scan tonight. The last time I deleted system files that were "infected" I ended up owing my computer service guy a nice chunk of change.

~~~ yours in Chaos, Scarlett
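One way to triage detections like the ones quoted in this thread before touching the file, as an added example that is not code from the thread or from ClamWin: parse the scan output, hash each flagged file and compare it with a known-good copy obtained out of band (assumed here: the userinit.exe expanded from the i386 folder of the extracted SP3 package, as the first post describes). The scan lines embedded in the script are constructed, modelled on the ones posted above.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Constructed sample of ClamWin scan output, modelled on the lines quoted in this thread.
SAMPLE_SCAN_OUTPUT = """\
C:\\WINDOWS\\SYSTEM32\\DLLCACHE\\userinit.exe: W32.Virut-82 FOUND
C:\\WINDOWS\\SYSTEM32\\userinit.exe: W32.Virut-82 FOUND
C:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM: Permission denied
Infected files: 2
"""

# A detection line is "<path>: <signature> FOUND"; error and summary lines do not match.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_hits(scan_output):
    """Return [(path, signature)] for every FOUND line in clamscan/ClamWin output."""
    hits = []
    for line in scan_output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage_hits(hits, reference_hashes, hash_fn=sha256_of):
    """Compare each flagged file with a trusted copy instead of deleting it on sight.

    reference_hashes maps a lowercase file name ('userinit.exe') to the SHA-256 of a
    known-good copy obtained out of band (assumed here: expanded from the i386 folder of
    the extracted SP3 package). Verdicts: 'matches-reference' (likely false positive; keep
    the file and report it to the vendor), 'differs' (treat as a real detection),
    'no-reference' (investigate manually), 'unreadable' (missing or locked; rescan).
    """
    verdicts = {}
    for path, _sig in hits:
        name = PureWindowsPath(path).name.lower()  # handles both '\\' and '/' separators
        if name not in reference_hashes:
            verdicts[path] = "no-reference"
            continue
        try:
            digest = hash_fn(path)
        except OSError:
            verdicts[path] = "unreadable"
            continue
        verdicts[path] = "matches-reference" if digest == reference_hashes[name] else "differs"
    return verdicts
```

A file that is byte-identical to the trusted copy but still flagged is exactly the evidence worth attaching to a false-positive submission.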
Peter B.
To reaffirm, W32.Virut-82 was found in three instances on a recent (unpatched) install of SP3 today.
For now, I'm disregarding the scan report.

Peter B.
latest db still reporting false positive on userinit.exe
tpleiman
Confirming that the latest (a subsequent) ClamWin database definition update is still reporting this false positive on userinit.exe:

    ClamAV update process started at Sun Feb 14 12:00:26 2010
    main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
    Downloading daily-10390.cdiff [100%]
    daily.cld updated (version: 10390, sigs: 168528, f-level: 44, builder: guitar)
    Database updated (713563 signatures) from database.clamav.net (IP: 130.59.10.36)
When will the db maintainers correct this problem???
tpleiman
This should have been corrected immediately by the db maintainers, as it is now causing serious problems for users of the software. Shameful.
And to further confirm...
tpleiman
Clamwin is still reporting false positives for Virut-82 on all versions of userinit.exe dating back to the May 2008 release of userinit.exe on XP SP3, including, upon extraction, from original MS XP OEM and Corporate install disks, upon extraction from original XP3 Service Pack files, and at all their respective install locations in Windows XP itself.
Sigh...
GuitarBob
Have you sent at least one of those files to Clam? I noticed one submitted userinit.exe file was "whitelisted" last night, but perhaps the entire signature needs to be dropped. Please send them a couple of those files (if they are still detected) to give them the message. They are reluctant to drop Virut sigs because it is such a bad virus, and they tend to whitelist its false positives if they can.
Regards,
vinnie
Appears that the virus database file has been adjusted for this:
    ClamAV update process started at Mon Feb 15 09:48:11 2010
    main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
    daily.cvd is up to date (version: 10393, sigs: 8809, f-level: 44, builder: sven)
    Scan Started Mon Feb 15 09:48:32 2010
    -------------------------------------------------------------------------------
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb: Permission denied
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT: Permission denied
    C:\WINDOWS\SYSTEM32\CONFIG\SAM: Permission denied
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY: Permission denied
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE: Permission denied
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM: Permission denied
    ----------- SCAN SUMMARY -----------
    Known viruses: 712850
    Engine version: 0.95.3
    Scanned directories: 421
    Scanned files: 5739
    Infected files: 0
    Data scanned: 1340.14 MB
    Data read: 1346.63 MB (ratio 1.00:1)
    Time: 380.547 sec (6 m 20 s)
    --------------------------------------
    Completed
    --------------------------------------
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.