Another False Positive?

sherpya
Yes, most likely a false positive. You can check executables here:
https://www.virustotal.com/ and then submit the file here: https://www.clamav.net/sendvirus/
False positive

heanbuckle
I had the same problem yesterday. It took time to move the files from ClamWin quarantine back to their original folders using the command line. Once I did that, I was able to log in. Since I have been getting a lot of false positives in the last month or so, this made me change my scan to NOT move the files to quarantine. I sent my file in to be looked at, but today I noticed that there are a lot of "is this a false positive" messages.
Hope this helps others looking for answers.
GuitarBob
Heanbuckle, you might want to tell exactly what you did with the command line to restore things. That way, we will have a record of it here on the forum (perhaps it could even be put in the FAQ items), and it could help someone else.
By the way, did you report the file(s) with the false positive to Clam AV so they could fix it? Regards,
marouf
This file is not a virus! This is needed by Windows XP systems to log in. Clamwin erased it from 4 workstations that I support, both from the c:\windows\system32 and from the c:\i386 folder. Please submit this as a false positive, so that they can review it ASAP.
GuitarBob
In most cases, users need to submit their own false positives to Clam AV, starting at https://www.clamav.net/sendvirus/ on the web. If the file is too large to be submitted, they should get back here, and the ClamWin team will arrange something, as it recently did in the case of those Virut.Generic false detections in MS Office files.
Regards,
False Positive Indeed!!

tanner520
Yes, the userinit.exe from Windows XP SP3 showing up as a trojan horse in clamwin is indeed a false positive.
Without this file in the /windows/system32 directory, you will only get to a Windows user listing. If you click on a user (even Administrator, and even in safe mode), you will only see a brief blink of the desktop and then you will be back at the user listing again. The only other thing you can do is shut down or log off from this point. To correct it, boot on a recovery CD or a bootable floppy and get to a command line. It's easiest to copy the userinit.exe file from another working PC on the same Windows version to a CD or floppy, then copy the file to the /windows/system32 directory. This experience has definitely taught me to NOT delete files that clamwin thinks are viruses.
GuitarBob
Tanner, if a user could get a list of absolutely important Windows files that would "tank" their system, they could exclude them from ClamWin's scans via ClamWin's filters. They would be taking a bit of a chance, however, but many viruses now do not want to destroy a system from which they will have the possibility of making money. We recommend ClamWin for use as a backup scanner to another real-time AV, so it wouldn't be that bad--they would still be covered by the RT scanner.
A quarantine of Winlogon did my system in a couple of years ago, so that's my candidate. Next? Regards,
keitho64
I had the same problem this weekend. I have clam configured to move infected files and I have my machine configured to shut down nightly. Without userinit.exe the machine would not boot; it was in a loop for loading the profile and would not come up in safe mode as Admin either. I will also add that I have my clam configured to email me any time it finds a virus, so I knew what to look for.
In order to reload userinit I did the following:
Boot the XP CD and select R for recovery mode at the prompt.
Select the Windows instance to log in to (I only have 1). You must have the administrator password; type it in at the prompt.
cd to windows\system32.
At the C:\Windows\System32 prompt enter "expand x:\I386\userinit.ex_" (substitute X with the drive of the CD). This will uncompress the original source file into the windows\system32 directory.
You can use this procedure for any other source file that was deleted, but make sure you execute the command from the destination directory or add the destination directory to the command line. Once I did this I was able to reboot and the machine has been fine since. I am still getting the false positive on USERINIT and CD32 but I modified Clam to just warn me of the virus for now. Once a new data file comes out I can change it back. Keith
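An added example, not code from this thread or from ClamWin, that combines GuitarBob's idea of a list of logon-critical Windows files with Keith's report-only setting: a Python triage script that reads clamscan-style "path: signature FOUND" lines from a ClamWin report and holds any detection on those files for manual verification (VirusTotal check, then submission at clamav.net/sendvirus) instead of quarantining it. Only userinit.exe and winlogon.exe come from the thread; the other file names, the directory rule and the signature names in the sample report are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Logon-critical binaries named in this thread (userinit.exe, winlogon.exe);
# the other entries are assumptions, so extend the set from your own inventory.
CRITICAL_LOGON_FILES = {"userinit", "winlogon", "lsass", "csrss"}
# Setup source copies under i386 are stored compressed (userinit.ex_).
CRITICAL_SUFFIXES = {".exe", ".ex_"}
SYSTEM_DIRS = {"system32", "i386"}

# clamscan (the engine behind ClamWin) reports "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S.*?) FOUND\s*$")


def parse_detection(line):
    """Return (path, signature) for a FOUND line, else None (OK/summary lines)."""
    m = FOUND_RE.match(line)
    return (m.group("path"), m.group("sig")) if m else None


def is_logon_critical(path):
    """True if path is a logon-critical binary under system32 or the i386 source."""
    p = PureWindowsPath(path)
    return (p.stem.lower() in CRITICAL_LOGON_FILES
            and p.suffix.lower() in CRITICAL_SUFFIXES
            and p.parent.name.lower() in SYSTEM_DIRS)


def triage(report_lines):
    """Split detections into those safe to quarantine and those to hold for
    manual verification (VirusTotal check, then clamav.net/sendvirus)."""
    hold, quarantine = [], []
    for det in filter(None, map(parse_detection, report_lines)):
        (hold if is_logon_critical(det[0]) else quarantine).append(det)
    return {"hold": hold, "quarantine": quarantine}


# Constructed sample report; signature names are placeholders, not real ClamAV names.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\userinit.exe: Trojan.Placeholder-1 FOUND
C:\\i386\\USERINIT.EX_: Trojan.Placeholder-1 FOUND
C:\\Documents and Settings\\bob\\Local Settings\\Temp\\dropper.exe: Win.Trojan.Placeholder-2 FOUND
C:\\WINDOWS\\notepad.exe: OK
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path, sig in result["hold"]:
        print(f"HOLD, verify before quarantine: {path} [{sig}]")
    for path, sig in result["quarantine"]:
        print(f"quarantine: {path} [{sig}]")
```

Feed it the body of the ClamWin report email and anything in the "hold" list stays on disk until a human has confirmed it really is malware.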
GuitarBob
Emailing upon an infection is a good idea, Keith. I've never taken advantage of it. Of course, you would need another computer or be at another location with a computer to know about it, though. This has some possibility of monitoring for false positives/outbreaks if everyone used the same email address, but you would need to have personnel/facilities there, and ClamWin just doesn't have them. Besides, the users would not get a personal notice like you do now.
Thanks for the info! Regards,
keitho64
I really like the email routine built into Clam and it does work quite well. You get the full report and if you catch it before a reboot you can even restore the file if you suspect a false positive. However, after this recent false positive I changed it to just report any viruses.
I have it email into a free POP account so I can retrieve the email from anywhere. Yes, it helps to have more than one PC as well.
jjharlow
Well, fixing this was a fun use of my Monday. Every remote unit with automatic restarts made for a fun drive around the city. My own fault, I suppose; lesson learned. Clam is now my Report only solution.
wa8okr
I have encountered a false positive on CB32.exe and my system now logs me off after my pwd is entered. Several copies ended up in quarantine and I am outside wondering how to get in. Even the CB32.EX_ was moved, and this file tested positive on my Dell Recovery disk. I feel this preloaded software idea is lousy when you do not get a way to recover without having to reinstall the OS on an empty disk.
I have tried to boot off of a CD that Dell sent at my insistence that is their recovery disk. When I do I get the error message "File\I386\bios.inf could not be loaded error code 47827 setup can not continue press any key to exit". The next event is a black DOS screen and then I am greeted with "CD Boot can not boot from CD code 5". I am running XP PRO SP3. I have not been able to get anywhere with this. Can anybody shed some light on getting my machine well? Thanks, Bill Hunt
GuitarBob
My Dell from 2006 has a factory snapshot made by Norton Ghost on it. I used it once to restore after ClamWin zapped winlogon. It restored the PC to the original factory installation, including (God forbid!) McAfee. It took me a day or so to delete all the Dell crap and reinstall everything I had. Since then, I have turned Windows System Restore off (it's not very good) and relied upon a 3rd party commercial snapshot, which I also use a lot after working malware.
From my old 2006 notes, I see that I accessed the Dell snapshot by "booting in Safe Mode and selecting the 2nd or Right option." It's been a while now, and that's all I have on it. If that's not enough, I suggest you contact Dell and verify that a Dell snapshot is on your machine and ask how to access it. Good luck! Be sure to select Report Only for ClamWin's Infected File Option if you reinstall ClamWin. If you still want to use Quarantine, I suggest you exclude all important Windows system files from ClamWin's scans. I would like to get a list of them--those that will zap you if removed/quarantined. Seems like there are so many! There must be a better OS! Regards,
keitho64
Bill,
I would suggest you download and build an XP boot CD. Then try to restore the missing file. I had notes on doing this but I do not have them right now. I would not use the recovery CD from Dell. I can try to find the steps and send them later if you need that. Keith