False positive


Conder

AdwCleaner is detecting registry key "HKLM\SOFTWARE\029c4619-0385-5543-9426-46f9987161d9" as PUP.Adware.Heuristic. It is probably a false positive, because this key is created by Streamlabs OBS (streamlabs.com).

[HKEY_LOCAL_MACHINE\SOFTWARE\029c4619-0385-5543-9426-46f9987161d9]
"InstallLocation"="C:\\Program Files\\Streamlabs OBS"
"KeepShortcuts"="true"
"ShortcutName"="Streamlabs OBS"

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Sorry for late reply. Here is the log:

# -------------------------------
# Malwarebytes AdwCleaner 7.2.5.0
# -------------------------------
# Build:    11-26-2018
# Database: 2018-12-07.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    12-17-2018
# Duration: 00:00:15
# OS:       Windows 7 Ultimate
# Scanned:  32299
# Detected: 1


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Adware.Heuristic            HKLM\SOFTWARE\029c4619-0385-5543-9426-46f9987161d9

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
1 hour ago, Vectorize said:

Hi, in my case, I'm getting 'PUP.Winlogon.Heuristic' with HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit being flagged on a fresh install of Win 7. Pretty sure it's a false positive, but would like your opinions. :)

Greetings,

It seems in your case that the issue may be the same one mentioned in this thread.

If you would, please provide a scan log from ADWCleaner showing the detection along with a registry export of the key being detected in your next reply (you may refer to the instructions provided in the thread I linked to above if you require them for exporting and attaching the key).

Thanks for your reply, exile. I had initially done the AdwCleaner cleanup since it is pretty reliable, but had second thoughts and restored the reg key after that.

This is the log and the .reg file (appended with a .log extension to be able to attach it).

# -------------------------------
# Malwarebytes AdwCleaner 7.2.7.0
# -------------------------------
# Build:    01-30-2019
# Database: 2019-03-04.3 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    03-08-2019
# Duration: 00:00:07
# OS:       Windows 7 Ultimate
# Scanned:  31858
# Detected: 1


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Winlogon.Heuristic          HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
Winlogon.reg.log

Thanks :)

I think I see the problem.  For some odd reason your key is pointing to the 32-bit/x86 copy of userinit.exe located in SysWOW64 rather than the default/standard native x64 copy located in System32.  I'm on Windows 7 x64 myself, and here's what my key looks like:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

Here's what the export of yours shows, and is likely the very reason it's being detected:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\SysWOW64\\userinit.exe,"

Note the difference in the path there between the two.  I'm pretty sure it's supposed to be System32 so I'm guessing that for whatever reason, some application changed it on your system at some point so now it's triggering this detection (since malware has also been known to modify this value to load their own Trojans/malicious executables).  Malwarebytes and ADWCleaner both have a lot of generic heuristics signatures like this that detect any modification of default system loading point values for this very reason, because theoretically they should never be altered from their defaults.

You may await a response from fr33tux or Elisabeth if you wish, but I'm pretty sure I figured out why this is being detected.  I can do some more research and hit up Microsoft's web documentation as well if you wish, just to make certain there's no legit reason for it to be pointing to that copy of the file before you make any changes, but I don't believe it should do any harm to set it back to its default value (which is what ADWCleaner should do when it removes/quarantines the detection, though you can verify that as well if you wish by trying it again and then checking the value left behind afterwards).

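The check described in the reply above (compare the Winlogon Userinit value in a .reg export against the stock System32 path and flag anything else, including the SysWOW64 copy) can be scripted so it runs offline against an exported key rather than the live registry. The following is an added example written for this thread, not code from Malwarebytes or AdwCleaner; the two sample exports are constructed from the values quoted in the thread, and the expected default path `C:\Windows\system32\userinit.exe` is the value exile's own export shows (adjust it if your system drive differs).

```python
import re
from typing import Dict, List, Optional

# Constructed sample exports reproducing the two Winlogon values quoted in the thread,
# plus the Streamlabs OBS key from the first post so the parser sees more than one key.
DEFAULT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\029c4619-0385-5543-9426-46f9987161d9]
"InstallLocation"="C:\\Program Files\\Streamlabs OBS"
"KeepShortcuts"="true"
"ShortcutName"="Streamlabs OBS"
'''

REDIRECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\SysWOW64\\userinit.exe,"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock value on an x64 Windows 7 install (assumption: system drive is C:).
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash as \\ and double quote as \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Windows .reg export into {key path: {value name: data}}.

    Only REG_SZ ("..."="...") values are decoded; other types are kept raw.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def audit_userinit(values: Dict[str, str], expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return a list of findings for a Winlogon key's Userinit value (empty = stock)."""
    raw = values.get("Userinit")
    if raw is None:
        return ["Userinit value is missing"]
    # Userinit is a comma-separated list; the stock value is one entry plus a trailing comma.
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return ["Userinit value is empty"]
    findings: List[str] = []
    if entries[0].lower() != expected.lower():
        findings.append(f"Userinit first entry is {entries[0]!r}, expected {expected!r}")
        if "syswow64" in entries[0].lower():
            findings.append("Userinit points at the 32-bit SysWOW64 copy (WOW64 redirection?)")
    for extra in entries[1:]:
        findings.append(f"extra Userinit entry: {extra!r}")
    return findings


def audit_export(text: str) -> List[str]:
    """Locate the Winlogon key in an export (case-insensitively) and audit Userinit."""
    keys = parse_reg_export(text)
    for path, values in keys.items():
        if path.lower() == WINLOGON_KEY.lower():
            return audit_userinit(values)
    return ["Winlogon key not present in export"]


if __name__ == "__main__":
    for label, export in (("default", DEFAULT_EXPORT), ("redirected", REDIRECTED_EXPORT)):
        print(label, audit_export(export) or ["OK: Userinit matches the stock value"])
```

The same audit can be pointed at a real export produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` before and after running a cleanup, which is the verification step exile suggests at the end of the reply.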
It shouldn't change that key, Userinit is a system process, but you never know I suppose.  If it's a really old app with some odd function that tries to verify/write that key/value for XP/32 bit operating systems then I suppose it would be possible for it to modify it, but with that said, my guess would actually be some kind of older malware scanner or system error fixing/system optimization application (I'm thinking something along the lines of Registry Mechanic or System Mechanic or a utility like Dial-a-Fix etc.) as any older system error fixing app/security tool could be liable to accidentally write the wrong entry there due to Windows WOW64 redirection that would point them to SysWOW64 instead of the native System32 (though theoretically it should also point them to the HKLM\SOFTWARE\Wow6432Node key/branch also rather than the native one where this issue is being detected).

I think you're surely right. I re-ran the repair and the key now correctly points to System32. (I had installed a trial of Avg PC tuneup... didn't keep it, so maybe that's the culprit).

Everything seems just fine - ran AdwCleaner again and it comes up clean now. Thanks so much for your expertise on this!

Ah, that certainly could be it.  All it would take is a bad signature in AVG writing the wrong path or using the wrong API and not getting the correct/native path and writing that to your registry to cause this.

If it comes back though, please do let us know as I am curious to know just what may have caused it in case this issue comes up again.
