
Is this a false positive userinit.exe


Amos9

  • Staff

Hi,

We are not aware of this false positive. Can you post the malwarebytes log please? Also, what was the detection?

 

Edited to add: userinit.exe is whitelisted, so it's most probably a userinit.exe file not located in the system32 folder, a malicious file using userinit.exe as a name (as we see this all the time).

Edited by miekiemoes

Hi, please see below, it's being detected as Trojan.Agent.

 

<mbam-log>
  <header>
    <version>1.75.0.1300</version>
    <database>v2019.07.04.04</database>
    <windows>Windows 7 Service Pack 1</windows>
    <arch>x64</arch>
    <filesys>NTFS</filesys>
    <msie>Internet Explorer 11.0.9600.19377</msie>
    <username>SYSTEM</username>
    <cpuname>COMPUTER</cpuname>
    <date>Thu, 04 Jul 2019 11:05:03 GMT</date>
    <log>mbam-log-2019-07-04 (12-05-03).xml</log>
    <summary>
      <type>quick</type>
      <objects>281491</objects>
      <time>511</time>
      <processes>0</processes>
      <modules>0</modules>
      <keys>0</keys>
      <values>0</values>
      <datas>1</datas>
      <folders>0</folders>
      <files>1</files>
    </summary>
  </header>
  <items>
    <data>
      <path>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</path>
      <valuename>Userinit</valuename>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <valuedata>userinit.exe</valuedata>
      <baddata>userinit.exe</baddata>
      <gooddata/>
    </data>
    <file>
      <path>userinit.exe</path>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
    </file>
  </items>
</mbam-log>


  • Staff

Hi,

That's the valuedata under the Winlogon key; we target it when the default data userinit.exe isn't properly set but hijacked.

However, given you run a way out-of-date version of Malwarebytes here (1.75.0.1300), please update Malwarebytes to the latest version: https://www.malwarebytes.com/premium/, run a scan again and post the new Malwarebytes log here, as that might show a lot more info.

Additionally, really old versions of Malwarebytes are less stable than recent versions, plus the detection rate is 50% less than that of current Malwarebytes versions. Hence updating is recommended, as you aren't protected from the latest threats anyway with this really old version you have.


  • Staff

Can you post the Malwarebytes log please? Please post the log from the latest version of Malwarebytes.

It might be a valid detection though, where malware adjusted the Winlogon|Userinit valuedata, so when we detect it, we replace it again with the correct data.

Edited by miekiemoes
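As an added example (not Malwarebytes' code and not from any poster in this thread), here is a small Python parser for the 1.x XML log format posted above that applies the check the staff describe to the Winlogon\Userinit value: the stock data is accepted, anything appended after it or any non-standard value (such as the bare "userinit.exe" in the posted log) is flagged. The expected default value is an assumption and should be confirmed against a known-clean machine of the same Windows build.

```python
import xml.etree.ElementTree as ET

# Stock Winlogon\Userinit data on Windows 7 (assumption: confirm against a
# known-clean machine of the same build). The trailing comma is part of the
# default; anything appended after it is an extra program Winlogon will run.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Constructed sample, trimmed from the log posted in the thread.
SAMPLE_LOG = r"""<mbam-log><header><version>1.75.0.1300</version>
<database>v2019.07.04.04</database></header><items>
<data><path>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</path>
<valuename>Userinit</valuename><vendor>Trojan.Agent</vendor>
<action>success</action><valuedata>userinit.exe</valuedata>
<baddata>userinit.exe</baddata><gooddata/></data>
<file><path>userinit.exe</path><vendor>Trojan.Agent</vendor>
<action>success</action></file></items></mbam-log>"""

def registry_hits(log_xml):
    """Return each <data> (registry value) detection in the log as a dict."""
    return [{"path": d.findtext("path") or "",
             "value": d.findtext("valuename") or "",
             "data": d.findtext("baddata") or "",
             "vendor": d.findtext("vendor")}
            for d in ET.fromstring(log_xml).iter("data")]

def classify_userinit(data):
    """'default' for the stock value, 'extra_program' when the stock path is
    followed by more entries (a common persistence trick), 'nonstandard' for
    anything else, e.g. a bare 'userinit.exe' no longer pinned to System32."""
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    if not entries:
        return "missing"
    expected = EXPECTED_USERINIT.rstrip(",").lower()
    if entries == [expected]:
        return "default"
    if entries[0] == expected:
        return "extra_program"
    return "nonstandard"

def audit(log_xml):
    """Return (path, baddata, label) for every Winlogon\\Userinit detection."""
    return [(h["path"], h["data"], classify_userinit(h["data"]))
            for h in registry_hits(log_xml)
            if h["path"].lower().endswith(r"\winlogon")
            and h["value"].lower() == "userinit"]

if __name__ == "__main__":
    for path, data, label in audit(SAMPLE_LOG):
        print(f"{label:13} {path}\\Userinit = {data!r}")
```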

Same here on one of my machines. Running Win7 on both. One computer is clean but the other reports a Trojan.Agent in the userinit.exe found in the C:\WINDOWS\SYSWOW64 directory.

I'm running the latest Premium version of Malwarebytes with the latest virus definitions.


  • Staff

Yes, we found the culprit. Just unquarantine again and wait until next database update.

@Mikebob, can you post the Malwarebytes detection log please, where it shows the C:\WINDOWS\SYSWOW64\IMAGERES.DLL?

Because it really helps us work faster with logs. Thx!

Edited by miekiemoes