Amos9

Is this a false positive userinit.exe


Hi, could someone from Malwarebytes confirm if userinit.exe is being detected as a false positive today? I am running Windows 7 64-bit; the Malwarebytes DB is v2019.07.04.04.

Regards


Hi,

We are not aware of this false positive. Can you post the Malwarebytes log please? Also, what was the detection?

 

Edited to add: userinit.exe is whitelisted, so it's most probably a userinit.exe file not located in the system32 folder, a malicious file using userinit.exe as a name (we see this all the time).

Edited by miekiemoes


Hi, please see below; it's being detected as Trojan.Agent.

 

<mbam-log>
  <header>
    <version>1.75.0.1300</version>
    <database>v2019.07.04.04</database>
    <windows>Windows 7 Service Pack 1</windows>
    <arch>x64</arch>
    <filesys>NTFS</filesys>
    <msie>Internet Explorer 11.0.9600.19377</msie>
    <username>SYSTEM</username>
    <cpuname>COMPUTER</cpuname>
    <date>Thu, 04 Jul 2019 11:05:03 GMT</date>
    <log>mbam-log-2019-07-04 (12-05-03).xml</log>
    <summary>
      <type>quick</type>
      <objects>281491</objects>
      <time>511</time>
      <processes>0</processes>
      <modules>0</modules>
      <keys>0</keys>
      <values>0</values>
      <datas>1</datas>
      <folders>0</folders>
      <files>1</files>
    </summary>
  </header>
  <items>
    <data>
      <path>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</path>
      <valuename>Userinit</valuename>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <valuedata>userinit.exe</valuedata>
      <baddata>userinit.exe</baddata>
      <gooddata/>
    </data>
    <file>
      <path>userinit.exe</path>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
    </file>
  </items>
</mbam-log>


Hi,

That's the valuedata under the Winlogon key; we target it when the default data userinit.exe isn't properly set but hijacked.

However, given you run a way out-of-date version of Malwarebytes here (1.75.0.1300), please update Malwarebytes to the latest version: https://www.malwarebytes.com/premium/, run a scan again and post the new Malwarebytes log here, as that might show a lot more info.

Additionally, really old versions of Malwarebytes are less stable than recent versions, plus the detection rate is 50% less than in current Malwarebytes versions. That is why updating is recommended, as you aren't protected from the latest threats anyway with this really old version you have.


Can you post the Malwarebytes log please? Please post the log from the latest version of Malwarebytes.

It might be a valid detection though, where malware adjusted the Winlogon|Userinit valuedata; when we detect that, we replace it again with the correct data.

Edited by miekiemoes


Hi,

We think we found the culprit that is causing this. The next database, which should go out in a bit, will solve this.

Please restore that key by unquarantining it again and wait till the next database update.

Edited by miekiemoes


Same here on one of my machines. Running Win7 on both. One computer is clean but the other reports a Trojan.Agent in the userinit.exe found in the C:\WINDOWS\SYSWOW64 directory.

I'm running the latest Premium version of Malwarebytes with the latest virus definitions.


Ok, sorry, I didn't see your last post. It seems there's nothing to worry about then.


I'm seeing the userinit too, but one machine has C:\WINDOWS\SYSWOW64\IMAGERES.DLL.


Yes, we found the culprit. Just unquarantine again and wait until next database update.

@Mikebob, can you post the Malwarebytes detection log please, where it shows the C:\WINDOWS\SYSWOW64\IMAGERES.DLL?

Logs really help us move faster. Thx!

Edited by miekiemoes


New database is out:

MBAM2 Version: v2019.07.04.11
MBAM3 Version: 1.0.11406

So please unquarantine and update.

Thanks!!

 

Edited by miekiemoes
