
False Positive - userinit.exe


That's happened several times to our clients since tomorrow even though the file direction (C:\Windows\System32\userinit.exe) is included in the Anti-Malware and Anti-Ransomware Exclusion List.

Any help?



Thanks in advance :)


Malwarebytes Management Server Notification



Alert Time: 12.02.2020 16:01:30

Server Hostname: P

Server Domain/Workgroup: 


Ransomware threat detected, see details below:

Time                 HostName  IPAddress  ThreatName                    Operation   Clean Result  ObjectScanned
12.02.2020 16:01:23  VM0034               Malware.Ransom.Agent.Generic  QUARANTINE  SUCCESSFUL    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit
12.02.2020 16:00:49  VM0034               Malware.Ransom.Agent.Generic  QUARANTINE  WHITELISTED   userinit.exe

Total count: 3.


Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.





Thank you for the report. How many machines in total have encountered this?

Please export the following keys and provide them to us:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Could you also carry out the following instructions and attach the two generated files:

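Before sending the exports, it helps to see what the Userinit value currently holds in both registry views. The script below is an added PowerShell example, not code from this thread or from Malwarebytes; it assumes the stock value is C:\Windows\system32\userinit.exe, (with the trailing comma) and writes the .reg exports to a folder under %TEMP%.

```powershell
# Added example (not from the thread): read the Winlogon Userinit value from both
# registry views, flag anything beyond the stock value, and export the keys with reg.exe.
# Assumption: the stock value is "C:\Windows\system32\userinit.exe," (note the trailing comma).
$ExpectedUserinit = 'C:\Windows\system32\userinit.exe,'

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonUserinit {
    param([string[]]$Keys = $WinlogonKeys)

    foreach ($Key in $Keys) {
        if (-not (Test-Path -Path $Key)) {
            [PSCustomObject]@{ Key = $Key; Userinit = $null; Status = 'KEY MISSING' }
            continue
        }
        $Value = (Get-ItemProperty -Path $Key -Name 'Userinit' -ErrorAction SilentlyContinue).Userinit
        $Status = if ($null -eq $Value) { 'VALUE MISSING' }
                  elseif ($Value.TrimEnd(',') -ieq $ExpectedUserinit.TrimEnd(',')) { 'DEFAULT' }
                  else { 'NON-DEFAULT - review' }   # extra entries here run at every interactive logon
        [PSCustomObject]@{ Key = $Key; Userinit = $Value; Status = $Status }
    }
}

function Export-WinlogonKeys {
    param([string]$OutDir = "$env:TEMP\winlogon-export")
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $i = 0
    foreach ($Key in $WinlogonKeys) {
        $i++
        # reg.exe expects the HKLM\... form, not the PowerShell HKLM:\ drive form
        $RegPath = $Key -replace '^HKLM:\\', 'HKLM\'
        $OutFile = Join-Path $OutDir "winlogon-$i.reg"
        & reg.exe export $RegPath $OutFile /y | Out-Null
        $OutFile   # return the path of each .reg file written
    }
}

Test-WinlogonUserinit | Format-Table -AutoSize
Export-WinlogonKeys
```

A NON-DEFAULT status only means the value holds more than the stock entry; compare it against the exported .reg file before deciding whether the extra entries belong there. The Wow6432Node key may legitimately lack a Userinit value on some systems, which the script reports as VALUE MISSING rather than as a fault.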

Thank you for that information. We haven't been able to reproduce this with our initial efforts.

A Process Monitor boot time log may help shine some light on this.

If you're able to reproduce the detection once more, please generate a boot time log using the instructions in the article below:
https://support.malwarebytes.com/hc/en-us/articles/360039025073-Use-Process-Monitor-to-create-real-time-event-logs (refer to the "Create a boot log" steps)

Once you have the log, please provide the following:

  • Process Monitor boot time log
  • MBAMService.log
  • Contents of the C:\ProgramData\Malwarebytes\MB3Service\ARW directory.

Please ensure the last two items are uploaded after generating the Process Monitor log.

Edited by LiquidTension

