muciqi

False Positive - userinit.exe


That's happened several times to our clients since tomorrow, even though the file path (C:\Windows\System32\userinit.exe) is included in the Anti-Malware and Anti-Ransomware Exclusion List.

Any help?


Thanks in advance :)


Malwarebytes Management Server Notification

--------------------------------------------


Alert Time: 12.02.2020 16:01:30

Server Hostname: P

Server Domain/Workgroup: 

Description:

Ransomware threat detected, see details below:

Time  HostName    IPAddress   ThreatName  Operation   Clean Result      ObjectScanned

12.02.2020 16:01:23     VM0034      161.110.7.87      Malware.Ransom.Agent.Generic      QUARANTINE  SUCCESSFUL  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

12.02.2020 16:00:49     VM0034      161.110.7.87      Malware.Ransom.Agent.Generic      QUARANTINE  WHITELISTED userinit.exe

Total count: 3.

-------------------------------------------

Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.


logs.zip


Hello,

Thank you for the report. How many machines in total have encountered this?

Please export the following keys and provide them to us:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Could you also carry out the following instructions and attach the two generated files:
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

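One way to carry out the check and export this reply asks for, as an added example that is not part of the thread and is not Malwarebytes' own tooling: the PowerShell below reads the Userinit value from both registry views (native and Wow6432Node), compares it with the stock default (assumed here to be `C:\Windows\system32\userinit.exe,`, trailing comma included; adjust `-Expected` if your image differs), checks the Authenticode signature and SHA-256 of every executable the value references, and then exports both keys with reg.exe. The `-Expected` and `-OutDir` parameters and the output directory name are this script's own assumptions.

```powershell
# Added example (not from the thread): review and export the Winlogon\Userinit value.
# Assumption: the stock Userinit value is "C:\Windows\system32\userinit.exe," (with the
# trailing comma). Winlogon runs every comma-separated entry at logon, so anything beyond
# the stock entry is a second program starting with the user session and deserves a look.
param(
    [string]$Expected = 'C:\Windows\system32\userinit.exe,',
    [string]$OutDir   = (Join-Path $env:TEMP 'winlogon-export')   # assumed output location
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "MISSING  $key"
        continue
    }

    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit

    if ($null -eq $value) {
        # A removed value (e.g. after a quarantine of the value itself) breaks logon.
        Write-Output "ABSENT   $key  (no Userinit value present)"
    }
    elseif ($value.Trim() -ieq $Expected) {
        Write-Output "OK       $key  Userinit = '$value'"
    }
    else {
        Write-Output "CHANGED  $key  Userinit = '$value'"
    }

    # Verify each executable the value points at: signature status and hash.
    if ($null -ne $value) {
        foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            # Strip a quoted path or trailing arguments before testing the file.
            $exe = ($entry -replace '^"([^"]+)".*$', '$1')
            if (-not (Test-Path -Path $exe -PathType Leaf)) {
                Write-Output "  FILE NOT FOUND  $exe"
                continue
            }
            $sig  = Get-AuthenticodeSignature -FilePath $exe
            $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
            Write-Output ("  {0,-10} {1}  SHA256={2}  Signer={3}" -f $sig.Status, $exe, $hash,
                $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }))
        }
    }

    # reg.exe expects the HKLM\... form rather than the PowerShell HKLM:\ drive form.
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    $file    = Join-Path $OutDir (($regPath -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "EXPORTED $file"
    }
    else {
        Write-Output "EXPORT FAILED ($LASTEXITCODE)  $regPath"
    }
}
```

Run it from an elevated PowerShell on the affected machine and attach the two `.reg` files it writes. A `CHANGED` line, a signature status other than `Valid`, or a hash that differs from the userinit.exe on a known-good host of the same build is the evidence to weigh before treating the alert as a false positive; an `ABSENT` line after a quarantine explains why a machine can no longer reach the desktop.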

Thank you for that information. We haven't been able to reproduce this with our initial efforts.

A Process Monitor boot time log may help shine some light on this.

If you're able to reproduce the detection once more, please generate a boot time log using the instructions in the article below:
https://support.malwarebytes.com/hc/en-us/articles/360039025073-Use-Process-Monitor-to-create-real-time-event-logs (refer to the "Create a boot log" steps)

Once you have the log, please provide the following:

  • Process Monitor boot time log
  • MBAMService.log
  • Contents of the C:\ProgramData\Malwarebytes\MB3Service\ARW directory.

Please ensure the last two items are uploaded after generating the Process Monitor log.

Edited by LiquidTension

