muciqi

False Positive - userinit.exe

Recommended Posts

That's happened several times to our clients since tomorrow even though the file path (C:\Windows\System32\userinit.exe) is included in the Anti-Malware and Anti-Ransomware Exclusion List.

Any help?

Thanks in advance :)

Malwarebytes Management Server Notification

--------------------------------------------


Alert Time: 12.02.2020 16:01:30

Server Hostname:

Server Domain/Workgroup: 

Description:

Ransomware threat detected, see details below:

Time  HostName    IPAddress   ThreatName  Operation   Clean Result      ObjectScanned

12.02.2020 16:01:23           Malware.Ransom.Agent.Generic      QUARANTINE  SUCCESSFUL  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

12.02.2020 16:00:49           Malware.Ransom.Agent.Generic      QUARANTINE  WHITELISTED userinit.exe

Total count: 3.

-------------------------------------------

Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.


logs.zip


Hello,

Thank you for the report. How many machines in total have encountered this?

Please export the following keys and provide them to us:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Could you also carry out the following instructions and attach the two generated files:
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs
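One way to gather the two Winlogon keys requested above and, at the same time, sanity-check what the flagged Userinit value actually points to. This is an added example, not part of the Malwarebytes instructions; the output folder under %TEMP% is an assumption.

```powershell
# Added example (not from the thread): export the two Winlogon keys the
# support staff asked for, then inspect the Userinit value that the
# Malware.Ransom.Agent.Generic alert referenced.
$keys = @(
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$outDir = Join-Path $env:TEMP 'winlogon-export'   # output folder is an assumption
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

foreach ($k in $keys) {
    # reg.exe export writes a .reg file that can be zipped and attached to the ticket.
    # The Wow6432Node key only exists on 64-bit Windows; reg.exe reports if it is absent.
    $file = Join-Path $outDir (($k -replace '[\\ ]', '_') + '.reg')
    reg.exe export $k $file /y | Out-Null
}
"Exported keys to $outDir"

# On a default install the Userinit value is "C:\Windows\system32\userinit.exe,"
# (trailing comma included). Any additional entry appended here deserves a look,
# because Winlogon runs every listed program at logon.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = $winlogon.Userinit
"Userinit value: $userinit"

$entries = $userinit -split ',' | Where-Object { $_.Trim() -ne '' }
foreach ($entry in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    if (-not (Test-Path $path)) { "  MISSING: $path"; continue }
    # Verify the Authenticode signature of each binary Winlogon will launch;
    # the genuine userinit.exe should show Status = Valid with a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $path
    "  $path -> $($sig.Status) ($($sig.SignerCertificate.Subject))"
}
```

Run from an elevated PowerShell prompt; the .reg files in the output folder are what would be attached to the support request.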


Thank you for that information. We haven't been able to reproduce this with our initial efforts.

A Process Monitor boot time log may help shine some light on this.

If you're able to reproduce the detection once more, please generate a boot time log using the instructions in the article below:
https://support.malwarebytes.com/hc/en-us/articles/360039025073-Use-Process-Monitor-to-create-real-time-event-logs (refer to the "Create a boot log" steps)

Once you have the log, please provide the following:

Please ensure the second, third and fourth items are uploaded after generating the Process Monitor log.


We are seeing the same issue. Please let me know if you want information, we had two more machines today.


Hi LiquidTension

The issue has repeated again on the same clients a few more times.
Currently I am out of the office. I will come back to you on Monday and provide the logs you required.
3 hours ago, muciqi said:

Hi LiquidTension

The issue has repeated again on the same clients a few more times.
Currently I am out of the office. I will come back to you on Monday and provide the logs you required.

Thank you!


16 hours ago, torrey said:

We are seeing the same issue. Please let me know if you want information, we had two more machines today.

Hi @torrey, which Malwarebytes product are you using?


Hi @LiquidTension

We've also had this same issue occur on a company laptop. The file in question was quarantined and I haven't been able to reproduce the detection, but here are the rest of the requested logs. 

We're using Malwarebytes Anti-Ransomware 0.9.18.806 and Malwarebytes Anti-Exploit for Business v1.13.2.127

Ransomware-2020-02-20.zip


Hello, 

We're currently using Malwarebytes Business Suite (through ConnectWise) and we are also experiencing this issue.

Malwarebytes Anti-Exploit for Business v1.13.2.127

Malwarebytes Anti-Ransomware 0.9.18.806

Attached are the registry keys for the one computer affected.

REgistry KEys.zip

Just now, Chammer32 said:

Hello, 

We're currently using Malwarebytes Business Suite (through ConnectWise) and we are also experiencing this issue.

Malwarebytes Anti-Exploit for Business v1.13.2.127

Malwarebytes Anti-Ransomware 0.9.18.806

Attached are the registry keys for the one computer affected.

REgistry KEys.zip

Attached are the FRST logs.

Addition_20-02-2020 09.02.05.txt FRST_20-02-2020 09.02.05.txt


We are using Malwarebytes Endpoint Security 1.9.1.0019. Managed Client is 109.0.3671, Anti-Malware is 10.80.2.1012, Anti-Exploit is 1.13.2.127 and Anti-Ransomware is 0.9.18.806.

1 minute ago, torrey said:

We are using Malwarebytes Endpoint Security 1.9.1.0019. Managed Client is 109.0.3671, Anti-Malware is 10.80.2.1012, Anti-Exploit is 1.13.2.127 and Anti-Ransomware is 0.9.18.806.

Sorry. Anti-Malware is 1.80.2.1012 - fat fingers.


Thank you for the additional information.

We're still looking for Process Monitor boot time logs captured as the issue is reproduced.

If you're able to reproduce the detection once more, please generate a boot time log using the instructions in the article below:
https://support.malwarebytes.com/hc/en-us/articles/360039025073-Use-Process-Monitor-to-create-real-time-event-logs (refer to the "Create a boot log" steps)

Once you have the log, please zip up and provide the following:

Please ensure the second, third and fourth items are uploaded after generating the Process Monitor log.


Hi,

We now have this on 3 machines. @LiquidTension - could you please verify whether this is a false positive - you've now had 11 days to investigate this with the logs.
Otherwise we need to escalate to the National Cyber Security Centre - and ask them to escalate with the directors of Malwarebytes.


@AndyGarside The reports from the above users are indeed a false positive.

To confirm with certainty if this applies to your 3 affected machines, we would need to see the MBAMService.log file (found in %programdata%\Malwarebytes\MBAMService\logs or %programdata%\Malwarebytes\MB3Service\logs).

The additional information requested in post #13 is to aid our efforts in finding a solution for the false positive.


We're seeing it on a few of ours as well:

2/23/2020 7:47:49 PM    hostname        111.111.111.111   Malware.Ransom.Agent.Generic    QUARANTINE      DORQUEUED       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

2/23/2020 7:47:30 PM    hostname        111.111.111.111   Malware.Ransom.Agent.Generic    QUARANTINE      WHITELISTED     userinit.exe

On 2/25/2020 at 6:34 AM, LiquidTension said:

Hi @PiRat,
 
Please provide us with the information mentioned in the following post: https://forums.malwarebytes.com/topic/256682-false-positive-userinitexe/?do=findComment&comment=1363624

The tricky part is generating the "Malware.Ransom.Agent.Generic" event, in order to capture the logs. The pattern doesn't seem to be predictable either...any suggestions?

47 minutes ago, PiRat said:

The tricky part is generating the "Malware.Ransom.Agent.Generic" event, in order to capture the logs. The pattern doesn't seem to be predictable either...any suggestions?

We have not been able to generate the event either, although it is happening on random PCs. I attached the log file from the most recent occurrence.

MBAMSERVICE.LOG


Hi all,

After further investigation of this issue with the data we've received so far, we believe this issue may involve process injection that is being performed at startup by a McAfee product.

For users who have not provided logs, please could we get confirmation that affected machines have a McAfee product installed (e.g. McAfee Endpoint Security).

Is there anyone in a position to temporarily uninstall the McAfee product, reboot the machine and verify if the detection persists or not?


I can confirm we use McAfee Endpoint Security, though we have been unable to force a detection, nor will we be able to temporarily uninstall our antivirus.


Thank you for confirming. We are in the process of investigating a potential fix for this issue and will provide an update to this topic as soon as possible.

If the issue is consistently reproducible on any machine, we are still looking for the troubleshooting information mentioned in the following post (we do appreciate this may be difficult to generate if the issue only occurs randomly).


Over the weekend Windows updates were applied to my machine. When I came in this morning my machine was exhibiting the lock-up. The updates from February might be the issue.
