PUP.Winlogon.Heuristic

I'm reluctant to delete this item. I read something about a false positive related this type of flagged item. Can somebody please explain to me what this is in general terms, and how can I tell whether I'm going to cause serious harm to my system?

This is from the log file, which looks innocuous to me:

PUP.Winlogon.Heuristic          HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.
In order to help us assist you to resolve your issue, please post or attach your latest AdwCleaner log files with your post. https://support.malwarebytes.com/hc/en-us/articles/360039021593

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply
Thank you for taking the time to respond.

Respectfully, if ADWCleaner does not produce sufficient diagnostic information for a user to assess the validity of flagged items recommended for deletion, it would probably be a good idea to have it automatically perform the additional steps you have recommended. Wouldn't that make life much easier for users and techs alike? I'm not trying to be rude, but I was a tech for 25 years (on mainframes), and one of my biggest pet peeves was dealing with applications/subsystems which regularly spit out incomprehensible error messages which meant nothing to anyone. Considerable digging was required to make any determination as to what was wrong, and more importantly, how to resolve the issue.

5 minutes ago, vinny_marino said:

Respectfully, if ADWCleaner does not produce sufficient diagnostic information for a user to assess the validity of flagged items recommended for deletion, it would probably be a good idea to have it automatically perform the additional steps you have recommended.

You did not actually post the actual log from ADWcleaner.

The support tool would have given us the info to actually determine if this is a legit detection or a False positive.

If it's a hijacked Userinit it could be extremely harmful, at least potentially.  There's no way to know without the file it points to I suspect.  It looks like ADWCleaner is hitting on the registry value based on heuristics, meaning something about the entry isn't right.  Either its placement in the registry, or perhaps it contains one or more Cyrillic characters to make it appear to a human as a normal/innocuous entry (a common tactic of some threats).  There is also the possibility of a false positive, but that's not likely given the fact that the legit Userinit startup entry exists on every Windows system, so the forums and support would be flooded with inquiries about it if it were such an FP (plus I suspect there are likely safeguards in place to prevent such an FP from occurring as that tends to be how Malwarebytes does things).

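The post above lists the things a heuristic on this value can trip on (non-ASCII look-alike characters, an unexpected path) but the thread never shows how to check them. The script below is an added example, not posted by anyone in the thread and not part of AdwCleaner: it reads the live Userinit value, flags any character outside printable ASCII, resolves each comma-separated entry, and reports whether the file exists and carries an Authenticode signature. It assumes a stock install where the expected value is the well-known default userinit.exe path.

```powershell
# Added example (not from the thread): inspect HKLM\...\Winlogon\Userinit the
# way a defender would before deciding whether a heuristic hit is real.
# Run from an elevated PowerShell prompt; it only reads, it changes nothing.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction Stop).Userinit

# Well-known default on a stock install (assumption: the machine was not customised).
$expected = "$env:SystemRoot\system32\userinit.exe,"

Write-Host "Userinit raw value : [$value]"
Write-Host "Expected default   : [$expected]"

# 1. Characters outside printable ASCII. A legitimate path here is plain ASCII,
#    so a Cyrillic or other look-alike glyph is worth a closer look.
$nonAscii = [regex]::Matches($value, '[^\x20-\x7E]')
foreach ($m in $nonAscii) {
    $cp = [int][char]$m.Value
    Write-Host ("  suspicious char '{0}' U+{1:X4} at offset {2}" -f $m.Value, $cp, $m.Index)
}

# 2. Each comma-separated entry: expand variables, check the file exists,
#    and show its signature status and signer so an unknown binary stands out.
foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() -ne '' })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "  MISSING: $path"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host ("  {0}  signature={1}  signer={2}" -f $path, $sig.Status, $sig.SignerCertificate.Subject)
}

# 3. Whole-value comparison against the default (case-insensitive).
if ($value -ieq $expected) {
    Write-Host "Value matches the stock default."
} else {
    Write-Host "Value differs from the stock default; review the entries above."
}
```

A value that matches the default, contains only ASCII, and points at a Microsoft-signed file that exists is the picture you would expect from a false positive; anything else is worth keeping the quarantine and collecting the full logs the staff asked for.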
2 hours ago, Porthos said:

You did not actually post the actual log from ADWcleaner.

The support tool would have given us the info to actually determine if this is a legit detection or a False positive.

I posted the error message in question. If there is other pertinent info in the log, I apologize. I am including it herewith.

AdwCleaner[S02].txt

I knew I had some kind of virus/adware/hijacker/phishing issue, and I had run three different tools (each requiring up to 6 hours to run a full scan) before using ADWCleaner, which detected a number of undesirable items. I used it to quarantine a few of them, and this is the only issue left in question. If it's all the same to you, I'd like to focus on this one item. As I said earlier, this sounds scary, like removing it may prevent me from logging into Windows at all. So, you can appreciate my nervousness. But at the same time, I'd like to try to resolve this asap before any real damage occurs.

  • Root Admin

Hello @vinny_marino

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Thanks, but no thanks. It seems to me that the medicine is fraught with risks of its own, never mind the time and effort. Also, I have to say I'm not happy about several people coming into this thread, asking me to do things before the previous person has finished pursuing his line of attacking the problem. It's not conducive to a structured mode of analysis/diagnosis etc. Thank you all for your time and effort, but I think I'll pursue this on my own.

  • Root Admin

Thank you for the feedback and input. For clarification, you created your post in a publicly open area that all members have the right and ability to reply with their own opinions and ideas on how to best help someone.

I moved your topic to the Malware Removal forum where it is controlled for one-on-one support.

I think you'll find that the majority of public forums are wide open and have no methods in place to prevent all users from replying. Microsoft Answers is one good example. You sometimes find popular subjects where hundreds of users have replied and none of the answers are correct. We try to prevent that type of wild-wild-west when we can but all topics need to start out somewhere.

I will go ahead then and close your topic per your request and desire to work on the issue on your own and wish you the best.

Good luck and stay safe out there

Cheers

This topic is now closed to further replies.