Maximus1337
Posts posted by Maximus1337
Thanks for the fast response.
Since you didn't give a reason for answer 1, I suppose it's the same as in the mentioned thread:
In short: It's just normal "tuneup"-behavior in this case. Although this kind of behavior could be dangerous, if it was malware which modified/created that "Debugger"-key to run a malicious executable instead of that reactivator.
Correct?
In that case, "TUAutoReactivator64.exe" would very likely have been detected as being malware as well, either by MBAM or Antivirus.
Correct?
If both yes: I guess, Tuneup modifies/creates keys like that one for every application (executables, services etc.) which I choose to deactivate.
But I've been using TU's program deactivator for quite some time now, like at least 2 years. I'm using it, for example, to deactivate Acronis TrueImage Home and some other stuff which uses up RAM or CPU, even if I don't use it and don't need it to run in the background.
That "Debugger" key must be just as dangerous if it redirects from, let's say, "TrueImageLauncher.exe" instead of iTunes.
So here is my question: Why does MBAM only detect the registry modification made for iTunes and not the others?
-
Hey guys.
I've found a "security.hijack".
I'm guessing, it's a false positive, like this one:
http://forums.malwarebytes.org/index.php?showtopic=113609
Just to be safe, I would like to hear your opinion on it.
Here is my log:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Datenbank Version: v2013.01.11.15
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
XXX :: XXX [Administrator]
12.01.2013 01:07:44
MBAM-log-2013-01-12 (01-14-24).txt
Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 204305
Laufzeit: 2 Minute(n),
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe (Security.Hijack) -> Keine Aktion durchgeführt.
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)
(Ende)
In that registry folder, there are two keys: "(Standard)", which seems to be empty, and "Debugger", which contains "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe".
- I'm using TuneUp 2012's program deactivator to completely deactivate iTunes as long as I don't need it.
- I use Avira Antivirus 2012 premium and it never found anything.
- I downloaded iTunes (as far as I remember, since I am very careful about what I download and install) directly from Apple.
So, I have two questions now:
1. Am I right that this "Security.Hijack" can be ignored?
2. If yes: What if I put it on the ignore-list and after that some malware actually compromises that registry key? Would MBAM ignore that as well?
Regards
Max
False positive - itunes.exe? (in File Detections)
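Both posts above turn on the same mechanism: a "Debugger" value under Image File Execution Options makes Windows launch the named debugger instead of the listed program, so a deliberately configured entry (the TuneUp reactivator) and a malicious one look identical in the registry. The following PowerShell script, added here as an example and not code from the thread or from Malwarebytes, answers the two practical questions raised: it lists every IFEO Debugger entry on the machine (not just the one MBAM flagged), shows whether the target file exists and is Authenticode-signed, marks which entries you have consciously allowed, and compares the result against a saved baseline so a later change to one of those keys is noticed rather than silently ignored. The allow-list path and the baseline file location are assumptions taken from the thread and chosen for illustration.

```powershell
# Added example: audit Image File Execution Options "Debugger" values.
# Not from the original thread; the allow-list and baseline path are assumptions.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Checked only if present; some 64-bit systems carry a 32-bit view as well.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debugger targets you configured on purpose (assumption: the path quoted in the thread).
$knownGood = @(
    'C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe'
)

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            # The value may be quoted and may carry arguments; keep the executable path only.
            $exe = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }

            # A missing or unsigned target deserves a closer look than a signed vendor binary.
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                ImageName  = $sub.PSChildName   # program being redirected, e.g. itunes.exe
                Debugger   = $dbg
                Executable = $exe
                Signature  = $sig
                Expected   = ($knownGood -contains $exe)
            }
        }
    }
}

# Show every entry, unexpected ones first.
$current = @(Get-IfeoDebuggerEntries)
$current | Sort-Object Expected, ImageName | Format-Table -AutoSize

# Keep a baseline so a later modification of an allowed key is reported as a change.
$baselinePath = Join-Path $env:USERPROFILE 'ifeo-baseline.csv'   # assumed location
if (Test-Path -Path $baselinePath) {
    $diff = Compare-Object -ReferenceObject @(Import-Csv -Path $baselinePath) `
                           -DifferenceObject $current -Property ImageName, Debugger
    if ($diff) {
        Write-Warning 'IFEO Debugger entries differ from the saved baseline:'
        $diff | Format-Table -AutoSize
    } else {
        Write-Host 'No change in IFEO Debugger entries since the baseline.'
    }
} else {
    $current | Export-Csv -Path $baselinePath -NoTypeInformation
    Write-Host "Baseline written to $baselinePath"
}
```

Run it from an elevated PowerShell prompt once to write the baseline and again whenever you want to confirm nothing has changed. An entry whose Expected column is False, whose target file is missing, or whose signature is not Valid is the case the detection name is warning about; an entry pointing at the signed TuneUp reactivator that you put there yourself is the benign case discussed in this thread.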
OK.
Thank you very much.
I have a suggestion:
I understand, why you can't just delete this false positive and why MBAM has to keep detecting this type of registry-modifications.
But wouldn't it be better to have this exceptional case diagnosed as something like "possible security threat" or "possible security hijack" or whatever?
Under the conditions, of course, that it's that specific key with those specific "Debugger"-values.
So people would go look it up instead of getting scared and having MBAM "fix" it, which would probably result in the deactivator not working properly for iTunes.
I don't think that there is any malware out there which would actually redirect to "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe".
"Security.Hijack" for something that, in a considerable number of cases, is actually completely normal, sounds a bit terrifying to me. ;-)