
Hey guys.

I've found a "security.hijack".

I'm guessing, it's a false positive, like this one:

http://forums.malwarebytes.org/index.php?showtopic=113609

Just to be safe, I would like to hear your opinion on it.

Here is my log:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.11.15

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

XXX :: XXX [Administrator]

12.01.2013 01:07:44

MBAM-log-2013-01-12 (01-14-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 204305

Time elapsed: 2 minute(s),

Memory processes detected: 0

(No malicious items detected)

Memory modules detected: 0

(No malicious items detected)

Registry keys detected: 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe (Security.Hijack) -> No action taken.

Registry values detected: 0

(No malicious items detected)

Registry data items detected: 0

(No malicious items detected)

Folders detected: 0

(No malicious items detected)

Files detected: 0

(No malicious items detected)

(end)

In that registry folder, there are two keys: "(Standard)", which seems to be empty, and "Debugger", which contains "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe".

- I'm using TuneUp 2012's program deactivator to completely deactivate iTunes as long as I don't need it.

- I use Avira Antivirus 2012 premium and it never found anything.

- I downloaded iTunes (as far as I remember, since I am very careful about what I download and install) directly from Apple.

So, I have two questions now:

1. Am I right that this "Security.Hijack" can be ignored?

2. If yes: What if I put it on the ignore list and after that some malware actually compromises that registry key? Would MBAM ignore that as well?

Regards

Max


Thanks for the fast response.

Since you didn't give a reason for answer 1, I suppose it's the same as in the mentioned thread:

In short: it's just normal TuneUp behavior in this case. Although this kind of behavior could be dangerous if it was malware that modified/created that "Debugger" key to run a malicious executable instead of that reactivator.

Correct?

In that case, "TUAutoReactivator64.exe" would very likely have been detected as being malware as well, either by MBAM or Antivirus.

Correct?

If both yes: I guess TuneUp modifies/creates keys like that one for every application (executables, services etc.) which I choose to deactivate.

But I've been using TU's program deactivator for quite some time now, at least 2 years. I'm using it, for example, to deactivate Acronis True Image Home and some other stuff which uses up RAM or CPU even if I don't use it and don't need it to run in the background.

That "Debugger" key must be just as dangerous if it redirects from, let's say, "TrueImageLauncher.exe" instead of iTunes.

So here is my question: Why does MBAM only detect the registry modification made for iTunes and not the others?


  • Staff

We have seen mostly malware do this. TuneUp Utilities is so far the only legit app that sets those keys in that way. You are correct on both parts.

We detect only the ones we have seen malware abuse. If malware puts its exe in there like TuneUp does, then every time you would go to launch iTunes it would launch the malware instead. iTunes is very popular and most machines would have it, so it's commonly abused by them.

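The staff reply above describes the mechanism: an IFEO "Debugger" value makes Windows launch the named debugger instead of (and with the path of) the image, so whoever controls that value controls what runs when the user opens iTunes. The following script is an added example, not code from the thread, from Malwarebytes or from TuneUp. It lists every IFEO subkey that carries a Debugger value, in both the 64-bit and 32-bit registry views, and flags any whose target is not on an allowlist. The allowlist holds only the TuneUp path quoted in the thread; the sample entries are constructed for offline use, including a "sethc.exe -> cmd.exe" line in the style of the well-known accessibility-tool hijack, and are not findings from the poster's machine.

```python
"""Audit Image File Execution Options (IFEO) Debugger redirections.

Added example, not from the forum thread. On Windows it reads the live
registry; elsewhere it falls back to the constructed SAMPLE_ENTRIES below.
"""
import sys

try:
    import winreg  # Windows only; None on other platforms
except ImportError:  # pragma: no cover
    winreg = None

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Assumption: the only debugger target the reviewer treats as legitimate is the
# TuneUp reactivator path quoted in the thread. Extend per environment.
ALLOWED_DEBUGGERS = {
    r"c:\program files (x86)\tuneup utilities 2012\tuautoreactivator64.exe",
}

# Constructed sample data (not real scan output): one allowlisted redirection,
# one that hijacks an accessibility tool, one key with no Debugger value.
SAMPLE_ENTRIES = [
    ("itunes.exe", r"C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe"),
    ("sethc.exe", r"C:\Windows\System32\cmd.exe"),
    ("notepad.exe", None),
]


def _normalize(value):
    # Debugger values may be quoted and may carry arguments; drop quotes and
    # case so that allowlist matching is on the executable path only.
    return value.replace('"', "").strip().lower()


def classify_ifeo(entries, allowed=ALLOWED_DEBUGGERS):
    """entries: iterable of (image_name, debugger_value_or_None).

    Returns [(image_name, debugger_value, verdict)] for every entry that sets a
    Debugger value; verdict is "allowlisted" or "suspicious". Keys without a
    Debugger value (e.g. only GlobalFlag) are not redirections and are skipped.
    """
    findings = []
    for image, debugger in entries:
        if not debugger:
            continue
        target = _normalize(debugger)
        # Exact path match, or the path followed by arguments.
        ok = any(target == a or target.startswith(a + " ") for a in allowed)
        findings.append((image, debugger, "allowlisted" if ok else "suspicious"))
    return findings


def enumerate_ifeo():
    """Read IFEO subkeys from HKLM in the 64-bit and 32-bit (WOW6432Node) views.

    Returns [(image_name, debugger_or_None)]; [] when not on Windows.
    """
    if winreg is None:
        return []
    results = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    image = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                with winreg.OpenKey(root, image, 0, winreg.KEY_READ | view) as sub:
                    try:
                        debugger, _ = winreg.QueryValueEx(sub, "Debugger")
                    except OSError:
                        debugger = None  # key present, no redirection
                results.append((image, debugger))
    return results


if __name__ == "__main__":
    entries = enumerate_ifeo() or SAMPLE_ENTRIES
    for image, debugger, verdict in classify_ifeo(entries):
        print(f"{verdict:12} {image:24} -> {debugger}")
    if any(v == "suspicious" for _, _, v in classify_ifeo(entries)):
        sys.exit(1)
```

An allowlisted verdict only says the target path is one you expected; it does not prove the file at that path is still the vendor's binary. Before trusting it, check that the file exists and carries a valid publisher signature, which answers the poster's second question: an ignore-list entry keyed on the itunes.exe key alone would also hide a later change of the Debugger value, whereas matching on the full target path does not.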

OK.

Thank you very much.

I have a suggestion:

I understand why you can't just delete this false positive and why MBAM has to keep detecting this type of registry modification.

But wouldn't it be better to have this exceptional case diagnosed as something like "possible security threat" or "possible security hijack" or whatever?

Under the condition, of course, that it's that specific key with those specific "Debugger" values.

So people would go look it up instead of getting scared and having MBAM "fix" it, which would probably result in the deactivator not working properly for iTunes.

I don't think that there is any malware out there which would actually redirect to "C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe".

"Security.Hijack" for something that, in a considerable number of cases, is actually completely normal, sounds a bit terrifying to me. ;-)
