False Positive Browser Hijack

[MCFatTongue]

This is my first time in the forum.

This Morning MBAM detect a browser hijack after I did a quick scan, but I think it maybe a false positive. The file it mentions in the log belongs to Tune-up Utilities. TU stops processes running that belong to a particular program after that program is closed, this is to conserve system resources.

In this case Tune-up asked me if I wanted to disable Firefox, I said yes, soon after I did a scan and a browser hijack was reported.

Can you please confirm this is a false positive, and put my mind at rest.

I have included the log which I ran using mbam.exe /developer.

[MCFatTongue]

I don't think I attached the log file propperly in my fist post, so here it is.

mbam-log-2013-11-07 (13-08-31).txt

[Fatdcuk]

Hi MCFatTongue and welcome to the Malwarebytes support forums.

 

In your particular instance this is a false positive detection as its a legitimate program setting itself as the default debugger for FireFox.

However this is a trick commonly used by malware.so we will not be removing the hijack detection.

 

You can safely add this detection to the ignore list inorder not to see this again when you scan.

[MCFatTongue]

Thank you so much Malware BBQ'er.

 

This is my first experiance of using this forum and I'm very impresed, your responce was really quick. I wish all forum moderators were so diligent.

 

From what little experiance of MBAM I've had (I've been a user for a little under a year), I can't sing it's praises high enough, and have recommended it to anyone that will listen.

 

Once again thank you, you have certainly put my mind at rest.

[MCFatTongue]

Hi FatDcuk,

 

Just a thought, I have now put these two items in my ignore list and it now scans clean. Does the fact that I have these exeptions mean that now no browser exploits will be found even if it's from a malicious source and not just from Tune-up utilities, or will it just ignore the Tune-up utilities browser exploit and legitimately catch all others.

 

Your help will be appreciated.

[Fatdcuk]

Hi MCFatTongue.

 

The scan will only ignore any changes to the default debugger for FireFox.

 

This will not effect any other Exploit or Hijack detection and protection that we utilize.

[MCFatTongue]

Please forgive my ignorance because I don't really know what the default debugger for Firefox does, but is there specific malware that would uses the default debugger to attack Firefox, but because of my exeptions will now not be detected.

[Fatdcuk]

Hi,

 

Yes some malware has been seen to set itself either as IFEO(Image File Execution Object) or set itself as as debugger so it is called when the parent file is executed.

 

The ignore detection would ignore the whole registry key where the hijack is being detected so would be unable to monitor for future changes should they occur.

 

Looking into this deeper currently for a possible solution.

 

Will PM you back if we can get a fix available.

[MCFatTongue]

Fatdcuk thakyou for the time you have put into this.

 

If a solution could be found that would be brilliant. In the mean time I'm going to delete the exeptions from the ignore list becasue, I dont want there to be a situation were malware could exploit my system and it not be detected because of my exeptions.

 

For the time beeing I'm going to ignore the tuneup detection after every scan then imediatly delete the exeptions from the list, that way MBAM would be able to detect any other exploit pataining to that particular registery key.

 

If you can think of a better work around please let me know.

 

Thank you for all your help.