MCFatTongue

TuneUp Utilities 2014 False Positive


Hello,

 

I have just installed TuneUp Utilities 2014 from their official site. I ran a scan immediately after, and it found two registry entries and values that it says are browser hijacks. I'm quite sure these are false positives; will someone please confirm whether that is the case?

 

If they are FPs, would you be able to update your database so they won't be detected in future?

 

Any help and assistance will be greatly appreciated.

 

I've included the scan log:

 

 

mbam_scan_log.txt


Malware uses this more often than a legit application. I would recommend adding these entries to the Malwarebytes ignore list if you are using that disabling feature of TuneUp.

 

We will still look into this though.


Hi,

 

Sorry for the late reply,

 

1. So are you saying that these entries are legitimate from TuneUp?

2. If I add them to the ignore list, will that also ignore any malware using the same method?

3. If I were to quarantine and then delete these items, do you know what effect it would have on TuneUp?

 

Any help will be greatly appreciated.

 

Thank you.


Hi,

 

Let me first explain what this IMAGE FILE EXECUTION OPTIONS key means when it has a debugger set under it.

In your case, this is what has been set by TuneUp Utilities:

 

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIREFOX.EXE|Debugger, "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"

 

This means there's a debugger set for firefox.exe. When a program is listed under IMAGE FILE EXECUTION OPTIONS and it has a Debugger value set, Windows always checks under that key what the value data is and launches that instead of the program. So, in your case, when you run Firefox, it will launch C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe instead.

Unsure what TUAutoReactivator64.exe actually does, but I believe it has to do with the "TuneUp Program Deactivator" feature in TuneUp Utilities. It's a bit of a weird approach by TuneUp Utilities, but I can see why they want to do this.

 

However,

this is unfortunately a method A LOT of malware uses in order to run its malware instead of the program you want to launch, by setting a debugger for the given program under the Image File Execution Options key. Hence why we need to detect this, to warn the user. Also, *IN CASE* you uninstall TuneUp Utilities and it forgets to remove the Debugger value from your registry, you won't be able to run Firefox anymore if the debugger reference is still in the registry. Windows will then look for TUAutoReactivator64.exe when you want to launch Firefox, but since it would then be missing, Firefox won't load at all unless you remove this Debugger value.

On top of that, if TUAutoReactivator64.exe is buggy or acts buggy, this will affect any program you want to launch that has it set as a debugger.

 

Hence why this approach of using a debugger for legitimate programs is not really recommended, and only a few legitimate programs use it.

Also see here: http://blogs.msdn.com/b/oldnewthing/archive/2005/12/19/505449.aspx - where MS warns about this. The original goal/intention of this key is to debug a program; any other use is not recommended.

 

2. Unfortunately, yes, but in this case it will only affect the IMAGE FILE EXECUTION OPTIONS debugger for Firefox. However, I believe, *in case* malware replaces that key with its own value data as debugger, your TuneUp Utilities will reset this again to its own debugger as it was before.

 

3. The only effect it will have is that, in this case, when you launch Firefox, it will actually launch Firefox instead of TUAutoReactivator64.exe if you delete that key (as it is on EVERY other system). After all, this key + debugger was created by TuneUp Utilities and is not a default key.

 

Hope this explanation helps.

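An added example, not from the thread or from TuneUp, that applies Mieke's explanation on a live Windows system: a PowerShell audit listing every program with a Debugger value under Image File Execution Options and checking whether the referenced executable still exists, which is the uninstall failure mode described above. The function name Get-IfeoDebugger is my own; everything else is standard PowerShell.

```powershell
# Enumerate IFEO subkeys that carry a Debugger value and report the target.
# Run from an elevated prompt to be sure all subkeys are readable.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger

            # The value data may be quoted and may carry arguments, e.g.
            #   "C:\Tools\dbg.exe" -p   or   C:\Tools\dbg.exe -p
            # Pull out just the executable path so it can be tested on disk.
            if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($debugger -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            [pscustomobject]@{
                Program      = $_.PSChildName          # e.g. firefox.exe
                Debugger     = $debugger               # raw value data
                Executable   = $exe
                # $false here means the program will fail to start, as described
                # in the thread, until the Debugger value is removed.
                TargetExists = Test-Path -LiteralPath $exe -PathType Leaf
            }
        }
    }
}

# Entries with a missing target are listed first; every entry deserves a look,
# since a legitimate tool is the exception rather than the rule for this key.
Get-IfeoDebugger | Sort-Object TargetExists, Program | Format-Table -AutoSize
```

A clean system normally shows no rows at all; a row whose debugger is not explained by software you knowingly installed is worth investigating before deciding whether to keep it.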

Hello Mieke,

 

Thank you so much for the time you have taken for your detailed explanation. I didn't understand what a debugger was before, but now, thanks to your clear, concise explanation, I fully comprehend.

 

From what you have said, I have decided to go with option 3: quarantine and delete the affected keys. I think that is the safest option, and the effect on TuneUp will be negligible.

 

Once again thank you very much.

 

Kind regards.
