lulusol

Riskware.IFEOHijack False Positive?


Hi,

 

These are not false positives. Please read here for some more explanation:

https://forums.malwarebytes.org/index.php?/topic/147426-tuneup-utilities-2014-false-positive

 

You can either have MBAM remove those or have them added to your whitelist.

Oh man.

 

Well, I'm scanning now, so I'll be sure to do that after Malwarebytes catches them again.

 

I'll come back if I have any problems or more questions.

 

Thank you.


Okay.

 

Here's the weird part.

 

The registry keys and values that were detected as threats vanished from the Registry Editor, and Malwarebytes detected nothing. 

 

I'm not sure how those keys and values were created but I guess they disappeared after I enabled Bonjour and turned on iTunes.


It's your AVG PC TuneUp that created those entries; it has set a debugger for your iTunes. So when you launch iTunes (if this debugger is set), it launches C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe first instead and runs iTunes through the "AVG Program Deactivator".

http://www.tune-up.com/products/tuneup-utilities/features/tuneup-program-deactivator/

https://support.avg.com/answers?id=906b0000000D4viAAC

 

I don't know why these entries now suddenly disappeared, unless you made changes in the AVG TuneUp program.

 


Well, I think I made those debuggers disappear after re-enabling iTunes and Bonjour.

 

Now I'm not sure if I need some optimization.


I have this same problem. The following entries appear in the Malwarebytes scan detection:

Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE, No Action By User, [878], [249395],1.0.1467
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE, No Action By User, [878], [249395],1.0.1467

Registry Value: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE|DEBUGGER, No Action By User, [878], [249395],1.0.1467
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE|DEBUGGER, No Action By User, [878], [249395],1.0.1467


Isn't that detecting your own program? And why is DEBUGGER turned on at all? I quarantine these items and they reappear on the next scan.

I have premium licenses for Malwarebytes Anti-Malware AND Malwarebytes Anti-Exploit. You then pushed down Malwarebytes Premium 3.0.6. mbae.exe (Anti-Exploit) no longer runs because it is now included in your new version of Anti-Malware (according to your documentation; I hope this is a correct assumption). This was found on a Windows 7 64-bit machine.

Please Help!


Hi,

No, this isn't a false positive, nor an entry that Malwarebytes created.

Let me first explain what this IMAGE FILE EXECUTION OPTIONS key means when it has a debugger set under it.

It means there's a debugger set for mbam.exe. When a program is listed under IMAGE FILE EXECUTION OPTIONS and it has a Debugger value set, Windows always checks under that key what the value data is and launches that instead of the program. So, in your case, when you run mbam.exe, it will launch the program present in the Debugger value data instead.

I don't know what the value data of Debugger is in your case, so I don't know what program it will run instead when you launch mbam.exe.

This approach is often used/abused by malware: it sets a debugger (pointing to its own malware file) for an antivirus/antimalware executable name, so when you launch your antivirus, it launches the malware instead.

In some cases, legitimate programs set themselves as a debugger as well, as TuneUp Utilities does.

Also, *IN CASE* you uninstall TuneUp Utilities and it forgets to remove the Debugger value from your registry, you won't be able to run mbam.exe anymore while the debugger reference is still in the registry. Windows will then look for TUAutoReactivator64.exe when you launch mbam.exe, but since it would then be missing, mbam won't load at all unless you remove this Debugger value.

On top of that, if TUAutoReactivator64.exe is buggy/acts buggy, this will affect any program you want to launch that has it set as a debugger.

Also, using a debugger this way is not really recommended for legitimate programs, and only a few legitimate programs use this approach.

Also see here: http://blogs.msdn.com/b/oldnewthing/archive/2005/12/19/505449.aspx - where MS warns about this. The original goal/intention of this key is to debug a program; any other use is not recommended.

 

Hope this explains a bit more why this isn't a false positive and why we need to detect/warn the user about this.

 

Also:

You then pushed down Malwarebytes Premium 3.0.6. mbae.exe (Anti-Exploit) no longer runs because it is now included in your new version of Anti-Malware (according to your documentation; I hope this is a correct assumption).

This is because MBAE is now part of MBAM 3, so it's implemented there instead now and has uninstalled the standalone one (as there's no need to run it twice). So it's still running/present, just inside MBAM 3. :)

Edited by miekiemoes

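As an added example, not from this thread and not Malwarebytes' own code: a PowerShell audit for exactly the condition described in the post above. It enumerates the Debugger value under both IFEO views that appeared in the scan log, flags entries whose debugger executable no longer exists (the "uninstalled TuneUp" failure mode, where the image will not launch at all) and entries set for security or admin tooling, and provides a removal function that touches only the Debugger value. The list of image names it treats as sensitive is an assumption; adjust it for your environment.

```powershell
# Added example (not from the forum thread): audit IFEO Debugger values.
# Run from an elevated PowerShell (5.1 or later). The two key paths are the
# real IFEO locations; the $SensitiveImages list is an assumption to extend.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Image names an attacker typically hooks (assumption: extend for your environment).
$SensitiveImages = @('mbam.exe', 'mbamservice.exe', 'msmpeng.exe', 'taskmgr.exe', 'regedit.exe', 'cmd.exe')

function Get-IfeoDebugger {
    [CmdletBinding()]
    param()
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # Keys without a Debugger value are normal (e.g. mitigation settings); skip them.
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            # Debugger is a command line; the first token (quoted or bare) is the executable
            # Windows will start in place of the image, with the original command line appended.
            $dbg = $dbg.Trim()
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # A rooted path must exist as a file; a bare name must resolve via PATH.
            $targetExists = if ([IO.Path]::IsPathRooted($exe)) {
                Test-Path -LiteralPath $exe -PathType Leaf
            } else {
                [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            }

            $reason = @()
            if (-not $targetExists) { $reason += 'debugger target missing (image will fail to launch)' }
            if ($SensitiveImages -contains $key.PSChildName.ToLower()) { $reason += 'hooks security/admin tool' }

            [pscustomobject]@{
                Image        = $key.PSChildName
                View         = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
                Debugger     = $dbg
                TargetExists = $targetExists
                Flags        = ($reason -join '; ')
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Deletes only the Debugger value for one image name, in both views, and
    # leaves any other IFEO settings for that image intact. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Image)
    foreach ($root in $IfeoRoots) {
        $path = Join-Path $root $Image
        if (Test-Path -LiteralPath $path) {
            if ($PSCmdlet.ShouldProcess($path, 'Remove Debugger value')) {
                Remove-ItemProperty -LiteralPath $path -Name Debugger -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage: audit first; only flagged rows need attention.
Get-IfeoDebugger | Where-Object { $_.Flags } | Format-Table -AutoSize

# Then, after confirming what set the hook, remove it (preview with -WhatIf first):
# Remove-IfeoDebugger -Image 'mbam.exe' -WhatIf
```

Two caveats. A Debugger value is not automatically malicious: Visual Studio's JIT debugger and a few tuning tools register one deliberately, so check what the target is and who installed it before deleting. And a TargetExists of False is the dangerous-but-quiet case from the post above: nothing is hijacked anymore, but the listed image will silently fail to start until the value is removed.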

Let me first explain what this IMAGE FILE EXECUTION OPTIONS key means when it has a debugger set under this key

I didn't do that. So what you are telling me is that when mbam.exe is referenced to run, it will launch some program that is NOT mbam. How do I fix this? It looks like mbam and acts like mbam.

In some cases, legitimate programs set itself as a debugger as well, as TuneUp Utilities do.

I do not have TuneUp Utilities on my machine. I have a program named 'DriverTuner' that I want to uninstall, but now I am concerned that it will leave this debugger key. When Malwarebytes updated itself it 'pushed' the code to my machine. I do not have an install set for Malwarebytes 3.0. How do I obtain a clean copy of the program?

This is because MBAE is now part of MBAM 3, so it's implemented there instead now and has uninstalled the standalone one (as there's no need to run it twice). So it's still running/present, just inside MBAM 3. :)

It did not uninstall Malwarebytes Anti-Exploit. I am assuming I need to uninstall this program manually and then reinstall Malwarebytes 3.0.

Any help you can provide would be appreciated.


Yes, it will launch some other program in between; it all depends on what program is set in this Debugger value data. With TuneUp Utilities, it actually did run mbam, but through another program first.

Probably this DriverTuner program is a bit like TuneUp Utilities.

Just let Malwarebytes delete those keys and then you should be OK. You can download Malwarebytes from here: https://www.malwarebytes.com/mwb-download/

If it finds MBAE, it will uninstall it automatically. Please see here for the info on install:

 

 

Then you can uninstall that "DriverTuner" program.

 


I downloaded the Malwarebytes setup program and reinstalled Malwarebytes. On the first try it got stuck on a .dll file, so I rebooted my machine and tried again. That time it installed correctly and removed Malwarebytes Anti-Exploit as advertised.

Ran a full scan and nothing was detected.

I then ran for 24 hours, allowing all scans that I run to complete 1 full 24-hour cycle. No IFEO hijack!

Looks like I am in business.

Thank you for all of your help :) 

