Jump to content

Potential false positive detection iTunes


hoeschi

Recommended Posts

  • Staff

 

Hi,

This doesn't seem to be a false positive.

None of these are keys created by Windows. What this key actually means is, to give an example from one of the above ones, let's use:

RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE|DEBUGGER, Keine Aktion durch Benutzer, [638], [249279],1.0.3829

In this case, Itunes.exe is set as subkey under the HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS key.

Itunes.exe, as we all know, is a legitimate application. But the goal of this key is different. What this key does is - if being set - when you launch Itunes.exe, Windows always looks if there's a debugger created for it. In this case, there is, as above key is created. So INSTEAD of Itunes.exe it will launch, it will launch what is under the debugger instead. This can be anything, but in a lot of cases, created by malware. So it will launch the malware instead of Itunes.exe

This key unfortunately doesn't show to what program the debugger is set, but it is strongly suggested you have malwarebytes remove this.

There are however some cases where a legitimate program is set as a debugger, for example TuneUp Utilities that does this. More info about this here: 

So above are no false positives, that's why I still suggest that you have malwarebytes remove them.

 

Link to post
Share on other sites

  • 1 month later...

I am running Windows 10 Pro.

I want to add my experience to this discussion. Several days ago Malwarebytes identified the four registry keys in the attached file (The same ones I have seen elsewhere in this thread) as "Malware". So I quarantined them per the recommendation.

That evening I attempted to open I-Tunes to load a new AudiioBook on to my I-Pod was greeted with an error message from I-Tunes informing me that the intallation was damaged and need to be reinstalled.

I did this and restored I-Tunes. I suspected that the culprit was disabling these keys so I ran a scan in Malwarebytes. The same four keys  were back and were Identified by Malwarebytes as bad boys.. This time I refused to quarantine and I-tunes is happy.

If these keys are in fact malware, how does their removal break I-Tunes.

- dollardog

 

I might add that I-Tunes for windows has undergone several updates in recent months one of which broke the battery charge level icon and most recently restored its functionality.

 

 

 

 

 

Malware I-tunest.txt

Link to post
Share on other sites

  • Staff

Hi,

iTunes doesn't create the HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE by default. 

So can you get an export of that key, so I can check what is the valuedata under the debugger value? That way, I'll have a better idea what might be creating these.

Thanks!

Link to post
Share on other sites

  • Staff

Yes, that might be the culprit - this is the "TuneUp Utilities" that Avast/AVG is using.

Here's an older thread about this (about tuneup utilities itself): 

This still isn't a false positive and we warn the user correctly here. If you want to have this managed by Avast Cleanup Premium still, then I suggest you add an exclusion for that key in Malwarebytes. :)

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.