itunes.exe, false positive in registry?


13 replies to this topic

#1 wijllie


Posted 03 August 2012 - 11:37 AM

Got a "Security.Hijack" result for an entry in the registry about itunes.exe.
I guess this is a false positive since I downloaded it straight from Apple?

Attached a zip with scan result with /developer.

Regards, Wijllie

#2 wijllie


Posted 03 August 2012 - 11:40 AM

Is the ZIP added? Can't see an attachment here.

#3 shadowwar


Posted 03 August 2012 - 12:32 PM

You have to hit attach to post. Nothing is here.
Rich Matteo
Research Engineer


#4 wijllie


Posted 04 August 2012 - 12:34 PM

Strange, I attached the zip in the first post, and since it seems I can't attach it in a second one, I will make a new topic later; this topic can be deleted.

#5 shadowwar


Posted 04 August 2012 - 01:46 PM

You should be able to attach fine. It has to be in zip format for it to accept it. You can also just copy and paste the developers log into the post.
Rich Matteo
Research Engineer


#6 wijllie


Posted 06 August 2012 - 06:00 AM

There you go, didn't notice the "attach this file" button the first time ;-)

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Databaseversie: v2012.08.03.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Pierre :: P [administrator]
Realtime bescherming: Ingeschakeld
3/08/2012 14:25:55
mbam-log-2012-08-03 (18-24-33).txt
Scantype: Volledige scan (C:\|X:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM | P2P
Uitgeschakelde scanopties:
Objecten gescand: 567277
Verstreken tijd: 3 uur/uren, 28 minuut/minuten,
Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe (Security.Hijack) -> Geen actie ondernomen.
Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Bestanden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
(einde)


#7 shadowwar


Posted 06 August 2012 - 06:08 AM

That key is not normally present on an itunes installation.

Can you export that registry key?

https://support.kasp...l?qid=208279061

is some help if you need it.
Rich Matteo
Research Engineer


#8 wijllie


Posted 09 August 2012 - 09:50 AM

Seems not to be from iTunes itself but from TuneUp Utilities 2012, which has its hand on something...

So I guess I can leave or delete the entry...?


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe]
"Debugger"="\"C:\\Program Files\\TuneUp Utilities 2012\\TUAutoReactivator32.exe\""


Also I've seen other entries with that same TU debugger line in that registry section; wonder what it does?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\googleupdater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javaws.exe

and a lot more but only the itunes.exe came out as a "Security.Hijack"...


#9 shadowwar


Posted 10 August 2012 - 06:22 AM

This key forces tuneup utilities to load with those programs. You can scan with us and add them to the ignore list from our results. We are looking into this to see what can be done.
Rich Matteo
Research Engineer


#10 wijllie


Posted 13 August 2012 - 09:18 AM

Thx. Also got a statement from the TuneUp support team that it should be excluded in your software because it's a legit process.

#11 miekiemoes


Posted 14 August 2012 - 06:39 AM

wijllie,

Thx. Also got a statement from the TuneUp support team that it should be excluded in your software because it's a legit process.

This key has nothing to do with a legit process here though. What this key does here is, when you launch itunes.exe, it will launch TUAutoReactivator32.exe instead. So I'm unsure what the purpose of TUAutoReactivator32.exe is, but this is a weird way of handling things.
For every executable you want to run, Windows always looks under the Image File Execution Options key and checks if the name of the executable you want to run is present there. If so, it then checks if there's a Debugger value set for it. If that's the case, it runs the executable defined in the Debugger value instead of the executable you were trying to launch.

Can you test what you get when you try to launch itunes.exe?
Also, in case you uninstall TuneUp Utilities and this debugger stays present there, you would never be able to run itunes.exe, because it will throw an error that this file doesn't exist as long as the debugger is present there.
That's why, if this key is set by TuneUp Utilities, I assume the user also understands why this key was set, so they can ignore it in the scan.
In case the user is not aware of this and complains they cannot run certain applications anymore, then it's good MBAM detects this and fixes this.

That's why we won't exclude this from detection.
Mieke Verburgh
Director of Research


#12 wijllie


Posted 14 August 2012 - 01:10 PM

wijllie,


This key has nothing to do with a legit process here though. What this key does here is, when you launch itunes.exe, it will launch TUAutoReactivator32.exe instead. So I'm unsure what the purpose of TUAutoReactivator32.exe is, but this is a weird way of handling things.
For every executable you want to run, Windows always looks under the Image File Execution Options key and checks if the name of the executable you want to run is present there. If so, it then checks if there's a Debugger value set for it. If that's the case, it runs the executable defined in the Debugger value instead of the executable you were trying to launch.

Can you test what you get when you try to launch itunes.exe?
Also, in case you uninstall TuneUp Utilities and this debugger stays present there, you would never be able to run itunes.exe, because it will throw an error that this file doesn't exist as long as the debugger is present there.
That's why, if this key is set by TuneUp Utilities, I assume the user also understands why this key was set, so they can ignore it in the scan.
In case the user is not aware of this and complains they cannot run certain applications anymore, then it's good MBAM detects this and fixes this.

That's why we won't exclude this from detection.


I noticed itunes.exe, but as stated before there are a lot of other programs altered in that registry section.

The reactivator process IMHO is part of the live optimisation from TuneUp Utilities. The live optimisation handles the priority status of programs, so if a program needs it and the PC is too slow, TU switches the priority of the process to high. Maybe a good thing would be to test-install TU 2012 to understand what it's all about; there is a free full-use 15-day trial available here:
http://www.tune-up.com/

I have used this program since 2006 and like it very much; only the new 2012 version now has parts like optimisation and economy/turbo mode, which is probably interfering too much with other programs and settings... But it's not malware in any way.

Regards, Wijllie (wuif wuif! ;) )

#13 miekiemoes


Posted 14 August 2012 - 02:08 PM

The reactivator process IMHO is part of the live optimisation from TuneUp Utilities. The live optimisation handles the priority status of programs, so if a program needs it and the PC is too slow, TU switches the priority of the process to high. Maybe a good thing would be to test-install TU 2012 to understand what it's all about; there is a free full-use 15-day trial available here

I just tested this and it's actually the TuneUp Program Deactivator doing this. It disables certain programs (actually blocks them, because it has set a debugger) so they can't run in the background. It will only enable them again once you actually launch the program again, which then triggers TUAutoReactivator32.exe (since this is run first) and sets the program to enabled again.
I believe the best option here is to "add to ignore" here in Malwarebytes, because we still want to give our users protection against the malware that also sets debuggers for legitimate processes. That's why we can't remove detection for this. It's not common for legitimate programs either to create debuggers for legitimate processes. Hence why we call it a "Hijack" in Malwarebytes.

We don't break anything (not even in TuneUp Utilities) if people decide to delete this key with Malwarebytes, because these extra keys aren't even present by default on a normal Windows install. TuneUp Utilities created these. As a matter of fact, when you tell TuneUp Utilities to enable a certain program again (to run), or you actually run the program again, TuneUp Utilities also deletes that same key. :)

I have used this program since 2006 and like it very much; only the new 2012 version now has parts like optimisation and economy/turbo mode, which is probably interfering too much with other programs and settings... But it's not malware in any way.

We don't detect TuneUp Utilities as malware either; we don't detect TuneUp Utilities at all. We detect the keys it sets under the Image File Execution Options key, since this is a security hijack, often (in 90% of the cases) abused by malware in order to have their malware process running instead when a legitimate program is launched.
Mieke Verburgh
Director of Research
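The IFEO Debugger lookup described in posts #11 and #13 (any subkey named after an executable, with a Debugger value, redirects every launch of that executable) can be audited from a `reg export` of the key, which is exactly what post #8 pasted. The script below is an added example, not code from the forum or from Malwarebytes or TuneUp; it parses a constructed .reg export modelled on the one in the thread and reports every image that has been redirected, so a defender can review each entry rather than rely on a single vendor verdict.

```python
import re

# Constructed sample modelled on the export quoted in post #8; the excel.exe and
# notepad.exe subkeys are illustrative and not from any real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe]
"Debugger"="\"C:\\Program Files\\TuneUp Utilities 2012\\TUAutoReactivator32.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe]
"Debugger"="C:\\Users\\Public\\updater.exe -hidden"
'''

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
_KEY_RE = re.compile(r"^\[" + re.escape(IFEO) + r"\\([^\\\]]+)\]$", re.IGNORECASE)
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def unescape_reg_string(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(["\\])', r"\1", s)

def debugger_executable(cmdline):
    # The Debugger value is a command line; Windows runs its first token, which is
    # quoted when the path contains spaces (as in the TuneUp entry).
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""

def find_ifeo_debuggers(reg_text):
    """Map image name -> debugger executable for every IFEO subkey carrying a Debugger value."""
    hits, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # the executable name this subkey hooks
            continue
        if line.startswith("["):
            current = None                 # some key outside IFEO, or IFEO itself
            continue
        m = _DEBUGGER_RE.match(line)
        if m and current:
            hits[current] = debugger_executable(unescape_reg_string(m.group(1)))
    return hits

if __name__ == "__main__":
    for image, dbg in sorted(find_ifeo_debuggers(SAMPLE_REG).items()):
        print(f"{image}: every launch is redirected to {dbg}")
```

Entries whose debugger path lies outside an installed program's directory deserve the closest look; the notepad.exe subkey is reported nowhere because only a Debugger value, not other IFEO settings, changes which executable runs.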


#14 wijllie


Posted 15 August 2012 - 04:17 AM

Thanks for the outstanding follow-up, all clear now :)