wijllie

itunes.exe, false positive in registry?

17 posts in this topic

Got a "Security.Hijack" result for an entry in the registry about itunes.exe.

I guess this is a false positive since I downloaded it straight from Apple?

Attached a zip with scan result with /developer.

Regards, Wijllie


Is the ZIP added? I can't see an attachment here.


Strange, I attached the zip in the first post, and since it seems I can't attach it in a second one I will make a new topic later. This topic can be deleted.


You should be able to attach fine. It has to be in zip format for it to accept it. You can also just copy and paste the developers log into the post.


There you go, didn't notice the "attach this file" button the first time ;-)

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Databaseversie: v2012.08.03.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Pierre :: P [administrator]

Realtime bescherming: Ingeschakeld

3/08/2012 14:25:55

mbam-log-2012-08-03 (18-24-33).txt

Scantype: Volledige scan (C:\|X:\|)

Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM | P2P

Uitgeschakelde scanopties:

Objecten gescand: 567277

Verstreken tijd: 3 uur/uren, 28 minuut/minuten,

Geheugenprocessen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe (Security.Hijack) -> Geen actie ondernomen.

Registerwaarden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

(einde)

mbam-log-2012-08-03 (18-32-46).zip


Seems not to be from iTunes itself but from TuneUp Utilities 2012, which has its hand in something...

So I guess I can leave or delete the entry...?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe]

"Debugger"="\"C:\\Program Files\\TuneUp Utilities 2012\\TUAutoReactivator32.exe\""

Also I've seen other entries of the same TU debugger line in that directory; wonder what it does?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\googleupdater.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javaws.exe

and a lot more but only the itunes.exe came out as a "Security.Hijack"...

itunes.zip


This key forces tuneup utilities to load with those programs. You can scan with us and add them to the ignore list from our results. We are looking into this to see what can be done.


Thx. Got also a statement from the TuneUp support team that it should be excluded in your software because it's a legit process.


wijllie,

Thx. Got also a statement from the TuneUp support team that it should be excluded in your software because it's a legit process.

This key has nothing to do with a legit process here though. What this key does here is, when you launch itunes.exe, it will launch TUAutoReactivator32.exe instead. So unsure what the purpose of the TUAutoReactivator32.exe is, but this is a weird way of handling things.

For every executable you want to run, Windows always looks under the Image File Execution Options key and checks if the name of the executable you want to run is present there. If so, then it checks if there's a Debugger value set for it. If that's the case, then it runs the executable defined in the Debugger value instead of the executable you were trying to launch.

Can you test what you get when you try to launch itunes.exe?

Also, in case you uninstall TuneUp Utilities and this debugger stays present there - you would never be able to run itunes.exe, because it will throw an error this file doesn't exist as long as the debugger is present there.

That's why, if this key is set by tuneup utilities, then I assume the user also understands why this key was set, so they can ignore it in the scan.

In case the user is not aware of this and complains they cannot run certain applications anymore, then it's good MBAM detects this and fixes this.

That's why we won't exclude this from detection.


wijllie,

This key has nothing to do with a legit process here though. What this key does here is, when you launch itunes.exe, it will launch TUAutoReactivator32.exe instead. So unsure what the purpose of the TUAutoReactivator32.exe is, but this is a weird way of handling things.

For every executable you want to run, Windows always looks under the Image File Execution Options key and checks if the name of the executable you want to run is present there. If so, then it checks if there's a Debugger value set for it. If that's the case, then it runs the executable defined in the Debugger value instead of the executable you were trying to launch.

Can you test what you get when you try to launch itunes.exe?

Also, in case you uninstall TuneUp Utilities and this debugger stays present there - you would never be able to run itunes.exe, because it will throw an error this file doesn't exist as long as the debugger is present there.

That's why, if this key is set by tuneup utilities, then I assume the user also understands why this key was set, so they can ignore it in the scan.

In case the user is not aware of this and complains they cannot run certain applications anymore, then it's good MBAM detects this and fixes this.

That's why we won't exclude this from detection.

I noticed itunes.exe, but as stated before there are a lot of other programs altered in that registry section.

The reactivator process imho is part of the live optimisation from TuneUp Utilities. The live optimisation handles the priority status of programs, so if a program needs it and the PC is too slow, TU switches the priority of the process to high. Maybe a good thing would be to test-install TU 2012 to understand what it's all about; there is a free full-use 15-day trial available here:

http://www.tune-up.com/

I have used this program since 2006 and like it very much; only the new 2012 version now has parts like optimisation and economy/turbo mode, which is probably interfering too much with other programs and settings... But it's not malware in any way.

Regards, Wijllie (wuif wuif! ;) )


The reactivator process imho is part of the live optimisation from TuneUp Utilities. The live optimisation handles the priority status of programs, so if a program needs it and the PC is too slow, TU switches the priority of the process to high. Maybe a good thing would be to test-install TU 2012 to understand what it's all about; there is a free full-use 15-day trial available here

I just tested this and it's actually the TuneUp Program Deactivator doing this. It disables certain programs (actually blocks them, because it has set a debugger) so they can't run in the background. It will only enable them again once you actually launch the program again, which then triggers the TUAutoReactivator32.exe (since this is run first) and sets the program to enabled again.

I believe the best option here is to "add to ignore" here in Malwarebytes, because we still want to give our users protection against the malware that also sets debuggers for legitimate processes. That's why we can't remove detection for this. It's not common for legitimate programs either to create debuggers for legitimate processes. Hence why we call it a "Hijack" in Malwarebytes.

We don't break anything (not even in TuneUp Utilities) if people decide to delete this key with Malwarebytes, because these extra keys aren't even present by default on a normal Windows install. TuneUp Utilities created these. As a matter of fact, when you tell TuneUp Utilities to enable a certain program again (to run), or you actually run the program again, TuneUp Utilities also deletes that same key. :)

I have used this program since 2006 and like it very much; only the new 2012 version now has parts like optimisation and economy/turbo mode, which is probably interfering too much with other programs and settings... But it's not malware in any way.

We don't detect TuneUp utilities as malware either, we don't detect Tuneup Utilities at all. We detect the keys it sets under the Image File Execution Option key since this is a security Hijack, often (in 90% of the cases) abused by malware in order to have their malware process running instead when a legitimate program is launched.

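As an added example (not code from the thread, from Malwarebytes or from TuneUp), the following script shows how a defender can check an exported .reg file for exactly the condition the staff replies above describe: a subkey under Image File Execution Options carrying a Debugger value, which makes Windows start the named program with the original command line appended instead of the program the user launched. The sample input is constructed from the itunes.exe entry posted in the thread plus one hypothetical excel.exe entry with no Debugger value; the function names, the check of the native registry view only (no Wow6432Node), and the hypothetical GlobalFlag value are assumptions of this example.

```python
"""Added example: flag Image File Execution Options (IFEO) Debugger hooks in a .reg export."""
import re

# Key under which Windows looks up per-executable options. Assumption: only the
# native view is checked; a 64-bit host would also carry a Wow6432Node copy.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample input: the itunes.exe entry posted in the thread, plus a
# hypothetical excel.exe entry without a Debugger value so the filter has
# something to skip.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe]
"Debugger"="\"C:\\Program Files\\TuneUp Utilities 2012\\TUAutoReactivator32.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe]
"GlobalFlag"=dword:00000000
'''

# A value line is either the default value (@) or a quoted name, then '=' and the data.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape_reg_string(raw):
    # Undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote.
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg(text):
    """Return {key_path: {value_name: data}}. Quoted string data is unescaped;
    other types (dword:, hex:) are kept as their raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        name = "@" if name == "@" else unescape_reg_string(name[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape_reg_string(data[1:-1])
        keys[current][name] = data
    return keys


def find_ifeo_debuggers(keys):
    """List (executable, debugger_command) for direct IFEO subkeys that set Debugger."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        exe = path[len(prefix):]
        if "\\" in exe:  # deeper subkeys are not where the Debugger hook is read from
            continue
        for name, data in values.items():
            if name.lower() == "debugger":
                hits.append((exe, data))
    return hits


def effective_command_line(debugger, original_cmdline):
    """What the loader actually starts when a Debugger value is set: the debugger
    command with the original command line appended, so the 'debugger' decides
    whether the original program ever runs (this is how TUAutoReactivator32.exe
    can re-enable and relaunch the program, and how malware can replace it)."""
    return f"{debugger} {original_cmdline}"


if __name__ == "__main__":
    for exe, dbg in find_ifeo_debuggers(parse_reg(SAMPLE_REG)):
        print(f"{exe}: Windows would launch {effective_command_line(dbg, exe)}")
```

To run it over a real export, pass the text of a regedit export to parse_reg; regedit writes .reg files as UTF-16, so open them with encoding="utf-16". Every hit is worth reviewing against the software that is expected to own it, as the thread shows: the same key shape is created by TuneUp's Program Deactivator and by malware that wants its own process started in place of a legitimate one.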

Thanks for the outstanding follow-up, all clear now :)


When I upgraded my iPhone 5s to iOS 8.1.1, iTunes was no longer able to make backups. In fact the upgrade failed because iTunes was not able to restore the backup that it had just made. I narrowed it down to Malwarebytes. If I shut MB down I can backup/restore all day, but with it running iTunes can't make backups or restore from previously made backups.

Anyone else having this problem? iOS 8.1.1, iTunes 12.0.1.26, Windows XP and Windows 7-32 SP1 (can't back up my iPad either).


One more thing... Malwarebytes doesn't log any malware detection, it just seems to block the action.


wb5rue:

This is wijllie's thread that is two years old.

If you have an issue, please start your own thread. In addition, this sub-forum is for reporting a condition where Malwarebytes' Anti-Malware (MBAM) detects a legitimate file where it should not be doing so. If you have an issue with the MBAM product then you should post in the MBAM product support sub-forum Malwarebytes Anti-Malware Help.

Please reference: Please read before reporting a false positive

Post #2

If you are not a member of the Staff or Experts group, please do not reply to other users' posts in either the File or Web Blocking forums.

Thank you for understanding.
