Also, *IN CASE* you uninstall Tuneup utilities and it forgets to remove the debugger value from your registry, you won't be able to run Firefox anymore if the debugger reference is still in the registry. This is unfortunately a method A LOT of malware uses in order to run its malware instead of the program you want to launch, by setting a debugger for the given program under the Image File Execution options key, Hence why we need to detect this, to warn the user. It's a bit of a weird approach by TuneUp uilities, but I can see why they want to do this. Unsure what TUAutoReactivator64.exe actually does, but I believe it has to do with the "TuneUp Program Deactivator" feature in Tuneup utilities. So, in your case, when you run Firefox, it will launch C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe instead. When a program is listed under the IMAGE FILE EXECUTION OPTIONS and it has a debugger value set, Windows always checks under that key what the valuedata is and launches that instead of the program. This means, there's a debugger set for firefox.exe. HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIREFOX.EXE|Debugger, "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe" In your case, this is what has been set by Tuneup utilities: Let me first explain what this IMAGE FILE EXECUTION OPTIONS key means when it has a debugger set under this key.
0 Comments
Leave a Reply. |