Author Topic: Important Autoruns question: IE Image Hijack!  (Read 42651 times)

Offline ehmen

  • Poster
  • *
  • Posts: 498
Important Autoruns question: IE Image Hijack!
« on: August 16, 2015, 04:56:26 AM »
Hi, I've seen in my Autoruns that Internet Explorer is listed in Image Hijacks, though I don't see any other program listed anywhere that could be hijacking it (like it seems should be the case from here in the Image Hijack section).
In fact when I go to the registry entry listed below, there's only one value:
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

Would anyone know how I could find out why IE is considered to be Image Hijacked?

Thank you very much!
« Last Edit: October 15, 2015, 01:47:07 AM by ehmen »

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Important Autoruns question: IE Image Hijack!
« Reply #1 on: August 16, 2015, 06:44:20 AM »
That's afaik the default entry. Autoruns doesn't show only bad things, it shows everything including the usual ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #2 on: August 16, 2015, 03:36:33 PM »
You're saying everyone has IE listed in their Autoruns as being Image Hijacked?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Important Autoruns question: IE Image Hijack!
« Reply #3 on: August 16, 2015, 03:39:14 PM »
Nope it is the wording of that tab ... If you could expand it, it would say "these are the main areas where you would be likely to see a hijacked item"

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #4 on: August 16, 2015, 03:44:47 PM »
Quote
Nope it is the wording of that tab ... If you could expand it, it would say "these are the main areas where you would be likely to see a hijacked item"

I'm not sure I understand, what should I expand?

Offline essexboy

Re: Important Autoruns question: IE Image Hijack!
« Reply #5 on: August 16, 2015, 03:50:08 PM »
Nope basically that is what that tab means...  My own wording

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #6 on: August 16, 2015, 06:06:13 PM »
So is there a way for me to find out why IE is listed as Image Hijacked?
« Last Edit: August 18, 2015, 08:37:35 PM by ehmen »

Offline essexboy

Re: Important Autoruns question: IE Image Hijack!
« Reply #7 on: August 16, 2015, 06:06:54 PM »
It is not hijacked ...

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #8 on: August 16, 2015, 06:37:36 PM »
Quote
...is there a way for me to find out why IE is listed as Image Hijacked?
It is not hijacked ...

That's good.
« Last Edit: August 18, 2015, 08:38:20 PM by ehmen »

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #9 on: August 17, 2015, 08:50:39 PM »
Do you know why it's listed as such?
« Last Edit: August 18, 2015, 08:38:27 PM by ehmen »

Offline essexboy

Re: Important Autoruns question: IE Image Hijack!
« Reply #10 on: August 17, 2015, 09:07:12 PM »
All that is saying is this is the place to look for hijacks, that is all, not that you have one

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #11 on: August 18, 2015, 12:52:01 AM »
Quote
All that is saying is this is the place to look for hijacks, that is all, not that you have one

By telling me IE is hijacked, that's how they show that this is the tab to look for Image Hijacks? I don't understand.
« Last Edit: August 18, 2015, 09:18:38 PM by ehmen »

Offline essexboy

Re: Important Autoruns question: IE Image Hijack!
« Reply #12 on: August 18, 2015, 03:42:06 PM »
If you do not know the purpose of a tool then it would be best not to use it

Offline ehmen

Re: Important Autoruns question: IE Image Hijack!
« Reply #13 on: August 18, 2015, 06:37:42 PM »
Quote
If you do not know the purpose of a tool then it would be best not to use it

Quote
http://www.howtogeek.com/school/sysinternals-pro/lesson6/all/

Image Hijack

If you read our second lesson about Process Explorer, you would have learned that you can replace Task Manager with Process Explorer, but you probably had no idea how this actually happens, much less that malware can and does use the same technique to hijack applications on your computer.

You can set a number of settings in the registry that control how things are loaded, including hijacking all executables and running them through another process, or even assigning a “debugger” to any executable — even if that application is not a debugger.

Essentially, you can assign values in the registry so that if you try to load notepad.exe, it will load calc.exe instead. Or any application can be swapped out and replaced with another application. This is one of the ways that malware blocks you from loading MalwareBytes or other anti-malware tools.



You can see it for yourself — on the left-hand side is the name of the executable, and on the right-hand side the “Debugger” key is set to the instance of Process Explorer that is running off my desktop. But you can change that to anything you want on either side and it will work. It would probably make a great prank that almost nobody would ever be able to figure out.



If you see anything in the Image Hijacks tab other than the values for Process Explorer, you should immediately disable them.

Please enlighten me on what I'm missing.
« Last Edit: August 18, 2015, 09:19:00 PM by ehmen »

Offline essexboy

Re: Important Autoruns question: IE Image Hijack!
« Reply #14 on: August 18, 2015, 06:49:44 PM »
The original screenshot tells you that IE will be the programme to open html files... as expected
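
Added example, not part of the thread or of any poster's reply: a read-only PowerShell check of the two kinds of entry this discussion turns on, the Image File Execution Options "Debugger" values that the quoted article describes and the file-association open commands. It assumes the entry in the original (missing) screenshot is the default value of htmlfile\shell\open\command, and it uses the value quoted in the first post as the htmlfile baseline.

```powershell
# Added example (read-only): lists the registry data behind the thread's question.
# Assumption: the missing screenshot showed htmlfile\shell\open\command.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# 1) IFEO "Debugger" values: the redirection the quoted article describes.
#    Each row is an executable whose launch is handed to another program
#    (Process Explorer replacing Task Manager appears here as taskmgr.exe).
$debuggers = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $dbg = $key.GetValue('Debugger')
        if ($dbg) {
            [pscustomobject]@{ Image = $key.PSChildName; Debugger = $dbg; Key = $key.Name }
        }
    }
}

# 2) File-association open commands: which program runs for .exe and HTML files.
#    These always hold a value, so seeing one listed does not by itself mean a hijack.
$baseline = @{
    exefile  = '"%1" %*'                                                    # Windows default
    htmlfile = '"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome'  # value from the first post
}
$assoc = foreach ($class in $baseline.Keys) {
    $path = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    if (Test-Path -LiteralPath $path) {
        $cmd = (Get-Item -LiteralPath $path).GetValue('')   # '' reads the (Default) value
        [pscustomobject]@{
            Class           = $class
            Command         = $cmd
            MatchesBaseline = ($cmd -eq $baseline[$class])  # -eq is case-insensitive
        }
    }
}

'IFEO Debugger values:'
if ($debuggers) { $debuggers | Format-List } else { '  (none)' }
'File-association open commands:'
$assoc | Format-Table -AutoSize -Wrap
```

A MatchesBaseline of False is a prompt to read the command and check the target binary, not a verdict; the htmlfile value can legitimately differ between Windows versions.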