RiskWare.IFEOHijack

Short bio

RiskWare.IFEOHijack is a generic detection for programs that set a debugger for other executables by using the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\
{name of the intercepted executable}

When an executable is listed under the Image File Execution Options key and has a Debugger value set, Windows always reads that value's data and launches the "debugger" it names instead of the executable.

Some legitimate programs that use this method have been whitelisted.

Type and source of infection

RiskWare.IFEOHijack could be a flag for more serious problems. By setting a debugger for an executable, you effectively intercept every launch of that executable and run another executable instead. The debugger is often set for taskmgr.exe.

The debugger setting flagged by RiskWare.IFEOHijack can be made by legitimate substitutes for the Windows Task Manager, but it can also be done by malware that doesn’t want the user to find a suspicious process in the list shown by the Task Manager.

Aftermath

The presence of RiskWare.IFEOHijack should be grounds for an investigation. Users should look at the intercepted executable and the executable set as a debugger to see whether there’s reason to take further action. The Malwarebytes log will tell you which executable was intercepted, and by looking in the registry, you can see the executable set as a debugger.

(Figure: find debugger)
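The investigation step above (look up the intercepted executable and the program set as its Debugger) can be done offline from a registry export of the IFEO key, which is convenient when triaging a machine from a collected artifact rather than at its console. The following is an added example, not Malwarebytes code: it parses the text produced by reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg (and the WOW6432Node twin, which the log below shows is checked as well) and lists every executable that has a Debugger value, the condition RiskWare.IFEOHijack flags. The embedded .reg text, the executable names and every path in it are constructed for the example; Process Explorer is named only as an instance of a legitimate Task Manager substitute, and its path is made up. The allowlist is an assumption supplied by the caller, since the page does not list which programs are whitelisted.

```python
"""Triage an exported Image File Execution Options (IFEO) key for Debugger values.

Added example, not part of the original page or of Malwarebytes. Input is the
text of a .reg file written by `reg export` (UTF-16 with BOM on disk).
"""
import re
from typing import List, NamedTuple, Sequence

IFEO_MARKER = "\\image file execution options\\"   # matched case-insensitively
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


class IfeoDebugger(NamedTuple):
    target: str      # intercepted executable (name of the IFEO subkey)
    debugger: str    # program Windows launches instead of the target
    wow6432: bool    # True if the key sits in the 32-bit view (WOW6432Node)
    key: str         # full registry key path as written in the .reg file


def _unescape_reg_string(raw: str) -> str:
    # .reg files escape backslash and double quote inside string data
    return re.sub(r"\\(.)", r"\1", raw)


def _decode_hex2(raw: str) -> str:
    # hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes
    data = bytes(int(b, 16) for b in raw.split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")


def _join_continuations(text: str) -> List[str]:
    # reg export wraps long hex values across lines with a trailing backslash
    lines, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line.strip() if buf else line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def find_debuggers(reg_text: str) -> List[IfeoDebugger]:
    """Return every <IFEO>\\<exe> key that carries a Debugger value."""
    hits, current = [], None
    for line in _join_continuations(reg_text):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            idx = key.lower().find(IFEO_MARKER)
            if idx < 0:
                current = None
                continue
            rest = key[idx + len(IFEO_MARKER):]
            # Debugger lives directly under <IFEO>\<exe>; the IFEO root and
            # deeper subkeys (e.g. PerfOptions) are not what we are after
            current = (key, rest) if rest and "\\" not in rest else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("name").lower() != "debugger":
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            debugger = _unescape_reg_string(data[1:-1])
        elif data.lower().startswith("hex(2):"):
            debugger = _decode_hex2(data[7:])
        else:
            debugger = f"<unparsed: {data}>"
        key, target = current
        hits.append(IfeoDebugger(target, debugger, "\\wow6432node\\" in key.lower(), key))
    return hits


def triage(reg_text: str, allowlist: Sequence[str] = ()) -> List[str]:
    """One report line per Debugger value; known-good debugger paths are marked allowlisted."""
    known = {a.lower() for a in allowlist}
    out = []
    for h in find_debuggers(reg_text):
        view = "WOW6432Node" if h.wow6432 else "native"
        verdict = "allowlisted" if h.debugger.strip('"').lower() in known else "REVIEW"
        out.append(f"{verdict}: {h.target} ({view}) -> {h.debugger}")
    return out


def load_reg_export(path: str) -> str:
    # reg export writes UTF-16LE with a BOM; the utf-16 codec honours the BOM
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample export: notepad.exe has no Debugger, taskmgr.exe points at a
# (made-up) Process Explorer path, winupdate.exe is hijacked in both registry views.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex(b):00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Process Explorer\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe]
"Debugger"=hex(2):43,00,3a,00,5c,00,54,00,6d,00,70,00,5c,00,61,00,2e,00,65,00,\
  78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe]
"Debugger"="C:\\Tmp\\a.exe"
'''

if __name__ == "__main__":
    for line in triage(SAMPLE_REG, allowlist=[r"C:\Program Files\Process Explorer\procexp.exe"]):
        print(line)
```

On a real machine, export both the native key and the one under WOW6432Node and run triage() over each file's text from load_reg_export(); any REVIEW line names an executable whose launches are being redirected, which is what the Malwarebytes log reports as the intercepted executable.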

Protection

RiskWare.IFEOHijack is a “removal only” detection name. That means users must make the call themselves whether or not to remove the program flagged by Malwarebytes. If users wish to keep the program, they may add it to exclusions.

Remediation

Malwarebytes can detect and remove RiskWare.IFEOHijack without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Add an exclusion

When RiskWare.IFEOHijack is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and Potentially Unwanted Programs (PUPs) are known to make these types of changes, hence they are regarded as riskware.

To have Malwarebytes for Windows ignore Riskware, you must add the detection as an exclusion.

  1. Open Malwarebytes for Windows.
  2. Click Settings, then click the Protection tab.
  3. Scroll down to the bottom.
  4. Turn off Automatically quarantine detected malware. Turning this setting off prevents Malwarebytes for Windows from quarantining the Riskware automatically.
  5. Go to the Dashboard, then click Scan Now.
  6. When the Threat Scan Results appear, uncheck the box next to the detected PUM you want to keep.
  7. Click Next.
  8. On the Remaining Items window, click Ignore Always to exclude the detected PUM(s).
  9. Turn on Automatically quarantine detected malware. To find this setting, click Settings > Protection.

When RiskWare.IFEOHijack is excluded, Malwarebytes for Windows does not detect RiskWare.IFEOHijack during scans or Real-Time Protection.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/23/19
Scan Time: 1:09 PM
Log File: 7b575d06-c596-11e9-a4f2-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12151
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: METALLICA-PC\Metallica

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236215
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 6 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE, Delete-on-Reboot, [6321], [250029],1.0.12151
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE, Delete-on-Reboot, [6321], [250029],1.0.12151

Registry Value: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE|DEBUGGER, Delete-on-Reboot, [6321], [250029],1.0.12151
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE|DEBUGGER, Delete-on-Reboot, [6321], [250029],1.0.12151

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)