RiskWare.IFEOHijack is a generic detection for programs that set a debugger for other executables by using the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the intercepted executable}When an executable is listed under the IMAGE FILE EXECUTION OPTIONS key and it has a debugger value set, Windows always checks under that key what the valuedata is and launches that "debugger" instead of the executable.Some legitimate programs that use this method have been whitelisted.
RiskWare.IFEOHijack could be a flag for more serious problems. By setting a debugger for an executable, you basically intercept any calls to that executable and run another executable instead. The debugger is often set for taskmanager.exe.The debugger setting flagged by RiskWare.IFEOHijack can be made by legitimate substitutes for the Windows Task Manager, but it can also be done by malware that doesn't want the user to find a suspicious process in the list shown by the Task Manager.
The presence of RiskWare.IFEOHijack should be grounds for an investigation. Users should look at the intercepted executable and the executable set as a debugger to see whether there's reason to take further action. The Malwarebytes log will tell you which executable was intercepted, and by looking in the registry, you can see the executable set as a debugger.
RiskWare.IFEOHijack is a "removal only" detection name. That means users must make the call themselves whether or not to remove the program flagged by Malwarebytes. If users wish to keep the program, they may add it to exclusions.
Malwarebytes can detect and remove RiskWare.IFEOHijack without further user interaction.
When RiskWare.IFEOHijack is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and Potentially Unwanted Programs (PUPs) are known to make these types of changes, hence they are regarded as riskware.To have Malwarebytes for Windowsignore RiskWare.IFEOHijack, you must add RiskWare.IFEOHijack to the Allow list. Here’s how to do it.
A Malwarebytes log of removal will look similar to this:
Malwarebyteswww.malwarebytes.com-Log Details-Scan Date: 8/23/19Scan Time: 1:09 PMLog File: 7b575d06-c596-11e9-a4f2-00ffdcc6fdfc.json-Software Information-Version: 3.8.3.2965Components Version: 1.0.613Update Package Version: 1.0.12151License: Premium-System Information-OS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: METALLICA-PC\Metallica-Scan Summary-Scan Type: Threat ScanScan Initiated By: ManualResult: CompletedObjects Scanned: 236215Threats Detected: 4Threats Quarantined: 4Time Elapsed: 6 min, 51 sec-Scan Options-Memory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: DetectPUM: Detect-Scan Details-Process: 0(No malicious items detected)Module: 0(No malicious items detected)Registry Key: 2RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE, Delete-on-Reboot, [6321], [250029],1.0.12151RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE, Delete-on-Reboot, [6321], [250029],1.0.12151Registry Value: 2RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE|DEBUGGER, Delete-on-Reboot, [6321], [250029],1.0.12151RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINUPDATE.EXE|DEBUGGER, Delete-on-Reboot, [6321], [250029],1.0.12151Registry Data: 0(No malicious items detected)Data Stream: 0(No malicious items detected)Folder: 0(No malicious items detected)File: 0(No malicious items detected)Physical Sector: 0(No malicious items detected)WMI: 0(No malicious items detected)(end)
Select your language