RiskWare.IFEOHijack.KMS

Short bio

RiskWare.IFEOHijack.KMS is the Malwarebytes detection name for a number of debugger values in the Windows registry added by software that allows the illegal use of Microsoft products.

Type and source of infection

When an executable is listed under the Image File Execution Options (IFEO) registry key and has a debugger value set, Windows always reads the data of that value and launches that “debugger” instead of the executable. Setting a debugger for an executable therefore intercepts any call to that executable and runs another executable instead.

The debugger settings flagged by RiskWare.IFEOHijack.KMS are made by software that allows the illegal use of Microsoft products.

Protection

RiskWare.IFEOHijack.KMS is a “removal only” detection name. That means users must make the call themselves whether or not to remove the program flagged by Malwarebytes. If users wish to keep the program, they may add it to exclusions.

Remediation

Malwarebytes can detect and remove RiskWare.IFEOHijack.KMS without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

When RiskWare.IFEOHijack.KMS is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and Potentially Unwanted Programs (PUPs) are known to make these types of changes, hence they are regarded as riskware.

To have Malwarebytes for Windows ignore RiskWare.IFEOHijack.KMS, you must add RiskWare.IFEOHijack to the Allow list. Here’s how to do it.

  1. When RiskWare.IFEOHijack.KMS appears in the list of Scan results.
  2. Uncheck the entry or entries related to RiskWare.IFEOHijack.KMS.
  3. Then click on Next.
  4. You will see a prompt giving you several options.
  5. Choosing Always ignore will add RiskWare.IFEOHijack to the Allow List.
  6. You can remove them there when you decide they should no longer be ignored.
  7. When RiskWare.IFEOHijack.KMS is on the Allow list it will no longer show up in your Scan results.

Traces/IOCs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe|VerifierDlls={debugger}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe|VerifierDlls={debugger}
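
To review these entries by hand, the following read-only PowerShell audit lists every executable under Image File Execution Options that carries a Debugger or VerifierDlls value and marks the two images named in the traces above. It is an added example, not Malwarebytes code; the function name Get-IfeoRedirect is hypothetical and the WOW6432Node path is an assumption that does not appear on this page.

```powershell
# Added example: read-only audit of IFEO entries. Nothing is modified or deleted.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows (assumption: not listed on this page)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Value names that redirect or instrument the start of the named executable
$valueNames = @('Debugger', 'VerifierDlls')

# Executables named in this page's traces
$pageTargets = @('SppExtComObj.exe', 'osppsvc.exe')

function Get-IfeoRedirect {
    param([string[]]$Roots = $ifeoRoots)

    foreach ($root in $Roots) {
        # Skip views that do not exist on this system (for example on 32-bit Windows)
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            foreach ($name in $valueNames) {
                # GetValue returns $null when the value is absent under this subkey
                $data = $key.GetValue($name, $null)
                if ($null -eq $data) { continue }

                [pscustomobject]@{
                    Image       = $key.PSChildName
                    ValueName   = $name
                    ValueData   = ($data -join ', ')   # also flattens multi-string data
                    MatchesPage = $pageTargets -contains $key.PSChildName
                    KeyPath     = $key.Name
                }
            }
        }
    }
}

# Entries for the images named in the traces are listed first
Get-IfeoRedirect |
    Sort-Object -Property MatchesPage -Descending |
    Format-Table -AutoSize -Wrap
```

Legitimate debugging and diagnostic tools also set these values, so check where each ValueData entry points before treating a row as unwanted.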
