IFEOHijack Trojan or False Positive (Debugger)

Hello Sophos Malware Community,


Doing a scan today I came across this.


Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587


Trying to determine if it's a real risk or not and asking for some advice?



  • Hello Eric Bancroft,

    RiskWare.IFEOHijack is a name Malwarebytes uses, isn't it?

    Normally I'd expect the key to be under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (though this is where the name comes from). Do you have more details, e.g. contents of this key?


  • I will skip the details but the reference to IFEO and "Debugger" tells me you are dealing with a network worm and banking trojan called TrickBot, this is pretty much the most advanced worm in the world at the moment. It has various methods of spreading in a network and won't stop until it is removed. Its ultimate goal is to inject malicious code into the user's browser so they can steal money from the user's bank account. Basically anybody infected with TrickBot who logs into their online banking can expect to see money leaving their account pretty quickly. I also heard reference to people logging into Amazon and seeing items appearing in their shopping basket.

    Make sure Sophos is installed, you are following best practice (everything is turned on) and that Sophos is updating correctly.

    Which Sophos product are you using? If you have any of the Intercept X products make sure our Deep Learning feature is enabled, it is great at killing TrickBot.

  • Hi Christian

    Ah guilty as charged it is Malwarebytes that found this. I ran Sophos Anti-Virus and it did not find this and wanted to determine if it's a threat that Sophos AV missed and also if there was any data on this or is it a false alarm. I wanted to be sure. No other data on the reg keys except that it is indeed in a strange place of the Windows registry. Windows 8.1 Pro to be exact and in a production environment.
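To collect the key contents Christian asked for, here is an added read-only triage script (not from this thread, Sophos or Malwarebytes) that lists every Image File Execution Options subkey carrying a Debugger value and every App Paths entry, covering both the native and the WOW6432Node views that appear in the scan output. It assumes an elevated PowerShell prompt on Windows 8.1 or later and changes nothing in the registry.

```powershell
# Added triage example (not from the thread): dump IFEO Debugger values and
# App Paths targets so they can be reviewed by hand. Read-only.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$appPathRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths'
)

$findings = @()

# 1. IFEO: a "Debugger" value under <program>.exe makes Windows start that
#    debugger instead of the program, so every such value deserves a look.
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath
        if ($props.PSObject.Properties.Name -contains 'Debugger') {
            $findings += [pscustomobject]@{
                Type  = 'IFEO Debugger'
                Key   = $sub.PSChildName
                View  = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
                Value = $props.Debugger
            }
        }
    }
}

# 2. App Paths: the (Default) value is what ShellExecute resolves a bare
#    program name to. For system tools like cmd.exe it should stay under
#    %SystemRoot%; anything else is flagged with InWinDir = False.
foreach ($root in $appPathRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $target = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
        if (-not $target) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
        $findings += [pscustomobject]@{
            Type     = 'App Path'
            Key      = $sub.PSChildName
            View     = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'Native' }
            Value    = $target
            InWinDir = $expanded.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        }
    }
}

$findings | Sort-Object Type, Key | Format-Table -AutoSize
```

Compare the cmd.exe rows against the same keys on a known-clean Windows 8.1 machine; an App Paths or Debugger value pointing outside the Windows directory is the detail a vendor would need to confirm or dismiss the detection.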