This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IFEOHijack Trojan or False Positive (Debugger)

Hello Sophos Malware Community,

Doing a scan today I came across this.

Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\cmd.exe, No Action By User, [6465], [250074],1.0.7587

Trying to determine if its a real risk or not and asking for some advice?

Thanks

This thread was automatically locked due to age.

Parents

0 QC over 5 years ago

Hello Eric Bancroft,

RiskWare.IFEOHijack is a name Malwarebytes uses, isn't it?

Normally I'd expect the key to be under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ though this is where the name comes from). Do you have more details, e.g. contents of this key?

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 QC over 5 years ago

Hello Eric Bancroft,

RiskWare.IFEOHijack is a name Malwarebytes uses, isn't it?

Normally I'd expect the key to be under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ though this is where the name comes from). Do you have more details, e.g. contents of this key?

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Eric Bancroft over 5 years ago in reply to QC

Hi Christian

Ah guilty as charged it is Malwarebytes that found this. I ran Sophos Anti-Virus and it did not find this and wanted to determine if its a threat that Sophos AV missed and also if there was any data on this or is it a false alarm. I wanted to be sure. No other data on the reg keys except that it is indeed in a strange place of the windows reg. Windows 8.1 Pro to be exact and in a production environment.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel