RiskWare.IFEOHijack is a detection for malware which makes Windows launch alternative executable instead of the original one

RiskWare.IFEOHijack is a generic detection name used by Malwarebytes in order to indicate behavior which is typical to malware on Windows operating systems. A debugger is set under the Image File Execution Options registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\) which is related to a particular application, for example, Google Chrome or Mozilla Firefox. Due to the set debugger, when users try to launch a relevant app, they will launch an alternative executable instead and, if the security software is installed, RiskWare.IFEOHijack detection will follow.
While such behavior may be an indication of a false positive (for example, it is known that Avast's Cleanup – Background & startup programs feature alters the key to put applications to sleep),[1] many viruses may engage in these actions, and Malwarebytes flags them as RiskWare.IFEOHijack. Therefore, if you encountered such detection by your security software, it should be investigated further to make sure no malware like banking trojan TrickBot is involved.[2]
| Name | RiskWare.IFEOHijack |
|---|---|
| Type | Riskware, malware |
| Possible false-positive | Some legitimate applications, such as Avast anti-virus or AVG TuneUP, might be using Image File Execution options registry for genuine processes on the machine |
| Possible related malware | There are many malware families that may be marked as RiskWare.IFEOHijack, including a variety of potentially unwanted programs and malware, such as banking trojan TrickBot |
| Related Registry modification | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ |
| Infiltration | Malware may be installed on the host system in various different ways, including spam emails, exploits, web injects, drive-by downloads, software cracks, adware bundles, etc. |
| Potential risks | Users infected with malware may be victims of money theft and identity fraud; some other infections may be less threatening and not engage in data harvesting but rather induce a variety of pop-up ads and other commercial content |
| Termination | Once you are sure that RiskWare.IFEOHijack is malicious, you should take action and delete it with security applications like FortectIntego, SpyHunterCombo Cleaner, or another reputable anti-malware. If the detection is a false-positive, you should add it to Malwarebytes exception list |
The usage of the debugger may cause several issues after RiskWare.IFEOHijack removal. It was reported by Microsoft researchers[3] that users might get ERROR_FILE_NOT_FOUND error when trying to run the target application the registry of which was modified. As a result, the target app will no longer work correctly until the path to the debugger is corrected, or debugger uninstalled.
Additionally, when the File Execution Options key is modified by malware, it can be set to do multiple malicious tasks:[3]
Evil can be done with the Image File Execution Options key. Malware can install themselves as the “debugger” for a frequently-run program (such as Explorer) and thereby inject themselves into the execution sequence.
Note that the ability to use the Image File Execution Options key for evil purposes is not a security hole. To modify the key in the first place requires administrator permissions. Consequently, anybody who can exploit this feature already owns your machine.
This immediately points to the conclusion that those that are infected with RiskWare.IFEOHijack virus most likely installed a malicious application themselves without knowing it, and the required permissions were granted for malware to cause the changes in the first place.
For a full RiskWare.IFEOHijack removal, you should immediately access Safe Mode with Networking and scan the machine with anti-malware software, such as FortectIntego, SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes. The security application should be able to eliminate the core malware files, and all the installed components/modules automatically and also fix the Windows registry issues. For further instructions, please check our removal guide below.

Protect your machine from online threats by being attentive online
As mentioned above, it is highly likely that malware that triggered the alarm of the security application was installed by the computer owned due to a lack of knowledge when it comes to safe online behavior or simple negligence. Regardless of what the reason is, it is vital to make sure that optimal precautionary measures are applied in order to prevent malware from entering the machine and stealing sensitive data, installing other threats, or performing other malicious actions before the damage can be caused.
Security researchers from novirus.uk[4] warn users that they should always be careful when it comes to online behavior. Here are some general security tips you could follow to prevent malware infections in the future:
- Never allow email attachments to execute macro commands unless you are completely sure that the email is genuine and you were supposed to receive such an email;
- Update your operating system along with all the installed programs as soon as security patches are released;
- Protect all your accounts with strong passwords that are never reused (or use a password managing program);
- Never download pirated software or hacking tools/cracks/keygens from torrent/warez sites;
- Avoid using default Remote Desktop TCP port 3389 and disconnect the connection as soon as it is not needed;
- Be aware that adware bundles may include applications that can compromise your online security and computer safety – proceed with each freeware app installation carefully, always picking Advanced/Custom settings and removing all optional programs on the way;
- Scan all unknown executables and other files with tools like Virus Total;
- Install reputable ant-malware software that can protect you from malicious online content as well.
Get rid of RiskWare.IFEOHijack virus if it is not a false-positive
While there is a chance that RiskWare.IFEOHijack is indeed a false-positive – its presence on the device always requires taking actions. If you are sure that the file is safe (for example, an element from Avast anti-malware suite may be causing the false-positive detection due to the modification of the precisely same registry key), you should add it to Malwarebyte's exception list as follows:
- Click on Settings on the left pane and then Exclusions at the top
- Select Add Exclusion
- Pick Exclude a File or Folder and then Next
- Click on Select Files or Select Folder
- Locate the file/folder in question and then click OK

However, you need to remove RiskWare.IFEOHijack virus if it is connected to malware infection. To get a better indication for that, you should scan your machine with other security software in Safe Mode with Networking – we explain how to access it below. RiskWare.IFEOHijack removal should prevent personal information compromise or a complete takeover of your machine by malicious actors.
Was this guide helpful?
Be the first to comment