Image File Execution Options (IFEO) Malware

Recently, we had some odd behavior on our server. We kept getting a prompt to enter in a password when we tried to log in to our application.

Here is an example of what we came across:

If I clicked Cancel, the program would go away. If I entered in a password, such as ‘asdf’, I would get this:

We already had Malwarebytes installed on the server but it did not catch this winlogo.exe. I ran across another post that suggested that the IFEO registry settings were being hijacked.

Sure enough, there were five entries where the registry had c:\windows\fonts\winlogo.exe referenced in them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}

Here’s and example:

Checked the task manager, and sure enough, there was winlogo running.

Here are the steps that I ran to remove it:

  1. Kill winlogo.exe in the task scheduler.
  2. Delete the c:\windows\fonts\winlogo.exe
  3. Open the registry and browse to the IFEO setting above.
  4. Look through each of the keys in the IFEO and determine if any of them have been replaced by winlogo.exe.
  5. Right click each registry setting that was changed, in this case it was taskmgr.exe, and select Permissions.
  6. Edit the Permissions to give your user (or administrator if you are that) Full Control over the registry setting.
  7. Now at this point you can either delete the registry setting or have it point to the correct location of the original executable.
  8. Restart your computer.

Hope that helps someone, it took a bit to figure out what was causing this issue.

-TG

Leave a Reply