A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.
When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.
I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of [“%1” %*] to [c:\windows\desote.exe “%1” %*]; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.
Hacker skills are valuable for us white hats.