Security Corner

Sep 16 2009   6:03PM GMT

Hacking Skills Help Save a Client’s PC

Ken Harthun Ken Harthun Profile: Ken Harthun

A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.

When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.

I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of [“%1” %*] to [c:\windows\desote.exe “%1” %*]; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.

Hacker skills are valuable for us white hats.

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • SAPjava74
    Kinda follows the tactic I used in [A href=""]If no one is answering the front door - try the back door[/A]
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: