Closed Sticky

Removing Desktop Hijacks for the Savvy User

I figured while I was bored at work I would write a tutorial for hijack removal for the Tech Savvy User. I used to have a library of Desktop Hijacks that I cleaned off people's PC's think of it as a biopsy when going to the doctor and realizing that you have an unknown bacteria infected strawberry under your arm, which looks like something from another planet, heh gross. But I did a lot of testing on these little guys looking at signatures and understand its programmatic intent, I eventually deleted everything just because it became useless to taking up tons of space on my machine, about 2GB of different hijacks, funny huh.

Removing Desktop Hijacks for the Savvy User

Most of us want to avoid rebooting into safe mode, its time consuming and utterly annoying. This guide will teach you to remove desktop hijacks while in normal mode. One best way to know you have a hijack, is that you cannot for the life of you open task manager, command prompt, or even launch other exes that will benefit the removal of this nuisance we call malware.
Most hijacks are installed under the following directories:

• %USERPROFILE%.\Application Data
• %USERPROFILE%.\Local Settings\Application Data
• C:\Documents and Settings\All Users\Application Data

These following directories usually contained saved variables or configurations for most of the applications you install on the machine, but who would want to look here for the infected program? The savvy user, of course. Others might think it would be installed in:

• C:\
• C:\Program Files
• C:\WINDOWS\System32

Denied! The creators of this malicious software are getting creative now-a-days but not smarter, why? Because we are able to rid our PCs of this nonsense.

I have studied length and width through my programming experience of how these programs work and can assure you that its nothing but a VB or C# application that has its own flaws, and poorly coded at that. However, browsing a site that had a malicious application piggy backing a named server was smart and removing any trace of its existence after it has been downloaded was a clever trick, but not hard to pull off. So reporting to the ‘bureau of no one cares anymore’ the site that infected you would be useless, but on the other hand the site did not infect you, you infected yourself.

Yep that’s right, any site can initiate the download, you would have to be permissive and let it download and you would actually have to install it. With browser security now-a-days, downloads aren’t automatically opened after completion and if it does, whose fault is this?

Nonetheless The goal of the malicious software as we all know is to phish information from your computer, or force you into insanity by manipulating you to click the ‘register now’ or ‘scan my PC’ button knowing nothing actually happens. Most people can point out just by the way the application looks and feels, the style and theme actually throw off what may actually be hiding in the background. But it’s too late! You have already installed it….

Now what!? Boot into safe mode? Wrong again. Stay in Normal mode just don’t freak out, the most you can do from this point on with this window is, do not try to close it out, it’s on a timer and global hooks. Any movement you make, application you run or attempt any removal, this baby will pop up again and he will do his best to annoy the hell out of you. Instead, just use your mouse to drag the window out of the way so you can see your working space. First step is complete. If your malicious software wants to open more windows, just drag them out of the way as well, so rather than repeatedly trying to close it, it will remain open for the time you are working on its removal process, the annoyance now becomes suppressed.

What is next? Locating the damned application. As stated above there will be three directories in which it may be found, this is where you come in. The only tools we have to our advantage in removing this is:

• Run…
• Windows Explorer
• Taskkill.exe

You said it, Taskkill.exe, an application that can be forced closed by the desktop hijack. But the best thing about most console based executables is that it is not a single instance application, just like we can open more than one command prompt, we can do the same for each console based exe. Each exe used with command prompt takes more than one valid argument in fact it can take many arguments and statements, that’s why Taskkill.exe is our friend, but we will not be using it in command prompt, as we already know, cmd.exe and or forcefully closed. Taskkill.exe is used within Run.

First we need to find out where our infection is, now don’t always be assured that you are looking for an actual name and that it may match the title of the infection, denied once again. To avoid the frustration of the programmers, cryptic names are used to avoid AV’s. Names such as:

• D5r8e4c5fg2.exe
• Dddyfer8305.exe
• Uf3j49fn99s02kle4.exe

These can also be found in cryptic folder names or even under folders named Temp, some folders may actually have acronyms or abbreviations for the name which include the title name from the infected program. These folders will sometimes be visible and sometimes be hidden as a system folder to you, so to be on the safe side, we need to show the hidden operating system files and show hidden files and folders before we look. Jump over to:

Tools > Folder Options > View Tab and make your selections.

Once the settings have been applied, we can now start looking. These will be the directories in which we will be searching for the infection:

• %USERPROFILE%.\Application Data
• %USERPROFILE%.\Local Settings\Application Data
• C:\Documents and Settings\All Users\Application Data

These as you can see apply to XP, however the layout may be different in Vista or 7. But typing the EnvVars (%USERPROFILE%) into Run will output the same results.

Let’s say you found the culprit but you cannot delete it, that’s ok, just right+click the filename and click rename, copy the filename, whilst the program is in use, you will not be able to delete or rename it, we just need the filename. With the filename copied, jump over to your Run… dialog and type in:

Taskkill.exe /F /IM d5r8e4c5fg2.exe

The switch statements used in taskkill.exe are as follows:

• /F – Force an image to close without prompting the user
• /IM – Image name in string format (Not the process ID, i.e. 5221)
• taskkill [/im ImageName] [/f][/t]

Now, there is a down side to this, as stated before, the infection will do its best to force taskkill.exe from running. If this is the case we know we can open Run… multiple times and run the taskkill.exe repeatedly (but usually only takes 3-4 tries) over until the infection has been forcefully closed. Once the infection has been forced closed, we can now delete the file that we copied the name earlier and delete the folder that it resided in.

Tip 1, this rarely happens, most infection that run in the tray next to the clock, if you place your mouse over the icon in tray, a tooltip will appear with the filename, its’ not always guaranteed that the name might be used while its running, I have seen very few programs display this information.

Tip 2, if you are infected immediately upon opening the file, it will usually take time for the all security settings to be disabled by the application, usually a restart or log off the computer initiates this effect. You might have luck opening task manager and killing the application.

Tip 3, most infections are poorly coded and will not disable any security settings on the computer; this will make life easier for you when removing it.

As most people would think, “Oh well we want something guaranteed to work once after we execute or open the application”, not even the repair or av utility you use will work the first time, if so then be my guest and restart into safe mode and do your business, meanwhile my infection has been forced closed and now I can delete it and run my scans.

This has always been a guaranteed fix for me and the people that I work with and will surely work for you if you take in account for it. No more booting into safe mode and wasting time.

Hope this helps the peeps out there as it helps me every day with the clients I work with s(^.-)-b
1 answer Last reply
More about removing desktop hijacks savvy user
  1. This topic has been closed by Mrface
Ask a new question

Read More

Security Desktops Windows XP