Mysterious case of the executable hijack

I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he did not click on any odd links or downloaded anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.

Memory Processes Infected:
c:UsersPaulAppDataLocalojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.

I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The result had shocked me. I was told that this was an executable hijack that is used with FakeAlert, a Trojan we see almost daily in our research center.

What exactly does that mean? Well, when the infection is able to penetrate your computer, it hijacks all executables to run the malicious file instead of their intended targets. For example, you try to open Skype and the malicious file starts instead.

It does this in two ways. First, it modifies each shortcut itself to point to the malware. Secondly, it modifies the .exe shell in the registry so that once again instead of starting the correct executable, it starts the malicious file.

Luckily, Malwarebytes Anti-Malware was able to patch Paul up, but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!

By Marcin Kleczynski

CEO of Malwarebytes, click About Me at the top of the page to learn more!

11 replies on “Mysterious case of the executable hijack”

In order to help hide itself, it runs the malicious executable which then calls the program you expected in many cases.

Thats cool. My computers been acting funny too but I cant find nothing. Ive tried the flash scan as a trial but anytime I try to reinstall malwarebytes it automatically sets the activecare icon in the task bar and says my trial has expired and its annoying to see that down there. It makes me wonder if its even working in free mode so I un-installed it. Its kind of frustrating because I know how good the program is and really like it. Im just having alot slower performance and for no reason. Im only a self taught user so I know what I know only based on trial and error but theres no reason for things to be so slow. Thank you

You could just re-allocate the .exe file allocation back to the windows default through regedit. That would enable you to run a Malware scan and then the fake alert would be removed.

Might not be a bad idea to incorporate that in MBAM scans and daily database downloads (so it’s refreshed every time and can’t be hacked). Scan critical file associations and see if they’ve been changed from the default. Good warning system for Zero day’s that have escaped heuristics.

Take a look too at the toolset that comes with SuperAntiSpyware. It includes a manual reset for issues like this.

Leave a Reply