We can slip it in. The Rogue AV whitelists some files so you can go online to pay them for their scam. Renaming it to iexplore.exe with arguments to run our standard battery of tools allows me to fix the hijack, remove the malware, and stop any rootkits in one move, instead of chasing my tail with tools re-inserting themselves into reg after reboot & downloaders re-downloading the code because I couldn't wipe them out due to policy restrictions the virus made. I've tried using CreateProcess myself. Here's the code I used. If you can tell me where I'm going wrong it'd be greatly appreciated.
Code:
#include <windows.h>
#include <stdio.h>

STARTUPINFO si;
PROCESS_INFORMATION pi;
/* Zero both structures: pi must be zeroed as well, otherwise the
   CloseHandle calls below act on garbage when CreateProcess fails. */
memset(&si, 0, sizeof(si));
memset(&pi, 0, sizeof(pi));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_MINIMIZE;

/* lpCommandLine must be a writable buffer, not a string literal, because the
   Unicode CreateProcessW may modify it in place. With lpApplicationName NULL the
   first token of this string is the program; arguments go after the quoted path. */
char cmdLine[MAX_PATH * 2] = "\"C:\\Windows\\System32\\calc.123\"";

/* Explicit ANSI variants so this builds the same way whether UNICODE is defined */
BOOL res = CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
if (res == FALSE) {
    char sBuffer[100];
    /* GetLastError() returns a DWORD, so format it with %lu, not %d */
    snprintf(sBuffer, sizeof(sBuffer), "Error Code: %lu", GetLastError());
    MessageBoxA(NULL, sBuffer, "FAILED TO EXECUTE PE CODE!",
                MB_ICONEXCLAMATION | MB_OK);
} else {
    /* Only close handles that CreateProcess actually returned */
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}