Malware Appears on New York Times Homepage

I have already seen this trojan three times in the past week; it is called “Windows Police Pro”. To remove it, perform the following actions (approx. 20 minutes):

  1. Turn off System Restore
  2. Ctrl+Alt+Delete, end task Windows Police Pro.exe, and also svchast.exe or svchasts.exe if they are running
  3. If you can’t open Task Manager, run FixExe.reg
  4. Navigate to the Windows Police Pro folder within Program Files and delete the entire folder
  5. Download Malwarebytes, install, update and run a quick scan
  6. Remove all found viruses when it is finished
  7. Check for the presence of C:\WINDOWS\system32\dddesot.dll and/or C:\WINDOWS\svchasts.exe, delete if they are there
  8. Reboot computer
  9. Turn on System Restore
It is really important that you get rid of this trojan as quickly as possible because a more insidious (and much more difficult to remove) virus I have been seeing a lot of is using this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of a Matryoshka doll than a trojan horse, in that the visible trojan is masking itself as the real virus. After you have removed the virus, make sure that there is no autorun.inf in root C (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).

Questions?

P.S. Did you know that if a virus is blocking you from running programs (regedit, task manager, add/remove programs, etc.) you can typically run them through command.com?

Start > Run > command.com > OK
Type regedit to open… well, you know. appwiz.cpl to open add/remove programs, etc. I found this out recently and it has been extremely helpful.
fixtm.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

FixExe.reg

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Batch file

@echo off
:: SET_NO_DRIVE_AUTORUN - disable AutoRun for every drive type (0xFF) through the Explorer policy
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f

:: GET_DRIVES
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
echo %%j >> drives
)

:: REMOVE_\DosDevices\_PREFIX
for /f "tokens=3 delims=\" %%j in (drives) do (
echo %%j >> drives.txt
)
del /q /f drives > nul

:: REMOVE_SPACE
for /f "tokens=1 delims= " %%j in (drives.txt) do (
echo %%j: >> drives
)
del /q /f drives.txt > nul

:: CHECK_DRIVE_TYPE
for /f %%j in (drives) do (
fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype
fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype
)
del /q /f drives > nul

:: GET_FDRIVES
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul

:: REMOVE_SPACE1
for /f "tokens=1 delims= " %%j in (dtype) do (
echo %%j >> drives
)
del /q /f dtype > nul

:: DEL_DRIVE_A_FROM_LIST - skip the first sorted line only when it is the A: floppy drive
:: (findstr sets errorlevel 0 when it finds a match and 1 when it does not;
:: "if errorlevel 0" is always true, so the original always dropped the first drive)
sort drives >> sort
type sort | findstr "A" > nul
if not errorlevel 1 (
for /f "tokens=1 skip=1" %%j in (sort) do echo %%j >> sorted
) else (
for /f "tokens=1" %%j in (sort) do echo %%j >> sorted
)
del /q /f drives > nul
del /q /f sort > nul

:: CREATE_AUTORUN_FOLDER - a hidden, read-only system folder named AUTORUN.INF in each
:: drive root stops malware from dropping an autorun.inf file of the same name there
for /f %%j in (sorted) do (
md %%j\AUTORUN.INF
attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul

echo Press any key to close this window..
pause > nul
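A post-cleanup check, added here as an example and not part of the original post or the Trend Micro script: it re-tests the indicators the steps above name (the two files, the Windows Police Pro folder, the Task Manager policy, the .exe association and the AutoRun policy) and reports whether each drive root holds an autorun.inf file or the placeholder folder. It assumes the Windows Police Pro folder sits directly under Program Files and that PowerShell 3.0 or later is available.

```powershell
# Added verification script (not from the original post or the Trend Micro batch file).
# Re-checks the indicators named in the removal steps; run from an elevated PowerShell prompt.
$findings = @()

# File/folder indicators from steps 4 and 7 (the Program Files location is an assumption)
$paths = @(
    "$env:SystemRoot\system32\dddesot.dll",
    "$env:SystemRoot\svchasts.exe",
    "$env:ProgramFiles\Windows Police Pro"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "STILL PRESENT: $p" }
}

# Task Manager lockout that fixtm.reg removes
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($tm -and $tm.DisableTaskMgr -ne 0) { $findings += "DisableTaskMgr=$($tm.DisableTaskMgr) in $polKey" }

# .exe association that FixExe.reg restores; the expected value is "%1" %*
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey).'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command is [$exeCmd], expected [""%1"" %*]" }

# AutoRun policy that the batch file sets (0xFF = AutoRun disabled on every drive type)
$expKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$nda = (Get-ItemProperty -Path $expKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($nda -ne 0xFF) { $findings += "NoDriveTypeAutoRun is [$nda], expected 0xFF" }

# Root of each removable (DriveType 2) or fixed (DriveType 3) drive: an autorun.inf FILE is
# the warning sign from the post, the AUTORUN.INF placeholder FOLDER is what the batch file creates
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 } | ForEach-Object {
    $ar = Join-Path $_.DeviceID 'AUTORUN.INF'
    if (Test-Path -LiteralPath $ar -PathType Leaf) {
        $findings += "autorun.inf FILE in root of $($_.DeviceID) - inspect it before deleting"
    } elseif (-not (Test-Path -LiteralPath $ar -PathType Container)) {
        $findings += "no AUTORUN.INF placeholder folder on $($_.DeviceID)"
    }
}

if ($findings.Count -eq 0) { 'Clean: none of the listed indicators found.' } else { $findings }
```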

About the Author

Rob McVey

I am a software developer/IT professional helping businesses save money through informed purchase consulting; website development and marketing; and process automation.