Malware Appears on New York Times Homepage

I have already seen this trojan three times in the past week; it is called “Windows Police Pro”. To remove it, perform the following steps (approx. 20 minutes):

  1. Turn off System Restore
  2. Press Ctrl+Alt+Delete and end the task Windows Police Pro.exe, and also svchast.exe or svchasts.exe if they are running
  3. If you can’t open Task Manager, run FixExe.reg
  4. Navigate to the Windows Police Pro folder within Program Files and delete the entire folder
  5. Download Malwarebytes here, then install it, update it and run a quick scan
  6. Remove everything it finds when the scan is finished
  7. Check for C:\WINDOWS\system32\dddesot.dll and/or C:\WINDOWS\svchasts.exe and delete them if they are there
  8. Reboot the computer
  9. Turn System Restore back on
It is really important that you get rid of this trojan as quickly as possible, because a more insidious (and much more difficult to remove) virus I have been seeing a lot of lately uses this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of a Matryoshka doll than a trojan horse, in that the visible trojan masks the real virus inside it. After you have removed it, make sure that there is no autorun.inf in the root of C: (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).
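As an added check (not part of this post or of the Trend Micro script), the batch file below looks for the indicators the steps above name: the processes from step 2, the program folder from step 4, the two files from step 7, an autorun.inf in the root of the system drive, the .exe open command that FixExe.reg restores, and the NoDriveTypeAutoRun value the Trend Micro script sets. It assumes Windows XP or later with tasklist.exe and reg.exe available, and uses %SystemRoot%, %SystemDrive% and %ProgramFiles% in place of the hard-coded C:\WINDOWS paths.

```batch
@echo off
:: Post-cleanup check for the "Windows Police Pro" indicators named in the post.
:: Added example; not part of the post or of the Trend Micro script.
:: Assumes Windows XP or later with tasklist.exe and reg.exe on the PATH.
setlocal
set FOUND=0

:: 1. Processes the post says to end in Task Manager (step 2)
for %%p in ("Windows Police Pro.exe" svchast.exe svchasts.exe) do (
    tasklist /fi "imagename eq %%~p" 2>nul | find /i "%%~p" >nul
    if not errorlevel 1 (
        echo [!] process still running: %%~p
        set FOUND=1
    )
)

:: 2. Leftover program folder (step 4), the files from step 7, and autorun.inf in the drive root
if exist "%ProgramFiles%\Windows Police Pro\" (
    echo [!] folder still present: "%ProgramFiles%\Windows Police Pro"
    set FOUND=1
)
for %%f in ("%SystemRoot%\system32\dddesot.dll" "%SystemRoot%\svchasts.exe" "%SystemDrive%\autorun.inf") do (
    if exist "%%~f" (
        echo [!] file present: %%~f
        set FOUND=1
    )
)

:: 3. The .exe open command that FixExe.reg restores; compare by eye with the expected value
echo [i] current .exe open command, expected value: "%%1" %%*
reg query HKCR\exefile\shell\open\command /ve 2>nul | find "REG_SZ"

:: 4. AutoRun policy written by the Trend Micro script (0xff = disabled for all drive types)
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun 2>nul | find /i "0xff" >nul
if errorlevel 1 (
    echo [!] NoDriveTypeAutoRun is not 0xff, AutoRun is still enabled for some drive types
    set FOUND=1
)

if %FOUND%==1 (
    echo Indicators found: repeat the removal steps and the Malwarebytes scan.
) else (
    echo No Windows Police Pro indicators found.
)
endlocal
```

Run it from an elevated command prompt after step 9; a clean machine prints only the informational .exe association line and the final "No ... indicators found" message.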


P.S. Did you know that if a virus is blocking you from running programs (regedit, Task Manager, Add/Remove Programs, etc.), you can typically still run them through

Start > Run > > OK

Type regedit to open… well, you know; appwiz.cpl opens Add/Remove Programs, etc. I found this out recently and it has been extremely helpful.
FixExe.reg (restores the default open command for .exe files so that programs can run again; the version header is required for regedit to import it)

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Batch file

@echo off
:: Disable AutoRun for every drive type (0xff) so an autorun.inf cannot launch anything
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

:: Collect the \DosDevices\X entries (one per drive letter) from MountedDevices
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
    echo %%j >> drives
)

:: REMOVE_\DosDevices\_PREFIX, leaving only the drive letter
for /f "tokens=3 delims=\" %%j in (drives) do (
    echo %%j >> drives.txt
)
del /q /f drives > nul

:: Turn each letter into X:
for /f "tokens=1 delims= " %%j in (drives.txt) do (
    echo %%j: >> drives
)
del /q /f drives.txt > nul

:: Keep only fixed and removable drives (CD-ROM, network and RAM drives are skipped)
for /f %%j in (drives) do (
    fsutil fsinfo drivetype %%j | findstr /c:"Fixed Drive" >> fdtype
    fsutil fsinfo drivetype %%j | findstr /c:"Removable Drive" >> frtype
)
del /q /f drives > nul

:: fsutil prints "X: - Fixed Drive"; keep only the first token (X:)
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
    echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul

for /f "tokens=1 delims= " %%j in (dtype) do (
    echo %%j >> drives
)
del /q /f dtype > nul

:: Sort the list and drop the floppy drive (A:) if present, so attrib does not prompt for a disk;
:: findstr /v keeps every line that does not start with A:
sort drives > sort
findstr /v /b /c:"A:" sort > sorted
del /q /f drives > nul
del /q /f sort > nul

:: Mark AUTORUN.INF (file or folder, including subfolders) system, hidden and read-only on each drive
for /f %%j in (sorted) do (
    attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul

echo Press any key to close this window..
pause > nul

About the Author

Rob McVey

I am a software developer/IT professional helping businesses save money through informed purchase consulting; website development and marketing; and process automation.