Malware Appears on New York Times Homepage
I have already seen this trojan three times in the past week, it is called “Windows Police Pro”. To remove it perform the following actions (appx. 20 minutes):
- Turn off System Restore
- Ctrl Alt Delete – end task Windows Police Pro.exe, also svchast.exe or svchasts.exe if they are running
- Navigate to the Windows Police Pro folder within Program Files and delete the entire folder
- Download Malware Bytes here (Download.com link), install, update and run a quick scan
- Remove all found viruses when it is finished
- Check for the presence of C:\WINDOWS\system32\dddesot.dll and/or C:\WINDOWS\svchasts.exe, delete if they are there
- Reboot computer
- Turn on System Restore
  o If you can’t open task manager, run FixExe.reg
It is really important that you get rid of this trojan as quickly as possible because a more insidious (and much more difficult to remove) virus I have been seeing a lot of is using this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of a Matryoshka doll than a trojan horse, in that the visible trojan is masking the real virus. After you have removed the virus, make sure that there is no autorun.inf in root C (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).
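The steps above amount to a checklist of indicators: the program folder, two dropped files, a Task Manager lockout policy, a hijacked .exe association and an autorun.inf in the root of a drive. The following batch file is an added example, not part of this post and not the Trend Micro script attached below; it reports each indicator without deleting anything, so it can be used to confirm a cleanup or to triage a second machine. It assumes the program folder is "%ProgramFiles%\Windows Police Pro" (the post names the folder only in prose), takes the file paths from the list above, and, like the Trend Micro script, uses fsutil to find fixed drives, so run it from an administrator command prompt.

```batch
@echo off
setlocal enabledelayedexpansion
:: Added audit script (not from the original post or the Trend Micro batch file).
:: Reports the indicators listed in the post; deletes nothing.
:: Assumption: program folder name "Windows Police Pro" under %ProgramFiles%.
set FOUND=0

:: 1. Program folder and the two dropped files named in the removal steps
call :checkpath "%ProgramFiles%\Windows Police Pro"
call :checkpath "%SystemRoot%\system32\dddesot.dll"
call :checkpath "%SystemRoot%\svchasts.exe"

:: 2. Task Manager lockout: the policy value the first .reg file deletes
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr >nul 2>&1
if not errorlevel 1 (
    echo WARNING: DisableTaskMgr policy value is set - Task Manager is blocked
    set FOUND=1
)

:: 3. .exe association: the default value must be exactly "%1" %* (what FixExe.reg restores)
set "EXPECT="%%1" %%*"
set "LINE="
for /f "tokens=*" %%a in ('reg query "HKCR\exefile\shell\open\command" /ve 2^>nul ^| findstr /c:"REG_SZ"') do set "LINE=%%a"
if defined LINE (
    rem keep only the data after the REG_SZ type column, then strip leading whitespace
    set "EXECMD=!LINE:*REG_SZ=!"
    for /f "tokens=*" %%x in ("!EXECMD!") do set "EXECMD=%%x"
    if not "!EXECMD!"=="!EXPECT!" (
        echo WARNING: exefile open command is !EXECMD! ^(expected !EXPECT!^)
        set FOUND=1
    )
)

:: 4. autorun.inf in the root of every fixed drive (A: is skipped to avoid the floppy prompt)
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    fsutil fsinfo drivetype %%d: 2>nul | findstr /c:"Fixed Drive" >nul
    if not errorlevel 1 if exist "%%d:\autorun.inf" (
        echo WARNING: %%d:\autorun.inf is present
        set FOUND=1
    )
)

if "%FOUND%"=="0" echo No indicators found.
echo Press any key to close this window..
pause >nul
endlocal
goto :eof

:checkpath
rem %~1 is a file or folder path; "if exist" is true for either
if exist "%~1" (
    echo WARNING: %~1 is present
    set FOUND=1
)
goto :eof
```

The .exe association check compares through delayed expansion (!EXECMD! and !EXPECT!) because the expected value itself contains quotes and percent signs, which would otherwise break the if statement; the `[!]`-style prefixes common in such scripts are avoided for the same reason, since an exclamation mark is the delayed-expansion marker.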
Questions?
P.S. Did you know that if a virus is blocking you from running programs (regedit, task manager, add/remove programs, etc.) you can typically run them through command.com?
Start > Run > command.com > OK
Type regedit to open… well, you know. appwiz.cpl to open add/remove programs, etc. I found this out recently and it has been extremely helpful.
Registry file (re-enable Task Manager by deleting the DisableTaskMgr policy value)
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Registry file (restore the .exe file association)
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
Batch file
@echo off
:: SET_NO_DRIVE_OTORUN
:: Disable AutoRun for every drive type (0xFF) so an autorun.inf is never honoured
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f
:: GET_DRIVES
:: Collect the \DosDevices\X: entries from the mounted-devices list, dropping the colon
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
echo %%j >> drives
)
:: REMOVE_\DosDevices\_PREFIX
:: Keep only the drive letter (third backslash-separated token, after the leading spaces)
for /f "tokens=3 delims=\" %%j in (drives) do (
echo %%j >> drives.txt
)
del /q /f drives > nul
:: REMOVE_SPACE
:: Strip trailing whitespace and append the colon again, giving X:
for /f "tokens=1 delims= " %%j in (drives.txt) do (
echo %%j: >> drives
)
del /q /f drives.txt > nul
:: CHECK_DRIVE_TYPE
:: Separate fixed and removable drives; other types (CD-ROM, network) are ignored
for /f %%j in (drives) do (
fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype
fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype
)
del /q /f drives > nul
:: GET_FDRIVES
:: Take the drive letter (first token) from both lists
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul
:: REMOVE_SPACE1
for /f "tokens=1 delims= " %%j in (dtype) do (
echo %%j >> drives
)
del /q /f dtype > nul
:: DEL_DRIVE_A_FROM_LIST
:: If the floppy drive A: is in the sorted list it sorts first, so skip the first line;
:: otherwise keep every line (the original "if errorlevel 0" was always true and would
:: have dropped the first real drive when no A: existed)
sort drives >> sort
type sort | findstr "A" > nul
if not errorlevel 1 (
for /f "tokens=1 skip=1" %%j in (sort) do echo %%j >> sorted
) else (
for /f "tokens=1" %%j in (sort) do echo %%j >> sorted
)
del /q /f drives > nul
del /q /f sort > nul
:: CREATE_OTORUN_FOLDER
:: Create a hidden, read-only system folder named AUTORUN.INF in each drive root so
:: malware cannot create a file of that name there
for /f %%j in (sorted) do (
md %%j\AUTORUN.INF
attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul
echo Press any key to close this window..
pause > nul

