Malware Appears on New York Times Homepage

http://mediamemo.allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/

I have already seen this trojan three times in the past week; it is called “Windows Police Pro”. To remove it, perform the following actions (approx. 20 minutes):

  1. Turn off System Restore
  2. Ctrl Alt Delete – end task Windows Police Pro.exe, and also svchast.exe or svchasts.exe if they are running
  3. If you can’t open Task Manager, run FixExe.reg
  4. Navigate to the Windows Police Pro folder within Program Files and delete the entire folder
  5. Download Malwarebytes (Download.com link), install, update and run a quick scan
  6. Remove all found viruses when it is finished
  7. Check for the presence of C:\WINDOWS\system32\dddesot.dll and/or C:\WINDOWS\svchasts.exe, delete if they are there
  8. Reboot computer
  9. Turn on System Restore

It is really important that you get rid of this trojan as quickly as possible, because a more insidious (and much more difficult to remove) virus I have been seeing a lot of is using this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of a Matryoshka doll than a trojan horse, in that the visible trojan is masking the real virus. After you have removed the virus, make sure that there is no autorun.inf in the root of C: (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).

Questions?

P.S. Did you know that if a virus is blocking you from running programs (regedit, task manager, add/remove programs, etc.) you can typically run them through command.com?

Start > Run > command.com > OK
Type regedit to open… well, you know. appwiz.cpl to open add/remove programs, etc. I found this out recently and it has been extremely helpful.
fixtm.reg (removes the policy value that hides Task Manager)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

FixExe.reg (restores the default .exe open command; the value must be on its own line under the key)

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Batch file

@echo off
:: Disable AutoRun for every drive type (0xFF) through the Explorer policy key.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f

:: Collect drive letters from the \DosDevices\ entries under MountedDevices.
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
echo %%j >> drives
)

:: Strip the \DosDevices\ prefix, leaving only the drive letter.
for /f "tokens=3 delims=\" %%j in (drives) do (
echo %%j >> drives.txt
)
del /q /f drives > nul

:: Remove the trailing space left by echo and append a colon (C becomes C:).
for /f "tokens=1 delims= " %%j in (drives.txt) do (
echo %%j: >> drives
)
del /q /f drives.txt > nul

:: Keep fixed and removable drives only (fsutil prints e.g. "C: - Fixed Drive").
for /f %%j in (drives) do (
fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype
fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype
)
del /q /f drives > nul

:: Merge both lists, keeping just the drive letter token.
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul

:: Remove the trailing space again.
for /f "tokens=1 delims= " %%j in (dtype) do (
echo %%j >> drives
)
del /q /f dtype > nul

:: Drop the floppy drive A: from the sorted list when it is present.
:: (The original used "if errorlevel 0", which is always true, so the first
:: real drive was skipped on machines with no A: drive.)
sort drives >> sort
type sort | findstr /b /c:"A:" > nul
if not errorlevel 1 (
for /f "tokens=1 skip=1" %%j in (sort) do echo %%j >> sorted
) else (
for /f "tokens=1" %%j in (sort) do echo %%j >> sorted
)
del /q /f drives > nul
del /q /f sort > nul

:: Create a system, hidden, read-only AUTORUN.INF folder in each drive root so
:: a worm cannot drop an autorun.inf file of that name there.
for /f %%j in (sorted) do (
md %%j\AUTORUN.INF
attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul

echo Press any key to close this window..
pause > nul
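As an added defender-side check (written for this page, not part of the original post or the Trend Micro script; assumes PowerShell 3.0 or later, run as Administrator), the script below only reads state: it reports whether the NoDriveTypeAutoRun policy is set to 0xFF, whether each fixed or removable drive carries the system/hidden/read-only AUTORUN.INF placeholder folder, and flags a real autorun.inf file in a drive root, which is the check mentioned above.

```powershell
# Added audit script; not from the original post or the Trend Micro batch file.
# It reads and reports only, so it is safe to run before and after the batch file.

# NoDriveTypeAutoRun is a bitmask: 0x04 removable, 0x08 fixed, 0x10 network,
# 0x20 CD-ROM, 0x40 RAM disk, 0x01/0x80 unknown types. 0xFF disables AutoRun everywhere.
function Test-AutoRunPolicy {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            "${key}: NoDriveTypeAutoRun not set (Windows default applies)"
        } elseif (($prop.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF) {
            "${key}: 0x{0:X2} - AutoRun disabled for all drive types" -f $prop.NoDriveTypeAutoRun
        } else {
            "${key}: 0x{0:X2} - AutoRun still allowed for some drive types" -f $prop.NoDriveTypeAutoRun
        }
    }
}

# Checks every fixed (DriveType 3) or removable (DriveType 2) drive except A:,
# the same set the batch file targets, for the placeholder folder and its attributes.
function Test-AutoRunFolders {
    $wanted = [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
    $disks = Get-CimInstance Win32_LogicalDisk |
        Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 3) -and $_.DeviceID -ne 'A:' }
    foreach ($disk in $disks) {
        $path = "$($disk.DeviceID)\AUTORUN.INF"
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            "$path missing: no placeholder folder"
        } elseif (-not $item.PSIsContainer) {
            # A real autorun.inf file in a drive root is exactly what the post says to look for.
            "$path is a FILE ($($item.Length) bytes): inspect it before removing"
        } elseif (($item.Attributes -band $wanted) -eq $wanted) {
            "$path ok: folder with System, Hidden and ReadOnly set"
        } else {
            "$path folder present but attributes are only: $($item.Attributes)"
        }
    }
}

Test-AutoRunPolicy
Test-AutoRunFolders
```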


About the Author

Rob McVey

I am a software developer/IT professional helping businesses save money through informed purchase consulting; website development and marketing; and process automation.
