Malware Appears on New York Times Homepage

I have already seen this trojan three times in the past week; it is called “Windows Police Pro”. To remove it, perform the following actions (approx. 20 minutes):

* Turn off System Restore
* Ctrl Alt Delete – end task Windows Police Pro.exe, also svchast.exe or svchasts.exe if they are running
  * If you can’t open Task Manager, run FixExe.reg
* Navigate to the Windows Police Pro folder within Program Files and delete the entire folder
* Download Malware Bytes here <http://dw.com.com/redir?edId=3&siteId=4&oId=3001-8022_4-10804572&ontId=8022_4&spi=3426e77389633e655850b415cc3640d6&lop=txt&pid=11102549&mfgId=6290020&merId=6290020&pguid=qf7KTAoPjF0AAEIGeqEAAAEr&destUrl=http%3a%2f%2fsoftware-files.download.com%2fsd%2fda0BZEbQkGOVDsTmrswO8tb-0gEwKNG-rq3Fk9783HJsdPVgE9pMw_9oifebezAdxZfBihT197GCE-0KGRJcM7QZyYHRWyCi%2fsoftware%2f11102549%2f10804572%2f3%2fmbam-setup.exe%3flop%3dlink%26ptype%3d1901%26ontid%3d8022%26siteId%3d4%26edId%3d3%26spi%3d3426e77389633e655850b415cc3640d6%26pid%3d11102549%26psid%3d10804572>, install, update and run a quick scan
* Remove all found viruses when it is finished
* Check for the presence of C:\WINDOWS\system32\dddesot.dll and/or C:\WINDOWS\svchasts.exe; delete them if they are there
* Reboot the computer
* Turn on System Restore

It is really important that you get rid of this trojan as quickly as possible, because a more insidious (and much more difficult to remove) virus I have been seeing a lot of is using this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of a Matryoshka doll than a trojan horse, in that the visible trojan is masking the real virus. After you have removed the virus, make sure that there is no autorun.inf in the root of C: (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).

Questions?

P.S. Did you know that if a virus is blocking you from running programs (regedit, task manager, add/remove programs, etc.) you can typically run them through command.com?

Start > Run > command.com > OK
Type regedit to open… well, you know; appwiz.cpl opens Add/Remove Programs, etc. I found this out recently and it has been extremely helpful.
fixtm.reg

```reg
REGEDIT4

; Removes the policy value that the scareware uses to block Task Manager
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
```

FixExe.reg

```reg
REGEDIT4

; Restores the default "open" command for .exe files
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
```

Batch file

```bat
@echo off

:: SET_NO_DRIVE_OTORUN - disable AutoRun for every drive type (0xFF)
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f

:: GET_DRIVES - collect \DosDevices\X entries from the mounted devices key
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
    echo %%j >> drives
)

:: REMOVE_\DosDevices\_PREFIX - keep only the drive letter
for /f "tokens=3 delims=\" %%j in (drives) do (
    echo %%j >> drives.txt
)
del /q /f drives > nul

:: REMOVE_SPACE - strip the trailing space and append the colon
for /f "tokens=1 delims= " %%j in (drives.txt) do (
    echo %%j: >> drives
)
del /q /f drives.txt > nul

:: CHECK_DRIVE_TYPE - keep fixed and removable drives only
for /f %%j in (drives) do (
    fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype
    fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype
)
del /q /f drives > nul

:: GET_FDRIVES - take the drive letter from each fsutil output line
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
    echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul

:: REMOVE_SPACE1
for /f "tokens=1 delims= " %%j in (dtype) do (
    echo %%j >> drives
)
del /q /f dtype > nul

:: DEL_DRIVE_A_FROM_LIST - drop the first (alphabetically lowest) drive, assumed to be A:
:: Note: "if errorlevel 0" is always true in cmd, so the first sorted drive is
:: skipped whether or not an A: drive actually exists.
sort drives >> sort
type sort | findstr "A" > nul
if errorlevel 0 for /f "tokens=1 skip=1" %%j in (sort) do (
    echo %%j >> sorted
)
del /q /f drives > nul
del /q /f sort > nul

:: CREATE_OTORUN_FOLDER - a system/hidden/read-only AUTORUN.INF folder
:: prevents malware from dropping an autorun.inf file of the same name
for /f %%j in (sorted) do (
    md %%j\AUTORUN.INF
    attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul

echo Press any key to close this window..
pause > nul
```
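As an added example (my own, not part of the original post or the Trend Micro script), here is a read-only PowerShell audit that checks a machine for the indicators the removal steps and the two .reg files deal with: the dropped files, the running processes, the DisableTaskMgr policy, the .exe association, autorun.inf at drive roots and the NoDriveTypeAutoRun policy. It assumes Windows PowerShell in an elevated prompt and changes nothing; it only reports.

```powershell
# Constructed audit script: reports indicators from the post, modifies nothing.
$findings = @()

# 1. Dropped files named in the removal steps
foreach ($f in 'C:\WINDOWS\system32\dddesot.dll', 'C:\WINDOWS\svchasts.exe') {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Processes the steps say to end (ProcessName has no .exe suffix)
$names = 'Windows Police Pro', 'svchast', 'svchasts'
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($names -contains $p.ProcessName) {
        $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
    }
}

# 3. Task Manager disabled via the policy value that fixtm.reg deletes
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($tm -eq 1) { $findings += "DisableTaskMgr=1 under $pol (fixtm.reg removes it)" }

# 4. .exe association hijacked; FixExe.reg restores the default "%1" %*
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') { $findings += "exefile open command is: $cmd" }

# 5. An autorun.inf *file* at the root of any drive (a folder of that name is
#    the mitigation the batch script creates, so only files are reported)
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $ar = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $ar -PathType Leaf) { $findings += "autorun.inf file at $ar" }
}

# 6. AutoRun policy the batch script sets (0xFF disables it for all drive types)
$exp = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = (Get-ItemProperty -Path $exp -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndta -ne 0xFF) { $findings += "NoDriveTypeAutoRun is '$ndta'; the batch script sets 0xFF" }

if ($findings.Count -eq 0) { 'No indicators from the post found.' } else { $findings }
```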

About the Author

I am a software developer/IT professional helping businesses save money through informed purchase consulting; website development and marketing; and process automation.