The Emsi Software malware research team has discoverd a new outbreak for the Adware.Win32.WindowsPolicePro.

WindowsPolicePro is a rogue security program that:

• Show False warning messages.
• Show Misleading scan results.
• Show fake Windows Security Center.
• Show fake error svchost.exe.
• And it’s Browser Helper Objects

The main installer of this malware seem like packed with EXECryptor, and it extract several files to:

• %ProgramFiles%\Windows Police Pro\msvcm80.dll
• %ProgramFiles%\Windows Police Pro\msvcp80.dll
• %ProgramFiles%\Windows Police Pro\msvcr80.dll
• %ProgramFiles%\Windows Police Pro\windows Police Pro.exe
• %ProgramFiles%\Windows Police Pro\tmp\dbsinit.exe
• %ProgramFiles%\Windows Police Pro\tmp\wispex.html
• %ProgramFiles%\Windows Police Pro\tmp\images\i1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\i2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\i3.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\j1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\j2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\j3.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\jj1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\jj2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\jj3.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\l1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\l2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\l3.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\pix.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\t1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\t2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\up1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\up2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\w1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\w11.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\w2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\w3.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\w3.jpg
• %ProgramFiles%\Windows Police Pro\tmp\images\wt1.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\wt2.gif
• %ProgramFiles%\Windows Police Pro\tmp\images\wt3.gif
• %SystemRoot%\ppp3.dat
• %SystemRoot%\ppp4.dat
• %SystemRoot%\svchasts.exe
• %SystemRoot%\system32\bennuar.old
• %SystemRoot%\system32\dddesot.dll
• %SystemRoot%\system32\desote.exe
• %SystemRoot%\system32\sysnet.dat
• %UserProfile%\Desktop\PC_protect.exe
• %UserProfile%\Desktop\Windows Police Pro.lnk
• %UserProfile%\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk

And create new registry entries:

• HKEY_CURRENT_USER\software\Windows Police Pro
• HKEY_CURRENT_USER\software\Windows Police Pro\windows Police Pro
• HKEY_CURRENT_USER\software\Windows Police Pro\windows Police Pro\Registration
• HKEY_CURRENT_USER\software\Windows Police Pro\windows Police Pro\setdata
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPro2009_100
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}

This malware also try to connect to core2634.newdomainagain.com.

How to remove the infection of Adware.Win32.WindowsPolicePro?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine

Tags: Rogue, Windows Police Pro

This entry was posted on Tuesday, September 15th, 2009 at 11:38 and is filed under Malware Alerts, Removal Help. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.