Spyware.Apropos.C....The NEW bugger on the Block!

Discussion in 'malware problems & news' started by mrs.biggo, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    :eek: Has anyone found any information on removal of this bugger that is worth trying? I am running NIS 2006, Ad-AwareSE, Spyblaster, TMAS as well as using CWShredder and NOTHING is gobbling up this thing! NIS keeps flashing a Security Risk Alert at me...I then scan it...it finds NOTHING...so now I just ignore it every 30 minutes. Needless to say this is getting very obnoxious! Then I run a daily complete scan at 1:00am..and again it finds NOTHING! Does anyone have any suggestions? :doubt:

    When I run the Security Risk Scan, it runs under these:

    C:\WINDOWS\SYSTEM32\RMOUSERV.EXE (5 files)
    C:\PROGRAM FILES\UNIGSPOT\WINGENERICS.DLL (5 files)
    C:\PROGRAM FILES\UNIGSPOT\WinGenerics.dll (5 files)

    I have also tried to locate and remove them manually, but of course I am unable to locate them! GRRRRR !!!
    Symantec Security Response tells me to run a full system scan in safe mode. Evidently, NIS 2006 is incapable of running in Safe Mode. I darn near crashed my machine. Any suggestions would be most appreciated.
     
    Last edited: Nov 4, 2005
  2. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Perhaps you could dwl a free AV such as Avast and try that in safe mode. That might help.
     
  3. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    :cool: Thanks beetlejuice...I'll try anything! But I've always thought that Ad-Aware was the best. Avast won't interfere with anything else I'm running, will it?
     
  4. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    No it shouldn`t. Just make sure that the AV of NIS is not running when you use Avast.
     
  5. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    ;) Thanks BJ ! I'll let you know how it goes.
     
  6. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    OK great. There`s a few more tricks that might work if that doesn`t. Oops, I think I forgot to mention to do a scan in safe mode too. :oops:
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    wilders no loger does hijackthis logs, but i can still give you instructions on how to remove this infection

    a spyware expert, Swandog46, has developed a removal tool for it

    use it like this:

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode
     
  8. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    Originally Posted by beetlejuice69
    Perhaps you could dwl a free AV such as Avast and try that in safe mode. That might help.

    Thanks bj..I wasn't sure which site is best to download it from (I googled it)..if you could help I'd appreciate it! :p

    mrs.b
     
  9. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30

    Thanks a bunch illukka ! I followed your instructions, and apparently I have another problem. At the command prompt, it says to hit any key...I did and my cursor froze! I waited for almost 10 minutes to see cuz swandog69 says it may take a while to finish, but it never started. Looks like I need to get into a Performance and Maintenance site first to fix this one now!

    Thanks again!:doubt:
     
  10. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    illukka....should I remove the Fix from my machine until I find a solution to my new problem...or can I leave it as is?

    thanks again
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    it is not dangerous, but if it failed you can delete it

    meanwhile i'd like to see your hijackthis log

    post it on some of these hijack-forums that i frequent:
    http://forums.tomcoyote.org/index.php
    http://spywarewarrior.com/index.php
    http://forums.subratam.org/index.php?act=idx
    http://www.5starsupport.com/ipboard/index.php

    follow the instructions here:
    http://www.tomcoyote.org/hjt/

    then post the log to one of the forums i listed, once posted you may PM me the link to it so i can take a look
    make your hjt threads title something like "hjt log requested by illukka"
    include in your message a link to this thread too
     
  12. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    Thanks illukka! I'll PM you within the next 24hrs!
     
  13. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Hi again mrs.b, If you`re still interested you can get Avast here...http://www.avast.com/eng/programs.html
     
  14. mrs.biggo

    mrs.biggo Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    30
    :D Thanks BJ ! Always interested in ANYTHING that will help. I'll keep you posted! Between you and illukka, a solution can't be too far away!
     
  15. Windows XP is definitely affected by this spyware. It uses random names for the executable files, as well as in the registry, so it is impossible to tell you exactly which files need to be deleted. The key to getting rid of this very nasty spyware is to find ALL hidden files and delete them. This is much easier said than done. However, a methodical approach and perseverance will win the day.

    Symantec has a description of the spyware and instructions for manual removal at: http://securityresponse.symantec.com/avcentre/venc/data/spyware.apropos.c.html However, this isn’t all there is to the story and the following is my experience with all the other things that Symantec doesn’t mention.

    1. Find all hidden file names:
    a. Defrag the hard drive – When finished check the report. There will be a list of files “that cannot be defragmented”. This list should be carefully noted as it lists the hidden folder/file names & their locations that you will need to delete.
    b. Go online and purchase a copy of PC Tools Registry Mechanic, or something similar. You can download this particular software and pay for it online. That way you can get it immediately. Run the program. After it has scanned your hard drive open the “scan” report. This will list all executables that should be running on your computer.
    c. Go to http://www.f-secure.com/blacklight/rootkit.shtml and download this free software. Run it. It will list the names of all hidden executables.
    d. Compare lists from b & c and note the names of all executables that are on list c, but not on list b. These are the file names that you will need to find and delete.
    e. Other hidden files that MUST be deleted are: ace.dll & WinGenerics.dll

    2. Re-boot your computer in SafeMode, so you can find and delete the folders, files and executables that you have identified.
    a. Search your c:\ drive for all the files names you have identified. Note their locations, find them and delete them. Remove the entire directory and/or folder where the file is hidden.

    Note: if you remove a folder that is NOT spyware, you WILL remove the program files and make that program non-useable. This is not my responsibility, so go easy. If this does happen Windows XP may not run properly and you may have to reinstall Windows. This did happen to me as I got a bit exuberant in my file removal, but running the Windows XP install CD corrected all problems and I did not lose my settings or internet configurations. I also had to reinstall my Norton antivirus as some files were deleted by accident, as well.

    3. Click Start> Run. Type regedit Click o.k. This will take you into your registry.

    a. Go to HKEY_LOCAL_MACHINE\SOFTWARE\
    b. Search ‘contextplus.net’
    c. In the right pane, delete the following values if present
    i. AutoUpdater =”…”
    ii. ClientName=”…”
    iii. Device= “…”
    iv. DrivePath= Note the ‘.sys’ file that is named & also delete it from the c:\ drive
    v. HDll=Note the ‘.dll’ file that is named & also delete it from the c:\ drive
    vi. Installation ID=”…”
    vii. Legal Note= ‘http://adchannel.contextplus.net’ This is the web address that your information is being sent to.
    viii. PageFiltering=”…”
    ix. PartnerID=”…”
    x. ServerAddress= “adchannel.contextplus.net”
    xi. Version=”2.0.106”
    d. Do another Full Search of the registry for ‘contextplus.net’ and delete any other places that come up. The Symantec instructions do not tell you to do this, but I found a few more items to delete when I did this extra search.

    4. Exit the registry and finish deleting any noted file names from the c:\ drive that you found in the registry.
    5. Reboot your computer in Normal Mode.
    6. Remove any files in : c:\windows\temp and \temporary internet files; also, c:\Documents and Settings\Username\Local Settings\Temp (do this for all user accounts)
    7. Run Registry Mechanic Again and fix all errors
    8. Run Blacklight again to make sure there are no more hidden files.

    This should correct the problem. It took me many days to finally clear this Spyware from my system. I now run Norton Internet Security and Microsoft AntiSpyware to try and avoid future problem. I also scan my Registry with the Registry Mechanic on every re-boot. I never want this to happen again.
     
  16. Zartab

    Zartab Guest

    Try following these steps . It resolved most of the times. All the best !

    This can be caused by the Apropos.C malware.

    Step 1:

    There may be a conflict with a program called Context Plus.
    Go to Add/Remove programs and remove it.
    Restart the computer and test.

    Step 2:

    Download one (or both) of the files to remove Apropos to your Desktop.
    <http://www.reesecomputing.com/downloads/files/AproposFix.exe>
    <http://www.reesecomputing.com/downloads/files/AproposUninstaller.exe>
     
  17. newfie

    newfie Registered Member

    Joined:
    Nov 30, 2005
    Posts:
    1
    I vouch what illukka posted here about getting rid of apropos.c spyware because I did what this post instructed me to do. As a result, it worked GREAT!
     
  18. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    these instructions point to an unauthorised download site (of aproposfix)
    i have informed the author of aproposfix of its existence


    aproposfix is a very difficult infection. it would always be best to post your hijackthis log into one of the HJT forums to clean it up.
    there is always the possibility that something goes wrong. and aproposfix cannot be held responsible for it

    use at your ownn risk if you do it without supervision

    edited: the unauthorised download mirror has been removed by request of aproposfixes author.
    the other apropos related file seems to be symantec's apropos uninstaller
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.html
     
    Last edited: Nov 30, 2005
  19. TXFalcon

    TXFalcon Guest

    look for a file in Windows\system32\drivers called lvskssrv.sys and get rid of it in safe mode!!!!!!
     
  20. zizi

    zizi Guest

    I am new to the blog and was searching for something to remove apropos.C and I found your site. I have to say that I also tried this method and it worked very well. Thank you so much. I actually did the Symantec and after using the tool I still had problems. After using your wonderful tool my computer is running much better and no more problems yet.

    After I ran the program it said to post two txt files. Should I post them on some website and can someone recommend one?

    Thank you for your time
    Azizi
     
  21. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    recommended sites for malware cleaning help:
    http://asap.maddoktor2.com/
     
  22. shades2

    shades2 Guest

    F-Secure Blacklight Beta should get rid of this. It is a free download.

    Follow the instructions here for removal.

    http://www.f-secure.com/sw-desc/apropos.shtml

    It renames the files once you boot into safe mode.

    It's worked for me. This is a most dangerous piece of spyware.

    The hidden directories and files then show up once it's no longer able to stealth itself via the kernel. They make for some interesting reading with a hex-editor and lead us that much closer to the people writing this software...
     
  23. controler

    controler Guest

    Last edited by a moderator: Dec 15, 2005
  24. Mr Revenge

    Mr Revenge Guest

  25. Mr. Revenge

    Mr. Revenge Guest

Loading...
Thread Status:
Not open for further replies.