Appropos media stubborn

  • Thread starter: Snowball

Snowball

I ran the MS Antispyware. It detected and offered to
remove it. However, it keeps coming back, e.g.
HKEY_LOCAL_MACHINE/SOFTWARE/Apprps

I tried to delete this with regedit and keep hitting
refresh and it comes back right away. So clearly it is
not removed.

How do I find out which is the program name to delete
from the filesystem/registry? Thx


-- snowball
 
Try the following tool from Symantec:
http://securityresponse.symantec.com/avcenter/FixAprop.exe

If you have either Norton or McAfee installed (AV), they
can detect and remove this as well. Spybot
(http://www.download.com/3001-8022_4-10401314.html?idl=n)
and Ad-Aware
(http://www.download.com/3000-2144-10045910.html)
can also detect and remove Apropos, and I think that ewido
(http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html)
can also detect and remove Apropos. Make certain to download
all the updates for the apps and boot into Safe Mode (press F8
before initial Windows screen during boot/reboot, press F8 again
to get to advanced option menu, and select the Safe Mode
option that only states Safe Mode). Now run a full
system scan with each app, making certain to remove what
it finds before running a scan with the other apps. When
installing ewido remove the check mark next to ewido
guard and the auto-update feature. Updates for ewido are
provided daily, so update often.

The problem when trying to remove this malware is that it
uses registered .dll files that must first be
deregistered before you can remove it, otherwise the
removal WILL fail. This is why many apps fail to remove
these types of infections.

One more thing. If you are running XP, delete the entire
contents of c:\windows\prefetch just to be safe. You
might have to do this in Safe Mode.

Alan
 
Thx Alan.

I ran the tool in Safe Mode. When I restarted I don't find
the symptoms of an Ad popping up when I close IE.

However, I see that HKLM/software/apprps still exists in
the registry. When I remove it and hit refresh after a
few seconds it comes back.

I don't know if this means the spyware is still on the
machine but its functionality is disabled? Who puts this
key back? Is it MS AntiSpyware trying to stomp over this
key to confuse or disable the spyware?

Any details on exactly what are the files that this
spyware installs and how they work (e.g. service, startup
command, etc.) would help me to manually verify that this
has been indeed successfully removed.

Thx

-- snow
 