funsec mailing list archives

Re: Adware with a rootkit - contextplus.net


From: "Wayne J. Hauber" <wjhauber () iastate edu>
Date: Tue, 13 Dec 2005 12:15:23 -0600

At 09:12 AM 11/17/2005, Calamity Jane wrote:

> On Wed, 16 Nov 2005 13:08:20 -0600 "Wayne J. Hauber"
> <wjhauber () iastate edu> writes:
> > Are any of you familiar with contextplus.net?
>
> Yes, Spyware fighters in various Security Forums have been dealing with a
> lot of these for over a month.
> Swandog46 at the SpywareInfo & GeeksToGo forums has developed a removal
> tool called AproposFix that works very well.
> You can see it in use here (page 2 of this thread has the fix tool):
> http://www.dslreports.com/forum/remark,14628988
>
> Here is another example:
> http://spywarewarrior.com/viewtopic.php?t=17401&highlight=aproposfix
>
> So far, no scanners I'm aware of can remove it, much less detect it.
> Samples of the installer for the "Apropos with Rootkit" have been
> submitted to various AntiMalware companies and Microsoft. If anyone
> needs it, let me know and I'll be happy to send you one.
>
> It is also posted here for download by AntiMalware Companies: (if you
> have access to that Forum)
> http://www.dslreports.com/forum/remark,14680386
>
> One of our members contacted ContextPlus and they sent an uninstaller by
> email, however, because the uninstaller itself is detected by a number of
> AVs as infected with Adware/Apropos, we don't recommend it. I have
> copies of that too, if anyone wants to analyze it.
>
> Another Adware using a rootkit is CommonName. I suspect this will be
> more and more common.

I am starting to see more systems with Apropos at our school. Not too many but each one is a big time sink. I did not see your post until today and did not see the reference to removal tools. It looks like the apropos folks are a moving target... Do the removal tools still work?

I plan to alert some of the other computer consultants at our school this afternoon.

Here are a couple of the links I am sending them.

---------------
In today's Security SIG meeting, I'll talk about Apropos, a nasty bit of adware/spyware that is protected by its own rootkit. The following links provide more details:

http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=43002

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077888

If you want to read pleas for help from frustrated system admins who were trying to remove Apropos, go to: www.sysinternals.com/forum. Search for any of the terms "apropos", "wingenerics" or "ace.dll".

Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.