funsec mailing list archives
Re: Adware with a rootkit - contextplus.net
From: "Wayne J. Hauber" <wjhauber () iastate edu>
Date: Tue, 13 Dec 2005 12:15:23 -0600
At 09:12 AM 11/17/2005, Calamity Jane wrote:

> On Wed, 16 Nov 2005 13:08:20 -0600 "Wayne J. Hauber" <wjhauber () iastate edu> writes:
> > Are any of you familiar with contextplus.net?
>
> Yes, spyware fighters in various security forums have been dealing with a lot of these for over a month. Swandog46 at the SpywareInfo & GeeksToGo forums has developed a removal tool called AproposFix that works very well. You can see it in use here (page 2 of this thread has the fix tool):
> http://www.dslreports.com/forum/remark,14628988
>
> Here is another example:
> http://spywarewarrior.com/viewtopic.php?t=17401&highlight=aproposfix
>
> So far, no scanners I'm aware of can remove it, much less detect it. Samples of the installer for the "Apropos with Rootkit" have been submitted to various AntiMalware companies and Microsoft. If anyone needs it, let me know and I'll be happy to send you one. It is also posted here for download by AntiMalware companies (if you have access to that forum):
> http://www.dslreports.com/forum/remark,14680386
>
> One of our members contacted ContextPlus and they sent an uninstaller by email; however, because the uninstaller itself is detected by a number of AVs as infected with Adware/Apropos, we don't recommend it. I have copies of that too, if anyone wants to analyze it.
>
> Another adware using a rootkit is CommonName. I suspect this will be more and more common.
I am starting to see more systems with Apropos at our school. Not too many but each one is a big time sink. I did not see your post until today and did not see the reference to removal tools. It looks like the apropos folks are a moving target... Do the removal tools still work?
I plan to alert some of the other computer consultants at our school this afternoon.
Here are a couple of the links I am sending them.

---------------
In today's Security SIG meeting, I'll talk about Apropos, a nasty bit of adware/spyware that is protected by its own rootkit. The following links provide more details:

http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=43002
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077888

If you want to read pleas for help from frustrated system admins who were trying to remove Apropos, go to: www.sysinternals.com/forum. Search for any of the terms "apropos", "wingenerics" or "ace.dll".
Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.