  RavonTUS
join:2003-10-15 Indianapolis, IN
Do you trust the uninstaller?
Greetings,
I recently had the pleasure of self-inflicting myself with spyware. It seems to be a very good one. I have tried all my standard stuff - Spybot, Adaware, and Ewido - and still cannot get rid of it.
I finally ran RootkitRevealer and found it. I followed the registry entries until I found the company who was kind enough to install the spyware program for me.
adchannel.contextplus.net
Oh, not to name names or anything.
I visited their site and e-mailed them from an unused email account and asked them for an uninstall program. To my surprise, they did send me one.
So, here is the big question...Do I trust their uninstall program? Will it be kind and remove itself? On the other hand, will it simply replace the current bug with another one, or even better give me more of what I do not want!?!?
What would you do?
-Ravon

Vampirefo Premium,MVM join:2000-12-11 Huntington, WV
I would think you will get more ads; they make money off ads, they make nothing if they remove their ads from your PC.
-- Best Regards, Vampirefo

  Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
reply to RavonTUS
said by RavonTUS: What would you do?
Wait on the cavalry, and while waiting read a somewhat recent post by miekiemoes as it was being removed.
This post ---> »Had bad problems with Virus

  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
edit: October 28th, @03:53PM
reply to RavonTUS
Hi all, we actually now have an easier fix for this one.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
»swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder.
Edit: Removed request for a HijackThis log...that pest doesn't appear on HJT logs. All I need is the log.txt file from the aproposfix folder.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

  SnowyOne Premium join:2003-04-05 Kailua, HI
·Clearwire Wireless
·RoadRunner Cable
reply to RavonTUS
said by RavonTUS: So, here is the big question...Do I trust their uninstall program?
Here's an incomplete list of what the "Uninstaller" does.
[ Changes to registry ]
* Creates key "HKLM\Software\AutoLoader\x3uJ1RMQWRMK".
* Sets value "x85fZPOPWCY5fV"="" in key "HKLM\Software\AutoLoader\x3uJ1RMQWRMK".
* Creates key "HKLM\Software\AutoLoader\x3u51RMQWRMK".
* Sets value "x85fZPOPWCY5fV"="" in key "HKLM\Software\AutoLoader\x3u51RMQWRMK".
[ Process/window information ]
* Enumerates running processes.
* Enumerates running processes several parses....
Here are the Jotti scan results:
MD5: 3e532491eff52adf0c7f2befd94d80a3
Packers detected: -
Scanner results:
AntiVir: Found Trojan/Dldr.Apropo.R
ArcaVir: Found nothing
Avast: Found Win32:Apropo-2
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found Adware/Apropos
Kaspersky Anti-Virus: Found not-a-virus:AdWare.Apropos.q
NOD32: Found nothing
Norman Virus Control: Found W32/Apropos.O
UNA: Found nothing
VBA32: Found AdWare.Apropos.q
The "Uninstaller" contains URLs, as detected by Filealyzer.
These URLs point to 4 different file downloads:
"Msvcp60installer.Exe" * access denied when checking file properties
"a.exe" * access denied when checking file properties
"Aproposclientinstaller.Exe"
"Autoupdateinstaller.Exe"
Either these people have a serious problem with properly naming Exe's or this "Uninstaller" in reality is an "Installer".

  MeJon
@reachone.net
reply to CalamityJane
Thanks for the link to aproposfix.exe. It worked perfectly! You saved the day.

  IIIBradIII Comm M-E-L Instr
join:2000-09-28 Greer, SC
reply to SnowyOne
Why is this sort of trickery and lies not illegal?!!

  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to MeJon
said by MeJon: Thanks for the link to aproposfix.exe. It worked perfectly! You saved the day.
Glad to hear it! We can all thank Swandog46 from SpywareInfo (and other forums) for developing that tool.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

  CyberWoolf
@choiceone.net
reply to RavonTUS
THANK YOU THANK YOU THANK YOU!!!!!!!!!!!!!
I have been plagued by this stupid thing for a couple weeks now. I found this after searching and searching and now I am rid of the stupid spyware! I ran about 4 different spyware removal programs and 2 anti-virus progs. Thank you so much!

 Suleman84
join:2005-11-20
reply to CalamityJane
Log of AproposFix v1
************
Running from directory: D:\Documents and Settings\Hassan\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CoVT2AB2YS83]
@="uzxaYlmghhghhihC8mXOTZghhgxjhC.3x4C8hYeYZKSnmhJXObKXYhYnMSaYOIiYeY"
"Device"="\\\\.\\WS2rint"
"DriverPath"="D:\\WINDOWS\\system32\\drivers\\s3gmusic.sys"
"DriverName"="AFDus12"
"HideUninstallerName"="D:\\Program Files\\Anamaker\\mssppsrv.exe"
"UninstallerPath"="D:\\WINDOWS\\system32\\httlesvr.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A358FFD6-A981-4FCB-9C7C-45526A234504}"
"UninstallerParams"="/CTUN"
"HDll"="D:\\WINDOWS\\system32\\hpoevent.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X8b4310f-3d38-0ecf-8894-f9c320d81d8d}"
"PageFiltering"=dword:00000001
"ClientName"="D:\\Program Files\\Anamaker\\minlanui.exe"
************
Removing hidden service: Service AFDus12 removed.
Removing hidden folder: Deletion of folder Anamaker succeeded!
Deleting files:
Deletion of file D:\WINDOWS\system32\drivers\s3gmusic.sys succeeded!
Deletion of file D:\WINDOWS\system32\safm1500.exe succeeded!
Deletion of file D:\WINDOWS\system32\hpoevent.dll succeeded!
Deletion of file D:\WINDOWS\system32\httlesvr.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CoVT2AB2YS83]
[-HKEY_LOCAL_MACHINE\Software\CoVT2AB2YS83]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A358FFD6-A981-4FCB-9C7C-45526A234504}]
Done!

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Looks good Suleman84! Did that solve the problem?

  pvravi
@70.137.x.x
Worked like a charm for me. Thanks to all the people who made this possible and a pox on the apropos makers!

  TimSoh
@rr.com
reply to CalamityJane
Re: Do you trust the uninstaller?
Muuuuaaaahhhhhhhh. Thanks. Everything looks good so far.
Log of AproposFix v1
************
Running from directory: C:\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\C1iXoAy6INtm]
@="19oaUZEFFEFFGFS703MMIEFFEUHFoafVgokF6C67w0LKFv5 9w56F9v0_u1B7G6C6"
"Device"="\\\\.\\Atmp440"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\vdm_cnxt.sys"
"DriverName"="nvWICH"
"HideUninstallerName"="C:\\Program Files\\Qlproxio\\tskneth.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\forefilt.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C69A390E-D08C-47A4-97CA-01B18C4B309D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\skecntra.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X3d2ea7f-fc84-6950-36fe-06342511e895}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
************
Removing hidden service: Service nvWICH removed.
Removing hidden folder: Deletion of folder Qlproxio succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\vdm_cnxt.sys succeeded!
Deletion of file C:\WINDOWS\system32\zipga256.exe succeeded!
Deletion of file C:\WINDOWS\system32\skecntra.dll succeeded!
Deletion of file C:\WINDOWS\system32\forefilt.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\C1iXoAy6INtm]
[-HKEY_LOCAL_MACHINE\Software\C1iXoAy6INtm]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C69A390E-D08C-47A4-97CA-01B18C4B309D}]
Done!
Finished!

Nopedidnt work
My network tech ran this and it blew away his whole hard drive - had to totally reformat and do a fresh install of his XP SP2 OS.

  dragon101
reply to RavonTUS
Yeay, finally I can see my hardware manager and the friggen spyware is GONE. Yeay, here is the text from the uninstaller:
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\chad.CHADS\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\C2PinAF8KMqD]
@="oVGgHIBabbabbcb:PTCDRVabbaqdb6w\\r.62bSYSTEMhgbDRIVERSbCTPIPNATcSYS"
"Device"="\\\\.\\Pptcdrv"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ctpipnat.sys"
"DriverName"="Avg2hib"
"HideUninstallerName"="C:\\Program Files\\Xliinace\\dllwuweb.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\defatelc.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{5101F53E-C90D-44DE-8A68-3F1195BBD89B}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\mscnvcpl.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X0f9f9c4-1198-2f70-f3ab-1efd6d26f785}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
************
Removing hidden service: Service Avg2hib removed.
Removing hidden folder: Deletion of folder Xliinace succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\ctpipnat.sys succeeded!
Deletion of file C:\WINDOWS\system32\cdokbddv.exe succeeded!
Deletion of file C:\WINDOWS\system32\mscnvcpl.dll succeeded!
Deletion of file C:\WINDOWS\system32\defatelc.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\C2PinAF8KMqD]
[-HKEY_LOCAL_MACHINE\Software\C2PinAF8KMqD]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5101F53E-C90D-44DE-8A68-3F1195BBD89B}]
Done!
Finished!
Seems like they had tons of folder names for this, so it was hard to find. THANK YOU FOR THE HELP

  Zev0 Old Sarge Premium join:2001-08-21 Phoenix, AZ
reply to CyberWoolf
said by CyberWoolf:
THANK YOU THANK YOU THANK YOU!!!!!!!!!!!!!
I have been plagued by this stupid thing for a couple weeks now. I found this after searching and searching and now I am rid of the stupid spyware! I ran about 4 different spyware removal programs and 2 anti-virus progs. Thank you so much!
Good reason for making a weekly drive image. That way when you get it, you just go back a week and it's gone.
-- What are you doing today, that will matter in 20 years?

  mike1965 Geek4rent
join:2002-09-23 Marion, IL
reply to RavonTUS
Yes, this is an awesome fix...it is bad news when the guy who is usually fixing others' PCs gets himself infected (ME) LOL...ok ok so I was prolly a few places I should not have been....I went nuts..had no device manager, had no network connections showing, and when you entered a web addy in the address bar there was like a 30 second delay....finally figured out what was causing the problem...ran this fix...rebooted and it is fixed.....pretty nasty when Spybot and Adaware or anything else will not detect it....anyhow got a new tool for my tool box now
-- Free computer help »geek4rent.us/phpbb/

  stayloa
@ac.uk
Thank you SO much! This fix has finally killed the blasted spyware on my computer! Hardly anything could detect it, and those that did couldn't delete it! I've spent weeks trying to kill it, but the last straw came when my device manager became blank! Thanks so much for the fix!
Here's my log:
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Stayloa\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CqSQEAB9Me68]
@="5LHQLNMZaaZaabaTRAS9SDZaaZpca5v q\\51aRXRSDLgfaCQHUDQRaF9FLBCbRXR"
"Device"="\\\\.\\usbtate"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\gagmcd.sys"
"DriverName"="Wmirmon"
"HideUninstallerName"="C:\\Program Files\\Weswatch\\jgpxsdrv.exe"
"HDll"="C:\\WINDOWS\\system32\\nconl386.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X49728d1-461c-2952-3978-ce63eae4cf1d}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Weswatch\\logfdisk.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\modngine.exe"
"Version"="2.0.128"
"LastAURestoreMsgTS"="2005:11:20-16:40:20:312"
************
Removing hidden service: Service Wmirmon removed.
Removing hidden folder: Deletion of folder Weswatch succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\gagmcd.sys succeeded!
Deletion of file C:\WINDOWS\system32\modngine.exe succeeded!
Deletion of file C:\WINDOWS\system32\nconl386.dll succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CqSQEAB9Me68]
[-HKEY_LOCAL_MACHINE\Software\CqSQEAB9Me68]
Done!
Finished!

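The logs posted in this thread all share one layout: a hidden HKLM\Software key whose values name the driver, service, hooked DLL and hidden folder, followed by what AproposFix removed. As an added example (not from the thread and not part of the AproposFix tool), here is a small Python parser for that layout: it pulls the values out, lists the artifacts a responder should confirm are really gone, checks that the removed service matches "DriverName", and, given several logs, separates the per-infection random names from the values that stay constant (the detection pivot a rule should key on). The two sample logs are constructed for the example; only the value names are taken from the posted logs.

```python
import re

# Two abbreviated AproposFix logs in the layout posters pasted in the thread.
# Values are constructed for this example (not real indicators); value names match the logs.
LOG_A = r'''Log of AproposFix v1
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\Cexample1] @="x" "Device"="\\\\.\\Devone" "DriverPath"="C:\\WINDOWS\\system32\\drivers\\drvone.sys" "DriverName"="SvcOne" "HideUninstallerName"="C:\\Program Files\\Fldone\\hideone.exe" "HDll"="C:\\WINDOWS\\system32\\hookone.dll" "ServerAddress"="adchannel.contextplus.net" "PartnerId"="CP.IST2" "PageFiltering"=dword:00000001 "CrMnTmt"=dword:0036ee80
************
Removing hidden service: Service SvcOne removed.'''
# Second "host": same server/partner values, different random driver, service and folder names.
LOG_B = LOG_A.replace('Cexample1', 'Cexample2').replace('one', 'two').replace('One', 'Two')

KEY_RE = re.compile(r'\[(HKEY_[^\]]+)\]')
STR_RE = re.compile(r'"(\w+)"="((?:[^"\\]|\\.)*)"')       # "Name"="value" with reg-export \\ escapes
DWORD_RE = re.compile(r'"(\w+)"=dword:([0-9a-fA-F]{8})')   # "Name"=dword:00000001
SVC_RE = re.compile(r'Removing hidden service: Service (\S+) removed\.')

def parse_log(text):
    """Return the hidden key, its values (escapes undone, dwords as int) and the removed service."""
    key = KEY_RE.search(text)
    values = {n: v.replace('\\\\', '\\') for n, v in STR_RE.findall(text)}
    values.update({n: int(d, 16) for n, d in DWORD_RE.findall(text)})
    svc = SVC_RE.search(text)
    return {'key': key.group(1) if key else None, 'values': values,
            'removed_service': svc.group(1) if svc else None}

def artifacts(parsed):
    """Service and file paths a responder should verify are gone after the fix."""
    v = parsed['values']
    files = [v[n] for n in ('DriverPath', 'HDll', 'HideUninstallerName', 'UninstallerPath',
                            'ClientName', 'AutoUpdater') if n in v]
    return {'service': v.get('DriverName'), 'files': files,
            'service_removed': parsed['removed_service'] == v.get('DriverName')}

def stable_and_varying(parsed_logs):
    """Value names constant across infections (detection pivots) vs. randomised per host."""
    names = set.intersection(*(set(p['values']) for p in parsed_logs))
    stable = {n for n in names if len({p['values'][n] for p in parsed_logs}) == 1}
    return stable, names - stable

if __name__ == '__main__':
    logs = [parse_log(LOG_A), parse_log(LOG_B)]
    for p in logs:
        print(p['key'], artifacts(p))
    stable, varying = stable_and_varying(logs)
    print('stable:', sorted(stable))     # ServerAddress, PartnerId, PageFiltering, CrMnTmt
    print('varying:', sorted(varying))   # Device, DriverName, DriverPath, HDll, HideUninstallerName
```

Feeding it the four logs above (pasted into separate strings) shows the same split: every random file, service and folder name differs, while ServerAddress and LegalNote are identical on each host.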
 factorx691
join:2005-11-23 Ocoee, FL
reply to CalamityJane
WOW! I didn't even have a clue what was wrong with my computer, I just couldn't view the device manager the other day. Followed this forum, ran that program and all in safe mode, and bam, right after restart device manager worked. A++++++++ forum topic, thanks a lot!

  Brittney0356
@tds.net
reply to CalamityJane
I ran the Aproposfix, but I don't understand the part about posting the contents of the log into the folder. I mean, I found the log and copied it, but where do I paste it? Any help would be greatly appreciated!
Brittney
