May 11th, 2005, 23:56 PM   #1
phishhead
Friendly Neighborhood
Super Moderator
 
Join Date: Apr 2002
Location: San Diego, Ca.
Posts: 3,882
Apropos spyware keeps coming back after removal

Hey guys, got a strange one. My very good co-worker's sister keeps getting this pop-up from MS AntiSpyware that it finds and deletes this. I've tried CWShredder, MS AntiSpyware, Spybot. Finds it, then deletes it. Did it in safe mode without LAN connection.
But after a while it comes right back. I've done a search to delete manually, but the services, DLL, or files are not in the system or in the registry to delete.

Anyone got a magic pill that will work on it?
__________________


May 12th, 2005, 03:13 AM   #2
cash_site
Security Intelligence
TZ Veteran
 
Join Date: Jul 2002
Location: Software Paradise
Posts: 4,210
I can order the blue magic pills over the weekend Phish...

This doesn't look good:

"A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system."

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run autoupdater, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run autoupdater "c:\program files\autoupdate\autoupdate.exe", delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoloaderaproposclient, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoloadertw011aklknla, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoupdater, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\pm7r36p, delete it and reboot the machine immediately.


unregister these dlls
cxtpls.dll
proxystub.dll

dude, there are heaps more files and crap etc in c:\windows and system etc etc....

Really looks like a format job... hey, at least you get more time at home
__________________

--- 0wN3D by 3gG ---
May 12th, 2005, 17:08 PM   #3
Curio
Triple Platinum Member
 
Join Date: Nov 2004
Location: London
Posts: 907
http://esd.element5.com/publisher/50...r/FixAprop.exe

Removal tool from Symantec - may work.

Otherwise post HijackThis log and we have the technology to help you.
__________________
I'm using Windows 7 - you got a problem with that?
May 12th, 2005, 17:33 PM   #4
tarun
Triple Platinum Member
 
Join Date: Nov 2004
Location: India
Posts: 888
Why not use System Restore?
__________________
del.icio.us
May 12th, 2005, 17:53 PM   #5
lynchknot
Titanium Member
 
Join Date: Jul 2002
Location: blk helo target, WA
Posts: 4,078
Reformat. Like everyone always tells me. Unless it's just a cookie - those always come back just by visiting this one message board I go to.

**edit - that's a browser helper object. Yeah, you can use HijackThis, or maybe WinPatrol will remove it and keep an eye on it. WinPatrol and others like it (registry watchers) won't allow a BHO unless I allow it.

I'm not sure why I'm unable to get to this site but it shows how to: http://66.102.7.104/search?q=cache:M...&hl=en&start=7


Quote:
Apropos.bho manual removal:
Delete registry values:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}'
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}'

Delete directories:
\APROPOSCLIENT
Quote:
Full name: Apropos.bho

Type: Adware

Related files: APROPOSPLUGIN.DLL

Severity scale: 23 / 100

Apropos.bho description: Apropos.bho is a browser helper object, variant of the PeopleOnPage software.
Apropos Ads may be displayed in a variety of formats including:
-- Pop-Up or Pop-Under Windows which will appear as windows on top of or beneath other windows on the computer screen.
-- Sliding Skyscraper Windows which will appear as sliding images displayed over POP! content.

Download URL: h**p://www.peopleonpage.com/download.html-don't go there!

Apropos.bho properties:
• Changes browser settings
• Hides from the user
• Stays resident in background

Last edited by lynchknot; May 12th, 2005 at 18:13 PM.
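
The Run values listed in post #2 and the BHO CLSID quoted in post #5 can be checked in one read-only pass, which shows whether an autostart entry is still registered after a scanner reports a clean removal. The PowerShell script below is an added example, not part of any post in this thread; the function name Get-AproposTrace and the extra WOW6432Node check for 64-bit Windows are assumptions added here.

```powershell
# Added example (not from the thread): read-only check, nothing is deleted.
# Value names and the CLSID are copied from the posts above.
$runNames = 'autoupdater', 'autoloaderaproposclient', 'autoloadertw011aklknla', 'pm7r36p'
$clsid    = '{01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}'

# Assumption: on 64-bit Windows a 32-bit program registers under WOW6432Node,
# so both registry views are checked.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-AproposTrace {   # hypothetical helper name
    foreach ($root in $roots) {
        # 1. Run key: autostart values whose names match the list.
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path -LiteralPath $runKey) {
            $key = Get-Item -LiteralPath $runKey
            foreach ($name in $key.GetValueNames()) {
                if ($runNames -contains $name) {      # -contains ignores case
                    [pscustomobject]@{ Kind = 'Run value'; Path = $runKey
                                       Name = $name; Data = $key.GetValue($name) }
                }
            }
        }

        # 2. BHO registration: Internet Explorer loads every CLSID listed here.
        $bhoKey = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $bhoKey) {
            [pscustomobject]@{ Kind = 'BHO key'; Path = $bhoKey; Name = $clsid; Data = $null }
        }

        # 3. COM class: InprocServer32's default value is the DLL that gets loaded.
        $comKey = "$root\Classes\CLSID\$clsid"
        if (Test-Path -LiteralPath $comKey) {
            $dll = $null
            $srv = "$comKey\InprocServer32"
            if (Test-Path -LiteralPath $srv) {
                $dll = (Get-Item -LiteralPath $srv).GetValue('')
            }
            [pscustomobject]@{ Kind = 'COM class'; Path = $comKey; Name = $clsid; Data = $dll }
        }
    }
}

$found = @(Get-AproposTrace)
if ($found.Count -eq 0) { 'No listed Run values or BHO keys found.' }
else { $found | Format-List }
```

Running it again after a reboot shows whether an entry has been re-created, and the Data field of any hit names the file to look for on disk.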