I ran the MS Antispyware. It detected and offered to
remove it. However, it keeps coming back eg.
HKEY_LOCAL_MACHINE/SOFTWARE/Apprps

I tried to delete this with regedit and keep hitting
refresh and it comes back right away. SO clearly it is
not removed.

How do I find out which is the program name to delete
from the silesystem/registry? Thx


-- snowball

Try the following tool from Symantec:
http://securityresponse.symantec.com...r/FixAprop.exe
..

If you have either Norton or McAfee installed (AV), they
can detect and remove this as well. Spybot
(http://www.download.com/3001-8022_4-10401314.html?idl=n)
and Ad-Aware (http://www.download.com/3000-2144-
10045910.html) can also detect and remove Apropos, and I
think that ewido (http://www.download.com/Ewido-Security-
Suite/3000-8022_4-10326287.html) can also detect and
remove Apropos. Make certain to downlaod all the updates
for the apps and boot into Safe Mode (press F8 before
initial Windows screen during boot/reboot, press F8 again
to get to advanced option menu, and select the Safe Mode
option that only states Safe Mode). Now run a full
system scan with each app, making certain to remove what
it finds before running a scan with the other apps. When
installing ewido remove the check mark next to ewido
guard and the auto-update feature. Updates for ewido are
provided daily, so update often.

The problem when trying to remove this malware is that it
uses registered .dll files that must first be
deregistered before you can remove it, otherwise the
removal WILL fail. This is why many apps fail to remove
these types of infections.

One more thing. If you are running XP, delete the entire
contents of c:\windows\prefetch just to be safe. YOu
might have to do this in Safe Mode.

Alan

>-----Original Message-----
>I ran the MS Antispyware. It detected and offered to
>remove it. However, it keeps coming back eg.
>HKEY_LOCAL_MACHINE/SOFTWARE/Apprps
>
>I tried to delete this with regedit and keep hitting
>refresh and it comes back right away. SO clearly it is
>not removed.
>
>How do I find out which is the program name to delete
>from the silesystem/registry? Thx
>
>
>-- snowball
>.
>

Thx Alan.

I ran the tool in safemode. When I restarted I don't find
the symptoms of an Ad popping up when I close IE.

However, I see that HKLM/software/apprps still exists in
the registry. When I remove it and hit refresh after a
few seconds it comes back.

I don't know if this means the spyware is still on the
machine but its functionality is disabled? Who puts this
key back? Is it MS AntiSpyware trying to stomp over this
key to confuse or disable the spyware?

Any details on exactly what are the files that this
spyware installs and how they work (eg. service, startup
command etc would help me to manually verify that this
has been indeed successfully removed).

Thx

-- snow

>-----Original Message-----
>Try the following tool from Symantec:
>http://securityresponse.symantec.com...er/FixAprop.ex
e
>..
>
>If you have either Norton or McAfee installed (AV), they
>can detect and remove this as well. Spybot
>(http://www.download.com/3001-8022_4-10401314.html?
idl=n)
>and Ad-Aware (http://www.download.com/3000-2144-
>10045910.html) can also detect and remove Apropos, and I
>think that ewido (http://www.download.com/Ewido-Security-
>Suite/3000-8022_4-10326287.html) can also detect and
>remove Apropos. Make certain to downlaod all the
updates
>for the apps and boot into Safe Mode (press F8 before
>initial Windows screen during boot/reboot, press F8
again
>to get to advanced option menu, and select the Safe Mode
>option that only states Safe Mode). Now run a full
>system scan with each app, making certain to remove what
>it finds before running a scan with the other apps.
When
>installing ewido remove the check mark next to ewido
>guard and the auto-update feature. Updates for ewido
are
>provided daily, so update often.
>
>The problem when trying to remove this malware is that
it
>uses registered .dll files that must first be
>deregistered before you can remove it, otherwise the
>removal WILL fail. This is why many apps fail to remove
>these types of infections.
>
>One more thing. If you are running XP, delete the
entire
>contents of c:\windows\prefetch just to be safe. YOu
>might have to do this in Safe Mode.
>
>Alan
>
>>-----Original Message-----
>>I ran the MS Antispyware. It detected and offered to
>>remove it. However, it keeps coming back eg.
>>HKEY_LOCAL_MACHINE/SOFTWARE/Apprps
>>
>>I tried to delete this with regedit and keep hitting
>>refresh and it comes back right away. SO clearly it is
>>not removed.
>>
>>How do I find out which is the program name to delete
>>from the silesystem/registry? Thx
>>
>>
>>-- snowball
>>.
>>
>.
>

I have the same problem!

Did you ever find a solution that worked??

Thanks,

Jonny

"Snowball" wrote:

> Thx Alan.
>
> I ran the tool in safemode. When I restarted I don't find
> the symptoms of an Ad popping up when I close IE.
>
> However, I see that HKLM/software/apprps still exists in
> the registry. When I remove it and hit refresh after a
> few seconds it comes back.
>
> I don't know if this means the spyware is still on the
> machine but its functionality is disabled? Who puts this
> key back? Is it MS AntiSpyware trying to stomp over this
> key to confuse or disable the spyware?
>
> Any details on exactly what are the files that this
> spyware installs and how they work (eg. service, startup
> command etc would help me to manually verify that this
> has been indeed successfully removed).
>
> Thx
>
> -- snow
>
> >-----Original Message-----
> >Try the following tool from Symantec:
> >http://securityresponse.symantec.com...er/FixAprop.ex
> e
> >..
> >
> >If you have either Norton or McAfee installed (AV), they
> >can detect and remove this as well. Spybot
> >(http://www.download.com/3001-8022_4-10401314.html?
> idl=n)
> >and Ad-Aware (http://www.download.com/3000-2144-
> >10045910.html) can also detect and remove Apropos, and I
> >think that ewido (http://www.download.com/Ewido-Security-
> >Suite/3000-8022_4-10326287.html) can also detect and
> >remove Apropos. Make certain to downlaod all the
> updates
> >for the apps and boot into Safe Mode (press F8 before
> >initial Windows screen during boot/reboot, press F8
> again
> >to get to advanced option menu, and select the Safe Mode
> >option that only states Safe Mode). Now run a full
> >system scan with each app, making certain to remove what
> >it finds before running a scan with the other apps.
> When
> >installing ewido remove the check mark next to ewido
> >guard and the auto-update feature. Updates for ewido
> are
> >provided daily, so update often.
> >
> >The problem when trying to remove this malware is that
> it
> >uses registered .dll files that must first be
> >deregistered before you can remove it, otherwise the
> >removal WILL fail. This is why many apps fail to remove
> >these types of infections.
> >
> >One more thing. If you are running XP, delete the
> entire
> >contents of c:\windows\prefetch just to be safe. YOu
> >might have to do this in Safe Mode.
> >
> >Alan
> >
> >>-----Original Message-----
> >>I ran the MS Antispyware. It detected and offered to
> >>remove it. However, it keeps coming back eg.
> >>HKEY_LOCAL_MACHINE/SOFTWARE/Apprps
> >>
> >>I tried to delete this with regedit and keep hitting
> >>refresh and it comes back right away. SO clearly it is
> >>not removed.
> >>
> >>How do I find out which is the program name to delete
> >>from the silesystem/registry? Thx
> >>
> >>
> >>-- snowball
> >>.
> >>
> >.
> >
>