aprps

citrus (nara)

When I run the microsoft anti spyware, I get the following
message

infected registry keys/values detected
hkey_local-_machine\software\aprps
hkey_local-_machine\software\aprps\client partner id
wb.ver2

I exercise the option to remove and MS antispyware
confirms removal of this spyware.

However, the entries are still found in the registry when
I run regedit.

'aprps' again appears when the system shuts down at random
on its own.

The question is,

is it safe to rename the aprps folder (key), or even
better, delete it?

Why does MS antispyware not delete it from the registry if
it is a serious threat to the system?

Thanks,

citrus (screen name)
 
Bill Sanderson

Shut down the system and restart in safe mode.

Do full, deep scans, with Microsoft Antispyware, and also scan with your
updated antivirus application, if possible. Scan until a complete scan
comes through clean with each product.

Microsoft Antispyware should be able to remove this, I believe, but it may
need safe mode to do the job properly.

You might also, before you restart in safe mode, do Tools, suspected spyware
report in Microsoft Antispyware, to report this difficulty cleaning
directly, if possible.
 
AndyManchesta

This is Apropos-Media and should be removed. I cannot
comment on why MSAS isn't removing this, but it may be
because the files are running on your system; even so,
they should be shut down by MSAS before deleting the
infected folders, unless it's not detecting all of them.

If you feel confident using Regedit, reboot into safe mode
(reboot and keep tapping F8, then choose safe mode from
the list) and then delete the folder from the software
areas of both HKLM & HKCU and also the run commands. If
you prefer not to use regedit, then download Ewido
Security Suite, update it in normal mode, and run it in
safe mode with MSAS.

Really delete any of these folders if found (right click
the folders and choose delete):

HKEY_CURRENT_USER\software\apropos
HKEY_CURRENT_USER\software\pop\apropos
HKEY_CURRENT_USER\software\aprps\
HKEY_CURRENT_USER\software\envolo\
HKEY_LOCAL_MACHINE\software\apropos
HKEY_LOCAL_MACHINE\software\pop\
HKEY_LOCAL_MACHINE\software\aprps\
HKEY_LOCAL_MACHINE\software\envolo\

Then take out the run commands if found :

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\

&

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\

Left click run to open the values in the right pane, then
right click any of these if found and choose delete. (As
you can see, we are dealing with random named entries, so
maybe Ewido in safe mode will make things easier for you.)

apropos
autoloaderaproposclient
autoloadertw011aklknla
autoupdater
mv7dizbww.exe
nr1beo9r.exe
ororoxid
pf8g35x
pm7r36p
z
zga.exe
s7ov3pe
dw79rfk4e
hww4rgb9s
ko0prxdqp

There's a lot more than this, such as BHO and IE toolbar
entries, but I think Ewido will find these easily enough,
and also the above entries if they exist.

Download Ewido Security Suite in normal mode:

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
Launch ewido
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe
mode.

Download Ccleaner and install to remove temp and unused
files

http://www.ccleaner.com/ccdownload.asp

Then boot into safe mode and run Ewido on a complete scan
also MSAS and then use Ccleaner and choose Run Cleaner to
remove any junk left in temp folders then reboot back to
normal mode.

Let us know if you have any problems

Andy
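
An added example (not part of AndyManchesta's post or of any tool named in this thread): a read-only Python check that scans a regedit export for the keys and Run value names listed above, and also returns the remaining Run values for manual review, since the post notes the entry names are random. The function name `audit` and the sample export are constructed for illustration.

```python
import re

# Keys and Run value names copied (lower-cased) from the post above.
KEYS = [h + "\\software\\" + k for h, k in (
    ("hkey_current_user", "apropos"), ("hkey_current_user", "pop\\apropos"),
    ("hkey_current_user", "aprps"), ("hkey_current_user", "envolo"),
    ("hkey_local_machine", "apropos"), ("hkey_local_machine", "pop"),
    ("hkey_local_machine", "aprps"), ("hkey_local_machine", "envolo"))]
RUN_NAMES = set("""apropos autoloaderaproposclient autoloadertw011aklknla
autoupdater mv7dizbww.exe nr1beo9r.exe ororoxid pf8g35x pm7r36p z zga.exe
s7ov3pe dw79rfk4e hww4rgb9s ko0prxdqp""".split())
RUN_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

def audit(reg_text):
    """Return (listed keys found, listed Run values, other Run values)."""
    keys, listed, other, current = [], [], [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            low = current.lower()
            # Match the key itself or a subkey, never a longer sibling name.
            if any(low == k or low.startswith(k + "\\") for k in KEYS):
                keys.append(current)
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current.lower().endswith(RUN_SUFFIX):
            hit = m.group(1).lower() in RUN_NAMES
            (listed if hit else other).append((current, m.group(1), m.group(2)))
    return keys, listed, other

# Constructed sample in regedit export format (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\aprps]
"Client Partner ID"="constructed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Popular]
"constructed"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AutoUpdater"="C:\\constructed\\upd.exe"
"qx3constructed"="C:\\constructed\\qx3.exe"
'''

if __name__ == "__main__":
    for label, rows in zip(("key", "listed run", "review run"), audit(SAMPLE)):
        for row in rows:
            print(label, row)
```

Regedit's "Version 5.00" exports are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `audit`.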
 
Jacques

Perhaps something like "clean this at next boot" could be valuable. Spybot
has it for some spy which can't be removed, and this is the way chkdsk works
in order to avoid conflict with other progs.
 
Bill Sanderson

This functionality is already there, I believe--some cleaning operations
will suggest a restart, and further cleaning happens on the restart. It's
been a while since I've seen this, but I believe it is in there. The whole
safe mode thing is clearly not optimal operation--I'm glad that it works,
but it is silly--try cleaning, and if it doesn't work, go to the forum and
ask for the secret password and then we'll REALLY clean it!

This is not how the product is intended to work, I'm quite certain.
