Apropos/Propro ContextPlus - Possible New Variant


This topic is locked.

#1 meighnot (Member, 71 posts)
Three days ago a Windows XP Home box was dropped off at my house because of virus, spyware and adware infestation. The infestation included many known variants of viruses and other malware currently in the wild, which took several sweeps with spyware/adware removal software as well as anti-virus software to remove. Everything eventually came off, and the various tools that I used have been reporting a clean system for the last 24 hours.

So why am I writing this?

Because the adware isn't gone. One particular variety of adware, which I've found through research is known as Apropos, ProPro and various other things and often involves the contextplus.net domain, has been escaping all the anti-spyware software that I have been able to get my hands on.

HijackThis, Ewido, TrackQoo, WinPFind, AdAware, Spybot Search & Destroy, Microsoft Anti-Spyware, CounterSpy, XoftSpy, and Process Explorer have failed to help me either remove the problem or identify the root cause of the problem. I have searched various forums and even attempted to Google the registry keys that I believe are involved in the infestation due to their ability to recreate themselves and the complete lack of documentation indicating that they belong to any known application from any sort of reputable software publisher.

The registry keys that I identified as part of the problem are:

HKLM\Software\Aprps
HKLM\Software\Cxt<random string>
HKCR\*\shellex\fngmgngy

I have been unable to locate in these keys any values with data pointing to any executable files or DLLs anywhere on the system. Repeated web searches for executables or DLLs that are involved in Apropos/propro/contextplus infections have yielded many results, but none of these files appear to match anything that is located anywhere on the system that is infected. I have attempted to KillBox these files in their exact locations as I have found from the various forums that discuss this piece of malware, but KillBox tells me it cannot kill what isn't there. I have searched for the files on the hard disk and they do not appear.

I'm lost on this one. The ads that come up, constant streams of popups for all kinds of products, all point to contextplus.net. Every single one of them is hosted on one of contextplus's servers, as evidenced by the IP addresses from which they come. They all point to contextplus.net in one way or another. Yet none of the published characteristics of an Apropos/propro/contextplus infection can be found on this system.

The users who dropped it off are of no help. They insist that the system remained online and completely untouched (by them) for a week. It worked fine before they left for a week, but upon their return this was the condition that it was in.

Is this a new variant, or has somebody seen this before? Please help. I'll give you logs if it will assist you.
#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Please visit this page and scroll down to Step 5. Follow the instructions there to download a tool called Hijackthis and post a log here as a reply to this post.

http://www.geekstogo..._Log-t2852.html

#3 meighnot (Topic Starter, Member, 71 posts)
Hi, thanks for your reply.

I've been working on this problem in the meantime and identified the registry keys that the Apropos/Propro was causing to be created although HijackThis did not list those keys in the scan that it did on the system.

The HijackThis log is posted, although the keys that recreate themselves and point to the contextplus.net domain that's been producing the ads are not in it. That was the original problem, since I'm pretty experienced with the removal of malware (I do it every day at work). Software like Ewido, AdAware, Spybot Search & Destroy, TrojanHunter, AVG, Trend Micro Anti-Spyware and Microsoft Anti-Spyware would report that there were no threats found, HijackThis didn't identify the registry keys that pointed to the domain the ads were coming from, and the popups persisted.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:23 AM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost 6.0\bin\dbserv.exe
C:\Program Files\Norton Ghost 6.0\bin\rteng6.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Ghost 6.0\ngserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\UltraEdit32\UEDIT32.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\MWEST~1.PEN\LOCALS~1\Temp\Rar$EX01.333\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NGDatabase (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Norton Ghost 6.0\bin\dbserv.exe
O23 - Service: NGServer - Symantec New Zealand Limited - C:\Program Files\Norton Ghost 6.0\ngserver.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



It took a manual search of the registry to find the keys, which I also found would regenerate themselves after a reboot even in safe-mode.

HKLM\Software\aprps
HKLM\Software\cXt<random string> (where the random string changed each time the key regenerated itself)
HKCR\*\shellex\fngmgngy

I deleted those keys, ran RegMon, set it to run at boot, and found that those keys were being created by a running process called dpckssvc.exe. After searching for dpckssvc.exe I found that the process was not running from its own executable, but was being spawned by explorer.exe at boot time.

#4 Buckeye_Sam (Malware Expert, 10,019 posts)
Let's take a closer look with a couple other tools.

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
=============
Download PFind.zip and unzip the contents to its own permanent folder.

Reboot your computer into Safe Mode

Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt along with the log from Silent Runners.

#5 meighnot (Topic Starter, Member, 71 posts)
Hi again.

I think things are shaping up. Since I had a suspicion from RegMon's indication that those Apropos registry keys were being created by a process called dpckssvc.exe, I rooted around and found out that the process wasn't an actual file on the system; it was being spawned temporarily and apparently by explorer.exe. I've got another machine here running XP SP2 (like the infected one), and I wiped out the registry keys I identified using regedit, killed the dpckssvc.exe process with Process Explorer and then booted to the recovery console.

I copied explorer.exe from the good machine to a floppy, then transferred it from the floppy to the infected machine and rebooted. Everything came up normally in safe mode, and the registry keys had not been recreated (as they were initially, even in safe mode). I booted the machine normally and checked for those keys in the registry, and they are no longer there. The dpckssvc.exe process is no longer being spawned, and there are no more connections to contextplus.net showing up in netstat. Popup ads haven't come back, so it definitely seems to be problem solved.

Thanks for your time and help.

-Meighnot
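The indicators meighnot worked through in posts #3 and #5 (the Aprps / Cxt&lt;random&gt; / fngmgngy registry keys, the dpckssvc.exe process, and an explorer.exe that no longer matched a clean machine's copy) can be re-checked on a Windows host with the script below. This is an added example, not code from the thread or from any tool it names; it assumes an elevated PowerShell 5.1 or later prompt, and the `$KnownGoodExplorerSha256` parameter is a placeholder that must be filled in with a `Get-FileHash` result from a clean machine of the same Windows build. The context-menu-handler listing goes beyond the thread: it resolves every handler registered under `HKCR\*\shellex\ContextMenuHandlers` to the DLL its CLSID points at, so an unfamiliar handler stands out even when its key name is randomized.

```powershell
<#
  Added example, not from the thread. Re-checks the indicators reported by meighnot:
  registry keys, the dpckssvc.exe process, and explorer.exe integrity.
  Assumes PowerShell 5.1+ in an elevated session.
#>
param(
    # PLACEHOLDER: SHA-256 of explorer.exe from a clean machine with the same Windows build.
    [string]$KnownGoodExplorerSha256 = 'REPLACE-WITH-SHA256-FROM-CLEAN-MACHINE'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry keys named in the thread. The Cxt key has a random suffix, so match on the prefix.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Aprps') {
    $findings.Add('HKLM\SOFTWARE\Aprps exists')
}
Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Cxt*' } |
    ForEach-Object { $findings.Add("HKLM\SOFTWARE\$($_.PSChildName) exists") }

# HKEY_CLASSES_ROOT has no default PowerShell drive; map one for this session.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
# -LiteralPath matters: the '*' in this key path is a literal key name, not a wildcard.
if (Test-Path -LiteralPath 'HKCR:\*\shellex\fngmgngy') {
    $findings.Add('HKCR\*\shellex\fngmgngy exists')
}

# General check (beyond the thread): list every context-menu shell extension registered for
# all file types and resolve its CLSID to the DLL Explorer would load for it.
Get-ChildItem -LiteralPath 'HKCR:\*\shellex\ContextMenuHandlers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $dll = $null
        if ($clsid) {
            $dll = (Get-ItemProperty -LiteralPath "HKCR:\CLSID\$clsid\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
        }
        Write-Output ('ContextMenuHandler {0,-30} CLSID {1} -> {2}' -f $_.PSChildName, $clsid, $dll)
    }

# 2. The process RegMon showed creating the keys. Get-Process takes the name without ".exe".
Get-Process -Name dpckssvc -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("dpckssvc.exe is running (PID $($_.Id), path '$($_.Path)')")
}

# 3. explorer.exe integrity: compare its SHA-256 with the clean copy and check its signature.
#    (-ne is case-insensitive in PowerShell, so hash case does not matter.)
$explorer = Join-Path $env:SystemRoot 'explorer.exe'
$actual   = (Get-FileHash -LiteralPath $explorer -Algorithm SHA256).Hash
if ($actual -ne $KnownGoodExplorerSha256) {
    $findings.Add("explorer.exe SHA-256 $actual does not match the known-good hash")
}
$sig = Get-AuthenticodeSignature -FilePath $explorer
if ($sig.Status -ne 'Valid') {
    $findings.Add("explorer.exe signature status is $($sig.Status)")
}

if ($findings.Count -eq 0) {
    'No indicators from the thread found.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
```

Two caveats on the integrity step: the hash comparison is only meaningful when the reference hash comes from exactly the same Windows build and patch level, since any update to explorer.exe changes it; and `Get-AuthenticodeSignature` reports explorer.exe as `Valid` through its catalog signature only on Windows 8 and later, so on older systems the hash comparison is the check that counts. This mirrors what ultimately worked in the thread: a signature-based scan listed nothing, while comparing the system binary against a known-good copy exposed the persistence.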