So why am I writing this?
Because the adware isn't gone. One particular variety of adware, which I've found through research is known as Apropos, ProPro and various other things and often involves the contextplus.net domain, has been escaping all the anti-spyware software that I have been able to get my hands on.
HijackThis, Ewido, TrackQoo, WinPFind, AdAware, Spybot Search & Destroy, Microsoft Anti-Spyware, CounterSpy, XoftSpy, and Process Explorer have failed to help me either remove the problem or identify the root cause of the problem. I have searched various forums and even attempted to Google the registry keys that I believe are involved in the infestation due to their ability to recreate themselves and the complete lack of documentation indicating that they belong to any known application from any sort of reputable software publisher.
The registry keys that I identified as part of the problem are:
I have been unable to locate in these keys any values with data pointing to any executable files or DLLs anywhere on the system. Repeated web searches for executables or DLLs that are involved in Apropos/propro/contextplus infections have yielded many results, but none of these files appear to match anything that is located anywhere on the system that is infected. I have attempted to KillBox these files in their exact locations as I have found from the various forums that discuss this piece of malware, but KillBox tells me it cannot kill what isn't there. I have searched for the files on the hard disk and they do not appear.
I'm lost on this one. The ads that come up, constant streams of popups for all kinds of products, all point to contextplus.net. Every single one of them is hosted on one of contextplus's servers, as evidenced by the IP addresses from which they come. They all point to contextplus.net in one way or another. Yet none of the published characteristics of an Apropos/propro/contextplus infection can be found on this system.
The users who dropped it off are of no help. They insist that the system remained online and completely untouched (by them) for a week. It worked fine before they left for a week, but upon their return this was the condition that it was in.
Is this a new variant, or has somebody seen this before? Please help. I'll give you logs if it will assist you.