allentech.net

Parasite: AproposMedia

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

AproposMedia is adware that opens pop-up advertisements based on URL tracking.

Variants

AproposMedia/POP is the advert-showing part of the ‘PeopleOnPage’ program (peopleonpage.com), an Internet Explorer sidebar which claims to show a list of other users of the current site.

AproposMedia/SysAI and AproposMedia/CxtPls are newer, standalone parasites, targeted at adintelligence.net and contextplus.net.

Also known as

Envolo after the name of the updater component included in PeopleOnPage. Trend anti-virus classifies the SysAI variant as Adv.Apropos.D.

Distribution

AproposMedia/POP was bundled with Grokster around June 2003, and is installed by pop-up ActiveX drive-by download.

AproposMedia/CxtPls is installed by the WildMedia parasite.

What it does

Advertising

Yes. Opens pop-up adverts (which themselves may spawn other pop-ups) at regular intervals when Internet Explorer is in use.

Privacy violation

Yes. With the POP variant, the complete URLs of all pages visited are sent to the controlling server with a unique tracking ID, when the PeopleOnPage sidebar is open. With the other variants, the URLs are sent all the time.

Security issues

Yes. Includes an updater component which can silently download and execute arbitrary code from its controlling server.

Stability problems

None known.

Removal

Go to the Control Panel’s Add/Remove Programs feature. Select and remove ‘AM Server’ and ‘POP’ for the POP variant, or ‘SysAI’ (SysAI variant) or CtxPls (CxtPls variant; yes, it’s spelled like that). These entries seem often to be missing, necessitating manual removal.

Manual removal

POP variant

Open the registry, by clicking ‘Start’, choosing ‘Run’ and entering ‘regedit’. Open the ‘CLSID’ key inside ‘HKEY_CLASSES_ROOT’ and delete the following subkeys:

{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
{8023A3E7-AB95-4C23-8313-0BE9842CC70E}
{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}
{B3BE5046-8197-48FB-B89F-7C767316D03C}

Next, open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the ‘AutoUpdater’ and ‘POP’ entries.

You can also delete HKEY_CLASSES_ROOT\POP.Server[.1], HKEY_CLASSES_ROOT\POPAd.Server[.1], HKEY_LOCAL_MACHINE\Software\POP and HKEY_CURRENT_USER\Software\POP to clean up.

SysAI and CxtPls variants

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘AutoUpdater’ entry. There is also one other entry that must be deleted. Its name will be a nonsensical string of eight random alphanumeric characters, and its value will be a single EXE filename, which is semi-random.

If you are not sure you have the right entry, open the System folder (inside the Windows folder, called ‘System32’ under Windows NT/2000/XP/2003) and load the EXE file it refers to into a text editor. The guilty file will have the string ‘WinGenerics’ inside it somewhere.

Now open the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and there should be a similar eight-character random entry pointing to another semi-random EXE in the System folder. Delete this too.

You can also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Envolo, HKEY_LOCAL_MACHINE\SOFTWARE\AutoUpdate and HKEY_CURRENT_USER\Software\Apropos to clean up.

SysAI variant

Open a Command Prompt window (from Start->Programs->Accessories) and enter the following commands:

cd %WinDir%\System
regsvr32 /u "C:\Program Files\SysAI\AproposPlugin.dll"

CxtPls variant

Open a Command Prompt window (from Start->Programs->Accessories) and enter the following commands:

cd %WinDir%\System
regsvr32 /u "C:\Program Files\CxtPls\CxtPls.dll"

All variants

Restart the computer and you should be able to delete the ‘AutoUpdate’ folder in ‘Program Files’ (on the C: drive, even if your Program Files are normally elsewhere), along with the folder ‘POP’ (POP variant), ‘SysAI’ (SysAI variant) or ‘CxtPls’ (CxtPls variant).

In the System folder you can also delete the two semi-randomly-named EXE files referred to by the registry entries of the SysAI and CxtPls variants, and, if you have them, auto_update_uninstall.exe and auto_update_uninstall.log.
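The following PowerShell script is an added example, not part of the original page or of Andrew Clover's detection script: it audits the registry locations named in the removal steps above (the five POP CLSIDs, the ‘AutoUpdater’ and ‘POP’ Run entries, and the eight-character random Run entries of the SysAI/CxtPls variants) and reports what it finds without deleting anything, so you can confirm the entries before removing them by hand. The WinGenerics file check assumes the string is stored as plain ASCII in the EXE, as the text above implies.

```powershell
# Added example: read-only audit for the AproposMedia indicators listed on this page.
# Run from an elevated PowerShell prompt; nothing here deletes or modifies anything.
$clsids = @(
  '{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}',
  '{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}',
  '{8023A3E7-AB95-4C23-8313-0BE9842CC70E}',
  '{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}',
  '{B3BE5046-8197-48FB-B89F-7C767316D03C}'
)
foreach ($c in $clsids) {
  if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c") {
    Write-Output "POP variant CLSID present: HKEY_CLASSES_ROOT\CLSID\$c"
  }
}

$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath metadata
    $name  = $p.Name
    $value = [string]$p.Value
    # Known entry names from the removal steps above
    if ($name -in @('AutoUpdater', 'POP')) {
      Write-Output "$key : known AproposMedia entry '$name' = $value"
      continue
    }
    # Page heuristic: eight random alphanumerics whose value is a single EXE name
    if ($name -match '^[A-Za-z0-9]{8}$' -and $value -match '\.exe"?\s*$') {
      $exe = $value.Trim('"')
      if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path "$env:WinDir\System32" $exe   # bare name -> System folder
      }
      $note = ''
      # Assumption: 'WinGenerics' is stored as ASCII text inside the EXE
      if ((Test-Path $exe) -and (Select-String -Path $exe -Pattern 'WinGenerics' -Quiet)) {
        $note = ' (file contains WinGenerics)'
      }
      Write-Output "$key : suspicious entry '$name' = $value$note"
    }
  }
}
```

Entries reported with the WinGenerics note match the page's description of the SysAI/CxtPls loader; a random-looking entry without it should be checked by hand before deletion, since legitimate software occasionally uses similar names.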

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
