Adware-Apropos

Type: Program
SubType: Adware
Discovery Date: 02/23/2005
Minimum DAT: 4342 (03/24/2004)
Updated DAT: 5200 (01/04/2008)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 03/17/2005 1:44 PM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

The application downloads many DLL and executable files that help in displaying both anonymous and identifiable ads.

The executable contacts the following sites to download auto-update files and ads.

It also injects a DLL file into the process space of many other programs such as explorer.exe and IExplore.exe. One of the downloaded files uses the icon of Iexplorer.exe.

Installation

Registry Changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sFoQ3mj: "mcdml.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoUpdater: "C:\Program Files\AutoUpdate\AutoUpdate.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient\UninstallString: "C:\Program Files\CxtPls\uninstaller.exe"
  • HKEY_USERS\S-1-5-21-854245398-1383384898-842925246500\Software\Microsoft\Windows\CurrentVersion\Run\do74RgH4j: "lsaps.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5AB638-D76C-415B-A8F2-F3CEAC502212}\LocalServer32\: "C:\Program Files\CxtPls\CxtPls.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32\: "C:\Program Files\CxtPls\proxystub.dll"

File Changes

The following files are added to the %Program Files%\CxtPls directory:

  • ace.dll (581,632 bytes) - detected as Adware-Apropos
  • AI_11-02-2005.log
  • atl.dll (74,810 bytes)
  • CxtPls.dll (90,112 bytes) - detected as Adware-Apropos
  • CxtPls.exe (716,800 bytes) - detected as Adware-Apropos
  • data.bin (116,873)
  • libexpat.dll (143,360 bytes) - detected as Adware-Apropos
  • ProxyStub.dll (28,762) - detected as Adware-Apropos
  • uninstaller.exe (167,936 bytes) - detected as Adware-Apropos
  • WinGenerics.dll (573,440 bytes)

The following files are added to the %Program Files%\AutoUpdate directory:

  • AutoUpdate.exe
  • libexpat.dll

The following files are added to the %windir%\system32 directory:

  • auto_update_uninstall.exe
  • auto_update_uninstall.log
  • lsaps.exe
  • mcdml.exe

Note: %windir% is the Windows directory of the system. By default it is C:\windows in XP.

Symptoms

Various “Spyware warning” pop-up ads are shown while browsing the internet. Search keywords are hijacked, and ads relevant to the keyword are shown.

A few older versions of the program have been seen to make the following registry change to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AutoLoaderAproposClient" = "C:\WINDOWS\System32\Cache\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded"
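
The following PowerShell check is an added example, not part of the original McAfee description: it looks for the Run values, files and uninstall key listed on this page on a local Windows host. It assumes %Program Files% and %windir% resolve through `$env:ProgramFiles` and `$env:windir`, and it matches Run entries by the executable named in the value data rather than by value name.

```powershell
# Indicators copied from this page's Registry Changes and File Changes lists.
$runExecutables = 'mcdml.exe', 'lsaps.exe', 'AutoUpdate.exe', 'cxtpls_loader.exe'
$files = @{
    # Only the CxtPls files the page marks "detected as Adware-Apropos".
    "$env:ProgramFiles\CxtPls"     = 'ace.dll', 'CxtPls.dll', 'CxtPls.exe', 'libexpat.dll',
                                     'ProxyStub.dll', 'uninstaller.exe'
    "$env:ProgramFiles\AutoUpdate" = 'AutoUpdate.exe', 'libexpat.dll'
    "$env:windir\system32"         = 'auto_update_uninstall.exe', 'lsaps.exe', 'mcdml.exe'
    "$env:windir\system32\Cache"   = 'cxtpls_loader.exe'   # older versions
}
$uninstallKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient'

# Machine-wide Run key plus the Run key of every loaded user hive.
$runKeys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

$findings = @()
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        foreach ($exe in $runExecutables) {
            # Match the executable as a whole path component; arguments are ignored.
            $pattern = '(^|[\\/"\s])' + [regex]::Escape($exe) + '(["\s]|$)'
            if ($data -match $pattern) {
                $findings += [pscustomobject]@{ Kind = 'RunValue'; Location = "$key\$name"; Detail = $data }
            }
        }
    }
}
foreach ($dir in $files.Keys) {
    foreach ($file in $files[$dir]) {
        $path = Join-Path $dir $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Report the size so it can be compared with the byte counts listed above.
            $size = (Get-Item -LiteralPath $path -Force).Length
            $findings += [pscustomobject]@{ Kind = 'File'; Location = $path; Detail = "$size bytes" }
        }
    }
}
if (Test-Path -LiteralPath $uninstallKey) {
    $findings += [pscustomobject]@{ Kind = 'UninstallKey'; Location = $uninstallKey; Detail = '' }
}
$findings | Format-Table -AutoSize -Wrap
```

A hit on a generic name such as AutoUpdate.exe or libexpat.dll is a lead to confirm against the paths and sizes listed above, not a verdict on its own.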

Aliases

    N/A