  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
edit: October 28th, @03:53PM
| reply to RavonTUS Re: Do you trust the uninstaller?
Hi all, we actually now have an easier fix for this one.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
»swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder.
Edit: Removed request for a HijackThis log...that pest doesn't appear on HJT logs. All I need is the log.txt file from the aproposfix folder
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  MeJon
@reachone.net | Thanks for the link to aproposfix.exe. It worked perfectly! You saved the day. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| said by MeJon :
Thanks for the link to aproposfix.exe. It worked perfectly! You saved the day.
Glad to hear it! We can all thank Swandog46 from SpywareInfo (and other forums) for developing that tool
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 Suleman84
join:2005-11-20
| reply to CalamityJane Log of AproposFix v1
Log of AproposFix v1
************
Running from directory: D:\Documents and Settings\Hassan\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CoVT2AB2YS83]
@="uzxaYlmghhghhihC8mXOTZghhgxjhC.3x4C8hYeYZKSnmhJXObKXYhYnMSaYOIiYeY"
"Device"="\\\\.\\WS2rint"
"DriverPath"="D:\\WINDOWS\\system32\\drivers\\s3gmusic.sys"
"DriverName"="AFDus12"
"HideUninstallerName"="D:\\Program Files\\Anamaker\\mssppsrv.exe"
"UninstallerPath"="D:\\WINDOWS\\system32\\httlesvr.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A358FFD6-A981-4FCB-9C7C-45526A234504}"
"UninstallerParams"="/CTUN"
"HDll"="D:\\WINDOWS\\system32\\hpoevent.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X8b4310f-3d38-0ecf-8894-f9c320d81d8d}"
"PageFiltering"=dword:00000001
"ClientName"="D:\\Program Files\\Anamaker\\minlanui.exe"
************
Removing hidden service: Service AFDus12 removed.
Removing hidden folder: Deletion of folder Anamaker succeeded!
Deleting files:
Deletion of file D:\WINDOWS\system32\drivers\s3gmusic.sys succeeded!
Deletion of file D:\WINDOWS\system32\safm1500.exe succeeded!
Deletion of file D:\WINDOWS\system32\hpoevent.dll succeeded!
Deletion of file D:\WINDOWS\system32\httlesvr.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CoVT2AB2YS83]
[-HKEY_LOCAL_MACHINE\Software\CoVT2AB2YS83]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A358FFD6-A981-4FCB-9C7C-45526A234504}]
Done! |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Looks good Suleman84! Did that solve the problem? |
|
  pvravi
@70.137.x.x | Worked like a charm for me. Thanks to all the people who made this possible and a pox on the apropos makers! |
|
  TimSoh
@rr.com
| reply to CalamityJane Re: Do you trust the uninstaller?
Muuuuaaaahhhhhhhh. Thanks. Everything looks good so far.
Log of AproposFix v1
************
Running from directory: C:\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\C1iXoAy6INtm]
@="19oaUZEFFEFFGFS703MMIEFFEUHFoafVgokF6C67w0LKFv5 9w56F9v0_u1B7G6C6"
"Device"="\\\\.\\Atmp440"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\vdm_cnxt.sys"
"DriverName"="nvWICH"
"HideUninstallerName"="C:\\Program Files\\Qlproxio\\tskneth.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\forefilt.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C69A390E-D08C-47A4-97CA-01B18C4B309D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\skecntra.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X3d2ea7f-fc84-6950-36fe-06342511e895}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
************
Removing hidden service: Service nvWICH removed.
Removing hidden folder: Deletion of folder Qlproxio succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\vdm_cnxt.sys succeeded!
Deletion of file C:\WINDOWS\system32\zipga256.exe succeeded!
Deletion of file C:\WINDOWS\system32\skecntra.dll succeeded!
Deletion of file C:\WINDOWS\system32\forefilt.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\C1iXoAy6INtm]
[-HKEY_LOCAL_MACHINE\Software\C1iXoAy6INtm]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C69A390E-D08C-47A4-97CA-01B18C4B309D}]
Done!
Finished! |
|
  Nopedidnt work
| My network tech ran this and it blew away his whole harddrive - had to totally reformat and do a fresh install of his XP SP2 OS. |
|
 factorx691
join:2005-11-23 Ocoee, FL
| reply to CalamityJane WOW! I didn't even have a clue what was wrong with my computer, I just couldn't view the device manager the other day. Followed this forum ran that program and all in safe mode and bam right after restart device manager worked. A++++++++ Forum topic, thanks a lot! |
|
  Brittney0356
@tds.net | reply to CalamityJane I ran the Aproposfix, but I don't understand the part about posting the contents of the log into the folder. I mean, I found the log and copied it, but where do I paste it? Any help would be greatly appreciated!
Brittney |
|
  Schurke
@comcast.net
| reply to CalamityJane I had the problem, that I wanted to install Alcohol 120% and always had the Internal error 25001.25005 and 25001.250061. After spending hours of investigating I suddenly found out that my device manager was completely empty. Then I investigated some more hours until I found information about this aproposfix. I ran it in safe mode, restarted and everything works perfectly again!!
Thanks to the developer of this great tool. Thanks a lot.
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Administrator\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CtUgrAxohl52]
@="4.8\\7u3CDDCDDEDdYS4YtuCDDCSFDmYdTemiD4A45u.JIDt3y7u34Dy1y. q6tE4A4"
"Device"="\\\\.\\NICsIde"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ipimkaud.sys"
"DriverName"="smwlver"
"HideUninstallerName"="C:\\Program Files\\Cominrar\\qedto_ie.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\evexml3r.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0284270D-7658-4584-B081-BAF0598DEB39}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\wpdbvm50.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X4b0d1b3-ccaa-3c9a-c85c-9bb191021cb2}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Cominrar\\dmbmpapi.exe"
************
Removing hidden service: Service smwlver removed.
Removing hidden folder: Deletion of folder Cominrar succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\ipimkaud.sys succeeded!
Deletion of file C:\WINDOWS\system32\cmulhost.exe succeeded!
Deletion of file C:\WINDOWS\system32\wpdbvm50.dll succeeded!
Deletion of file C:\WINDOWS\system32\evexml3r.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CtUgrAxohl52]
[-HKEY_LOCAL_MACHINE\Software\CtUgrAxohl52]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0284270D-7658-4584-B081-BAF0598DEB39}]
Done!
Finished! |
|
  LNGship
@rr.com | reply to CalamityJane 1000 thank-yous to Swandog 46. I have my device manager back again with the full screen. All the best! |
|
  vamps
@as9105.c
| reply to CalamityJane All I can say is massive thanks...worked a treat.
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\James\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CqXloAxofS65]
@="ZWSKZKThiihiiji38eaPnVhiihxkiD:4y5D9iZfZaLToniKYPcLYZiUaMaWVYajZfZ"
"Device"="\\\\.\\MRxti2o"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ntftport.sys"
"DriverName"="spldsdm"
"HideUninstallerName"="C:\\Program Files\\Hipnero\\irmstcln.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\shadivx.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{46C70C10-D287-4E45-A8B9-0CF3A8D7B719}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\qapbdlv1.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xbbc7a89-27dd-04bb-000a-1f4b14ec79f1}"
"PageFiltering"=dword:00000002
"CrMnTmt"=dword:0036ee80
************
Removing hidden service: Service spldsdm removed.
Removing hidden folder: Deletion of folder Hipnero succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\ntftport.sys succeeded!
Deletion of file C:\WINDOWS\system32\conmshta.exe succeeded!
Deletion of file C:\WINDOWS\system32\qapbdlv1.dll succeeded!
Deletion of file C:\WINDOWS\system32\shadivx.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CqXloAxofS65]
[-HKEY_LOCAL_MACHINE\Software\CqXloAxofS65]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{46C70C10-D287-4E45-A8B9-0CF3A8D7B719}]
Done!
Finished! |
|
  Ktulu07
| Worked like a charm. Thanks very much
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Administrator.THEONENESS\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CyXR7AB3KUE5]
"Device"="\\\\.\\bastsvc"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\nik1btxx.sys"
"DriverName"="PDFSDDD"
"UninstallerPath"="C:\\WINDOWS\\system32\\ahqtheme.exe"
"HDll"="C:\\WINDOWS\\system32\\typuname.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.ANT2"
"InstallationId"="{X5ccc894-532d-7dbd-03c6-b7d897a23f14}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Lognikon\\finbatt.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\wiadimap.exe"
"Version"="2.0.128"
"HideUninstallerName"="C:\\Program Files\\Lognikon\\jdbupnp.exe"
"LastAURestoreMsgTS"="2005:11:18-13:48:18:109"
--
[HKEY_LOCAL_MACHINE\Software\Aprps]
[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"
************
Removing hidden service: Service PDFSDDD removed.
Removing hidden folder: Deletion of folder Lognikon succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\nik1btxx.sys succeeded!
Deletion of file C:\WINDOWS\system32\wiadimap.exe succeeded!
Deletion of file C:\WINDOWS\system32\typuname.dll succeeded!
Deletion of file C:\WINDOWS\system32\ahqtheme.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CyXR7AB3KUE5]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CyXR7AB3KUE5]
[-HKEY_LOCAL_MACHINE\Software\Aprps]
Done!
Finished! |
|
  grateful guest
@rr.com
| thank you so much, i have been trying to fix this problem the entire day.... the world could definitely use more people like you
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Josh\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CpPiEAH8dl9D]
@="5xz8GLKghhghhih2UaZ2MXghhgwjhC.3x4C8hYeYZKSnmhJXObKXYhGMVJGYaViYeY"
"Device"="\\\\.\\MoutMgr"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\agpdasup.sys"
"DriverName"="PDFSafe"
"HideUninstallerName"="C:\\Program Files\\Halreal\\iyusrv32.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\nbtntvwr.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{238E64E5-5F97-4A0C-9CD4-32997B9FA557}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\paumsnap.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X93c43e1-85af-5cca-f475-8ceb4c34f7ad}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Halreal\\cnvinfax.exe"
************
Removing hidden service: Service PDFSafe removed.
Removing hidden folder: |
|
 BarneyBadAss Badasses Fight For Freedom Premium join:2004-05-07 00001 | The real question is how do you know you are infected in the 1st place? -- ---Barney |
|
  LeopB
@insightbb.com
| reply to CalamityJane Wonderful thing! I installed, followed the instructions, and the computer was more responsive/faster and everything seems to work again! I was looking for a bunch of files that looked strange and dubious, like "Cocrefox", and could not find any help from searching Google, not a single link! Or traces that those words exist on the internet, very strange. When I was looking in my registry my computer would crash. My comp ran very, very slow and that is what made me suspicious, the lag and strange characters would appear when typing, very scary while working on Illustrator. The key was that I could not find the Device Manager, and that search led me to this place. I always knew I had something. I ran AVG, HijackThis, SpyPatrol, PestPatrol, SpySweeper, Spybot, AdAware,.... None of them could find the malware. Thank YOU, Thank You! For the fix
Kevin
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CyTO8AHseUE9]
@="YxCpifmJKKJKKLKsppy17BJKKJZMKtfkaltpKBHBC\\5QPK A1E\\ABK EGx5 3ULBHB"
"Device"="\\\\.\\VSSbios"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\dvxamdk7.sys"
"DriverName"="BatSLIP"
"HideUninstallerName"="C:\\Program Files\\Cocrefox\\hasscp32.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\amsaffic.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{2E9B9B9C-D692-4E74-BAD7-8B3E4E3B96BF}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\cabcp32r.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xb0664e2-8b61-607c-4098-b061006ac7ab}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Cocrefox\\gptsbcli.exe"
************
Removing hidden service: Service BatSLIP removed.
Removing hidden folder: Deletion of folder Cocrefox succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\dvxamdk7.sys succeeded!
Deletion of file C:\WINDOWS\system32\mourpubw.exe succeeded!
Deletion of file C:\WINDOWS\system32\cabcp32r.dll succeeded!
Deletion of file C:\WINDOWS\system32\amsaffic.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CyTO8AHseUE9]
[-HKEY_LOCAL_MACHINE\Software\CyTO8AHseUE9]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E9B9B9C-D692-4E74-BAD7-8B3E4E3B96BF}]
Done! |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Glad it worked for you, Kevin. Your fix log looks just fine. It did, indeed, find and remove the malware. |
|
 ddhamm
join:2005-11-29 Decatur, GA
| I sure hope you can help me. I have been trying to get my computer back to normal for weeks. I did all the Hijack this stuff that could be done. I used the aproposfix.exe tool and here is my log:
Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Owner\Desktop\aproposfix
************
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CpPX6AHsIV9D]
@="g92L72LSTTSTTUTu8yEXM03STTSiVT.ottzTKQKL6EZYT5JAN6JKT2L2895DJUKQK"
"Device"="\\\\.\\OgSm1uYb"
"DriverPath"="C:\\WINNT\\system32\\drivers\\ataghdlr.sys"
"DriverName"="Ahatfat"
"HideUninstallerName"="C:\\Program Files\\Xerpport\\mqlbexec.exe"
"HDll"="C:\\WINNT\\system32\\lic2dvaa.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{Xfe0052b-ad07-78ac-5074-95524ab47659}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Xerpport\\cmpnfmsp.exe"
"AutoUpdater"="C:\\WINNT\\system32\\cewmcd32.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:11:15-07:18:09:171"
Does this mean those popups and other problems will be gone?
Thanks!! DD |
|
 ddhamm
join:2005-11-29 Decatur, GA
| OOOPS here is the rest of my log:
************
Removing hidden service: Service Ahatfat removed.
Removing hidden folder: Deletion of folder Xerpport succeeded!
Deleting files:
Deletion of file C:\WINNT\system32\drivers\ataghdlr.sys succeeded!
Deletion of file C:\WINNT\system32\cewmcd32.exe succeeded!
Deletion of file C:\WINNT\system32\lic2dvaa.dll succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_CURRENT_USER\Software\CpPX6AHsIV9D]
[-HKEY_LOCAL_MACHINE\Software\CpPX6AHsIV9D]
Done!
Finished!
Thanks, DD |
|
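The log review done by eye in this thread ("Your fix log looks just fine"), written out as an added Python example; it is not part of the thread or of AproposFix. It assumes the AproposFix v1 log layout seen in the posts above, and `review_log`, `SAMPLE`, `TRUNCATED` and every name inside the sample log are made up for illustration.

```python
import re

# Registry values in the "Registry entries found" block that name files on disk.
FILE_VALUES = ("DriverPath", "UninstallerPath", "HDll", "AutoUpdater")

def review_log(text):
    """Compare what an AproposFix v1 log found with what it reports removing."""
    # "Name"="value" pairs; works on a flattened log or one value per line.
    values = dict(re.findall(r'"(\w+)"="((?:[^"\\]|\\.)*)"', text))
    # .reg output doubles every backslash; undo that before comparing paths.
    expected = {values[k].replace("\\\\", "\\").lower() for k in FILE_VALUES if k in values}
    deleted = {p.lower() for p in re.findall(r"Deletion of file (.+?) succeeded!", text)}
    service = re.search(r"Service (\S+) removed\.", text)
    folder = re.search(r"Deletion of folder (.+?) succeeded!", text)
    problems = []
    if not service:
        problems.append("hidden service not reported removed")
    elif service.group(1) != values.get("DriverName"):
        problems.append("removed service does not match DriverName")
    if not folder:
        problems.append("hidden folder not reported deleted")
    problems += ["file not reported deleted: " + p for p in sorted(expected - deleted)]
    if not re.search(r"Removing registry entries:.*?Done!", text, re.S):
        problems.append("registry cleanup not reported done")
    return {"server": values.get("ServerAddress"), "service": service and service.group(1),
            "folder": folder and folder.group(1), "problems": problems}

# Constructed sample in the layout of the logs in this thread; every name is made up.
SAMPLE = r'''Log of AproposFix v1
Registry entries found:
[HKEY_LOCAL_MACHINE\Software\CEXAMPLE0001]
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\exdrv.sys"
"DriverName"="ExSvc"
"UninstallerPath"="C:\\WINDOWS\\system32\\exunin.exe"
"HDll"="C:\\WINDOWS\\system32\\exhook.dll"
"ServerAddress"="ads.example.test"
************
Removing hidden service: Service ExSvc removed.
Removing hidden folder: Deletion of folder Exfolder succeeded!
Deleting files:
Deletion of file C:\WINDOWS\system32\drivers\exdrv.sys succeeded!
Deletion of file C:\WINDOWS\system32\exhook.dll succeeded!
Deletion of file C:\WINDOWS\system32\exunin.exe succeeded!
Backing up files: Done!
Removing registry entries:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\CEXAMPLE0001]
Done!
'''
# The same log cut off after "Removing hidden folder:", like an incomplete paste.
TRUNCATED = SAMPLE.split("Deletion of folder")[0]

for name, log in (("complete", SAMPLE), ("truncated", TRUNCATED)):
    print(name, review_log(log)["problems"] or "all removal steps reported")
```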