SandBoxer Description:
SandBoxer is a nightmare to detect and remove.
It uses random file names, which it changes from
time to time. It uses random text for registry
entries, and changes this text, too. It is
fault-tolerant, repairing itself when part of
itself is deleted. It sets its file attributes to
"system" and "hidden" to make
detection and removal harder. And it works as a
trickler, downloading more adware, spyware, porn
dialers, and the like.
Alias: memorywatcher, Adware-MemWatcher,
Backdoor.VB.nb, Backdoor.VB.oq, Peper Trojan
SandBoxer Automatic Removal:
Use Spyware Doctor to remove SandBoxer automatically.
SandBoxer Manual Removal:
If you must attempt this manually, here are some
hints.
Using RegEdit, in HKEY_LOCAL_MACHINE\Software
find all keys that have 14 random characters and
begin with a digit (such as 4#D3LTM36@@M2#),
and remove them.
Remove the comparable string value at HKLM\software\microsoft\windows\currentversion\run\
(i.e., any value that has 14 random characters
and begins with a digit, such as
4#D3LTM36@@M2#).
Using Spyware Doctor's Running Processes tab, find
the two files that have identical MD5 values, are
225,336 bytes in size, and that are located in
your Windows System32 directory. These are
running, and need to be deleted. Note their
names. Kill them using Task Manager
(Ctrl-Alt-Del). Delete them on disk, and any
other files in the System32 directory that have a
size of 225,336 bytes. There should be six such
files, each with names such as:
C:\WINNT\System32\HPHipm09.exe
C:\WINNT\system32\Yjjq5g.exe
C:\WINNT\system32\Ovc7J0i.exe
C:\WINNT\system32\Uflmw.exe
These files are marked "system" and
"hidden", so you will need to ensure
that Windows Explorer can see such files if you
are to delete them manually.
An uninstaller is available at http://www.memorywatcher.com/uninst.exe
which does not appear to remove any directories
or files, but which does remove the registry
entries.
Note that SandBoxer renames its files while
you work away on them... so you may need to do
your work quickly.
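The hints above reduce to three checks that can be scripted: 14-character names beginning with a digit under HKLM\Software and the Run key, and same-size files with identical MD5 values in System32. The following PowerShell is an added example, not part of the original instructions or of any vendor tool; it only reports matches and deletes nothing. The character set in the name pattern and all function and variable names are assumptions made here.

```powershell
# Added example: read-only triage for the indicators described above.
# Assumption: the 14-character names use only letters, digits, '#' and '@'
# (inferred from the samples on this page).
$NamePattern = '^\d[A-Za-z0-9#@]{13}$'
$SuspectSize = 225336   # file size in bytes reported on this page

function Test-SandBoxerName {
    param([string]$Name)
    return $Name -match $NamePattern
}

function Find-SuspectRegistryNames {
    # Subkeys of HKLM\Software, plus Run values, whose names fit the pattern.
    $runPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $keys = @(Get-ChildItem -Path 'HKLM:\Software' -ErrorAction SilentlyContinue |
        Where-Object { Test-SandBoxerName $_.PSChildName } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Key'; Path = $_.Name } })
    $values = @()
    $run = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
    if ($run) {
        $values = @($run.GetValueNames() |
            Where-Object { Test-SandBoxerName $_ } |
            ForEach-Object { [pscustomobject]@{ Kind = 'RunValue'; Path = "$runPath\$_" } })
    }
    return $keys + $values
}

function Find-SuspectFiles {
    param([string]$Directory = "$env:SystemRoot\System32")
    # -Force lists files carrying the "system" and "hidden" attributes too.
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $SuspectSize } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                MD5        = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            }
        } |
        Group-Object -Property MD5 |
        # Keep only sets of two or more files that hashed to the same value.
        Where-Object { $_.Name -and $_.Count -gt 1 } |
        ForEach-Object { $_.Group }
}

Find-SuspectRegistryNames | Format-Table -AutoSize
Find-SuspectFiles | Format-Table -AutoSize
```

On 64-bit Windows, registry entries written by 32-bit programs appear under HKLM\Software\WOW6432Node, which this example does not scan.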
- Kill these running processes with Task
Manager:
memorywatcher.exe
programfilesdir+\memorywatcher\uninst.exe
programfilesdir+\memorywatcher\upgradememorywatcher.exe
programfilesdir+\memorywatcher\wowex32.exe
regrepair.exe
- Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\od-asia4, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\2swzkn82r5k47c, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\3z6f4j35#h46s9, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\4s2nsla3qs#366, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\idjqqk, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ymcjqxfa, delete it and reboot the machine immediately.
- Unregister these DLLs with Regsvr32, then reboot:
portsdb.dll
- Remove these registry items (if present)
with RegEdit:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\od-asia4
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\memorywatcher
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\2swzkn82r5k47c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\3z6f4j35#h46s9
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\4s2nsla3qs#366
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\idjqqk
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ymcjqxfa
- Remove these files (if present) with Windows
Explorer:
krwh5.y12
memorywatcher.exe
portsdb.dll
programfilesdir+\memorywatcher\trayicon.ocx
programfilesdir+\memorywatcher\uninst.exe
programfilesdir+\memorywatcher\upgradememorywatcher.exe
programfilesdir+\memorywatcher\wowex32.exe
regrepair.exe