problem uninstalling isearch trojan - Page 2

Zanevalon · 04-07-2005, 03:59 PM

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Extractor

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmtmgsgy
<NO NAME> REG_SZ {c38a3092-a148-44b1-8f1f-ec8836e306c4}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SM_ContextDefrag
<NO NAME> REG_SZ {E07111B5-44B3-4DD6-B77E-1FA21F1F3A37}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
<NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

greyknight17 · 04-08-2005, 08:02 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ and delete fmtmgsgy

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Boot into Safe Mode. Check and fix this in HijackThis:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimira.exe

Delete this file -> C:\WINDOWS\System32\vimira.exe

Restart and post a new HjiackThis log and FindQoologic log. Also try running remv3 and rkfiles.bat again. I want to see if anything changed since then.

~~Lobos~~ · 05-08-2005, 02:28 AM

Due to lack of activity im closing the thread

04-08-2005, 08:02 AM	#22 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\ and delete fmtmgsgy* If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Boot into Safe Mode. Check and fix this in HijackThis: O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimira.exe Delete this file -> C:\WINDOWS\System32\vimira.exe Restart and post a new HjiackThis log and FindQoologic log. Also try running remv3 and rkfiles.bat again. I want to see if anything changed since then. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

04-07-2005, 03:59 PM	#21 (permalink)
Zanevalon Registered User Join Date: Mar 2005 Location: Bronx, NY Posts: 21 OS: XP, 7	PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»» ! REG.EXE VERSION 3.0 HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers <NO NAME> REG_SZ HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Extractor HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\fmtmgsgy <NO NAME> REG_SZ {c38a3092-a148-44b1-8f1f-ec8836e306c4} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Offline Files <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Open With <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Open With EncryptionMenu <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\SM_ContextDefrag <NO NAME> REG_SZ {E07111B5-44B3-4DD6-B77E-1FA21F1F3A37} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu <NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Washer <NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\WinRAR <NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Yahoo! Mail <NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499} HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} <NO NAME> REG_SZ Start Menu Pin »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

05-08-2005, 02:28 AM	#23 (permalink)
~~Lobos~~ Troubled Join Date: Apr 2004 Location: California Posts: 943 OS: Windows XP	Due to lack of activity im closing the thread