I’m a new user to Avast and downloaded it because my machine has been experiencing many lockups lately. I also have a recurring problem with my Yahoo (and other) search engines being hijacked. The first page of results is obviously not the true results, and points to address http://61.131.54.618.cc/search.php.
I have tried Spybot and Ad-aware to repair this, but it still persists. When I ran Avast it found 2 files noted as Win32 trojan-gen {other}. I followed the recommendation and placed the files in the Chest. Is this all that needs to be done? Should there be some method of “cleaning” the virus, like any registry effects, etc.?
Since your system was already infected prior to installing avast, there may be other malware on your system.
I would recommend a visit to Eddy’s Website click the “HiJackThis Section” and also the “Malware removal instructions and applications” section, and follow the directions there and get back to us if you need more help…
Hijackthis should help remove these browser hijacks.
I’ll try this out. Can you please confirm that just moving the files to the Chest is enough? No cleaning? I tried the stand-alone cleaner and locked up twice while scanning shared memory.
Under normal circumstances moving the file to the chest is enough, in the chest, it can’t be activated.
However, if this has been on your system for some time there may be registry entries; these entries on their own can’t do anything if the file they call/use has been moved to the chest. So moving to the chest is effective; it should be used to give you time to investigate, and if moving the file to the chest has no harmful effect (valid file recognised incorrectly) after a period of time you can also delete it from the chest.
Me, I would want to get rid of the registry entries as well, which is why I suggested using HijackThis.
Here is the result from HiJackThis. I used both Ad-aware and spybot and rebooted before running it. Please let me know what else I can do.
Thanks…
Logfile of HijackThis v1.99.1
Scan saved at 11:18:06 AM, on 2/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
Also, using Task Manager (Alt + Ctrl + Del), kill this process (E_S5I2A1.EXE),
then delete this file:
C:\WINDOWS\SYSTEM\E_S5I2A1.EXE
After this reboot, update your windows fully (www.windowsupdate.com), then redo and repost another hijackthis log.
Thanks for the examination. Being somewhat of a novice, I am a bit nervous about removing things without knowing what they are. Should I back any of this up in a directory before trying to remove them?
For example, isn’t systray.exe part of Windows? Is c:\program files\netzero\exec.exe regrun part of my NetZero or just some phony file stuck in there?
Ahh, you’re using Windows 98, erm, best ignore that bit until Eddy replies (the writer of the HijackThis log analyzer I used).
c:\program files\netzero\exec.exe regrun part of my netzero or just some phony file stuck in there?
Hmm, I have never heard of/used NetZero myself, but if you feel it is legitimate, then leave it on there.
But the rest should be fine to remove/delete.
HijackThis automatically makes a backup of what you fix with it, but if you feel you want to make a backup of the file I suggested to delete then do so (it’s your system, not mine, remember :))
BTW, the ‘E_S5I2A1.EXE’ file is just a malware BHO/toolbar, but as I said, if you want to make a backup, then do so.
systray.exe is indeed part of Windows.
On a 98(se) system the file should be in x:%systemroot%\system\
My HJT log analyzer doesn’t say to remove or fix it.
It says to fix: o4 - hklm..\run: [systemtray] systray.exe (which is a registry key)
I personally have checked ALL entries in the databases for the HJT log analyzer,
but I am a human just like you (whoever reads this) and of course I could have made a mistake.
So far, however, no one has reported any problems after fixing that registry key.
But as I said, it can be a mistake from me.
So if someone who has 98(se) on his/her system reads this, please check the registry for this key (or use HijackThis to do so) and let me know if you have this key there or not.
I’ve just checked my old (but clean) W98SE box and do have the following registry entry…
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
name:SystemTray
value:“SysTray.Exe”
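An added example (not code from the thread, from Avast or from HijackThis): a small Python parser for the O2 and O4 log lines discussed above. It expands HijackThis’s abbreviated `HKLM\..\Run` into the full Run key garyb lists, and for a BHO gives the CLSID-keyed location it is registered under, so each entry can be looked up in the registry before it is fixed. The sample log is constructed from the thread’s lines; the BHO registry location is standard Windows and is not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis shortens "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# to "HKLM\..\Run" in O4 lines; this prefix restores the full key.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

@dataclass
class Entry:
    section: str       # "O2" (BHO) or "O4" (Run-key startup item)
    registry_key: str  # full key the user can look up (regedit or HijackThis)
    name: str          # value name (O4) or BHO display name (O2)
    target: str        # command line (O4) or DLL path (O2)
    clsid: Optional[str] = None

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]{36}\}) - (.+)$", re.I)

def parse_line(line: str) -> Optional[Entry]:
    """Turn one O2 or O4 log line into an Entry; other sections give None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, subkey, name, target = m.groups()
        return Entry("O4", f"{hive.upper()}\\{CURRENT_VERSION}\\{subkey}", name, target)
    m = O2_RE.match(line)
    if m:
        bho_name, clsid, dll = m.groups()
        # BHOs are registered by CLSID under this Explorer key (standard Windows
        # location); the DLL path itself lives under HKCR\CLSID\{clsid}\InProcServer32.
        key = f"HKLM\\{CURRENT_VERSION}\\Explorer\\Browser Helper Objects\\{clsid.upper()}"
        return Entry("O2", key, bho_name, dll, clsid.upper())
    return None

def parse_log(text: str) -> list:
    """Parse a whole log, keeping only the O2/O4 entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def basename(path: str) -> str:
    """File name only: 'C:\\WINDOWS\\SYSTEM\\DSMANA~1.DLL' -> 'DSMANA~1.DLL'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].split()[0].strip('"')

# Constructed sample: the O2 line as it appears in the thread plus the O4 line
# in HijackThis's own casing (the analyser quoted it lower-case).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\\WINDOWS\\SYSTEM\\DSMANA~1.DLL
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section} {e.name!r}: check {e.registry_key} -> {basename(e.target)}")
```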
I removed all recommended items. I’m posting the new HijackThis log below.
By the way, I see the note from garyb about systray.exe. Should I reinstall this, and can it be done with the backup in HijackThis?
Logfile of HijackThis v1.99.1
Scan saved at 9:37:59 PM, on 2/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
I have checked my old Win98 downstairs; it seems ‘o4 - hklm..\run: [systemtray] systray.exe’ is a legitimate startup item. From what I can find out about it, it shows dates and time etc. (I think it’s the taskbar).
So it looks like you are going to need to bring ‘o4 - hklm..\run: [systemtray] systray.exe’ back. Luckily this is easily done; to do it:
Open HijackThis > click ‘view list of backups’, check/select ‘o4 - hklm..\run: [systemtray] systray.exe’ from the list and press restore; it will then be back in its place.
OK, about your log, it’s clean IMHO.
However, I can’t see any active firewall on your system; do you use a hardware one? If not, ZoneAlarm and Kerio are some good firewall suggestions.
You guys were right on the mark with your help…and I sincerely appreciate it. The replacement search page from the hijacker is gone and things look back to normal.
No, I don’t have a firewall…but I will look into getting one. And I started looking into the Windows update but wasn’t sure if I was looking in the right place. I don’t want to apply a patch that wasn’t meant for Win98 SE, particularly if there isn’t any real support for it anymore.
In any case, thanks again for all your help…and I’ve learned a few things as well.