Hello!
I get the above result “Nasty” on HijackThis log file analysis. What can I do? Am I infected?
Regards,
Robert
Have a look HERE in the HijackThis section.
O1 - Hosts: localhost 127.0.0.1
127.0.0.1 is your localhost and therefore not harmful at all.
Either you used a bad analyzer or did not read the instructions on how to use it well.
Thanks!
“My” Analyzer:
http://www.hijackthis.de/de
HijackThis reports this because it is written in the wrong way.
This is wrong:
O1 - Hosts: localhost 127.0.0.1
It should be:
O1 - Hosts: 127.0.0.1 localhost
I just wonder why it is there and what put it there; it shouldn’t need to be there, certainly not for avast. There is no O1 - Hosts: entry in my HJT log, so it would be interesting to find out what put it there and why.
What can I do? Am I infected?
I do not think so, but you could post your whole HijackThis log.
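A small checker for the point made above (the O1 entry is flagged only because its two fields are swapped, while a hostname pointed at a non-loopback address is the kind of hosts entry that actually deserves attention). This is an added example, not code from the thread or from HijackThis; the sample lines and the hostname update.example.com are constructed.

```python
import ipaddress

HJT_PREFIX = "O1 - Hosts: "  # prefix HijackThis puts before each hosts entry


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def hosts_body(line):
    """Strip a HijackThis O1 prefix (if present) and any trailing '#' comment."""
    if line.startswith(HJT_PREFIX):
        line = line[len(HJT_PREFIX):]
    return line.split("#", 1)[0].strip()


def classify_hosts_line(line):
    """Verdict for one hosts entry (raw, or taken from an O1 log line):
    'comment'  blank/comment line;  'ok' loopback address + hostnames (normal form)
    'reversed' fields swapped, e.g. 'localhost 127.0.0.1' (harmless but malformed)
    'redirect' hostname mapped to a non-loopback address (0.0.0.0 blocklist entries
               land here too); these are the entries that deserve a closer look
    'malformed' anything else"""
    body = hosts_body(line)
    if not body:
        return "comment"
    tokens = body.split()
    if _is_ip(tokens[0]) and len(tokens) > 1:
        return "ok" if ipaddress.ip_address(tokens[0]).is_loopback else "redirect"
    if len(tokens) > 1 and _is_ip(tokens[-1]) and not any(_is_ip(t) for t in tokens[:-1]):
        return "reversed"
    return "malformed"


def fix_reversed(line):
    """Rewrite a reversed entry into 'address hostname...' order; others unchanged."""
    if classify_hosts_line(line) != "reversed":
        return line
    tokens = hosts_body(line).split()
    return " ".join([tokens[-1]] + tokens[:-1])


def audit(lines):
    """(line, verdict) pairs for every non-comment line of a hosts file or O1 listing."""
    pairs = [(l, classify_hosts_line(l)) for l in lines]
    return [(l, v) for l, v in pairs if v != "comment"]


# Constructed sample: the swapped entry from the thread, a correct entry, a comment, and a
# hostname pointed at a documentation-range address (not from the real log).
SAMPLE = ["# Copyright (c) 1993-1999 Microsoft Corp.", "O1 - Hosts: localhost 127.0.0.1",
          "127.0.0.1 localhost", "203.0.113.5 update.example.com"]
```

Running audit(SAMPLE) gives the verdicts reversed, ok and redirect for the three non-comment lines; fix_reversed turns the first into 127.0.0.1 localhost.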
@DavidR
Avast has blocked some actions during surfing:
Ms06-001 wmf exploit
Adan-078
After this I scanned my system with HJT and received this entry as “nasty” after analysis.
So I posted it here.
Hi Rol,
Please download FixWareout from
http://downloads.subratam.org/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure “Run fixit” is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log in the forum.
polonus
@ ranman:
Logfile of HijackThis v1.99.1
Scan saved at 16:59:11, on 7.8.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\brsvc01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\brss01a.exe
D:\WINDOWS\System32\SCardSvr.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
D:\WINDOWS\system32\Smartscaps.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Commander Pro\UPServ.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Commander Pro\UPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
D:\WINDOWS\system32\Linksts.exe
D:\PROGRA~1\Genius\GNETMOUS.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\Thunderbird\thunderbird.exe
D:\Program Files\OpenOffice.org 2.0\program\soffice.exe
D:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
D:\Program Files\hijack\HijackThis.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM..\Run: [ATICCC] “D:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [IAAnotif] D:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM..\Run: [mouseElf] D:\PROGRA~1\Genius\GNETMOUS.EXE
O4 - HKLM..\Run: [Siemens SmartSync - ScheduleSync] D:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [Zone Labs Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Enterra Icon Keeper] “D:\Program Files\Enterra\Icon Keeper\IcnKeepr.exe” ssp /s
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “D:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [NBJ] “D:\Program Files\Ahead\Nero BackItUp\NBJ.exe”
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip..{D5A07179-38A1-4CCA-907D-A4104853EC55}: NameServer = 193.189.160.11,193.189.160.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\system32\brsvc01a.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - D:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPSmart - Unknown owner - D:\Program Files\Commander Pro\UPServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
I ran your log through my own analyzer and nothing bad or suspicious is found.
However, you may have a look at this one:
o4 - hklm..\run: [asus probe] c:\program files\asus\probe\asusprob.exe
Loads the Asus motherboard probe when Windows starts
It is not needed for the system to work.
It is your choice to leave it there or not.
Hi Ro!
Thanks for posting it, and Eddy for the analysis. Stay free of malware, and welcome to the forum. Manually fix the hosts file just to make sure, from here: http://jayloden.com/HostFix.exe
Do the URLs 193.109.160.11 & 193.109.160.12 have a familiar ring? Otherwise you should fix this entry.
polonus
THANK YOU, lads!
@Eddy:
o4 - hklm..\run: [asus probe] c:\program files\asus\probe\asusprob.exe
My computer is squeezed into a small case, and it tends to overheat (with the original P4 cooler - I have the case open all the time). So with this program I can monitor the processor temperature. If it rises, I have to blow the dust out of the cooler …
@polonus:
193.109.160.11 & 193.109.160.12 - DNS servers from my DSL provider.
I fixed my hosts file - thanks!
Now my HJT log is clean.
Thanks again & best regards from Slovenija,
Robert.
Polonus, those are the DNS servers his ISP uses… I know because I am on the same ISP.
Cheers,
Mikey
EDIT: You beat me to it, Robert.
avast’s Web Shield looks like it intercepted this exploit, although you didn’t say its location (usually an internet address). The pop-up warning should have basically given you the Abort Connection option; this stops the infected file/item being downloaded, so it doesn’t get on to your hard drive.
Example of Web Shield warning pop-up:
Hi Ro!
Everything seems OK now, no problems anymore, as Miha says.
greetings (= in Polish: pozdrawiam)
polonus
Thank you (Hvala / Dziękuję)
Best regards (Lep pozdrav / Pozdrowienia)
Hope my Polish is acceptable.
http://www.poltran.com/pl.php4