O1 - Hosts: localhost 127.0.0.1

[Ro!]

Hello!

I get above result "Nasty" on HijackThis log file analysis. Waht can i do? Am i infected?

Regards,
Robert

[Eddy]

Have a look HERE in the HijackThis section.

O1 - Hosts: localhost 127.0.0.1

127.0.0.1 is your localhost and therefor not harmfull at all.
Either you used a bad analyzer or did not read the instructions on how to use it well.

[Ro!]

Thanks!

"My" Analyzer:
http://www.hijackthis.de/de

[raman]

Hijackthis reports this, because it is written in a wrong way

This is wrong:

O1 - Hosts: localhost 127.0.0.1

It should be:

O1 - Hosts: 127.0.0.1 localhost

[DavidR]

I just wonder why it is there and what put it there, it shouldn't need to be there certainly not for avast. There is no 01 - Hosts: entry in my HJT log, so it would be interesting to find what put it there and why.

[Ro!]

Waht can i do? Am i infected?

[raman]

I do not think so, but you could post your whole Hijackthis log.

[Ro!]

@DavidR

Avast has bolcked some actions  during surfing:
Ms06-001 wmf exploit
Adan-078

after this i scanned system with HjT and recived after analysis this entry as "nasty".
So i posted this here.

[polonus]

Hi Rol,

Please download FixWareout from
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

polonus

[Ro!]

@ ranman:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:11, on 7.8.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\brsvc01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\brss01a.exe
D:\WINDOWS\System32\SCardSvr.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
D:\WINDOWS\system32\Smartscaps.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\Commander Pro\UPServ.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Commander Pro\UPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
D:\WINDOWS\system32\Linksts.exe
D:\PROGRA~1\Genius\GNETMOUS.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\Thunderbird\thunderbird.exe
D:\Program Files\OpenOffice.org 2.0\program\soffice.exe
D:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
D:\Program Files\hijack\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IAAnotif] D:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [mouseElf] D:\PROGRA~1\Genius\GNETMOUS.EXE
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] D:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Enterra Icon Keeper] "D:\Program Files\Enterra\Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5A07179-38A1-4CCA-907D-A4104853EC55}: NameServer = 193.189.160.11,193.189.160.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\system32\brsvc01a.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - D:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPSmart - Unknown owner - D:\Program Files\Commander Pro\UPServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Eddy]

I ran your log through my own analyzer and nothing bad or suspicious is found.

However, you may have a look at this one:
o4 - hklm\..\run: [asus probe] c:\program files\asus\probe\asusprob.exe
Loads the Asus motherboard probe when Windows starts

It is not needed for the system to work.
It is your choice to leave it there or not.

[polonus]

Hi Ro!

Thanks for posting it, and Eddy for the analysis. Stay free of malware, and welcome to the forum, manually fix the hostfile just to make sure from here: http://jayloden.com/HostFix.exe
Do the urls: 193.109.160.11 & 193.109.160.12 have a familiar ring, else you should fix this entry.

polonus

[Ro!]

THANK YOU, lad's!

@Eddy:    
o4 - hklm\..\run: [asus probe] c:\program files\asus\probe\asusprob.exe
My calculator is squeezed into small case, and it tends to owerheating (with original P4 Cooler - I got case open all time). So with this prog i can monitor Proc. temperature. If it rises, i have to blow dust out of the cooler ....

@polonus:
193.109.160.11 & 193.109.160.12 - DNS servers from my DSL provider.
i fixed my Host file - thanks!
Nov is my HJT log clean.

Thanks again & best regards from Slovenija,
Robert.

[..::ReVaN::..]

Polonus those are the DNS servers his ISP uses.... I know cause i am on the same ISP


Cheers,

Mikey

EDIT: Malo si me prehitel Robert

[DavidR]

@DavidR

Avast has bolcked some actions  during surfing:
Ms06-001 wmf exploit
Adan-078

avast's Web Shield looks like it intercepted this exploit, although you didn't say its location (usually an internet address). The pop-up warning should have basically given you the Abort Conection option, this stops the infected file/item being downloaded, so it doesn't get on to your hard drive.

Example of Web Shield warning pop-up: