Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Trouble with About:blank

Post by Kathandbrian » November 1st, 2005, 1:33 pm

Would you please check this Hijack log file for me?

Logfile of HijackThis v1.99.1
Scan saved at 6:28: PM, on 01/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TELES\skyDSL\tskyclnt.exe
C:\Program Files\TechniSat DVB\bin\Server4PC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TELES\skyDSL\Proxy\craxy.exe
C:\Program Files\TELES\skyDSL\tskymtpc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:8080;http=127.0.0.1:8080;https=127.0.0.1:8080
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FreshDevices\FreshDownload\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [skyDSLClient] C:\Program Files\TELES\skyDSL\tskyclnt.exe -q
O4 - Global Startup: Server4PC.lnk = C:\Program Files\TechniSat DVB\bin\Server4PC.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: skyDSL++ - {F7522CA2-3DDA-11d3-8560-0060977792B1} - C:\Program Files\TELES\skyDSL\sky2sky.exe
O9 - Extra button: skyDSL- - - {F7522CA8-3DDA-11d3-8560-0060977792B1} - C:\Program Files\TELES\skyDSL\sky2fon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{14E5DD4F-DE8B-44F2-84BA-4AA10C7888C5}: NameServer = 194.179.1.100 194.179.1.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{14E5DD4F-DE8B-44F2-84BA-4AA10C7888C5}: NameServer = 194.179.1.100 194.179.1.101
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: skyDSL proxy (tntcraxy) - Unknown owner - C:\Program Files\TELES\skyDSL\Proxy\craxy.exe" service (file missing)
Kathandbrian
Active Member
 
Posts: 2
Joined: November 1st, 2005, 1:25 pm

Post by ChrisRLG » November 4th, 2005, 11:56 am

Your log looks very clean.

BUT

O17 - HKLM\System\CCS\Services\Tcpip\..\{14E5DD4F-DE8B-44F2-84BA-4AA10C7888C5}: NameServer = 194.179.1.100 194.179.1.101

The IPs on that (which are supposed to be your DNS servers) are nowhere near your own IP.

It might be to do with your proxy software you have installed, or might be your hijack.

Can you advise what the DNS setting should be from your ISP's information (as provided when it was set up) or from their website?
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
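
The check discussed in the post above, comparing the O17 NameServer values against what the ISP actually issued and looking at the proxy and Winsock LSP entries alongside them, can be scripted. This Python code is an added example, not part of the original thread; the function names and the `expected_dns` input are assumptions, and the sample lines are copied from the log posted above.

```python
import ipaddress
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:8080;http=127.0.0.1:8080;https=127.0.0.1:8080
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{14E5DD4F-DE8B-44F2-84BA-4AA10C7888C5}: NameServer = 194.179.1.100 194.179.1.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{14E5DD4F-DE8B-44F2-84BA-4AA10C7888C5}: NameServer = 194.179.1.100 194.179.1.101
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O17 - <detail>"

def parse_entries(log_text):
    """Return (section, detail) pairs for every HijackThis entry line."""
    return [m.groups() for line in log_text.splitlines()
            if (m := ENTRY.match(line.strip()))]

def network_review(log_text, expected_dns=()):
    """Collect settings that can redirect traffic: proxy (R1), LSP (O10), DNS (O17)."""
    report = {"proxy": {}, "proxy_local": False, "lsp_files": set(), "dns": set()}
    for section, detail in parse_entries(log_text):
        if section == "R1" and "ProxyServer = " in detail:
            for part in detail.split("ProxyServer = ", 1)[1].split(";"):
                scheme, _, endpoint = part.rpartition("=")
                report["proxy"][scheme or "all"] = endpoint
                host = endpoint.rsplit(":", 1)[0]
                try:  # a loopback proxy implies a local process relays the traffic
                    report["proxy_local"] |= ipaddress.ip_address(host).is_loopback
                except ValueError:
                    pass  # hostname rather than an IP literal
        elif section == "O10" and ": " in detail:
            report["lsp_files"].add(detail.split(": ", 1)[1].lower())
        elif section == "O17" and "NameServer = " in detail:
            value = detail.split("NameServer = ", 1)[1]
            report["dns"].update(s for s in re.split(r"[ ,]+", value) if s)
    # Anything not in the ISP-provided list (hypothetical input) needs a manual check.
    report["dns_unexpected"] = report["dns"] - set(expected_dns)
    return report

if __name__ == "__main__":
    isp_dns = {"194.179.1.100", "194.179.1.101"}  # assumed: taken from ISP paperwork
    print(network_review(SAMPLE_LOG))
    print(network_review(SAMPLE_LOG, isp_dns)["dns_unexpected"])
```

With no expected list supplied, every NameServer value is reported for review; once the ISP's documented servers are passed in, only the ones that differ remain.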

Post by ChrisRLG » November 4th, 2005, 12:01 pm

Those DNS IPs are from Spain.

minerva.ttd.net = [ 213.0.184.68 ]
Domain Name................ ttd.net
Creation Date............ 16/10/1997
Expiry Date.............. 15/10/2006
Last Update Date......... 17/11/2004
Organization Contact Id.... PROP-1230-00091872
Organization Name........ TELEFONICA S.A.
Organization Org......... TELEFONICA S.A.
Organization Street...... GRAN VIA 28
Organization City........ MADRID
Organization State....... MADRID
Organization PC.......... 28013
Organization Country..... ES
Organization Phone....... 34.915844500
Organization Fax......... 34.915844509
Organization e-mail...... propiedad.industrial@telefonica.es
Administrative Contact Id.. 1052-00136019
Administrative Name...... JUAN GRAGERA GALLARDO
Administrative Org....... TELEFONICA S.A.
Administrative Street.... GRAN VIA 28
Administrative City...... MADRID
Administrative State..... MADRID
Administrative PC........ E-28013
Administrative Country... ES
Administrative Phone..... 34.91.584.46.80
Administrative Fax....... 34.91.584.46.89
Administrative e-mail.... propiedad.industrial@telefonica.es
Technical Contact Id....... 1180-00022321
Technical Name........... JOSE IGNACIO GARCIA ZAMORANO
Technical Org............ TELEFONICA DATA ESPAÑA
Technical Street......... ALMANSA 105
Technical City........... MADRID
Technical State.......... MADRID
Technical PC............. 28040
Technical Country........ ES
Technical Phone.......... 34 914566351
Technical Fax............ 34 914567600
Technical e-mail......... DNSADMIN@TTD.NET
Domain servers in listed order:
Name Server............. minerva.ttd.net
Name Server............. artemis.ttd.net
Interdomain's WHOIS database is provided by Interdomain for information
purposes only proving information about or related to a domain name
registration record.
Interdomain makes this information available "as is " and does not guarantee
its accuracy.

============

The IP you used for here - is the proxy in Germany.

So are you in Spain, so I can eliminate that from the problems?
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by ChrisRLG » November 4th, 2005, 12:02 pm

Just noticed your flag - so you are in Spain.

So they look legit.

Try turning off your proxy server - to see if that solves your issues.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by Kathandbrian » November 5th, 2005, 2:41 pm

Thanks for the check. Yes I am in Spain. I cannot turn off the proxy server due to my connection. I connect to the internet using a GPRS mobile phone - my proxy server. I receive data via a satellite connection which acts as my ISP which is SkyDsl - a German company, hence the German email address.

My request to you was started because I was "infested" with the About:blank malware. I used the Remove programme to take it out, but was advised to seek further advice to remove variants etc. I was having serious problems with Windows Update not connecting and Windows not shutting down. Thought this malware may have been the cause. I have now done a complete reinstall and all is okay - I hope!!
Kathandbrian
Active Member
 
Posts: 2
Joined: November 1st, 2005, 1:25 pm

Post by ChrisRLG » November 5th, 2005, 6:28 pm

Thank you for the update.

I will move this to the archives now.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK