Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions


MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Mojo » December 15th, 2005, 5:50 pm

Thank you Piney. SpyAxe wasn't in my programs [and the icon was gone from my desktop when I initially booted up]. I run Cleanmgr.exe and got rid of stuff from Temporary Files just like you said. Adaware revealed a cookie which it fixed OK. I've got into the habit of running Spybot after Adaware and when I did so it showed the entry Smitfraud-C which it couldn't get rid of. Finally, when I reboot I'm getting a window apparently from SpywareGuard telling me that my IE search page has been changed but in fact it hasn't. The Norton warning still comes up but as you suggested I'll leave this alone until I'm sure that the malware is cleared up. Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:27:08, on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\McAfee\QuickClean\PlgUni.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Play_PC_Backup] C:\Program Files\PC Backup\pcbackup.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3232885125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - http://register.btinternet.com/template ... rol023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am
Register to Remove

Unread postby Piney » December 15th, 2005, 9:51 pm

Darn it all, Mojo, I really had hoped everything would be clean.

Actually, it may be, except for NIS

I know you are getting tired of all these 'little fixes' ... just think positively!

Download: DelDomains.inf - Right-click and select: Save Target As
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset. For instance, if it's being used, IE-SPYADS will have to be reinstalled, and if Spybot's "Immunize" feature is used, you will need to reimmunize, if you're using SpywareBlaster open it and select to "Enable all protection" again.

Open your Norton Internet Security by double clicking on the icon on the task bar.
On the left side, click on Norton Antivirus
In the sub-categories, still in left pane, click on Reports.
On the right pane, click on View Quarantined Items
In each category select all, and delete. Files 'deleted' from quarantine are permanently removed from the hard drive.
Close Nortons

Open Adaware SE
Click on the 'Padlock' in the upper right corner
Right click on one item in the quarantine listings
Choose Delete all Archives
Answer yes then close AdAware

Open Spybot S&D
From the menu at the top, click Mode and then choose Advanced
From the menu that will appear on the left when you click the + next to Search & Destroy...
Click on Recovery
In the right pane will be a listing of all items placed there after a Spybot scan
Place a check next to each entry, then click on the Purge button at the top.
Answer yes, then close Spybot.

Click Start>>>> Control Panel >>>> Internet Options
Set your home page as http://www.google.com/ <<< you can change this once we see the next HJT scan
Click Apply and then OK
Close Control Panel

Right click on My Computer
choose Properties
Click on the System Restore tab
Put a check into the box that says, Turn off System Restore
Click Apply, then OK

Reboot normally
Repeat the System Restore, only this time remove the check in the box.
Click Apply, then OK

Reboot normally.

Now comes the big test.

Run a scan with Adaware and Spybot, and finally with HJT
Paste the HJT log here.

Let me know if everything is clear and clean. I have my fingers crossed for luck :)
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 16th, 2005, 7:04 pm

Thanks Piney. I'm having problems with downloading DelDomains.inf. I right click and Save Target As so that it appears on my desk top. But I can't install it. When I right click again there is no "install" on the menu. If I open in the usual way [left click] and then right click again there is no "install on the menu. Can you help with this. Mojo
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 16th, 2005, 7:23 pm

I"ve asked NonSuch for info.... I just downloaded and it has the 'Install' for me with the right click.

You might delete from your desktop, and redownload it again, to see if something interferred with the download
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 16th, 2005, 7:49 pm

I tried again and the same happens. I get the icon on my desk top but when I right click the menu doesn't include "Install". I can open the file [which contains text] and again when I right click the menu doesn't show "Install".
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 16th, 2005, 8:52 pm

I know this is all very frustrating for you, and I mainly wanted to get SpyAxe off your computer for your peace of mind.

from my mentor:
delete what he previously downloaded. Next, make sure that after he's downloaded DelDomains to his Desktop that it appears as an icon that looks like a notebook tablet with a gear overlaid on it. (If that's not what he sees, then something's off). He needs to right click on the icon, and a menu should then appear. The second item on that menu should be install.

If this doesn't work for him, it's no big disaster. Spybot S&D will have a corrected update sometime this week-end. It's not really an infection, it's just Spybot S&D seeing something incorrectly.
If the icon is not as described, then delete and retry. Or wait until Spybot does their update this weekend. There is nothing that appears to be dangerous to your computer, just worrisome for your peace of mind.

Please try it one more time, don't double click on it, just right click. Let me know either what happened this time, or if you decide to wait until Spybot updates.
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 17th, 2005, 5:50 am

No - the icon is not the same as you described. When I try to open it I get the message asking me what programme do I want to open it with. I can open open it using a text program [WordPad or Notepad]. However, when I right click [whether the file is open or closed] Install is not on the menu.

I'm happy to wait for the Spybot Update. I feel that Spyaxe has gone; it is clear that the problem I am having with the Norton protection program is something different and I will just have to work through the information you previously sent me which you found on the Web.

And so the only issue I have is that when I boot up I get this message telling me that my home page has been changed: and do I want to keep it or revert to original. It would be great if I could stop this happening.
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 17th, 2005, 6:02 am

The way deldomain is acting, it sounds as though the download was incomplete.

Mojo, did you change your homepage to Google as I suggested above?
My thought with that was to actually change your home page. Click apply. Click OK. and close out of Internet Options. This would to be to see if once again, you got the warning, and if you agree with SG, or accept or whichever you need to do, then the message would not appear with each startup.

I'll check with NonSuch, and see if there are any other suggestions. This may get fixed by the Spybot update too :)
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 17th, 2005, 7:09 am

Thanks Piney - we really are getting somewhere. I changed my home page as you suggested and when I rebooted I "accepted" when the SG messgage came up. I then rebooted and no longer got the message. Previously I was just scary about responding to the prompts as I thought the set up may have been a scam. This business can make you become a paranoid nervous wreck!
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 17th, 2005, 11:08 pm

wheeeeeeee Oh Happy Day!

We have a couple of things left to do, because you are now getting my "You appear to be ALL CLEAN" speech.

1. We need to re-hide those files again.

Click start >>> Control Panel >>> Folder Options and double click
Under the View tab scroll down to Hidden Files and Folders
Uncheck Show hidden files and folders
Check Hide extensions for known file types
Check Hide protected operating system files (Recommended}
Click Apply and click OK
Close out of Control Panel.

2. Since we 'just' created a new restore point, you really don't need to do this one :)

Right click on the My Computer Icon on your desktop
Choose Properties from the menu
Click on the System Restore tab
Put a checkmark/tick in the box next to Turn off System Restore on all drives
Click Apply and click OK
Reboot your computer

Again Right click on the My Computer Icon on your desktop
Choose Properties from the menu
Click on the System Restore tab
UNcheck the box
Click Apply and click OK
You now have a clean restore point.

NOTE: Symantec always gives the advice to "Turn OFF System Restore" before proceeding with instructions.
Current thought with malware fighters is: Leave it ON, in the event something goes wrong, you will at least be able to restore back. If it is off, you have no ability to restore back to before you began trying to clean.

3. Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure -
This can be done by following these simple instructions:

*Open [B]Internet Explorer
and click on the Tools menu and then click on Internet Options.
*Click on Security
*Click the Internet icon
*Click on Custom Level
*Change the Download signed ActiveX controls to Prompt
*Change the Download unsigned ActiveX controls to Disable
*Change the Initialize and script ActiveX controls not marked as safe to Disable
*Change the Installation of desktop items to Prompt
*Change the Launching programs and files in an IFRAME to Prompt
*Change the Navigate sub-frames across different domains to Prompt
*Change the Allow paste operations via script to Disable
*Click on OK
*Save (if asked).
*Click on Apply button
*Click on OK
*Close Internet Options

Visit Microsoft's Windows Update Site Frequently -
It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all scanning programs regularly -
Without regular updates you WILL NOT be protected when new malicious programs are released.

We will leave this topic open for a couple of days, in the event you have further problems.

Good luck with your Norton's.

Merry Christmas and Happy New Year!
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Mojo » December 18th, 2005, 3:05 pm

Wow - what a difference a day makes! Everything is fine. I managed to uninstall Norton 2005 successfully. It was a downloaded upgrade from an earlier version and I've never been confident about it. So I purchased and downloaded McAfee Internet Security 2006 without any trouble and it seems to be working a treat. I have followed your latest guidance and I'm now a happy bunny because I've also noticed that my computer is responding much faster than previously. Thanks for all your help Piney but as you say lets keep this thread open for another couple of days. Happy Chrsitmas. Mojo
Regular Member
Posts: 50
Joined: July 4th, 2005, 7:34 am

Unread postby Piney » December 18th, 2005, 6:14 pm


You have JUST made my day :lol:
I suspect, although the infection mucked up your machine, that the Nortons download was a bit out of whack, and created lots of slowdowns while it sorted itself out.

I use NIS2005, and frankly I would prefer to return to 2004 as it just seemed to 'work' better for me.

We've no problem leaving this open for a couple of days. Even after it is locked, it is available with a personal message requesting it be re-opened.
Retired Graduate
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby NonSuch » December 21st, 2005, 6:07 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Posts: 28528
Joined: February 23rd, 2005, 7:08 am
Location: California
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 105 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware