spyware loading in advanced search page of google web page

Discussion in 'Malware and Virus Removal Archive' started by Judy, 2004/09/27.

Thread Status:
Not open for further replies.
  1. 2004/09/27
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Every time I load Google's "advanced search" page the phrase "www
    isabella image411 com" automatically loads in the "exact phrase"
    field of the page.

    I remove it, but it continually returns every time I load the Google
    advanced search page.

    I sent a message to Google Help, and I was told that it was probably
    spyware and the suggestion was to use ad-aware, cw shredder, etc. I
    already use Ad Aware, did download CW Shredder and ran it.

    Neither ad-aware nor cwshredder removed this spyware.

    Computer is Dell Inspiron 8200, XP Home SP2, IE 6

    Are there any suggestions?

    Thanks for your help.
     
    Judy,
    #1
  2. 2004/09/27
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Judy,

    Download HijackThis to a folder of its own - unzip and run. After the scan, click the save scan button, the saved scan will be in the same folder - then copy & paste it into your next post.

    Download from here: http://radiosplace.com/

    One of the mods will move this thread to the Security/Virus section where it will have a better chance of being answered.

    Regards - Charles
     

  4. 2004/09/27
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Hi Charles, here is the hijack log.

    Logfile of HijackThis v1.98.2
    Scan saved at 5:58:29 PM, on 9/27/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
    C:\Program Files\PurgeIE\PurgeIE_Service.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{523E9CB7-4D31-4E78-BF7E-B2F7DAC1FF0E}: NameServer = 151.164.1.8,206.13.28.12

    Thanks, Judy
     
    Judy,
    #3
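
Added example, not part of the thread: the helpers below refer to log entries by section code plus GUID (for example "O16 DPF 94B82441-..."), so this sketch parses a HijackThis log and resolves that shorthand back to the full entry. The function names and the `SECTIONS` table are assumptions of this example, and the sample is constructed from lines of the log above.

```python
import re

SECTIONS = {  # HijackThis section codes that appear in the log posted above
    "R0": "IE start/search page registry value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O8": "extra IE context-menu item",
    "O9": "extra IE button / Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O17": "DNS / domain setting",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

def parse_log(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False  # coded entries follow the process list
            code, detail = m.groups()
            entries.append({"code": code, "detail": detail,
                            "section": SECTIONS.get(code, "unknown"),
                            "guids": [g.upper() for g in GUID_RE.findall(detail)]})
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def find_entry(entries, code, guid):
    """Resolve shorthand such as 'O16 DPF <GUID>' to the full log entries."""
    guid = guid.strip("{}").upper()
    return [e for e in entries if e["code"] == code.upper() and guid in e["guids"]]

# Constructed sample: lines copied from the log posted above.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
"""

if __name__ == "__main__":
    for e in find_entry(parse_log(SAMPLE)[1], "O16", "94B82441-A413-4E43-8422-D49930E69764"):
        print(e["code"], "|", e["section"], "|", e["detail"])
```
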
  5. 2004/09/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Judy - that looks sorta like it was run from safe mode. Not enough stuff running.

    What version of Ad-aware and what date on the ref file?

    Also I suggest you get Spybot v1.3 (scan/removal app similar to Ad-aware but with some additional features and works well with Ad-aware) and Spywareblaster (passive - just update and tell it to immunize). Quicklinks in my signature has sites to download each of them.

    Try turning off PurgeIE for right now and with the computer running in normal mode, surf to the site that is giving you problems, close all open windows, run HJT again, and post a new log.
     
    Newt,
    #4
  6. 2004/09/27
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Actually, I did NOT run the scan in safe mode.

    When you suggest I go to the site that is giving me trouble, then close all windows, do you mean leave the troubled window site open? ie: IE6. Do you want me to leave that open?

    I did close all the windows before, and was not running PurgeIE. The short cut is on my desk top. Should I remove it from the process list in the task manager? CPU usage is 00.

    Ad-aware SE Plus build 1.05. What do you mean by ref file? Last scan was 9/26.

    I have used SpyBot in the past, and some of the "fixes" did damage to my system. (Did see others say the same thing)

    I will get Spywareblaster.

    Thanks and I appreciate your answers to the questions above.
     
    Judy,
    #5
  7. 2004/09/28
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Judy--I am no expert, but I think you can safely remove
    O16 DPF 94B82441-A413-4E43-8422-D49930E69764
    Reboot and then see if things are fixed.
    Newt--I agree, one very lean HiJackThis (not AdAware) scan, but it has everything you need.
     
  8. 2004/09/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Judy - my bad. I should have explained several of my comments before you had to ask. Just got in a hurry.

    You had way fewer running processes than we normally see. Nothing wrong with that and it should give you a system that runs well but once in a while we see a HJT scan run from safe mode so lots of the things that need to be removed don't show since they don't start in that mode. Just checking.

    The suggestion for shutting off PurgeIE for the moment was just in case it was being too efficient and blocking some things in the background that needed removing.

    With programs like Ad-aware you have two version items that are important. The main application version (and yours is the latest) and the list of critters it looks for (from the ref file it is using). If you check for updates, it will find a newer one if it exists and you can update. The version you have will be listed like the top line in the first picture here.

    I have occasionally heard from others on the forum that Spybot broke something - not recently though. Haven't seen it on any of my PCs but I may not be running whatever program(s) it is breaking. I like the extra protection well enough that if it did happen to break something, I'd figure out a way to exclude that particular program so I could continue to run Spybot.
     
    Newt,
    #7
  9. 2004/10/04
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Thanks Welshjim and Newt for your replies.

    I did remove O16 DPF 94B82441-A413-4E43-8422-D49930E69764 and doing this did not change the spyware problem.

    Do you have any other suggestions?

    Thanks, Judy
     
    Judy,
    #8
  10. 2004/10/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Close Internet explorer, Fix this
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm

    Let us know if you still get those symptoms when searching. Any other odd symptoms also.
     
  11. 2004/10/06
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Lonny, when you say "fix this" --

    please explain to me how to do this.

    Do I edit the registry ?

    If so, do I remove that entry ?

    Thanks, Judy
     
  12. 2004/10/06
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Judy - run a scan with hijackthis. When it finishes you will have a window listing all the items it found. Place a check mark in the block to the left of the one Lonny indicated then click the button to 'fix checked'. The entry will be cleanly removed from your registry.
     
  13. 2004/10/06
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Thanks for the instructions.

    I did fix the suggested line.

    Still the problem has not gone away.

    What to do next ??
     
  14. 2004/10/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    This sounds like it is in Auto Complete, have you tried clearing that out? Internet Options, click on the Content tab, click on AutoComplete button, then click on the Clear Forms button.
     
  15. 2004/10/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Mark may have the answer there, but should the problem persist, I wonder if it started after installing and/or using Purge IE?? Did you by chance clear the index.dat files with it? Thinking that one or more may have been mishandled/corrupted by the program and if using the Emergency function for deleting "Corrupted Cache" might solve the problem. Another option here would be to download and install RegSeeker, open and click the histories button, then check for IE URLs and IE history cache cookies. If deleting what is found there doesn't help, use the find in registry function to search for the URL.
     
  16. 2004/10/07
    Judy

    Judy Inactive Thread Starter

    Joined:
    2002/11/21
    Messages:
    228
    Likes Received:
    0
    Mark, I do believe you solved the problem.

    I did clear out autocomplete, and also removed the "advanced" link from my link folder.

    I had previously un-installed the Google tool bar, but now did install again to see if it will work OK. Now testing this to see if using the google home page and tool bar to be sure this problem does not appear again.


    Noahdfear, I do use all the features of PurgeIE including the emergency function for deleting corrupted cache. I don't remember when the spyware started in relation to using PurgeIE. PurgeIE is an excellent program.

    Also, a question for you. What does RegSeeker do that Registry First Aid does not do that is published by this Windows BBS Rose Software ??

    Thanks all for your help.
     
  17. 2004/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I have to confess, I don't know the answer to that. I have not used RFA (sorry Arie :eek:). I do know RegSeeker is freeware, and it has always done a fine job of cleaning my registry. ;)
     
  18. 2004/10/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Glad to hear it was something simple, and all is well.
     