Google search result links are redirecting to ad-sites.

[That1Kid]

Google has lately been redirecting me to ad-sites. Sometimes the ad redirects to another ad and so on. There are no pop-ups, just redirects. I have ran scans with Avira and malwarebytes, both showed nothing malicious. I made another thread about this issue, and was informed to post logs here of Malwarebytes, ComboFix, and HijackThis. Thanks for the help with this guys.


Malwarebytes:
Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4564

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/7/2010 7:54:51 PM
mbam-log-2010-09-07 (19-54-51).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 230571
Time elapsed: 25 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix:
ComboFix 10-09-07.01 - Whize Guy 09/07/2010 19:20:26.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.[GMT -4:00]
Running from: c:\users\Whize Guy\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 23:18 . 2010-09-07 23:19 -------- d-----w- C:\32788R22FWJFW
2010-09-06 04:42 . 2008-07-31 14:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2010-09-06 04:39 . 2010-09-06 04:55 -------- d-----w- c:\program files\EVGA Precision
2010-09-05 23:57 . 2010-09-05 23:57 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 23:54 . 2010-09-05 23:54 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-05 23:54 . 2010-09-05 23:55 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 19:52 . 2010-09-03 19:52 -------- d-----w- c:\program files\CPUID
2010-09-03 19:52 . 2010-05-11 16:00 20072 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-09-02 21:29 . 2010-09-02 21:29 -------- d-----w- c:\program files\CleanUp!
2010-08-29 00:14 . 2010-08-29 00:14 -------- d-----w- c:\programdata\RegInOut
2010-08-29 00:14 . 2010-08-29 00:14 -------- d-----w- c:\windows\RegInOut
2010-08-22 02:27 . 2010-08-22 02:27 -------- d-----w- c:\users\Family.WHIZEGUY\AppData\Roaming\Malwarebytes
2010-08-22 02:25 . 2010-08-22 02:25 -------- d-----w- c:\users\Family.WHIZEGUY\AppData\Roaming\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 23:17 . 2010-02-19 10:21 -------- d-----w- c:\users\Whize Guy\AppData\Roaming\ATI
2010-08-25 19:39 . 2010-03-02 19:58 -------- d-----w- c:\program files\CCleaner
2010-07-29 06:30 . 2010-08-11 16:50 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 16:50 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-27 23:07 . 2010-07-27 23:07 -------- d-----w- c:\program files\oZone3D
2010-07-27 22:49 . 2010-07-27 22:49 -------- d-----w- c:\users\Whize Guy\AppData\Roaming\FreeStone Group
2010-07-27 22:49 . 2010-07-27 22:49 -------- d-----w- c:\program files\Video Card Stability Test
2010-07-27 06:51 . 2010-02-19 05:37 -------- d-----w- c:\program files\World of Warcraft
2010-07-25 20:43 . 2010-02-19 12:14 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-15 18:11 . 2010-06-09 04:20 -------- d-----w- c:\users\Family.WHIZEGUY\AppData\Roaming\Xuvee
2010-07-09 20:37 . 2010-07-09 20:37 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-30 06:25 . 2010-08-11 16:50 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 02:47 . 2010-08-11 16:50 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 16:50 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 16:50 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 16:50 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 16:50 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 16:50 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 16:50 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 16:50 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 16:50 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2010-06-09 17:01 . 2010-06-09 17:01 95744 --sha-r- c:\windows\System32\regsvcr.dll
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux7"=wdmaud.drv

[HKLM\~\startupfolder\C:^Users^Whize Guy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Whize Guy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Whize Guy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Whize Guy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 23:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

R3 cpuz130;cpuz130;c:\users\WHIZEG~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-11-04 17408]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2009-07-25 30560]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-24 1343400]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [x]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2009-07-13 4608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-05-11 20072]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-07-14 01:14 126464 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
FF - ProfilePath - c:\users\Whize Guy\AppData\Roaming\Mozilla\Firefox\Profiles\jgsinkdn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-RivaTunerStartupDaemon - c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-07 19:26:29
ComboFix-quarantined-files.txt 2010-09-07 23:26

Pre-Run: 277,406,420,992 bytes free
Post-Run: 277,335,195,648 bytes free

- - End Of File - - 4947D452A286B3C8F71EBFF344375239




HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:06:23 PM, on 9/7/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Whize Guy\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 3310 bytes

 

[joelm3103]

Seems clean to me but as I'm not certified in this area, wait till confirmation from Osiris or another Mod. Also are you still having any problems surfing the web?

 

[That1Kid]

Only google search results. As long as i type in the address of a site, it works fine. Google links still redirect me. I downloaded an addon for firefox that stops redirection, but that isn't really solving the issue...just moving around it.

Thanks for posting, dude.

 

[Osiris]

Remove

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

 

[That1Kid]

Thanks for posting, Osiris. I can't find these things anywhere, though... You think you could point me in the right direction?

 

[joelm3103]

Thanks for posting, Osiris. I can't find these things anywhere, though... You think you could point me in the right direction?

I think he means when you run HijackThis, you would see the items he listed in the list. Check the items he listed and fix with HijackThis.

 

[That1Kid]

Ok, awesome. I just did that. Hopefully the problem doesn't persist. I will post back if it comes back. You guys are life-savers. Thanks!

 

[joelm3103]

Also hope your problem doesn't persist lol and yes please do post back if anything happens . No problem mate .

 

[Osiris]

Any update before I close this?