Redirect Virus Help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by vannp94, Sep 11, 2012.

  1. vannp94

    vannp94 Private E-2

    My computer has been infected with a redirect worm for like three or four days now. Once in a while, if I click on a Google search result, it will redirect me to a website, usually click.gothotanswer. I have tried to download TDSSKiller, Malwarebytes and RogueKiller; they did pick up some malicious files, and I deleted all of it, but the problem continues on. I did run ComboFix and it did not help with the problem. Here are the logs.
     

    Attached Files:

    Last edited: Sep 11, 2012
  2. thisisu

    thisisu Malware Consultant

  3. vannp94

    vannp94 Private E-2

    Thank you so much for helping me! I got the Malwarebytes and HitmanPro logs, but for some reason when I tried to run MGTools (with my antivirus turned off) it kept requesting that I allow the program. I clicked yes to it multiple times but it kept repeating. So here I got the two logs from Malwarebytes and HitmanPro.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  5. vannp94

    vannp94 Private E-2

    Here is the log for OTL and the extra file log
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\EagleNT.sys -- (EagleNT)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Rasmey\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\appliand.sys -- (appliandMP)
    IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-3659837969-2347660330-2530479047-1001\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}:6.0.33
    FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&q="
    [2012/08/21 22:37:18 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Rasmey\AppData\Roaming\Mozilla\Firefox\Profiles\2th37k9l.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
    [2009/07/13 19:11:12 | 000,004,813 | ---- | M] () (No name found) -- C:\Users\Rasmey\AppData\Roaming\Mozilla\Firefox\Profiles\2th37k9l.default\extensions\zezdwkdaor@zezdwkdaor.org.xpi
    [2012/07/24 22:26:22 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Rasmey\AppData\Roaming\Mozilla\Firefox\Profiles\2th37k9l.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
    O3 - HKU\S-1-5-21-3659837969-2347660330-2530479047-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3659837969-2347660330-2530479047-1001\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    @Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:C18032C3
    @Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:5D4F063C
    @Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:149327FE
    @Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:0D46EE43
    @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:4E1E5A60
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:F5FC5DCE
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:371A321E
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:6F8A3AB1
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:3EC5BC08
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:9D6EAEC3
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:E6708F08
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:8AE92FD3
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:A18D4DB1
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:553CA6CA
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:96AFAB10
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:2216A431
    FF - prefs.js..extensions.enabledAddons: zezdwkdaor@zezdwkdaor.org:1.0
    FF - prefs.js..extensions.enabledAddons: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20120827
    FF - prefs.js..extensions.enabledAddons: {ba14329e-9550-4989-b3f2-9732e92d17cc}:3.15.1.0
    FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}:6.0.33
    FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
    FF - prefs.js..extensions.enabledItems: avg@igeared:6.011.025.001
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&q="
    [2009/07/13 19:11:12 | 000,004,813 | ---- | M] () (No name found) -- C:\Users\Rasmey\AppData\Roaming\Mozilla\Firefox\Profiles\2th37k9l.default\extensions\zezdwkdaor@zezdwkdaor.org.xpi
    [2012/07/24 22:26:22 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Rasmey\AppData\Roaming\Mozilla\Firefox\Profiles\2th37k9l.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    :files
    C:\Program Files\Savings Sidekick /d
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"=-
    :commands
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Rescan with OTL without anything in the Custom Scans/Fixes text-field.
    Attach that latest OTL.txt and then let me know what problems still exist. (How to attach)
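    Before running a fix script like the one above, it helps to see at a glance which sections it contains, what kinds of entries (drivers, browser hooks, BHOs, alternate data streams) it removes, and which GUIDs it references. The following is an added example (my own code, not OTL's and not from this thread); it assumes the ':section' headers and line prefixes shown in the post and parses a constructed excerpt of that script:

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the style of the OTL fix script posted above (not the full script).
SAMPLE_FIX = r""":otl
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
FF - prefs.js..extensions.enabledAddons: zezdwkdaor@zezdwkdaor.org:1.0
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:C18032C3
:files
C:\Program Files\Savings Sidekick /d
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"=-
:commands
[resethosts]
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
OTL_KINDS = {"DRV": "driver", "IE": "ie_hook", "FF": "firefox_pref",  # leading token of an
             "O2": "bho", "O3": "toolbar", "O16": "activex_dpf"}        # :otl line -> what it removes


def parse_fix(text):
    """Split an OTL fix script into {section: [lines]} keyed by its ':section' headers."""
    sections, current = defaultdict(list), None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith(":"):          # ':otl', ':files', ':reg', ':commands' ...
            current = line[1:].lower()
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def classify_otl_line(line):
    """Map one :otl line to a kind; ADS lines also return the stream size and target."""
    m = ADS_RE.match(line)
    if m:
        return "ads", int(m.group(1)), m.group(2)
    return OTL_KINDS.get(line.split(" ", 1)[0], "other"), None, None


def summarize_fix(text):
    """Count what the script touches and collect every GUID it references, lowercased."""
    sections = parse_fix(text)
    kinds = Counter(classify_otl_line(l)[0] for l in sections.get("otl", []))
    return {"kinds": dict(kinds),
            "guids": {g.lower() for g in GUID_RE.findall(text)},
            "files": sections.get("files", []),
            "commands": sections.get("commands", [])}
```

Feed it the real script text and compare the GUIDs it reports against the toolbar/BHO entries in your OTL.txt so you know exactly which components the fix will remove.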
     
  7. vannp94

    vannp94 Private E-2

    ok, here's the new log
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Remember to attach the new OTL scan log too and to let me know if the problem persists.
     
  9. vannp94

    vannp94 Private E-2

    Ok, so here is the new log scan:
    After my laptop rebooted, I noticed that my Firefox browser has become faster, and I tried to click several Google link results and did not see any redirect problem. So far, everything seems fine! Thank you so much! Hopefully the problem is resolved for good.
     

    Attached Files:

    • OTL.Txt (84.6 KB, 2 views)
  10. thisisu

    thisisu Malware Consultant

    You're welcome. Your latest OTL log is clean. Make sure it doesn't come back after a few reboots / searches and then if all is still well:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
