BleepingComputer.com: Google Redirecting Malware/BHO/Trojan?


Google Redirecting Malware/BHO/Trojan? Please help with removal or Fix

#1 rgincel (Group: Members; Posts: 3; Joined: 30-December 08)

Posted 30 December 2008 - 05:21 PM

Please, anyone who can help me fix this issue:
Every time I Google anything I get the results, but when clicking on a link I am redirected to a random site; the URL listed below the description does not match where I want to go,
and I see at the bottom of the screen "finding site 7.7.7.0...." or what looks like an IP address, not "Searching Google".

I have run:
RegMechanic
Tracks Eraser Pro
Malwarebytes
SuperAntiSpyware
CCleaner
Adaware
SmitFraud
CWSshredder
TrendMicro Online Scanner (4 times)
Kaspersky Online Scanner (2 times)

Any help is greatly appreciated.
Respectfully,
RGincel


DDS (Version 1.1.0) - NTFSx86
Run by United IT at 16:02:10.40 on Tue 12/30/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2475 [GMT -6:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Documents and Settings\United IT\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll__BHODemonDisabled_FDDPNGJMRJYNEMFBJZJSJ
BHO: ReadMe-BHODemon - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll__BHODemonDisabled_NVHWICACVPSXDSZZK
BHO: ReadMe-BHODemon - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll__BHODemonDisabled_KMERKYGRSNUUATYLTWJNKNJHBLI
BHO: ReadMe-BHODemon - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\united~1\startm~1\programs\startup\bhodem~1.lnk - c:\program files\bhodemon 2\BHODemon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\united~1\applic~1\mozilla\firefox\profiles\2jurc5oj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-30 148496]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-9-3 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-30 353680]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 RUBotted;Trend Micro RUBotted Service;"c:\program files\trend micro\rubotted\TMRUBotted.exe" [2008-12-29 582992]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2008-12-29 206608]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2008-12-29 206608]

=============== Created Last 30 ================

2008-12-30 09:54 <DIR> --d----- c:\program files\BHODemon 2
2008-12-30 09:15 <DIR> --d----- c:\docume~1\united~1\applic~1\MailFrontier
2008-12-30 09:12 13,802,016 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-30 09:12 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-30 09:09 73,104 a------- c:\windows\zllsputility.exe
2008-12-30 09:09 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-30 09:09 <DIR> --d----- c:\program files\Zone Labs
2008-12-30 09:09 349,222 a------- c:\windows\system32\vsconfig.xml
2008-12-29 19:03 244,024 a------- c:\windows\system32\MSFLXGRD.OCX
2008-12-29 19:03 203,976 a------- c:\windows\system32\richtx32.ocx
2008-12-29 19:03 <DIR> --d----- c:\program files\Zamaan's Software
2008-12-29 19:00 <DIR> --d----- c:\program files\CCleaner
2008-12-29 16:57 <DIR> --d----- c:\program files\Lavasoft
2008-12-29 16:49 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2008-12-29 16:40 <DIR> --d----- c:\documents and settings\united it\.housecall6.6
2008-12-29 12:41 66 a------- C:\pt2.bat
2008-12-18 18:44 67 a------- C:\ptm2.bat
2008-12-14 06:51 <DIR> --d----- c:\program files\Griffin Technology
2008-12-13 11:56 <DIR> --d----- c:\program files\iPod
2008-12-13 11:56 <DIR> --d----- c:\program files\iTunes
2008-12-13 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 17:40 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-30 09:33 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-30 08:31 2,762 a------- c:\windows\system32\tmp.reg
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-10-31 19:40 726,008 a------- c:\documents and settings\united it\gotomypc_437.exe
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-07-16 08:32 3,902,784 a------- c:\documents and settings\united it\gosetup.exe
2008-08-26 07:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 16:02:34.34 ===============


#2 Aaflac (Group: Malware Response Team; Posts: 831; Joined: 15-September 06; Location: USA)

Posted 31 December 2008 - 11:45 PM

Let’s check out the following:

Please highlight and copy the contents inside the code box below:

cd desktop
reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look.txt
start notepad look.txt
exit
cls


Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste
The command window will close and a log will open on your Desktop.

Please post the contents of the look.txt in your reply.

~~~~
Also, please go to Start > Run and type: cmd.exe
Press: Enter

Copy all the text inside the code box below, paste it at the blinking prompt, and then press Enter.

Dir %systemdrive%\wdmaud.* /a h /s >wdm.txt
Start notepad wdm.txt


Wdm.txt will show up on the Desktop.

Please provide the Wdm.txt information in your reply.



If you use FireFox, you may want to consider installing the NoScript extension: http://noscript.net/
You can then allow or deny what scripts load, etc.
To do is to be - Socrates

#3 rgincel (Group: Members; Posts: 3; Joined: 30-December 08)

Posted 02 January 2009 - 07:09 AM

I believe that I found the issue; it was a 14kb file in the Sys32 file called wdmaud.sys.
Restarted in safe mode, deleted it and reset the clocks to non-military time. All seems well.
If something goes sideways I will post the report you requested.
Thank you for your response.
Rgincel

#4 Aaflac (Group: Malware Response Team; Posts: 831; Joined: 15-September 06; Location: USA)

Posted 03 January 2009 - 07:11 PM

Even though you removed the file C:\Windows\System32\wdmaud.sys, there may still be a bogus entry in:
HKLM\software\microsoft\windows nt\currentversion\drivers32

If you want to make sure, please follow the reg query instructions in post #2.
To do is to be - Socrates
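A way to sift the look.txt output from the reg query in post #2 for the kind of bogus Drivers32 entry post #4 describes. This is an added example, not something either participant posted; the reg query text it parses is a constructed sample, and the flagged entries in it are invented to resemble the wdmaud.sys case in this thread.

```python
"""Flag out-of-place values in the Drivers32 key from `reg query` output.

Drivers32 maps the user-mode multimedia drivers (wave, midi, aux, msacm.*) that
winmm.dll loads into any sound-using process; normal values name .drv/.dll/.acm/.ax
modules in system32, never a .sys file like this thread's system32\\wdmaud.sys.
"""
import re

EXPECTED_EXT = {".drv", ".dll", ".acm", ".ax"}  # extensions normal in this key

# Constructed sample of `reg query "...\drivers32" /s` output (not from the
# thread); the last two lines imitate the kind of entry post #4 warns about.
SAMPLE_REG_QUERY = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32
    midimapper\tREG_SZ\tmidimap.dll
    msacm.imaadpcm\tREG_SZ\timaadp32.acm
    wave\tREG_SZ\twdmaud.drv
    aux\tREG_SZ\twdmaud.drv
    aux1\tREG_SZ\twdmaud.sys
    wave2\tREG_SZ\tc:\\docume~1\\user\\locals~1\\temp\\snd.dll
"""

# Value line: indented name, REG_* type, data (tab- or space-separated by reg.exe).
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")

def parse_drivers32(text):
    """Return (name, data) pairs for every REG_SZ value line of a reg query dump."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and m.group("type") == "REG_SZ":
            entries.append((m.group("name"), m.group("data")))
    return entries

def suspicious_entries(entries):
    """Return [(name, data, reason)] for values that do not look like normal mappings."""
    findings = []
    for name, data in entries:
        lower = data.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext == ".sys":
            findings.append((name, data, "kernel-driver extension in a user-mode driver map"))
        elif ext not in EXPECTED_EXT:
            findings.append((name, data, "unexpected module extension"))
        elif "\\" in lower and "\\system32\\" not in lower:
            findings.append((name, data, "absolute path outside system32"))
    return findings
```

Any hit still needs to be confirmed by checking the named file on disk; the real wdmaud.drv entries for wave, midi, mixer and aux are expected and are not flagged.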

#5 rgincel (Group: Members; Posts: 3; Joined: 30-December 08)

Posted 04 January 2009 - 12:00 AM

Thank You, I am not around my machine right now. I will when I get back in pocket.
Thank you again
Rgincel
