I also have a Google link redirect problem. I've recently been hit with trojan horses and thought I'd cleaned them out with AVG Free and Malwarebytes' Anti-Malware. It seems the only residual effect now is this redirect problem.
Per the response to another's similar problem, I downloaded and ran RootRepeal and uploaded the results to RapidShare. Here is the link:
http://rapidshare.com/files/2740918...
Can someone please analyze this and help me rid my computer of this annoying scum?
Thank you.

Here is a fix some people have had success with, called GooRedFix:
http://cantalktech.com/2009/03/12/g...
Some HELP in posting on Computing.net plus free progs and instructions Cheers

Thanks for the suggestion. I have downloaded it and run it, but it didn't behave exactly like the instructions posted on MajorGeeks, i.e. it didn't offer me a menu, just a Yes/No question asking if I wanted to continue to check and remove the infection. It created the following log file. Also, the MajorGeeks instructions (posted by chaslang, BTW) said the files would be named goored, not gooredfix, so I'm a little confused. Here's the log file:
GooredFix by jpshortstuff (12.07.09)
Log created at 14:55 on 04/09/2009 (default)
Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:16 01/09/2009]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [02:29 10/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [16:39 22/06/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [00:02 20/07/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [14:49 18/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [01:49 01/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [16:10 22/06/2008]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:49 18/01/2009]
"avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [10:17 19/08/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:13 16/08/2009]

-=E.O.F=-
There are references to fixing this problem with Firefox, but I have the problem with Google links on IE8 as well.
Anyway, if you can tell me what I should do next,
Thank you.

GooRedFix didn't eliminate the redirect problem (still existed in IE8 and Firefox 3.5), so I decided to check my system with Malwarebytes AntiMalware again. MBAM rid my system of bogus antivirus popups a few weeks ago, so I updated it yesterday and reran it. At first it found four dlls in my system32 infected with Rootkit.TDSS. It deleted them with a reboot and that seems to have fixed my Google redirect problem, but now it reports a registry key infected with the same Rootkit.TDSS:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmnrwbmlwb (Rootkit.TDSS) -> Quarantined and deleted successfully.
but it isn't deleting it because rescans (after reboots) detect it again and again, with a quick scan or a full scan.
Since my Google redirect problem is apparently solved, should I close this topic and open another one for this rootkit infection, or can someone here suggest how I can rid my system of this rootkit?
Thanks, y'all.

This link below shows how to use RootRepeal:
http://www.malwarebytes.org/forums/...
RootRepeal you get from this link:
http://rootrepeal.googlepages.com/
Remember we are looking for kbiwkmnrwbmlwb
You could try Sophos Anti-Rootkit (free):
http://www.sophos.com/products/free...
Or the fully functional evaluation copy of UnHackMe:
http://greatis.com/unhackme/downloa...
PS. If you have Spybot S&D, close TeaTimer.
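A defender-side check in the same spirit, added here as an example and not code from the thread or from GooredFix, RootRepeal, UnHackMe or MBAM: it lists the Firefox extension registrations that the GooredFix log above enumerates, then flags services whose ImagePath file is missing from disk, which is how a service key like the one MBAM kept reporting would surface. The registry paths, the ImagePath normalisation and the missing-file heuristic are my assumptions; the output is a list of leads to inspect, not verdicts.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or modified.
# Run from an elevated prompt so every Services subkey is readable.

$ffExtDir = Join-Path $env:ProgramFiles 'Mozilla Firefox\extensions'
if (Test-Path $ffExtDir) {
    "== Extensions directory: $ffExtDir =="
    Get-ChildItem -Path $ffExtDir -Force | ForEach-Object {
        '{0}  [{1:HH:mm dd/MM/yyyy}]' -f $_.Name, $_.LastWriteTime
    }
}

# Registry-registered extensions (the second section of the GooredFix log).
$regKeys = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
           'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
           'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    "== $key =="
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        '"{0}"="{1}"  exists_on_disk={2}' -f $p.Name, $p.Value, (Test-Path -LiteralPath $p.Value)
    }
}

# ImagePath comes in several shapes: quoted with arguments, bare system32\drivers\x.sys,
# \SystemRoot\... or %SystemRoot%\... . Reduce each to one absolute file path.
function Resolve-ImagePath([string]$ip) {
    $m = [regex]::Match($ip, '^"?(.*?\.(exe|sys|dll))', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $p = $m.Groups[1].Value -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

"== Services whose ImagePath target is missing from disk (leads, not verdicts) =="
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $ip) { return }
    $file = Resolve-ImagePath $ip
    if ($file -and -not (Test-Path -LiteralPath $file)) {
        '{0}  ImagePath="{1}"' -f $_.PSChildName, $ip
    }
  }
```

A hidden rootkit driver can also make its file unreadable rather than absent, so a service whose file exists but cannot be hashed or opened deserves the same attention as one listed here.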

UnHackMe would be the easiest one to use, the most user-friendly for removing the rootkit.

I am trying UnHackMe but I wouldn't call it user-friendly. It has installed helpers and assistants, required countless reboots and its menu options are numerous and confusing, all this for one rootkit trojan. If I can get any legible results from it, I'll let you know.

Did you use the beginner guide on the left?
If so, it is extremely easy to follow.

I don't recall the sequence of actions I took (I hadn't read the beginner's guide) but after it ran the initial check, I don't remember seeing results posted. Maybe I activated a more in-depth check that launched these other programs to install, but in the long run, I think it got rid of the rootkit, at least the one MBAM had found because it is now reporting a clean system.
Thanks for all your help.

You are quite welcome, thanks for posting back :)
