TechSpot

New Thread, Same Old Redirect Problem

Discussion in 'Virus and Malware Removal' started by Limnologist, Feb 8, 2010.

Thread Status:
Not open for further replies.
  1. Limnologist Newcomer, in training

    I have the same problem everyone else is having. It started with fake security alerts, progressed to google, then yahoo search redirects (almost always to triplexfeed.com), and now computer is super-slow.

    Does this thing have a name yet? I asked Spybot about it and they didn't seem to know.

    Have you all come upon one method that works for most people that you could post like you did the 8 steps?

    I've updated Windows, Java, Flash, Adobe and some other things as others recommended. I've run AVG, Spybot, some others, and the three you include in 8 Steps, a couple of them several times. Almost all found some problems, fixed them, but nothing has fixed the redirect problem.

    Now the computer is super-slow and I'm not sure what the heck is running at any one time.

    I haven't run Combofix or the something-flush, as I know nothing about computers and need virtual hand-holding for this. (I'm a computer-fixing virgin so you really have to explain things as basically and completely as possible.)

    Thanks in advance . I've attached the three logs you need--hope I did them right. Let me know what else you need.

    Carol in Carolina

  2. Limnologist Newcomer, in training

    Am I supposed to be doing something now? I am afraid to do something else that I've read in the other threads without express direction. Thanks.
  3. Broni Malware Annihilator

    Which browser is getting redirected?

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  4. Limnologist Newcomer, in training

    It's my Google search engine and Yahoo search engine. I can get to Google and put in search keywords, then get the results, but if I click on results it's redirected. Same with Yahoo. Google News works ok except the photos in results don't show anymore, don't know why. I'm also starting to get pop-ups which haven't been a problem.
  5. Broni Malware Annihilator

    No, no, I'm asking about browser, Internet Explorer, Firefox, Opera, etc....
  6. Limnologist Newcomer, in training

    oh, I use Internet Explorer, Firefox REALLY messes everything up so I don't use it.
  7. Broni Malware Annihilator

    OK. Proceed with Combofix then.
  8. Limnologist Newcomer, in training

    I don't know if I have script-blocking--how would I find out? I know I have Zone Alarm and AVG--turn off both? Don't know if the Windows firewall is up or not. How do I know what I have? (I know that sounds lame but others have used the computer on occasion, and I just don't know much)
  9. Broni Malware Annihilator

    In your case, only Spybot is involved:
    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.

    Yes.

    To check if the Windows Firewall is turned on or off, go to Start > Run and type: firewall.cpl
    press Ok
  10. Limnologist Newcomer, in training

    I ran Combofix twice. Is it supposed to shut down the computer when it does it? Because it did, which relaunched Zone Alarm and AVG...except now AVG isn't showing up in the bottom icon tray, don't know why. And I still have the redirect problem.

  11. Broni Malware Annihilator

    We'll see about AVG icon later. For now, we have more important things to worry about.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    c:\windows\system32\drivers\4DW4R3OVqtJAMuGX.sys 
    c:\windows\system32\drivers\4DW4R3QkLPMLpQxD.sys 
    c:\windows\system32\drivers\4DW4R3qMkqQxLkLb.sys 
    c:\windows\system32\drivers\4DW4R3rQHdBcRQbt.sys 
    c:\windows\system32\drivers\4DW4R3XtEbOkMVIx.sys 
    c:\windows\system32\drivers\4DW4R3OMDeBesYCq.sys 
    c:\windows\system32\drivers\4DW4R3BgegiUdrms.sys 
    c:\windows\system32\drivers\4DW4R3cnTwpTIvyT.sys 
    c:\windows\system32\drivers\4DW4R3DWcWNiEXPP.sys 
    c:\windows\system32\drivers\4DW4R3iCreWUHWGb.sys 
    c:\windows\system32\drivers\4DW4R3LiJKnslVtt.sys 
    c:\windows\system32\drivers\4DW4R3LvDTrcfXVv.sys 
    c:\windows\system32\drivers\4DW4R3mnBXqRvuTh.sys 
    c:\windows\system32\drivers\4DW4R3MPJqxbuXKI.sys 
    c:\windows\system32\drivers\4DW4R3NSuclTeFTj.sys 
    c:\windows\system32\4DW4R3c.dll 
    c:\windows\system32\4DW4R3CiUGwbCMJg.dll 
    c:\windows\system32\4DW4R3fbAuhMqtid.dll 
    c:\windows\system32\4DW4R3gUujptEAKQ.dll 
    c:\windows\system32\4DW4R3oGwnvBiEeO.dll 
    c:\windows\system32\4DW4R3SnxmleqyUa.dll 
    c:\windows\system32\4DW4R3sv.dat 
    c:\windows\system32\4DW4R3UJNmOxsnxX.dll 
    c:\windows\system32\4DW4R3vhAMLcNOAd.dll 
    c:\windows\system32\4DW4R3wtMYnASxMl.dll 
    c:\windows\system32\4DW4R3XiccYwhybH.dll
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  12. Limnologist Newcomer, in training

    OK, did it...still have problem....

    I noticed this in one of the logs--what does it mean--is it fake avg?

    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2010 12:08 AM 360584]

  13. Broni Malware Annihilator

    Let's re-run Combofix with a little bit different code...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    4DW4R3OVqtJAMuGX
    4DW4R3QkLPMLpQxD
    4DW4R3qMkqQxLkLb
    4DW4R3rQHdBcRQbt
    4DW4R3XtEbOkMVIx
    4DW4R3OMDeBesYCq
    4DW4R3BgegiUdrms
    4DW4R3cnTwpTIvyT
    4DW4R3DWcWNiEXPP
    4DW4R3iCreWUHWGb
    4DW4R3LiJKnslVtt
    4DW4R3LvDTrcfXVv
    4DW4R3mnBXqRvuTh
    4DW4R3MPJqxbuXKI
    4DW4R3NSuclTeFTj
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
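    An added example, written here rather than taken from the thread or from ComboFix's authors: a Python sketch that picks the 4DW4R3-prefixed names out of a directory listing, derives the Driver:: service names from the .sys files the same way the two scripts above do (file name without directory or extension), cross-checks a hand-typed Driver:: list against them so a truncated name is caught before the script is run, and assembles the CFScript sections in the layout shown. The listing is constructed sample input; whether ComboFix acts on a given entry is not something this code verifies.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample listing of system32 (not taken from the thread's logs);
# the 4DW4R3* names follow the pattern of the files listed in the posts above.
SAMPLE_LISTING = [
    r"c:\windows\system32\drivers\atapi.sys",
    r"c:\windows\system32\drivers\4DW4R3OVqtJAMuGX.sys",
    r"c:\windows\system32\drivers\4DW4R3QkLPMLpQxD.sys",
    r"c:\windows\system32\drivers\avgtdix.sys",
    r"c:\windows\system32\4DW4R3CiUGwbCMJg.dll",
    r"c:\windows\system32\4DW4R3sv.dat",
    r"c:\windows\system32\kernel32.dll",
]

# Every dropped file in the thread starts with 4DW4R3 and ends in .sys/.dll/.dat;
# the tail length varies (4DW4R3c.dll, 4DW4R3sv.dat), so it is left open.
SUSPECT_NAME = re.compile(r"^4DW4R3[A-Za-z0-9]+\.(sys|dll|dat)$", re.IGNORECASE)

def find_suspect_files(paths):
    """Return the paths whose file name matches the rootkit naming pattern."""
    return [p for p in paths if SUSPECT_NAME.match(PureWindowsPath(p).name)]

def driver_names(paths):
    """Driver:: entries are the .sys file name without directory or extension."""
    return [PureWindowsPath(p).stem for p in paths if p.lower().endswith(".sys")]

def unmatched_drivers(driver_list, file_paths):
    """Names in a Driver:: section with no corresponding .sys file in the list
    (catches a mistyped or truncated service name before the script is run)."""
    known = {n.lower() for n in driver_names(file_paths)}
    return [d for d in driver_list if d.lower() not in known]

def build_cfscript(paths):
    """Assemble a CFScript with the File:: and Driver:: sections filled in."""
    files = find_suspect_files(paths)
    sections = [
        ("File::", files),
        ("Folder::", []),
        ("Driver::", driver_names(files)),
        ("Registry::", []),
        ("RegLockDel::", []),
    ]
    lines = []
    for header, entries in sections:
        lines.append(header)
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)
```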
  14. Limnologist Newcomer, in training

    Ok, I did it--but still have the redirect problem. (This time, though, I did a search on Google Redirect and found more sites addressing it--can't get to them, but maybe someone--maybe someone from Google?--has developed a specific fix now?)

    BTW I forgot to disable avg, but Combofix told me it was still connected, so I guess it wasn't the other times.

    Thanks for your on-going help.

    Patiently Waiting,

    Carol

  15. Limnologist Newcomer, in training

  16. Limnologist Newcomer, in training

    Here are some things I pulled off that other site. Many people said the Hitman program was good, but since those could all be fake comments, I wanted to get the blessing of this board before doing it.

    ~~~~~~~~
    the cause is a TDSS trojan. search google for TDSS killer and download the zip file to your desktop. i found a dns server in my LAN adapter settings and removed it.
    ~~~~~~~~~
    Only Gmer reported a suspicious atapi.sys file in c:\windows\system32\drivers. The other programs found nothing that would solve this problem.
    I copied the atapi.sys file to the computer with the Google redirect problem. The file date (on the problem computer) kept changing automatically to today's date (from 04/13/2008) within seconds after I copied the file. So, I ran the "attrib +r atapi.sys" command to make the file read-only on the good networked computer. Then I copied the read-only file again to the problem computer. Since then, the file date has not changed, and I've had NO redirect problems when searching at Google.
    ~~~~~~~~~~
    Many people were having to manually identify and remove the offending file(s) from their systems, as it reached a point where most of the currently available products were not able to keep up with the changes to the malware. The malware can change multiple times a day, making it difficult for security vendors to be able to provide a solution.
    ~~~~~~~~~~~
    For those who would like to protect their Hosts file from unauthorized changes, you may want to consider using SpyBot Search and Destroy to lock the Hosts file. This Hosts file option can be found through the Advanced Settings Mode under the [Tools | IE Tweaks | Lock Hosts file read-only as protection against hijackers ] section.
    Spybot Search & Destroy http://www.safer-networking.org/en/download/index.html While I do not use the TeaTimer resident protection (I only run manual scans when needed) I do use the immunize feature of SpyBot Search and Destroy to minimize exposure to bad sites, as well as use the option to lock my Hosts file from unauthorized changes. There are probably other ways to do this as well, this is just the one that I have used successfully for years.
    ~~~~~~~~~~~
    viruses sometimes will alter your "hosts" file, which is basically a file that controls the redirecting for your browsers (specifically, this file makes it faster for your computer to convert URLs into the relevant IP addresses by having a shortcut list of IP addresses instead of having to look them up when you type in the URL). Anyway, here's what you need to do to fix: (1) Click START > RUN > and type in "C:\windows\system32\drivers\etc\hosts" (2) When prompted, open the HOSTS file in either Notepad or Wordpad (3) Delete all the lines of IP addresses in the text document except for "127.0.0.1 localhost". If you find several lines of IP numbers other than localhost in your hosts file, then this is almost definitely your problem and will be fixed right away. If not, then this probably isn't the issue, but it's worth a look.
    ~~~~~~~~~~~~
    think atapi.sys file is the culprit while I use XdelScan to remove google redirect virus you can download it here: http://www.xdelbox.com/xdelbox-1-0-beta-release/
    ~~~~~~~~~~~~~~
    The software I use to remove this rootkit is called Hitman Pro 3.5 http://www.hitmanpro.com It scans your PC in just 2-3 minutes and successfully cures the atapi.sys / Google redirect infection.
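    To make the hosts-file check in the quoted tips concrete, an added example that is not from the thread or from any of the quoted sites: a Python parser that reads hosts-file text and reports every mapping other than the loopback localhost lines, separating entries that pin a host to 127.0.0.1 (which makes that site unreachable, a common way to block security-vendor updates) from entries that send a host somewhere else (the search-redirect case). The file contents are constructed sample input, and the IPv6 ::1 localhost line is tolerated as a generalisation beyond the tip's "127.0.0.1 localhost" rule.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are the kind a hijacker appends
127.0.0.1       www.avg.com
198.51.100.23   www.google.com
198.51.100.23   search.yahoo.com
"""

# Host names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.
    One hosts line may carry several names after the address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def suspicious_entries(text):
    """Classify every mapping that is not a loopback 'localhost' line:
    'blocked'    - host pinned to a loopback address (site made unreachable)
    'redirected' - host pointed at some other address
    'malformed'  - first field is not an IP address at all"""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed"))
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue
        findings.append((ip, name, "blocked" if addr.is_loopback else "redirected"))
    return findings
```

A clean Windows hosts file yields an empty list; anything returned is worth a look before deleting it, since some software adds its own blocking entries on purpose.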
  17. Limnologist Newcomer, in training

    The SpyBot Tech told me to run GMER. It shut off the computer twice, so I broke up the scan into pieces, which I'm attaching. When I tried to do D drive it just froze up and I gave up. But it did seem to come up with something, see part two. I don't think that program removes it, though, does it?

    Spybot also recommended running RootRepeal http://ad13.geekstogo.com/RootRepeal.zip but that froze up the computer, too and I haven't had any luck running it.

    And now, for some weird reason, I have a new Outlook Express Icon on the desktop and lots of popups when I go to news stories...

  18. Broni Malware Annihilator

    Run GMER one more time.
    Right click on:
    Service C:\WINDOWS\system32\drivers\4DW4R3jNFoCjjUtI.sys (*** hidden *** )
    Click "Delete the service" and answer YES to all questions.
    Restart computer, post fresh GMER log, along with new HJT log.
  19. Limnologist Newcomer, in training

    That GMER really messed up the computer, was hard to get to run at all but for you, Broni, I'll try. : ) Might take awhile.
  20. Broni Malware Annihilator

    OK :)......