I made the extremely silly mistake of connecting directly to the Internet without a firewall up, and now, links from Google search results get redirected to a random other (presumably malicious) search engine. I did a little research, and the Go.Google virus seemed like a match, but my computer doesn't have any of the files associated with that virus, and the redirects do not go to go.google.com, so I don't think that's what it is.
I tried rebooting in safe mode to run MalwareBytes, AdAware, etc., but found that safe mode had been disabled; it gets a STOP bluescreen after loading all devices. I checked the registry, and the SafeBoot key is present and unmodified, as far as I can tell.
At this point, the infection started to seem like the TDSS rootkit, but I couldn't find any of the hallmarks of that infection, either. There are no strange hidden or non-plug-and-play devices, and no TDSSServ.sys device.
RootkitRevealer came back with nothing. None of my security software can successfully update; it looks like it works, but the definitions aren't actually downloaded. Also, Symantec AV cannot complete a system scan; the scan ends (no crash or anything strange) after 1446 files scanned, every time. I also tried booting in Knoppix and running ClamAV, but that came back clean, too.
Next, I tried running SysInternals Procmon, and by chance, observed the following line when I opened Notepad:
11:50:35 AM NOTEPAD.EXE 5792 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tdlwsp.dll NAME NOT FOUND Desired Access: Read
So, I searched for tdlwsp.dll and got a bunch of fresh (within the last month) hits, indicating that tdlwsp.dll is part of the TDSS rootkit after all.
All of the information I found (including a thread on bleepingcomputer: http://www.bleepingcomputer.com/forums/t/260359/rootkittdss-infection/) showed that tdlwsp.dll was being mounted under the hard disk controller as a hidden virtual device, for example: \\?\globalroot\Device\Ide\IdePort3\ppbwuxte\ppbwuxte\tdlwsp.dll... but my computer doesn't seem to show this symptom. None of the scans I run come back with a result like that (or any result at all). In fact, the only reference to tdlwsp.dll on my system that I can find is in Procmon; it looks like it's getting loaded every time a new program is launched.
So... yeah, sorry for the long story, but that's where I am. Luckily, the infection seems to only be redirecting Google links and disabling safe mode, for now at least. Help, please?
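The one concrete lead in the post is the Procmon line: a RegOpenKey under Image File Execution Options named after a DLL, repeated for every newly launched program. That pattern can be pulled out of a saved Procmon log automatically instead of spotted by chance. The script below is an added example, not code from the post or from any of the tools it mentions. It assumes the column layout of a Procmon CSV export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample log is constructed, modelled on the quoted line, and is not a real capture. It lists every module name looked up under IFEO and flags names that several different processes look up but that are not those processes' own executables, which is the "loaded into every new program" behaviour the post describes.

```python
import csv
import io
import re
from collections import defaultdict

# Matches an IFEO subkey and captures the image/module name it is keyed on.
IFEO_KEY_RE = re.compile(
    r"^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\]+)$",
    re.IGNORECASE,
)

# Constructed sample in Procmon CSV-export layout (assumed column names).
# Two unrelated programs each trigger an IFEO lookup for tdlwsp.dll right
# after the lookup for their own executable.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:50:35.1234567 AM","NOTEPAD.EXE","5792","RegOpenKey","HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe","NAME NOT FOUND","Desired Access: Read"
"11:50:35.1234890 AM","NOTEPAD.EXE","5792","RegOpenKey","HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\tdlwsp.dll","NAME NOT FOUND","Desired Access: Read"
"11:50:35.2000000 AM","NOTEPAD.EXE","5792","CreateFile","C:\\Windows\\System32\\notepad.exe","SUCCESS","Desired Access: Read"
"11:51:02.0000000 AM","calc.exe","6012","RegOpenKey","HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe","NAME NOT FOUND","Desired Access: Read"
"11:51:02.0000100 AM","calc.exe","6012","RegOpenKey","HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\tdlwsp.dll","NAME NOT FOUND","Desired Access: Read"
'''


def ifeo_lookups(csv_text):
    """Return {module_name: {process names that looked it up}} for every
    RegOpenKey whose path is an Image File Execution Options subkey."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegOpenKey":
            continue
        m = IFEO_KEY_RE.match(row["Path"])
        if m:
            hits[m.group(1).lower()].add(row["Process Name"].lower())
    return dict(hits)


def suspicious_modules(lookups, min_processes=2):
    """Names looked up by at least `min_processes` distinct processes, none of
    which is the process's own image. A process checking IFEO for its own
    executable is normal; the same DLL name showing up under unrelated
    programs is the pattern worth investigating."""
    flagged = []
    for module, procs in lookups.items():
        if module in procs:  # e.g. notepad.exe looking up IFEO\notepad.exe
            continue
        if len(procs) >= min_processes:
            flagged.append(module)
    return sorted(flagged)


if __name__ == "__main__":
    found = ifeo_lookups(SAMPLE_CSV)
    for name, procs in sorted(found.items()):
        print(f"{name:<14} looked up by: {', '.join(sorted(procs))}")
    print("candidates for a system-wide injected module:",
          suspicious_modules(found))
```

Run it against a real export (File > Save, CSV format) by reading the file into `ifeo_lookups` instead of `SAMPLE_CSV`; a filter on the Operation column in Procmon itself (RegOpenKey, path contains "Image File Execution Options") keeps the export small. The result is a short list of names to cross-check against what is actually mapped in a process, not a verdict on its own.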