Wednesday, April 21, 2010

TDSS Toolkit Infection Fix

Finally I got rid of this crazy Google search result redirecting virus. I'm pretty certain that I got it (and others which are easier to remove) from one of free games for Nokia phone sites. I struggled with it for more than a week. What a shame. This really taught me a huge lesson about nothing is free...

Symptoms:
1. Fake Windows XP Security Center showed up and it said I should turn on some security thing.

2. Some kind of virus doctor window showed up and started scanning.

3. Task Manager button was grayed out when Alt+Ctrl+Del were pressed.

4. regedit, regedt32 were disabled.

5. Windows update site was blocked.

6. Google search results got redirected.

7. Tab completion is disabled in command line.

8. Does not recognize .exe file

Fix:
1. Download ComboFix from bleepingcomputer and run it. This program takes a long time to run but it's worth it.

2. Download TDSSKiller.zip from kaspersky and run it. If TDSSKiller says your atapi.sys or tskXX.tmp (XX is a number, it's different for each system. Mine is tsk21.tmp) is infected and wants you to reboot to fix it. Don't do it yet.

3. If the problem is with atapi.sys, find a clean XP machine with the same SP level, copy its atapi.sys in c:\windows\system32\drivers to a floppy or flash drive. Boot the infected system to Safe Mode (F8 during system startup) with Networking, replace the infected atapi.sys with the clean one. Do step 4 although TDSSKiller doesn't report tskXX.tmp is infected.

4. If tskXX.tmp is infected, run regedit (To re-enable it if it's disabled by virus, run
gpedit.msc->User configuration -> Administrative Templates -> System.
Choose "Prevent access to registry editing", set it to disable and then set it back to Not Configured.). Search the specific tskXX.tmp in the registry and replace it with atapi.sys.

5. Delete tskXX.tmp in C:\windows\system32\drivers

6. Reboot

7. Clean up and prevention

a. Re-enable Alt+Ctrl+Del: Run gpedit.msc->User Configuration->Administrative Templates-> System->Ctrl+Alt+Del Options. Choose "Remove Task Manger", set it to disable and then set it back to Not Configured.

b. If you're using Firefox, I suggest installing the following Add-Ons to prevent future infections.

NoScript
Verify Redirect

Hope this fixes your problem. It was such a painful process to figure this out...

No comments: