I picked up a nasty virus infection on my main work development PC, running Windows Vista Business. I don’t know where or how it got picked up, but in all likelihood it was from a poisoned web page running some nasty Javascript payload that got in past a lax Microsoft Security Essentials.

I noticed something amiss when all Google Image Search results stopped scrolling past page one of its ajax-loaded image results listing – across ALL my browsers! Then I began to notice that every now and then when I clicked on a Google search result, I would be automatically redirected to some or other advert site (like Groupon for example), instead of the search result on which I had clicked! And to top it all off, all of a sudden my machine became a lot more non-responsive than what it used to be, plus I was struggling to download and install certain Windows updates!

Something was definitely up in other words!

Scans from Microsoft Security Essentials and AVG turned up nothing, meaning I had to turn to Google with little more than the search term “google search results redirect virus” to go on.

Luckily for me, this was more than enough.

After a fair bit of research, I learned that the most likely culprit was a rootkit infection and to that extent I would need to try and sort it out using a different set of tools from what I had currently been making use of.

The most visible rootkit killers available to me was GMER and Kaspersky Lab’s TDSSKiller, but seeing as TDSSKiller worked for me first time around, I can’t really comment on GMER effectiveness.

At the start of the clean up process I quickly learned that another little nasty trick the rootkit had pulled was to remove the Safe Mode boot option from the system, preventing me from thus loading Windows without loading the troublesome rootkit along with it. Also, it automatically killed any attempts to run TDSSKiller (or GMER for that matter!) from a normal Windows login, highly annoying as you can well imagine!

Luckily Kaspersky is aware of this problem and have released via their support forum a cleaned version of TDSSKiller which doesn’t identify itself and thus blocks the rootkit from stopping it from loading up in the first place! (Again, thank you Google Search)

You can download the modified TDSSKiller from: http://forum.kaspersky.com/index.php?showtopic=212719 (Note, you’ll have to register in order to grab the download)

From there it is a simple matter of extracting and launching the tiny application and running a scan. In my case the tool quickly uncovered a Rootkit.Boot.SST infection which I promptly deleted. A quick reboot and the machine now appears to be running fine again.

Just to be safe though, I did run a couple of additional scans with the latest TDSSKiller, GMER, Microsoft Security Essentials and Malwarebytes Anti-Malware, all of which turned up nothing.

So for now, I reckon I can safely say, “Done”. Stupid annoying virus writers… :(

(Oh, and another tip for if you can’t get either TDSSKiller or GMER to run, RootRepeal gets a nice little picture tutorial via http://en.kioskea.net/faq/18862-rootkit-boot-sst . Useful.)