All Browsers Hijacked by TDSS Rootkit virus and Redirecting to Random Pages

10 years 7 months ago #47 by roller
Two days ago I was using the Google search engine for some research and I noticed that every time I clicked on a link from the search results the browser redirected to somewhere else. Most of the time the browser URL will go to then redirects to another page; this didn't happen every single time, but often enough to get on my nerves.

I was using Internet Explorer, so I thought let me try other browsers, but the same thing happened with Safari and Firefox; this made me believe this is a sophisticated virus. I can't be sure when I was infected; the last programs I installed were a Cybernet DVD player Blu-ray update and Virtual CloneDrive. I also received a Flash file from a friend who used a free online Flash builder to create it.

Another symptom of this virus infection was that Windows Update would not run and returned an error, "Windows Update error 80072efe", which meant that Windows Update cannot connect to the update server. So the same virus that was redirecting web search results was also blocking Windows Update from reaching the server.

I scanned my PC with McAfee antivirus but it found nothing; this is not surprising, as I often found that the popular antivirus programs usually can't detect shit. After some research I found out that this is a rootkit virus which usually infects a .sys file such as atapi.sys. It may have been on my system for some time, rendering my PC a bot, and only recently it may have hijacked my browsers. These bot PCs are usually infected then sold or rented to third parties by the virus writers.

My virus was of the type TDSS rootkit, which first appeared in 2008. Since then, it has become far more widespread than the notorious rootkit Rustock. The way it works is it infects a Windows driver that loads on startup, and it also writes its code directly to the last sector of the hard drive, outside the Windows system area. This makes it hard to detect as it is not entirely part of the operating system. The main purpose of the rootkit is to hide the malicious drivers and files from being detected.

A good technical write-up about this TDSS rootkit virus can be found here.

Now you may ask how to get rid of this virus. Well, as there are many variations, the methods might vary. What you want to do is remove the rootkit and all infected DLLs and files from your PC. For me the only thing that detected and removed the rootkit was TDSSKiller.exe from Kaspersky that can be found here: I also ran Malwarebytes to detect and remove infected files, but on its own it did not do the trick and I am not sure if it did anything at all, to be honest.
Finally, my only advice to avoid getting infected in the first place is not to install unknown programs and always log into your system with a User ID that does not have administrator privileges.


10 years 7 months ago #48 by roller
So a few days later I had a further look into the rootkit, and in the removal tool log I found that the infected file was 000.fcl. This system file belongs to PowerDVD, which came with this Dell laptop.

So I am starting to think it was that DVD player update I clicked yes to install. Come to think of it I am not sure now if it was a Cybernet player update, Cyberlink or PowerDVD.

This type of file has high system access and few wondered why PowerDVD would use such a file, some suggested for DRM purposes...

If you Google 000.fcl and rootkit you will find a lot of topics where the two words appear, but not many people are making the connection.

I am puzzled!
