Post Windows Scan Infection

I have a computer which was infected with Windows Scan. I have managed to remove that portion, but I continue to receive "blocked URL" pop ups from TrendMicro Security Agent at random times. Sometimes when I change webpages, sometimes when I close browsers, sometimes at random times, and sometimes multiple blocks at once. The url's are random gibberish (z0g7yalil0.com/long_stuff). MalwareBytes already cleaned off the Windows Scan, and new scans show nothing. TrendMicro shows nothing. IE appears to be mostly normal. Firefox runs mostly normal. Chrome is not able to browse at all. (I have already found and fixed the proxy issue). The computer is definitely not up to par, but at least it is better.

TIA for any help offered.

Yanda

I have gotten Chrome to work again using the --no-sandbox flag; however, the blocked URL warnings are still occurring. Any help that can be offered will be greatly appreciated.



Yanda

I can't offer any help yet, but I just got hit with the same thing, although in my case it called itself "Antivirus .NET". Symantec AV caught the java script installer after the install, but not that application. MalwareBytes seemed to remove the "Antivirus .NET", but I still can't access Windows Update, and my PC is making a slew of http connects through a svchost.exe instance that start with a DNS lookup for z0g7yalil0.com. The connection to z0g7yalil0.com returns a list of other addresses for it to go hit. I have two different spyware scanners and one rootkit detector that aren't finding anything, perusing my HijackThis log hasn't turned up a root cause, and browsing through the registry hasn't found anything suspicious either.

I think we have run Malwarebytes and TrendMicro just about every day and there's still nothing showing up. TrendMicro updates daily, so it is definitely well hidden.

Thanks for posting that I'm not the only one getting this. It appears to be mostly just irritating, not harmful, but maybe that is only because TM is catching the URL attempts.

Yanda

I found and ran the "gmer" rootkit utility. It reported some "rootkit like behavior" in my hard drive's boot sectors, plus also blue-screened during one of the file scans. After reading some of the rootkit removal tool (Combofix) documentation, I think I may be best off trying the Dell factory restore first, rather than using Combofix and potentially screwing up the factory restore option.

I was frustrated too. The only other reference I found was on a German board, also posted within the last week. I don't know if this is something new, or something old that just knows how to hide really well from the scanners. One other option might be to wait a week and see if the virus removal tools catch up and release a fix.