
Post Windows Scan Infection


4 replies to this topic

#1 Yanda

Posted 24 January 2011 - 07:18 PM

I have a computer which was infected with Windows Scan. I have managed to remove that portion, but I continue to receive "blocked URL" pop-ups from TrendMicro Security Agent at random times. Sometimes when I change webpages, sometimes when I close browsers, sometimes at random times, and sometimes multiple blocks at once. The URLs are random gibberish (z0g7yalil0.com/long_stuff). MalwareBytes already cleaned off the Windows Scan, and new scans show nothing. TrendMicro shows nothing. IE appears to be mostly normal. Firefox runs mostly normal. Chrome is not able to browse at all. (I have already found and fixed the proxy issue.) The computer is definitely not up to par, but at least it is better.

TIA for any help offered.

Yanda

#2 Yanda (Topic Starter)

Posted 25 January 2011 - 02:26 PM

I have gotten Chrome to work again using the --no-sandbox flag; however, the blocked URL warnings are still occurring. Any help that can be offered will be greatly appreciated.

:blink:

Yanda

#3 Kevin11952

Posted 30 January 2011 - 05:27 PM

I can't offer any help yet, but I just got hit with the same thing, although in my case it called itself "Antivirus .NET". Symantec AV caught the JavaScript installer after the install, but not that application. MalwareBytes seemed to remove the "Antivirus .NET", but I still can't access Windows Update, and my PC is making a slew of HTTP connects through a svchost.exe instance that start with a DNS lookup for z0g7yalil0.com. The connection to z0g7yalil0.com returns a list of other addresses for it to go hit. I have two different spyware scanners and one rootkit detector that aren't finding anything, perusing my HijackThis log hasn't turned up a root cause, and browsing through the registry hasn't found anything suspicious either.
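The behaviour Kevin describes above (a svchost.exe instance resolving a gibberish domain and then fetching a list of further addresses) is the kind of thing that shows up in proxy or DNS logs long before signature scanners catch the dropper. The script below is an added example written for this page, not code from the thread or from any poster, and not a product's detection logic: it runs a few simple "does this look machine-generated?" heuristics (label length, digit ratio, vowel ratio, character entropy) over constructed log lines and groups the hits by requesting process. The log format, the thresholds and every domain except z0g7yalil0.com are assumptions made up for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread): one request per line in a
# hypothetical "timestamp process domain path" format. z0g7yalil0.com is the
# domain named in the thread; the other names are made up for this example.
SAMPLE_LOG = """\
2011-01-30T17:01:02 svchost.exe z0g7yalil0.com /long_stuff
2011-01-30T17:01:05 svchost.exe update.microsoft.com /windowsupdate
2011-01-30T17:01:09 svchost.exe q8x3vtkz2e.com /cfg
2011-01-30T17:02:11 firefox.exe www.bleepingcomputer.com /forums
2011-01-30T17:02:40 svchost.exe j7lmk0wq4.net /list
2011-01-30T17:03:00 chrome.exe mail.google.com /
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S*)$")

# Heuristic thresholds, hand-picked for this example (an assumption, not a
# value taken from any scanner or vendor).
MIN_LABEL_LEN = 8
MAX_VOWEL_RATIO = 0.35
MIN_DIGIT_RATIO = 0.2
MIN_ENTROPY = 3.1


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Label just left of the TLD; deliberately naive (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain):
    """Compute per-domain features and flag names that look machine-generated."""
    label = registrable_label(domain)
    n = len(label)
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    features = {
        "label": label,
        "length": n,
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": digits / n if n else 0.0,
        "vowel_ratio": vowels / n if n else 0.0,
    }
    # Long label with few vowels, plus either many digits or high entropy.
    features["flagged"] = (
        n >= MIN_LABEL_LEN
        and features["vowel_ratio"] < MAX_VOWEL_RATIO
        and (features["digit_ratio"] >= MIN_DIGIT_RATIO
             or features["entropy"] >= MIN_ENTROPY)
    )
    return features


def parse_log(log_text):
    """Yield (timestamp, process, domain, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def flag_suspicious(log_text):
    """Return [(process, domain)] for every request to a flagged domain."""
    hits = []
    for _ts, process, domain, _path in parse_log(log_text):
        if score_domain(domain)["flagged"]:
            hits.append((process, domain))
    return hits


def hits_by_process(log_text):
    """Count flagged domains per requesting process to single out one svchost.exe."""
    counts = defaultdict(int)
    for process, _domain in flag_suspicious(log_text):
        counts[process] += 1
    return dict(counts)


if __name__ == "__main__":
    for process, domain in flag_suspicious(SAMPLE_LOG):
        print(f"{process:12} {domain:26} {score_domain(domain)}")
    print(hits_by_process(SAMPLE_LOG))
```

On the constructed sample the three gibberish names are flagged and all three come from svchost.exe, while the legitimate hosts pass because they are short, vowel-rich, or both. The vowel-ratio guard is what keeps long real words such as "bleepingcomputer" (high entropy but plenty of vowels) from tripping the entropy test; in practice you would still expect a few false positives (CDN hostnames, hash-named hosts) and would treat a hit as a triage lead for the process, not as proof of infection.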

#4 Yanda (Topic Starter)

Posted 31 January 2011 - 11:00 AM

I think we have run Malwarebytes and TrendMicro just about every day and there's still nothing showing up. TrendMicro updates daily, so it is definitely well hidden.

Thanks for posting that I'm not the only one getting this. It appears to be mostly just irritating, not harmful, but maybe that is only because TM is catching the URL attempts.

Yanda

#5 Kevin11952

Posted 31 January 2011 - 08:34 PM

I found and ran the "gmer" rootkit utility. It reported some "rootkit like behavior" in my hard drive's boot sectors, plus also blue-screened during one of the file scans. After reading some of the rootkit removal tool (Combofix) documentation, I think I may be best off trying the Dell factory restore first, rather than using Combofix and potentially screwing up the factory restore option.

I was frustrated too. The only other reference I found was on a German board, also posted within the last week. I don't know if this is something new, or something old that just knows how to hide really well from the scanners. One other option might be to wait a week and see if the virus removal tools catch up and release a fix.
