Rootkit Zero Access removed? Now trying to connect to blocked URL

The infected computer was not connecting to SSL sites properly, it was being redirected to a site with a bad Certificate. I disconnected from the network and began cleaning.

I ran most of the recommend programs here, Combofix said there was a Rootkit.ZeroAccess in the TCP/IP stack, and took care of it. After reconnecting to the network, my AV (Trend Micro) notified me it was blocking attempts to connect to a URL (methylen.com/Y2x8M...), about 100 times per minute. I also see the AV blocking attempts on drentalon.com/Y2x8M... and 178.238.225.233/Y2x8M...

SSL sites no longer redirect, but it doesn't appear to be bug free yet. Ran the programs to get the logs, here they are. Thanks!

 

and this one

 

Welcome to Major Geeks, SeptimusPryme

I want you to read and follow these instructions: TDSSKiller - How to run

Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  afd.sys
  i8042prt.sys
  ipsec.sys
  netbt.sys
  svchost.exe
  tcpip.sys
  /md5stop
  %windir%\$ntuninstallkb*. /30
  %windir%\system32\drivers\*.sys /lockedfiles
  %windir%\*.* /mp
  %windir%\*.* /rp
  %windir%\*.* /sl
  %systemdrive%\mgtools\*.*
  

• Now click the button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized
• Attach both reports to your next message. (How to attach)

 

Thanks for your help. Here are the new logs.

 

From Add/Remove Programs (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 21
• Java(TM) SE Runtime Environment 6 Update 1
• Spybot - Search & Destroy 2

Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
See: How to start your computer in Safe mode

Attached is OTLfix.txt
Download and save this to your desktop.


Now reopen OTL
Then drag OTLfix.txt into the text-field.
You should see a bunch of text transferred over into the text-field.
Now click the button.
The fix will need a reboot. Allow the PC to reboot into Normal Mode.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.

 

Thanks again. Here are the logs from those programs.

After 15 minutes of testing, it appears to be fixed. I'll update if anything changes.

Anything I should do to wrap up? Thanks so much! I greatly appreciate your help.

 

You're welcome.

These latest logs are clean but feel free to test the computer until you are ready to proceed with the below cleanup steps.

__

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

UPDATE: Well, I spoke too soon. Even though the client's endpoint Anti-Virus logs weren't showing the blocked URL requests, after a while the AV server sent an email saying that client was still making the 100+ blocked attempts to connect to the malicious site.

In other words, the client doesn't show any sign of infection, but the server reports behavior of indicative of an infected client.

I have already followed the post-removal procedure that you gave me in your last reply. Any more ideas on this?

 

The AV server from Trend Micro?
My initial thought is that they are reporting some old facts. Especially since the live end point client has stopped notifying you of malicious behavior.