
Win7 "botnet" activity flagged by my ISP


2 replies to this topic

#1 hagenf

hagenf

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 AM

Posted 11 January 2016 - 12:49 PM

I have a Win7 64bit computer that has been sending info out to a cluster of 195.22.28.x IPs as well as 204.11.56.48 as soon as I open Quickbooks 2012.


I have found and uninstalled "Arcade Candy" programs and removed any traces of them from the registry. Malwarebytes flagged them as PUP and I started seeing internet sites referring to them as the "Candy Virus", so I made sure to remove them. Last I checked, no further files remain from them, yet I still see traffic sending out to those IPs from only this computer on the network.


Today I blocked the IPs in my wifi router to temporarily prevent data going out that shouldn't be, and I'm scanning for rootkits with Malwarebytes rootkit beta and Kaspersky TDSSKiller. About 10 minutes into my Malwarebytes rootkit scan, it found a Trojan.Zekos.Patched7SP1 and so far no others. The file it was found under was "rpcss.dll".


I'm vaguely new to the rootkit/registry crushed area but not new to the removal scene. The registry was having errors and I was unable to install Windows Updates, which led me down this path. When our ISP called us I started taking this very seriously. My biggest concern is ensuring no data is being sent out from our Quickbooks info.


Can anyone help me with a to-do list and which order to do what as well as how to triple check that my Quickbook backups aren't infected?


Thank you in advance!

-Hagen F
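The pattern described in the post above (one host on the LAN reaching the 195.22.28.x cluster and 204.11.56.48) can be tied to a process on the affected machine by reading `netstat -ano` output. This is an added example, not code from the poster or the thread; the netstat sample, PIDs and local addresses in it are constructed.

```python
import ipaddress
import re
from typing import List, Tuple

# Destinations reported in the post: the 195.22.28.x cluster and 204.11.56.48.
SUSPECT_NETS = [
    ipaddress.ip_network("195.22.28.0/24"),
    ipaddress.ip_network("204.11.56.48/32"),
]

# Constructed sample of Windows `netstat -ano` output (PIDs and local
# addresses are made up for illustration).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49201     195.22.28.199:80       ESTABLISHED     1180
  TCP    192.168.1.20:49202     93.184.216.34:443      ESTABLISHED     2044
  TCP    192.168.1.20:49203     204.11.56.48:80        SYN_SENT        1180
  UDP    0.0.0.0:5355           *:*                                    1052
"""

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def foreign_host(addr: str) -> str:
    """Strip the port and any IPv6 brackets: '[::1]:443' -> '::1'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def is_suspect(host: str) -> bool:
    """True when host parses as an IP inside one of SUSPECT_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or a hostname, not an address
        return False
    return any(ip in net for net in SUSPECT_NETS)


def flag_connections(netstat_text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, foreign_address, state) for every row hitting a suspect net."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or unexpected row layout
        _proto, _local, foreign, state, pid = m.groups()
        if is_suspect(foreign_host(foreign)):
            hits.append((int(pid), foreign, state or "-"))
    return hits


def pids_to_investigate(netstat_text: str) -> set:
    """Distinct PIDs owning the flagged sockets; map them with `tasklist`."""
    return {pid for pid, _, _ in flag_connections(netstat_text)}
```

On the real machine, feed the script the saved output of `netstat -ano` and resolve each returned PID with `tasklist /FI "PID eq <pid>"` to see which executable (or, as here, a service host that may be loading a patched DLL) owns the connection.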





#2 buddy215

buddy215

  • Moderator
  • 13,415 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:07 AM

Posted 11 January 2016 - 12:59 PM

WELCOME TO BC...

Based on what you report, it is best that you start a new topic in the Malware Removal Forum.


Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.


DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 hagenf

hagenf
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 AM

Posted 11 January 2016 - 01:05 PM

Thank you! I wasn't sure where to post. I'm new to BleepingComputer! Thank you for the direction, I'll repost there!
