I have a Win7 64-bit computer that has been sending info out to a cluster of 195.22.28.x IPs as well as a 126.96.36.199 as soon as I open QuickBooks 2012.
I have found and uninstalled "Arcade Candy" programs and removed from the registry any traces of them. Malwarebytes flagged them as PUP and I started seeing internet sites referring to them as the "Candy Virus", so I made sure to remove them. Last I checked, no further files remain from them, yet I still see traffic being sent out to those IPs from only this computer on the network.
Today I blocked the IPs in my wifi router to temporarily prevent data going out that shouldn't be, and I'm scanning for rootkits with Malwarebytes root-kit beta and Kaspersky TDSSKiller. About 10 minutes into my Malwarebytes Rootkit scan, it found a Trojan.Zekos.Patched7SP1 and so far, no others found. The file it found it under was "rpcss.dll".
I'm vaguely new to the rootkit/registry crushed area but not new to the removal scene. The registry was having errors and I was unable to install Windows Updates, which led me down this path. When our ISP called us I started taking this very seriously. My biggest concern is ensuring no data is being sent out from our QuickBooks info.
Can anyone help me with a to-do list and which order to do what, as well as how to triple check that my QuickBooks backups aren't infected?
Thank you in advance!