
Farbar Recovery Scan was run



I have Malwarebytes Anti-Malware (Premium), and Anti-Exploit Premium

Windows 7, SP 1

64-bit OS

6 GB RAM

I ran the anti-malware scan and it detected nothing.  I ran a custom scan of my external backup drive and it detected nothing.  Yet the popups keep coming, "Outbound" is blocked, but something must be generating the Outbound.

=============================================

Scan result of Farbar Recovery Scan Tool, FRST.txt and Addition.txt logs are attached, as well as an .rtf file with the images of the popups and the Malwarebytes scan results.

 

 

Malwarebytes popups.rtf

FRST.txt

Addition.txt


  • Staff

Hello ANGLICO1, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.

General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================
 
Unfortunately, your computer is badly infected, and I must ensure you are aware of the following. Please read the warning below, let me know what you think and how you wish to proceed. 
 

BACKDOOR WARNING
 
------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).

Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following article for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your Hard Drive and reinstall your Operating System. This is due to the nature of the infection, which allows the attacker remote control over the machine. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the infection(s) present or reformatting your computer. Ultimately, this decision is personal, and down to you and what you're most comfortable with. Please let me know how you wish to proceed, and if you have any questions.


Adam, you may call me Vance, although I have been called many things, I answer to most, just don't call me "late to dinner."  Thank you for your prompt response. I need to study your suggestions, although I may not understand some of the terms.  All my software is licensed to me.  Besides the usual Microsoft Office software, I have a vBulletin product that allows me to maintain a website, and some specialized software that geologists use.

 

I retired in March, but still assist my long-time employer remotely when they need a geologist.  Perhaps coincidentally, my email addresses began spamming voice mail messages, although I don't even know what that is, at the same time that the company installed a telephone system which messed up their server and emails.  I was still using their Vipre Business software, required because I occasionally link to their server for the purposes of plotting geological maps and sharing data. In any case, to be safe, I removed all means of connecting with the company, I scanned thoroughly with Vipre Business and with a download they sent me (a 25-hour scan), some things were removed, and then I removed Vipre Business and installed your software.

 

Future data sharing with my former employer will be via CD, DVD, or thumb drive.

 

I don't know what Peer to Peer file sharing is.  In the past, most of my support involved connecting to the company server, and sending plots (geological maps and cross sections) to their large plotter.  I seldom if ever transferred actual data files that way.  Normally, I would send a spreadsheet or writeup by email.

 

I'll study your info, and get back, but there is so much I don't readily grasp that it may take me several days to look up the terms.

 

Vance


Adam,

 

1.  This appeared upon Malwarebytes installation.  Is this okay?  Should I remove these exclusions?  I have no idea what these are.  Screenshot attached.  (.rtf file with the image)

 

2.  Banking, etc.  Paypal is the only financial information I believe that may be compromised.  I will notify them today.  My bankers and financial advisers know me personally, and from the beginning of online banking all were advised to never allow online access to my accounts.  Thanks for the heads up.

 

3.  If I opt to reformat my hard drive, does that mean just my C: drive where the OS and most software reside?  I have another internal drive with some program software, and dual internal (data) hard drives set up in RAID configuration, plus two external backup drives.  Would all these drives need to be reformatted?  I have data from the past 20 years of geological work stored in various places that would need to be copied somewhere, but would that potentially be infected too?  I am mostly retired, but had hoped to gift all this geological data to the Oklahoma Geological Survey very soon.  I don't want to give them an external hard drive that carries an unpleasant surprise.

 

Rant - If so, this old Marine would like to ID the SOB and pay him a personal visit if possible.

WebExclusions2.rtf


  • Staff

Hi Vance,
 

1.  This appeared upon Malwarebytes installation.  Is this okay?  Should I remove these exclusions?  I have no idea what these are.  Screenshot attached.  (.rtf file with the image)

Please upload the image to Imgur: http://imgur.com/
 

Would all these drives need to be reformatted?

You should be OK to just reformat your C: drive. I can see two serious infections present (Poweliks and Zbot). Zbot's files are on your C: drive, and Poweliks resides entirely within your HKCU hive. Reformatting C: will wipe out both of these. 
 
We can scan your other drives now if you like, and determine which are clean. I would imagine your other drives are fine, but it's worth double-checking.


I uploaded the .rtf file with the image to http://imgur.com/

 

I ran a 4-hour MWB scan of the external backup drive yesterday, and nothing was detected.  Also the other internal drives were scanned without any detections. 

 

I'm wondering, given the age of the computer, 3 years or so, if I ought to buy a new computer, buy a new drive to replace the C: drive, or reformat.  I'm going to give this some thought.

 

I just made a mistake, worried about the possible origin of the problem with my former company and the connection with their problematic server.  I eliminated LogMeIn which enabled their IT guy to access my computer.  I eliminated MS Outlook Exchange, which connected me to them.  The final step was a mistake, to reset my Computer settings, from a business workgroup under their domain to just a personal computer.  That wiped out much, but lots of images and other files remain searchable, just without the old links.  Future support to them will be by delivering a CD or DVD with images or data.

 

I could get the IT guy to reset everything but I'm thinking just to back up critical things to other drives before reformatting or replacing the C: drive.

 

What file types can NOT be safely copied to a backup drive?


  • Staff

Vance, 
 
I can't see the image. You need to provide the Imgur link provided after uploading the image. 
 

What file types can NOT be safely copied to a backup drive?

The safest practice is not to back up any executable (.exe), screensaver (.scr), dynamic link library (.dll), autorun (.ini) or script (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. You should also avoid backing up compressed (.zip, .cab, .rar) files that have executables inside, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name.

  • Backing up documents, image, music and video files is fine.
  • Specially crafted Word/Excel/PDF files can be used for malicious intent, so I recommend only backing up documents that you created, or you know come from a trusted source. 
  • To repeat, do not back up files with the following extensions:
.exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab
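As an added example (not part of the thread, and not a Malwarebytes tool), the following Python script applies the backup rules from the post above to a list of file names: it flags the listed extensions, double extensions, whitespace padding before the real extension, trailing spaces or dots, and executables inside a .zip archive. The file names and the in-memory zip are constructed samples; .rar and .cab are not opened because only .zip is supported by the standard library used here.

```python
"""Audit candidate backup files against the 'do not back up' advice in this thread."""
import io
import os
import zipfile

# The "do not back up" list exactly as given in the post above.
UNSAFE_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".com", ".cmd", ".msi", ".pif", ".ini",
    ".htm", ".html", ".hta", ".php", ".asp", ".xml", ".zip", ".rar", ".cab",
}
# Runnable-code extensions to look for inside an archive (.dll added from the prose).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".bat", ".com", ".cmd", ".msi", ".pif", ".hta"}


def classify_name(path):
    """Return the reasons a file should be left out of the backup ([] means it looks fine)."""
    reasons = []
    base = os.path.basename(path)
    # Windows itself drops trailing spaces/dots; a name carrying them is a disguise attempt.
    stripped = base.rstrip(" .")
    if stripped != base:
        reasons.append("trailing space or dot in name")
    parts = stripped.lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    if not exts:
        return reasons
    final_ext = exts[-1]
    if final_ext in UNSAFE_EXTENSIONS:
        reasons.append("unsafe extension " + final_ext)
    # 'report.pdf.exe': the last extension is the real one, whatever precedes it.
    if len(exts) > 1 and final_ext in UNSAFE_EXTENSIONS | EXECUTABLE_EXTENSIONS:
        reasons.append("double extension hides real type " + "".join(exts))
    # 'map.jpg        .scr': spaces pushed before the real extension to hide it in Explorer.
    if len(parts) > 2 and parts[-2].endswith(" "):
        reasons.append("whitespace padding before final extension")
    return reasons


def archive_executables(zip_bytes):
    """List members of a .zip (given as bytes) that are executables or otherwise unsafe."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):          # directory entry, nothing to inspect
                continue
            ext = os.path.splitext(member.lower().rstrip(" ."))[1]
            if ext in EXECUTABLE_EXTENSIONS or classify_name(member):
                hits.append(member)
    return hits


def build_sample_zip():
    """Constructed sample archive: one harmless text file and one (fake) executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("well_logs/readme.txt", "constructed sample content")
        zf.writestr("well_logs/setup.exe", b"MZ constructed stand-in, not a real program")
    return buf.getvalue()


def audit(names):
    """Map each candidate file name to its reasons; names mapped to [] are safe to copy."""
    return {name: classify_name(name) for name in names}


if __name__ == "__main__":
    sample = ["cross_section.docx", "wells.xlsx", "report.pdf.exe",
              "map.jpg        .scr", "autorun.ini", "notes.txt ", "archive.zip"]
    for name, reasons in audit(sample).items():
        print(f"{name!r}: {'OK' if not reasons else '; '.join(reasons)}")
    print("executables inside sample zip:", archive_executables(build_sample_zip()))
```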

Awesome!  This is sounding more feasible all the time.  I'm thinking about replacing the 464 GB C: drive with a 2 TB drive, loaded with a brand new MS Office.  Mine is Office 2007.  I'll have to list all the software that I really need post-retirement, and figure out the easiest and/or cheapest way to replace that.

 

My primary geological tool is problematic.  I'm trying to finish up a final consulting project for a friend.  That's not finished.  I purchased the software personally in 1997 before starting work at Staghorn, but after retiring I dropped the annual maintenance.  But I still own the product.  I don't want to have to pay the $1,500 or so annual maintenance to get it reinstalled.  So I have to decide whether to copy the project files for the client & friend, free of charge, and move forward, or whether to complete the project first.  Similarly, for the Oklahoma Geological Survey, I have to decide how much work and data culling to do before handing over the computer representation of a 41-year career.  I think all the file types involved are safe.  Many are unique to this software.

 

I'll be back after discussing the hard drive availability with Office Depot.  Any suggestions as to OS or MS Office versions are welcomed, with security in mind.

 

I can't tell you how much I appreciate your efforts.  If ever in Tulsa, I'm good for a few beers and lunch at a fine brew pub.

 

Guess the first thing I do after installation is redownload Malwarebytes Anti Malware Premium and Anti Exploit Premium, or even better just install from the DVD that you just sent me with three licenses.


  • Staff

Hi Vance, 
 

I'll have to list all the software that I really need post-retirement, and figure out the easiest and/or cheapest way to replace that.

Most software (including Windows!) has free, open source alternatives that are less vulnerable and have similar functionality. 
 
For example, any Linux distro can be used instead of Windows, and OpenOffice/LibreOffice can be used instead of MS Office. Both free, open source, and less vulnerable. Of course, switching from Windows to Linux is a huge step, but MS Office to OpenOffice/LibreOffice less so, and certainly worth considering. 
 

Any suggestions as to OS or MS Office versions are welcomed, with security in mind.

If we're still talking Windows, then I would recommend Windows 8.1. Many dislike Windows 8... I don't, but that's my opinion. As long as you don't go below Windows 7, it really comes down to personal choice. I would always go for the latest MS Office version (2013). Of course, it comes in many versions (Student, Professional, etc) - you would need to pick the version most appropriate for you. 
 

I can't tell you how much I appreciate your efforts.  If ever in Tulsa, I'm good for a few beers and lunch at a fine brew pub.

It's my pleasure. That lunch sure does sound tempting. It's a shame there's ~4,000 miles in the way!
 

Guess the first thing I do after installation is redownload Malwarebytes Anti Malware Premium and Anti Exploit Premium, or even better just install from the DVD that you just sent me with three licenses.

Yes, make sure you have to hand the relevant license information, etc.
 

[...] that you just sent me

Just so you know, I do not work for Malwarebytes. I provide assistance on a volunteer basis.


I have a new App on my iPad called MCBackupPro. 

 

When I eliminated MS Exchange as a part of disconnecting from the problematic server at Staghorn, I was able to restore everything but my contacts.  However, they were current on the iPad and this App allowed me to send .vcf contact files by email.

 

Are such apps likely to be safe, or might they somehow embed nasty things in the files they export?  This would be an easy way for me to restore my contacts to a newer email/contact management system, IF it is probably safe.

 

Now I'm getting paranoid.

("Just because you're paranoid, it doesn't mean they're not trying to kill you", as we used to say in Vietnam.)


I don't see a MWB app advertised on the website, or in the iTunes App store.

 

Should I post more broadly to see whether anyone has had good experiences with any of those Apps available through iTunes?

 

A search for "malware" turned up a number of games.  A possible App, Max Virus Shield, looks complicated and may require the use of Dropbox.  Many others seem geared primarily for web browsing.

 

I feel like I'm sinking in quicksand.


Many thanks!  I'll snag an app but right now I have a grandkids event to attend, then dinner out, then watch the SF Giants beat the KC Royals.

 

Tomorrow, take this up again.

 

New strategy. 

 

  1. I'll unhook this computer from the local home network and the internet.  I'll use this solely to complete my final consulting project for a friend, and the volunteer project for the Oklahoma Geological Survey.
  2. I'll purchase a new system that won't have to have as much horsepower, and start from scratch there with all up-to-date software, without all the technical geological and imagery software.  All future emails will be from the new computer with all the Malwarebytes software installed before ever looking at the internet.

 

Question, interesting thing.  I changed the computer System configuration away from the Staghorn.com configuration and the popups (and my emails) disappeared.  No problem, I'll disconnect from the internet, do a System Restore, and proceed.


Tomorrow or Saturday, I'll go computer shopping.

Meanwhile, I restored the system to several days back and regained my key software, and Microsoft Outlook with all the emails and contacts.

 

  1. If I save all this Outlook stuff as .pst files, can those be compromised?  That would be the easiest way to move this to the new computer.
  2.  Otherwise, and I'll eventually do this anyway, I'll buy Malwarebyte's online storage and save them there.  I hesitated to purchase anything more using a computer, but perhaps I could call someone and buy it by phone.  But then if my keystrokes are being seen, someone might see me logging in to save the data?

Thanks for keeping up with the progress.  BTW, when I restored and rebooted, Malwarebytes ran and Quarantined two Trojans.

 

Maybe both vendors were Trojan.Zbot.YK


  • Staff

Backing up .pst files is fine. Of course, you may have saved Emails with malicious attachments/content, so I would delete any unknown Emails now, and backup afterwards. Ultimately, you should be fine saving your Outlook data as .pst files.

 

Yes. As I mentioned earlier, one of the infections present is Zbot. Zbot is designed to capture keystrokes/screenshots, and steal financial information, login details, passwords, etc. 


Adam,

 

By the numbers!  Please help me ensure that I perform the transition to a new computer in the proper sequence.  Re-order the steps, if I make a tactical error.

The old computer will remain as my geological workstation, but will be disconnected from the internet and from my home network.  Thankfully, it has never been successfully networked with my wife's computer.

  1. I had my ISP reset all my email passwords to a random number.
  2. I am disconnected entirely from my old company's server, whether through Logmein, MS Outlook Exchange, or their Vipre Business malware software.
  3. I'm about to disconnect the CAT-5e cable to the infected desktop.
  4. I need to check out those iThing Apps and install some security on those devices.
  5. I will soon change all passwords everywhere, through my iPhone or iPad, and handle all emails from those devices until Nov. 7 when my new computer arrives, or when it is configured with Malwarebytes software installed.
  6. I'll go through emails and other files, searching for the file types that you noted above and ensuring that those are not copied to a backup drive, even within a .pst backup file.
  7. Once the new computer is configured, protected, and linked back to the internet, and once all passwords everywhere are changed via that computer, I'll hook up the backup drive and restore emails, contacts, and calendars.

Please review my battle plan, and revise as necessary.

Thank you very, very much!!!!!


Adam,

Not now but possibly in a week or so, after my new computer arrives and I begin implementing the transfer of selected files from the old (disconnected) computer to a backup drive, and from there to the new computer.

Hopefully, I'll have no problems. Either way, I will post an update in a week or two.

Thank you for checking.


  • 2 weeks later...

Update:

 

New system purchased.  Dell with Windows 8.1.  I don't like it, but maybe v. 10.0 will bring some old simplicity back.

 

I couldn't install MWB prior to connecting to the internet, because the Dell system wanted me to connect during setup. 

But the very first task was to install Malwarebytes Anti-Malware Premium from the DVD that was mailed to me.  Then I checked for updates and ran the first scan.  No problems detected.

The DVD did not contain the other program that I purchased, Malwarebytes Anti-Exploit Premium.  Yesterday I submitted a support question in hopes of finding out how to get that installed.

 

Do you recommend any other Malwarebytes software for this brand new system?

 

Once the Support folks instruct me regarding Anti-Exploit, I will begin the potentially risky task of transferring photos, contacts, email backups, etc. to the new computer.

 

I've changed every password I can think of multiple times, using my iPad.
