Windows 7: Help needed with possible RDP/Keylogger Intrusion on my Win 7 System

17 Sep 2018   #1
dmcmillen

Windows 7 Home Premium 64bit
 
 
Win 7 Home Premium, 6.1.7601 SP1 Build 7601, x64, Arris Surfboard SB6190 cable modem, Linksys EA8300 router, Norton Antivirus

I discovered the intrusion when double checking my Norton Antivirus Signature Exclusions and to my horror I found Backdoor.graybird was excluded from all detections, which I immediately removed.

Further examination of the system has revealed the following:
  • I found 1 UDP and 1 TCP entry in the Firewall Inbound Rules for setadf4.tmp which were set to allow the connection; I immediately blocked them. This was a red flag since hackers use tmp files to install keyloggers. I have rigorously reviewed all startup items in msconfig, all processes and services, and nothing unusual jumps out at me except for 2 conhost.exe processes that Process Explorer ties back to System, csrss.exe and svchost.exe processes.
  • I do not see any remote access programs running like GoToMyPC, UltraVNC, Logmein, VNC, RealVNC, TightVNC or TeamViewer.
  • I ran a netstat -ano and investigated all the ESTABLISHED items and the pids were all accounted for.
  • I ran Berkeley's ICSI Netalyzer and it found one DNS resolution anomaly on mail.live.com, 204.79.197.212, which resolved to Reverse Name/SOA of a-0010-a-msedge.net. Don't know whether that's a problem or not.
  • I ran a full system Norton Antivirus scan and nothing was found.
  • I ran Norton Power Eraser and nothing was found.

Any suggestions here please? I think I would have felt better if I had found something to remove.

David


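Added example, not code from the thread: a PowerShell script that automates the two checks David describes above (inbound Allow rules whose program is a .tmp file or lives in a Temp directory, and ESTABLISHED connections mapped back to their PIDs and image paths), using the netsh and netstat commands available on Windows 7. The path regex and the remote-access tool list are assumptions taken from the names in the post, not findings.

```powershell
# Added triage helper, not from the thread. Run from an elevated prompt on Win 7;
# assumes English netsh output. Patterns below are assumptions based on the post.
$RemoteToolPattern = 'gotomypc|vnc|logmein|teamviewer'   # tools named in the post
$TempPathPattern   = '\.tmp$|\\Temp\\'                    # e.g. setadf4.tmp

# 1) Enabled inbound Allow rules whose program path is a .tmp file or in a Temp dir.
function Get-SuspiciousInboundRules {
    $rules = @(); $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all verbose)) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($cur) { $rules += $cur }
            $cur = @{ Name = $matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $cur[$matches[1].Trim()] = $matches[2].Trim()   # e.g. Program, Action
        }
    }
    if ($cur) { $rules += $cur }
    foreach ($r in $rules) {
        if ($r.Enabled -eq 'Yes' -and $r.Direction -eq 'In' -and $r.Action -eq 'Allow' -and
            $r.Program -match $TempPathPattern) {
            New-Object PSObject -Property $r
        }
    }
}

# 2) ESTABLISHED TCP sockets mapped to the owning process; flags remote-access tools.
function Get-EstablishedConnections {
    $procs = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
            $procId = [int]$matches[3]; $p = $procs[$procId]
            $name = 'unknown (PID not found; process may have exited)'; $path = $null
            if ($p) { $name = $p.Name; $path = $p.ExecutablePath }
            New-Object PSObject -Property @{
                Local = $matches[1]; Remote = $matches[2]; PID = $procId
                Process = $name; Path = $path
                RemoteAccessTool = [bool]($name -match $RemoteToolPattern)
            }
        }
    }
}

Get-SuspiciousInboundRules | Format-Table Name, Protocol, LocalPort, Program -AutoSize
Get-EstablishedConnections | Sort-Object RemoteAccessTool -Descending |
    Format-Table PID, Process, Local, Remote, RemoteAccessTool, Path -AutoSize
```

An empty first table and no flagged rows in the second is the expected result on a clean box; any row whose Path is blank for a live PID means the process is running at a higher integrity than the prompt and should be re-checked from an elevated session.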
17 Sep 2018   #2
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

Hi dmcmillen,

Run these excellent free scan tools on default settings, Malwarebytes first for the scan log!

Malwarebytes
ADWCleaner
SuperAntiSpyware
HitmanPro
TDSSKiller

You can upload the Malwarebytes scan log if you wish and I'll have a look see!

Personally, I don't like Norton. You may wish to peruse AV (Anti-Virus) Comparatives for detailed testing reports on the AV vendors that submit their products for testing. BTW: Windows Defender (WD) is utilized as the base-line standard. Don't like WD either!

Nic
17 Sep 2018   #3
dmcmillen

Windows 7 Home Premium 64bit
 
 

Nic, any problems having Norton AV and Malwarebytes running at the same time?

17 Sep 2018   #4
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

There shouldn't be; Malwarebytes Free and the Premium real-time version are compatible with most AVs. You will be doing a one-time scan at least for your issue. You don't need to enable the Premium trial if you don't want to.
17 Sep 2018   #5
dmcmillen

Windows 7 Home Premium 64bit
 
 

Ok, installed Malwarebytes and ran 1st scan. MB Scan without rootkits.txt

Nothing serious. A lot of PUPs, some of them are for my Advanced System Care (ASC). 2 adware items flagged as malware. I took no actions, but while I was looking through the items, I got a popup that said all items had been removed and I must reboot, which I didn't. It quarantined one of the ASC files and won't let me remove it from quarantine until I reboot. I took no action to tell MB to quarantine this file. I'm really irritated. I'm afraid to reboot because I don't want to lose these items. I've checked some of the items, files and registry entries and they are still there, but I'm afraid the reboot is going to remove them. Unclear what happened because I did nothing except run the scan. I was going to rerun the scan with rootkits (did that already with Power Eraser).

What do you suggest? Right now, not knowing how MB is working, I would probably uninstall MB before rebooting to be on the safe side.


I did save the scan to the attached file.

Edit: I just turned off Automatically Quarantine detected malware. Even so, the quarantined item was not detected as malware.


17 Sep 2018   #6
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

Quote: Originally Posted by dmcmillen
What do you suggest. Right now not knowing how MB is working, I would probably uninstall MB before rebooting to be on the safe side.
I did save the scan to the attached file.
Edit: I just turned off Automatically Quarantine detected malware. Even so, the quarantined item was not detected as malware.
Malwarebytes, if you are running the Premium trial, is perfectly fine to leave as is. It is an excellent supplement to your AV. If you didn't choose to enable the Premium trial, it's not active until you start the program; again, perfectly fine to leave it on your computer. I enabled the Premium trial, now expired; I use the free program to routinely scan.

Why did you turn off Auto Quarantine? That's defeating the purpose of real-time scanning. BTW: By default, most AVs quarantine as a precaution. You can choose to delete the offender, or if it was a false positive, you can add an exception.

I'll check over your MB log in a few, I have a little running around to do. With a quick look, you had way, way too much adware, PUPs, etc. I don't permit any of that to be installed on my computers.

Curiosity questions: For what purpose do you use Advanced System Care? Are you using the free or paid version?

Nic
17 Sep 2018   #7
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

Had a look at your MB log, there are a few troublesome entries that have the ability to download trojans, keyloggers, etc.
Additionally, if you wish to use BitTorrent, don't use Vuze, which is an excellent program to download/install malware!

If you must use a BitTorrent client I suggest you use Tixati as I do. No nagware, no malware, no BS, period; never had an issue downloading legitimate files. We don't condone piracy and in fact it is against SevenForums rules; not saying that you are pirating, just sayin'.

Nic
18 Sep 2018   #8
dmcmillen

Windows 7 Home Premium 64bit
 
 

Thanks for the tip on Tixati. FYI, the Tixati link is a bad link.

I only installed MB in order to troubleshoot the original posted problem, that of finding the Signature exclusion of Backdoor.graybird in NAV and the existence of UDP and TCP inbound rules for a setadf4.tmp file. I am trying to determine whether someone has been on the system and left a backdoor to return.

I see that MB flagged some items that I will need to take care of, but there were also false negatives with respect to ASC. MB flagged things that NAV did not flag and didn't find things that NAV Power Eraser found. This is not unexpected behavior. MB seems to be a bit more sensitive than NAV and the default setting is to treat all detections as malware. The thing I don't like about MB is that it didn't give me any reason as to why the items were flagged as detections, and limited options as to what to do with them. Also there were 2 adware detections as malware, but the report shows no malware detected. The biggest problem I had with MB was that while I was reviewing the detections, it suddenly notified me that it was going to remove all detections and to reboot. And it wouldn't let me unquarantine the ASC file until I rebooted. With this 'erratic' behavior I uninstalled MB completely and rebooted the machine. Had to recover the quarantined ASC file from backup and still had to reactivate the software. I wasn't willing to risk the possibility of MB removing all the false negative files and reg entries.

The results of the MB scan don't show any evidence of malware related to my possible Backdoor.graybird intrusion (or other trojan), and since Backdoor.graybird has been around for a while I'm assuming that all AV/spyware programs are set up to detect it. Of course, it's a good idea to detect if there are any other potential problems.

To answer your question about ASC, I use the paid version along with the free version of their defrag program. I primarily use it as another tool to help clean up the registry and files. Do you know why MB is flagging? They have an excellent uninstall program but I use Revo for that.
18 Sep 2018   #9
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

Oops, my bad, too many hours studying my textbooks I presume. Link fixed, thank you!

Not my first boo boo, won't be my last. LOL

I perused the Malwarebytes website regarding that matter a few days ago. They stated programs are flagged as PUPs that have the potential to alter your computer settings, have the ability to download back-doors, trojans, keyloggers, etc. I presume this is an err-on-the-side-of-caution mentality. Better to flag it and let the user decide, apparently. The reboot and access denied to unquarantine must be a new feature in the new Malwarebytes.

I just tried a little searching but didn't find the article, it's for sure in my history, but don't have the time right now to locate it.

I've never heard of MB auto rebooting. I don't use the newest versions, so I can't attest to that. I have MB anti-exploit and anti-malware running and the new versions include those and it deletes my installations!

You could install an older version as I have; it doesn't do the reboot thing and, as with the new versions, you can add exclusions for false positives. The database for malware detection is the same.

Have you heard of Farbar Recovery Scan Tool (FRST)? You could run that and enter whatever program you wish to search for and it will provide you with the path to every entry on your computer, files, folders, registry everything. I use FRST for a few reasons, great tool, free. I like free!


18 Sep 2018   #10
dmcmillen

Windows 7 Home Premium 64bit
 
 

Possibly a clarification needed. MB didn't actually reboot the system. It just notified me that it was removing the detections and said I needed to reboot the system. I chose not to.

I'll check out FRST. Sounds like a pretty cool tool.