Help needed with possible RDP/Keylogger Intrusion on my Win 7 System
Win 7 Home Premium, 6.1.7601 SP1 Build 7601, x64, Arris Surfboard SB6190 cable modem, Linksys EA8300 router, Norton Antivirus
I discovered the intrusion when double checking my Norton Antivirus Signature Exclusions and to my horror I found Backdoor.graybird was excluded from all detections, which I immediately removed.
Further examination of the system has revealed the following:
- I found 1 UDP and 1 TCP entry in the Firewall Inbound Rules for setadf4.tmp which were set to allow the connection, which I immediately blocked. This was a red flag since hackers use tmp files to install key loggers. I have rigorously reviewed all startup items in msconfig, all processes and services, and nothing unusual jumps out at me except for 2 conhost.exe processes that Process Explorer ties back to System, csrss.exe and svchost.exe processes.
- I do not see any remote access programs running like GoToMyPC, UltraVNC, Logmein, VNC, RealVNC, TightVNC or TeamViewer.
- I ran a netstat -ano and investigated all the ESTABLISHED items and the pids were all accounted for.
- I ran Berkeley's ICSI Netalyzer and it found one DNS resolution anomaly on mail.live.com, 204.79.197.212, which resolved to Reverse Name/SOA of a-0010-a-msedge.net. Don't know whether that's a problem or not.
- I ran a full system Norton Antivirus scan and nothing was found.
- I ran Norton Power Eraser and nothing was found.
Any suggestions here, please? I think I would have felt better if I had found something to remove.
David
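The two manual checks in the post (inbound firewall allow rules for a .tmp program, and matching netstat -ano PIDs to processes) can be scripted so they are repeatable and harder to miss. The following is an added example, not code from the post or from any product mentioned in it. It assumes an English-locale Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt, and deliberately uses netsh and netstat rather than Get-NetFirewallRule/Get-NetTCPConnection, which only exist on Windows 8 and later. Function names and the temp-path heuristics are the example's own.

```powershell
# Added triage helper (not from the original post). Assumes Windows 7+, PowerShell 2.0+,
# English locale (netsh field labels are localized), and an elevated prompt.

function Get-SuspiciousInboundAllowRules {
    # Parse 'netsh advfirewall firewall show rule' into objects. Each rule starts with
    # "Rule Name:"; the Direction/Action/Program lines that follow belong to that rule.
    $raw = netsh advfirewall firewall show rule name=all verbose
    $rules = @()
    $current = @{}
    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current.Count -gt 0) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $matches[1].Trim(); Direction = ''; Action = ''; Program = '' }
        } elseif ($line -match '^Direction:\s*(\S+)') { $current.Direction = $matches[1] }
        elseif ($line -match '^Action:\s*(\S+)')     { $current.Action    = $matches[1] }
        elseif ($line -match '^Program:\s*(.+)$')    { $current.Program   = $matches[1].Trim() }
    }
    if ($current.Count -gt 0) { $rules += New-Object PSObject -Property $current }

    # Heuristic (assumption of this example): a program living in a Temp folder or with a
    # .tmp extension has no legitimate reason to hold an inbound Allow rule.
    $rules | Where-Object {
        $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
        ($_.Program -match '\\Temp\\' -or $_.Program -match '\.tmp$')
    }
}

function Get-SocketOwnerReport {
    # Map every PID to its image path once (Win32_Process works on Windows 7; PID 4/System
    # and some protected processes report no path, which is normal).
    $procs = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_.ExecutablePath }

    # netstat -ano: TCP rows are Proto Local Remote State PID; UDP rows have no State column.
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s+' } | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = [int]$f[4] }
        else                 { $state = 'n/a';  $procId = [int]$f[3] }

        $path = $procs[$procId]
        $sig  = 'unknown'
        if ($path -and (Test-Path $path)) { $sig = (Get-AuthenticodeSignature $path).Status }

        New-Object PSObject -Property @{
            Proto      = $f[0]
            Local      = $f[1]
            Remote     = $f[2]
            State      = $state
            PID        = $procId
            Path       = $path
            Signature  = $sig
            # Flag for review, not a verdict: see the note below about catalog-signed binaries.
            Suspicious = (($path -match '\\Temp\\') -or ($sig -ne 'Valid'))
        }
    }
}

# Usage: list the rules worth removing, then the sockets whose owner deserves a second look.
Get-SuspiciousInboundAllowRules | Format-Table Name, Direction, Action, Program -AutoSize
Get-SocketOwnerReport | Where-Object { $_.Suspicious } |
    Format-Table Proto, Local, Remote, State, PID, Path, Signature -AutoSize
```

Two caveats when reading the output. First, on Windows 7 many system binaries (conhost.exe, csrss.exe and svchost.exe among them) are catalog-signed rather than carrying an embedded Authenticode signature, and Get-AuthenticodeSignature there reports them as NotSigned; the Suspicious flag is therefore a prompt to check the path (it should be under %SystemRoot%\System32) and the parent process, not proof of tampering. Second, a rule whose Program is a .tmp file that no longer exists on disk is still worth deleting, since the rule would apply again if a file of that name were recreated; the post's own step of blocking the rule is the right response, and removing it entirely is cleaner.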