Help needed with possible RDP/Keylogger Intrusion on my Win 7 System


  1. Posts : 8
    Windows 7 Home Premium 64bit
       #1

    Help needed with possible RDP/Keylogger Intrusion on my Win 7 System


    Win 7 Home Premium, 6.1.7601 SP1 Build 7601, x64, Arris Surfboard SB6190 cable modem, Linksys EA8300 router, Norton Antivirus

    I discovered the intrusion when double checking my Norton Antivirus Signature Exclusions and to my horror I found Backdoor.graybird was excluded from all detections, which I immediately removed.

    Further examination of the system has revealed the following:

    • I found 1 UDP and 1 TCP entry in the Firewall Inbound Rules for setadf4.tmp which were set to allow the connection, which I immediately blocked. This was a red flag since hackers use tmp files to install keyloggers. I have rigorously reviewed all startup items in msconfig, all processes and services, and nothing unusual jumps out at me except for 2 conhost.exe processes that Process Explorer ties back to System, csrss.exe and svchost.exe processes.


    • I do not see any remote access programs running like GoToMyPC, UltraVNC, Logmein, VNC, RealVNC, TightVNC or TeamViewer.


    • I ran a netstat -ano and investigated all the ESTABLISHED items and the pids were all accounted for.


    • I ran Berkeley's ICSI Netalyzr and it found one DNS resolution anomaly on mail.live.com, 204.79.197.212, which resolved to Reverse Name/SOA of a-0010-a-msedge.net. Don't know whether that's a problem or not.


    • I ran a full system Norton Antivirus scan and nothing was found.


    • I ran Norton Power Eraser and nothing was found.


    Any suggestions here please? I think I would have felt better if I had found something to remove.

    David
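The checks in the post above (inbound firewall rules pointing at a .tmp binary, netstat -ano with every PID accounted for, the parentage of the conhost.exe processes) can be scripted so they are repeatable and leave a record. The script below is an added example and is not code from the thread or from any of the tools named in it. It is written to run on Windows 7 with the stock PowerShell 2.0, so it uses only netsh, netstat and WMI rather than the Get-NetFirewallRule / Get-NetTCPConnection cmdlets that only exist on Windows 8 and later. It assumes an elevated prompt and English-language netsh and netstat output; the Temp/AppData path patterns it flags are an assumption about where dropped .tmp binaries usually live, not indicators taken from the thread.

```powershell
# Added triage example for the checks in post #1 (not from the thread).
# Windows 7 / PowerShell 2.0 compatible: netsh, netstat and WMI only.
# Assumptions: elevated prompt, English-language netsh/netstat output.

# Check 1: inbound ALLOW rules whose target program is a .tmp file or lives under
# a Temp/AppData directory (assumed dropper locations). netsh prints one
# "Key: Value" block per rule, each block starting with "Rule Name:".
function Get-SuspiciousInboundRules {
    $rules = @()
    $current = $null
    netsh advfirewall firewall show rule name=all verbose | ForEach-Object {
        if ($_ -match '^Rule Name:\s*(.*)$') {
            if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
            $current = @{ RuleName = $Matches[1].Trim(); Direction = ''; Action = '';
                          Program = ''; Protocol = ''; LocalPort = '' }
        } elseif ($current -ne $null -and
                  $_ -match '^(Direction|Action|Program|Protocol|LocalPort):\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
    $rules | Where-Object {
        $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
        ($_.Program -match '\.tmp$' -or $_.Program -match '\\Temp\\|\\AppData\\')
    } | Select-Object RuleName, Protocol, LocalPort, Program
}

# Check 2: every netstat -ano entry joined to the process that owns the PID.
# A PID with no live process, or an image running from Temp/AppData, is
# marked Suspicious so it sorts to the top.
function Get-ConnectionOwners {
    $byPid = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
    netstat -ano | ForEach-Object {
        # Line shapes handled (state column is absent for UDP):
        #   TCP  0.0.0.0:3389  0.0.0.0:0  LISTENING  1234
        #   UDP  0.0.0.0:500   *:*                   1234
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            $ownerPid = [int]$Matches[5]
            $proc = $byPid[$ownerPid]
            $image = '<no such process>'; $path = ''
            if ($proc) { $image = $proc.Name; $path = $proc.ExecutablePath }
            New-Object PSObject -Property @{
                Proto = $Matches[1]; Local = $Matches[2]; Remote = $Matches[3]
                State = $Matches[4]; PID = $ownerPid; Image = $image; Path = $path
                Suspicious = (-not $proc) -or ($path -match '\\Temp\\|\\AppData\\|\.tmp$')
            }
        }
    } | Select-Object Proto, Local, Remote, State, PID, Image, Path, Suspicious
}

# Check 3: parent of each conhost.exe. On Windows 7, conhost.exe is started by
# csrss.exe, so a conhost whose parent is anything else deserves a closer look.
function Get-ProcessParents {
    param([string]$Name = 'conhost.exe')
    $all = @(Get-WmiObject Win32_Process)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($p.Name -ne $Name) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'; $parentPath = ''
        if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
        New-Object PSObject -Property @{
            PID = $p.ProcessId; Image = $p.Name; ParentPID = $p.ParentProcessId
            Parent = $parentName; ParentPath = $parentPath
        } | Select-Object PID, Image, ParentPID, Parent, ParentPath
    }
}

Write-Host '== Inbound allow rules pointing at temp/.tmp programs =='
Get-SuspiciousInboundRules | Format-Table -AutoSize
Write-Host '== Sockets and their owning processes (Suspicious first) =='
Get-ConnectionOwners | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Write-Host '== conhost.exe instances and their parents =='
Get-ProcessParents | Format-Table -AutoSize
```

Two caveats apply to this and to every scanner mentioned later in the thread: anything run on the suspected host reads process, socket and rule lists through the same operating system an intruder may have tampered with, so a clean result is evidence, not proof, and an offline scan from boot media is the stronger check. Also, an AV exclusion and a firewall allow rule for an unknown binary are themselves the artefacts worth keeping; export the rule (`netsh advfirewall firewall show rule name="<rule>" verbose > rule.txt`) and note the exclusion before deleting them, since they are the only trace of what was installed.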


  2. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #2

    Hi dmcmillen,

    Run these excellent free scan tools on default settings, Malwarebytes first for the scan log!

    Malwarebytes
    ADWCleaner
    SuperAntiSpyware
    HitmanPro
    TDSSKiller

    You can upload the Malwarebytes scan log if you wish and I'll have a look see!

    Personally, I don't like Norton. You may wish to peruse AV (Anti-Virus) Comparatives for detailed testing reports on the AV vendors that submit their products for testing. BTW: Windows Defender (WD) is utilized as the base-line standard. Don't like WD either!

    Nic


  3. Posts : 8
    Windows 7 Home Premium 64bit
    Thread Starter
       #3

    Nic, any problems having Norton AV and Malwarebytes running at the same time?


  4. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #4

    There shouldn't be; Malwarebytes free and the premium real-time version are compatible with most AVs. You will be doing a one-time scan at least for your issue. You don't need to enable the premium trial if you don't want to.


  5. Posts : 8
    Windows 7 Home Premium 64bit
    Thread Starter
       #5

    Ok, installed Malwarebytes and ran 1st scan. MB Scan without rootkits.txt

    Nothing serious. A lot of PUPs, some of them are for my Advanced System Care (ASC). 2 adware malwares. I took no actions, but while I was looking through the items, I got a popup that said all items had been removed and I must reboot, which I didn't. It quarantined one of the ASC files and won't let me remove it from quarantine until I reboot. I took no action to tell MB to quarantine this file. I'm really irritated. I'm afraid to reboot because I don't want to lose these items. I've checked some of the items, files and registry entries and they are still there, but I'm afraid a reboot is going to remove them. Unclear what happened because I did nothing except run the scan. I was going to rerun the scan with rootkits (did already with Power Eraser).

    What do you suggest. Right now not knowing how MB is working, I would probably uninstall MB before rebooting to be on the safe side.


    I did save the scan to the attached file.

    Edit: I just turned off Automatically Quarantine detected malware. Even so, the quarantined item was not detected as malware.


  6. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #6

    dmcmillen said:
    What do you suggest. Right now not knowing how MB is working, I would probably uninstall MB before rebooting to be on the safe side.
    I did save the scan to the attached file.
    Edit: I just turned off Automatically Quarantine detected malware. Even so, the quarantined item was not detected as malware.
    Malwarebytes, if you are running the premium trial, is perfectly fine leaving it as is. It is an excellent supplement to your AV. If you didn't choose to enable the premium trial, it's not active until you start the program; again, perfectly fine to leave it on your computer. I enabled the premium trial, now expired; I use the free program to routinely scan.

    Why did you turn off Auto Quarantine? That's defeating the purpose of real-time scanning. BTW: By default, most AVs quarantine as a precaution. You can choose to delete the offender, or if it was a false positive, you can add an exception.

    I'll check over your mb log in a few, I have a little running around to do. With a quick look, you had way way too much adware, pups, etc. I don't permit any of that to be installed on my computers.

    Curiosity questions: For what purpose do you use Advanced System Care? Are you using the free or paid version.

    Nic


  7. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #7

    Had a look at your MB log, there are a few troublesome entries that have the ability to download trojans, keyloggers, etc.
    Additionally, if you wish to use a BitTorrent client, don't use Vuse, which is an excellent program to download/install malware!

    If you must use a BitTorrent client I suggest you use Tixati as I do. No nagware, no malware, no BS period, never had an issue downloading legitimate files. We don't condone piracy and in fact it is against SevenForums rules; not saying that you are pirating, just sayin'.

    Nic
    Last edited by Snick; 18 Sep 2018 at 14:33. Reason: correct hyperlink


  8. Posts : 8
    Windows 7 Home Premium 64bit
    Thread Starter
       #8

    Thanks for the tip on Tixati. Fyi, the Tixati link is a bad link.

    I only installed MB in order to troubleshoot the original posted problem, that of finding the Signature exclusion of Backdoor.graybird in NAV and the existence of UDP and TCP inbound rules for a setadf4.tmp file. I am trying to determine whether someone has been on the system and left a backdoor to return.

    I see that MB flagged some items that I will need to take care of, but there were also false negatives with respect to ASC. MB flagged things that NAV did not flag and didn't find things that NAV Power Eraser found. This is not unexpected behavior. MB seems to be a bit more sensitive than NAV and the default setting is to treat all detections as malware. The thing I don't like about MB is that it didn't give me any reason as to why the items were flagged as detections. And limited options as to what to do with them. Also there were 2 adware detections as malware but the report shows no malware detected. The biggest problem I had with MB was that while I was reviewing the detections, it suddenly notified me that it was going to remove all detections and to reboot. And it wouldn't let me unquarantine the ASC file until I rebooted. With this 'erratic' behavior I uninstalled MB completely and rebooted the machine. Had to recover the quarantined ASC file from backup and still had to reactivate the sw. I wasn't willing to risk the possibility of MB removing all the false negative files and reg entries.

    The results of the MB don't show any evidence of malware related to my possible backdoor.graybird intrusion (or other trojan) and since backdoor.graybird has been around I'm assuming that all AV/spyware programs are set up to detect. Of course, it's a good idea to detect if there are any other potential problems.

    To answer your question about ASC, I use the paid version along with the free version of their defrag program. I primarily use it as another tool to help clean up the registry and files. Do you know why MB is flagging? They have an excellent uninstall program but I use Revo for that.
    Last edited by dmcmillen; 18 Sep 2018 at 14:23.


  9. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #9

    OOPs my bad, too many hours studying my textbooks I presume. Link fixed, thank you!

    Not my first boo boo, won't be my last. LOL

    I perused the Malwarebytes website regarding that matter a few days ago. They stated programs are flagged as PUPs that have the potential to alter your computer settings, have the ability to download back-doors, trojans, keyloggers, etc. I presume this is an err-on-the-side-of-caution mentality. Better to flag it and let the user decide, apparently. The reboot and access denied to unquarantine must be a new feature in the new Malwarebytes.

    I just tried a little searching but didn't find the article, it's for sure in my history, but don't have the time right now to locate it.

    I've never heard of MB auto rebooting. I don't use the newest versions, so I can't attest to that. I have MB anti-exploit and anti-malware running and the new versions include those and it deletes my installations!

    You could install an older version as I have, and it doesn't do the reboot thing and as the new versions, you can add exclusions for false positives. The database for malware detection is the same.

    Have you heard of Farbar Recovery Scan Tool (FRST)? You could run that and enter whatever program you wish to search for and it will provide you with the path to every entry on your computer, files, folders, registry everything. I use FRST for a few reasons, great tool, free. I like free!




  10. Posts : 8
    Windows 7 Home Premium 64bit
    Thread Starter
       #10

    Possibly a clarification needed. MB didn't actually reboot the system. It just notified me that it was removing the detections and said I needed to reboot the system. I chose not to.

    I'll check out FRST. Sounds like a pretty cool tool.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.