
Remote attack or not???


3 replies to this topic

#1 bigi12

bigi12

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 18 August 2014 - 10:11 AM

Hi,

I would like to get some answers about remote access, since I am not 100% sure if my PC was accessed remotely or not.

PC:
Gview
Windows 7 Ultimate
Intel® Core™ i5-4670 CPU @ 3.40GHz
64-bit Operating System
16 GB (memory), 15.9 usable
Pen and Touch: available

The most suspicious thing I found, in the Event Viewer, was a lot of processes which were running, including the word "remote". So I would like to ask if there is any possible logical explanation for them running without someone accessing my PC over remote control? I am sure that I have not used any remote features for my personal use.

Here are the processes running, as the Event Viewer displays them as Log Names:

Microsoft-windows-remoteapp and desktop conecitons/admin
Microsoft-windows-remoteAssistence/admin
Microsoft-windows-remoteAssistence/operational
Microsoft-windows-remoteDesktopService-RdpCoreTS/Admin
Microsoft-windows-remoteDesktopService-RdpCoreTS/Operational
Microsoft-windows-remoteDesktopService-RemoteDesktopSessionManager/Admin
Microsoft-windows-RdpcoreTS/Operational
Microsoft-windows-remoteDesktopService-RdpcoreTS/
Microsoft-windows-RemoteDesktopSessionManager/admin
Microsoft-windows-RemoteConnectionManager/Admin
Microsoft-windows-RemoteConnectionManager/Operational

On the same date some processes were stopped/modified:

Microsoft-windows-APi-tracking/Operational
Microsoft-windows-AppID/Operational
Microsoft-Windows-Application-experience/Program-Compatibility-Assistant
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-Audio/Operational
Microsoft-Windows-Audio/CaptureMonitor
Microsoft-Windows-Audio/operational
Microsoft-Windows-BitLocker-DrivePreparationtool/Admin
Microsoft-Windows-BitLocker-DrivePreparationtool/Operational
Microsoft-Windows-Bluetooth-MTPEnum/Operational
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Microsoft-Windows-DeviceSync/Operational
Microsoft-Windows-DHCPNap/admin
Microsoft-Windows-Diagnosis-PCW/Operational
Microsoft-Windows-DiskDiagnostic/Operational
Microsoft-Windows-DiskDiagnosticResolver/Operational
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-EventCollector/Operational
Microsoft-Windows-FMS/Operational
Microsoft-Windows-Folder Redirection/Operational
Microsoft-Windows-Eventlog-ForwardingPlugin/Operational
Microsoft-Windows-HomeGroup Control Panel/Operational
Microsoft-Windows-HomeGroup Listener Service/Operational
Microsoft-Windows-IKE/Operational
Microsoft-Windows-Iphlpsvc/Operational
Microsoft-Windows-Kernel-WDI/Operational
Microsoft-Windows-MCT/Operational
Microsoft-Windows-MemoryDiagnostics-results/Debug
Microsoft-Windows-NTLM/Operational
Microsoft-ParentalControls/Operational
Microsoft-Windows-PeopleNearMe/Operational
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-ReadyBoostDriver/Operational
Microsoft-Windows-Recovery/Operational
Microsoft-windows-Security-Audit-Configuration-Client/Operational
Microsoft-windows-TerminalServices-ClientUSBDevices/Admin
Microsoft-windows-TerminalServices-ClientUSBDevices/Operational
Microsoft-windows-TerminalServices-PnBDevices/Admin
Microsoft-windows-TerminalServices-PnBDevices/Operational
Microsoft-windows-TerminalServices-RDPClient/Operational
Microsoft-windows-TerminalServices-ServerUSBDevices/Admin
Microsoft-windows-TerminalServices-ServerUSBDevices/Operational
Microsoft-windows-TerminalServices-RemoteConnectionManager/Operational
Microsoft-windows-TZUtil/Operational
Microsoft-windows-UAC-fileVirtualization/Operational
Microsoft-windows-UAC/Operational
Microsoft-windows-VDRVROT/Operational
Microsoft-windows-VHDMP/Operational
Microsoft-windows-WFP/Operational
Microsoft-windows-Windows Remote Managment/Operational
Microsoft-windows-Winsock Network Event/Operational
Microsoft-windows-Wired-AutoConfig/Operational
Microsoft-windows-WPD-ClassInstailler/Operational

It looks like all of those processes were last running on the same date, assuming that if they ran again the dates would be overwritten. So all of those have not run for more than 30 days already.

I also found some other suspicious things on my PC; for example, browser windows sometimes crashed instantly. I got a message very frequently that my USB device cannot be detected, but I have not touched any USB ports since it started to pop up.
If I go to System Properties / Select Users / Add / Advanced / Find Now, there are search results under Name (RDN) for Guest, HomeGroupUser$ and Administrator, with 'In Folder' showing the name of my user account-PC, and postgres, which I also created to manage a database that I need. Also the Administrator has a down arrow on its icon, as Guest has.
There are also 21 other user accounts displayed, which I could choose from, with a blue-green icon.

We also have a wireless network with two different internet connections, which I share with a few other people, and I never made any effort to protect my PC or internet connection.

So first of all I would like to know what that could mean? And how big is the chance that my computer was actually used by someone else over remote access?

And if this is not clear enough, I can also provide more details if there are suggestions where to find them.
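The log channels listed in the post above are created by Windows whether or not anyone has ever connected, so their presence proves nothing either way; what would show an inbound session is a logon record inside them. The PowerShell below is an added example (not from the original post, not a BleepingComputer tool) that searches the last 30 days for the events Windows 7 writes when a Remote Desktop or Remote Assistance session is actually established: Event 1149 in TerminalServices-RemoteConnectionManager/Operational, Event 21 in TerminalServices-LocalSessionManager/Operational with a non-local source address, and Security Event 4624 with logon type 10 (RemoteInteractive). It also lists Event 1102, which records the Security log being cleared. The 30-day window and the output format are choices made for this example; run it from an elevated PowerShell prompt, because reading the Security log requires administrator rights.

```powershell
# Added example (not from the original post): look for evidence of inbound
# Remote Desktop / Remote Assistance sessions in the last 30 days on Windows 7.
# Run from an elevated PowerShell prompt; the Security log needs administrator rights.
$since = (Get-Date).AddDays(-30)

function Get-Events($log, $id) {
    # -ErrorAction SilentlyContinue: Get-WinEvent reports an error when a log has no matching events.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $log; Id = $id; StartTime = $since
    }
}

# 1) RemoteConnectionManager/Operational, Event 1149 ("User authentication succeeded"):
#    written when a client passes Network Level Authentication on an RDP connection.
#    The message text carries the user name and the source network address.
foreach ($e in Get-Events 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' 1149) {
    "{0}  [1149] {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}

# 2) LocalSessionManager/Operational, Event 21 ("Session logon succeeded"):
#    logged for every interactive session; console logons show 'Source Network Address: LOCAL',
#    so anything else here is a session that was started over the network.
foreach ($e in Get-Events 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' 21) {
    if ($e.Message -notmatch 'Source Network Address:\s*LOCAL') {
        "{0}  [21]   {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
    }
}

# 3) Security log, Event 4624 with LogonType 10 (RemoteInteractive): a successful
#    logon through Terminal Services, i.e. Remote Desktop or Remote Assistance.
foreach ($e in Get-Events 'Security' 4624) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        "{0}  [4624] remote logon user={1}\{2} from={3}" -f $e.TimeCreated,
            $data['TargetDomainName'], $data['TargetUserName'], $data['IpAddress']
    }
}

# 4) Security log, Event 1102 ("The audit log was cleared"): an empty Security log
#    is not reassuring if it was emptied recently.
foreach ($e in Get-Events 'Security' 1102) {
    "{0}  [1102] Security log was cleared" -f $e.TimeCreated
}
```

No output from sections 1 to 3 means no recorded remote session in the window, not proof that none happened: the Security log on a default Windows 7 install is small and rolls over, and a cleared log only shows up as a 1102 entry if auditing of that event was still on at the time.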




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,379 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:12:04 PM

Posted 18 August 2014 - 10:37 AM

Please download MiniToolBox, save it to your desktop and run it.
 
Checkmark the following checkboxes:
  List last 10 Event Viewer log
  List Installed Programs
  List Users, Partitions and Memory size.
 
Click Go and paste the content into your next post.
 
Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.
 
Louis



#3 technonymous

technonymous

  • Members
  • 2,520 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:04 AM

Posted 18 August 2014 - 11:51 AM

Generally Administrator, Guest, Remote Assistance and Remote Desktop are turned off by default. The down arrow you see on the icon means the account is disabled. Those logs are normal. If you're the only user, then under Users in management you should only see Administrator, Guest and your username. The 21 other things you see: are you sure you're not clicking on the Groups folder? User groups are something entirely different.

Remote Assistance and Remote Desktop you can check to see if they are enabled/disabled. Just type "Allow Remote" in the search box. Click on any of those and a window should pop open. Uncheck Allow Remote Assistance. Below that, verify that Remote Desktop is disabled. If you enable RDP and enable the built-in Administrator account, you should always change the password and be sure your user password is also strong. If you use a router, no inbound connection can be made anyway, because port 3389 has to be forwarded to your local machine's IP address in order for RDP services to work.

You mentioned you have two Wi-Fi networks that you share; can you clarify that more? Is this private, public or both? If you have open public Wi-Fi that anyone can connect to, then yeah, you should be concerned.
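The checks in the reply above (is Remote Assistance allowed, is Remote Desktop enabled, is the built-in Administrator account disabled, is 3389 reachable) can be read off in one go rather than clicking through dialogs. The script below is an added example, not part of the thread or any BleepingComputer tool; it reads the registry values behind those two checkboxes (fAllowToGetHelp under Control\Remote Assistance, fDenyTSConnections under Control\Terminal Server, and the NLA setting UserAuthentication under the RDP-Tcp listener), lists local accounts with their Disabled flag (the "down arrow" in the Users dialog), shows who is in the Remote Desktop Users group, and checks whether anything is listening on port 3389 and whether the Windows Firewall rule for it is enabled. It runs on Windows 7 with PowerShell 2.0; run it elevated for complete output.

```powershell
# Added example (not from the thread): report the remote-access posture of this PC.
# Works on Windows 7 / PowerShell 2.0 and later; run from an elevated prompt.

# Remote Desktop: fDenyTSConnections = 1 means RDP is disabled (the default on a fresh install).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Network Level Authentication: UserAuthentication = 1 requires the client to authenticate
# before a session is created, which removes the pre-logon attack surface of plain RDP.
$listener = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaRequired = ($listener.UserAuthentication -eq 1)

# Remote Assistance: fAllowToGetHelp = 1 means invitations are allowed (the "Allow Remote
# Assistance connections to this computer" checkbox).
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
$raEnabled = ($ra -ne $null -and $ra.fAllowToGetHelp -eq 1)

"Remote Desktop enabled      : $rdpEnabled"
"NLA required for RDP        : $nlaRequired"
"Remote Assistance allowed   : $raEnabled"
""

# Local accounts: Disabled = True here is the 'down arrow' seen in the Users dialog.
# Administrator and Guest should both be True on a default Windows 7 install.
"Local accounts:"
Get-WmiObject Win32_UserAccount -Filter "LocalAccount = True" |
    Select-Object Name, Disabled, PasswordRequired, Lockout |
    Format-Table -AutoSize

# Only members of Administrators and Remote Desktop Users can log on over RDP.
"Members of 'Remote Desktop Users':"
net localgroup "Remote Desktop Users"

# Is the RDP listener up, and does the firewall admit it? Even with RDP disabled
# nothing should be LISTENING on 3389.
"Sockets on port 3389:"
netstat -ano | findstr ":3389"
"Firewall rule for Remote Desktop:"
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

If a router sits between the PC and the internet, its port-forwarding table is the remaining place to look: without a forward for 3389 (or a UPnP mapping) the listener is only reachable from the local network, which, given the shared network described in the thread, is still the population of neighbours the original poster is worried about.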



#4 bigi12

bigi12
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 19 August 2014 - 06:34 AM

Thanks for the reply, technonymous.

Yeah, the network has a password, but there were plenty of people connecting to it. And I can imagine that potentially someone who is using the same network every day would want to access my computer. But we are also all connected with a cable to the router.

Yes, under Manage Accounts I see only admin, guest and user. The others I found when going to System Properties / Select Users / Add / Advanced / Find Now.

I did have Remote Assistance allowed in the past.

And no, I'm not a member of any domain; I am a member of a workgroup.

But I also changed a lot of settings since I saw that so many processes with "remote" were running in the Event Viewer.

Is there a possibility that everything I posted before was running and there was no remote access to my PC?

Also I noticed that once I started to talk about this to people, my hard disk free space dropped from 230 GB out of 238 GB to only 147 GB. And I did not delete any files or a bigger database, nor have I run any sort of disk cleanup. Is it possible that Windows updates did this, or something else?





