It is not often that I get stumped but this one has me confused (maybe the user is not telling me everything).
The client came to me and told me the computer was operating on it's own as in the mouse was moving, folders were opening etc.
I was able to verify this when the machine was connected to the network. There was definitely someone in control browsing through the folders at random, they seemed most interested in the network shares. I removed the computer from the network and started scans and searching for possible infections etc.
I found absolutely nothing installed, no run/runonce problems in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. No startup items that are not recognized, no services, no sheduled tasks, no nothing.
Anyway after running tdss, and rkill, and every other tool I could throw at it I came up empty handed as to how or why. The user claims they never clicked agree to anything anywhere or installed anything which seems to be true after manually digging through everything. Funny thing is this user says they had this same problem for the company they worked for before.
What they did do was copy some files from an external drive, none of the files were exe's or runables from what I could see. All were documents or pictures.
I uninstalled the wireless driver and reset all inet ipv4, tcp/ip settings. This remote has not happened again (yet).
So I am confused as to how they were able to remote into the computer silently without any input from the user (clicking agree or installing something). This is the first time I have ever seen a silent remote. I have seen many people agree to allow online technicians connect using team viewer or logmein123 etc, in those cases it was user error and the install file for the remote client was generally left in temp or running on the desktop.
Any ideas are welcome. The computer is back in production but I am still not 100% sure it is safe so I have removed all folder shares/permissions for now and told them to use it for the day and let me know if anything strange happens again.
Edited by zingo156, 05 March 2015 - 03:48 PM.