I think my machine is being remote controlled

Today I tried to use my machine, but it keeps on logging off, then a log in window appears.
When I log in it says that the current session will be logged off.

I checked the user accounts and a mystery account has been created.
I checked the remote machine control settings and can see that it has been turned on.

I deleted the account, unchecked the remote control settings and deleted all my firewall rules so that I have to allow each program to access the net.

All has been fine today, but I just checked the machine now and can see that the remote control settings have been switched back on, and another mystery account has been created.

What should I do?
Disable RDP. http://www.petri.co.il/enable_remote_desktop_in_xp_2003.htm (but uncheck the box, instead of checking it)

I assume you have an up-to-date antivirus software?  If not get AVG Free (free.grisoft.com)

Install and run Spybot S&D (www.safer-networking.org)

Install the latest Windows Updates (windowsupdate.microsoft.com)

If you have access to your hardware router/firewall, block port 3389.

Also, is this a personal computer or a company computer? Have you left the computer at all since you have changed the settings? Have you changed your password?
somewherehotAuthor Commented:
It's a personal computer
Yes I had left the computer since I had changed the settings
Yes I have changed my password

I'm using McAfee Firewall - I need to look up on how to block the port


What type of router are you using for the network and do you have access to change the port settings?
somewherehotAuthor Commented:
netgear (the new one with the draft wireless n thingy)
- and I should have access to change the router settings
I would change your password; RDC requires the password to log in.

I would check and see if there actually is a connection going on: click Start, then Run, and type in cmd,
then type NETSTAT to display networking statistics (TCP/IP).

It will tell you the current open connections and what location the person who has remote access to your computer might be in. If they're using RDC to connect then it won't show up in there, but if they are using something to monitor your computer then it will say it is connecting to them.

You could also look through the System logs and see what user names have connected to your PC and from what IP address to try and find a resolution, unless they were smart enough to erase those before they left. So in Control Panel > Administrative Tools > Event Viewer, look through the Application and Security logs to see who logged on and what they changed. With the IP address you can find the ISP and then you can try and complain to them about the malicious activity their user is doing.
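As an added illustration of the netstat and Event Viewer checks described above (example code, not posted by anyone in this thread): a small Python script that picks established connections to the RDP port out of `netstat -an` output, and tallies RemoteInteractive logons and account creations from Security log records. The netstat text, the IP addresses, the user names and the simplified record layout are all constructed for the example; the event IDs (528, 624) and logon type 10 are the pre-Vista numbering used on XP and Server 2003.

```python
import re
from collections import Counter, defaultdict

RDP_PORT = 3389

# Constructed sample of `netstat -an` output (not from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.45:51822     ESTABLISHED
  TCP    192.168.1.10:49301     198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed, simplified Security log records (assumed layout). On XP/2003:
# 528 = successful logon, 624 = user account created; logon type 10 = RDP.
EVENT_SAMPLE = [
    {"EventID": 528, "User": "svc_tmp", "LogonType": 10, "SourceIP": "203.0.113.45"},
    {"EventID": 528, "User": "somewherehot", "LogonType": 2, "SourceIP": "-"},
    {"EventID": 624, "User": "svc_tmp", "LogonType": None, "SourceIP": "-"},
    {"EventID": 528, "User": "svc_tmp", "LogonType": 10, "SourceIP": "203.0.113.45"},
]

_NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def rdp_connections(netstat_text, port=RDP_PORT):
    """Foreign IPs with an ESTABLISHED TCP connection to the local RDP port."""
    found = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and int(m.group(2)) == port and m.group(5) == "ESTABLISHED":
            found.append(m.group(3))
    return found

def remote_logons(events):
    """Map user -> {source IP: count} for successful RemoteInteractive logons."""
    by_user = defaultdict(Counter)
    for ev in events:
        if ev["EventID"] == 528 and ev["LogonType"] == 10:
            by_user[ev["User"]][ev["SourceIP"]] += 1
    return {u: dict(c) for u, c in by_user.items()}

def new_accounts(events):
    """User names created (event 624); compare against the accounts you expect."""
    return {ev["User"] for ev in events if ev["EventID"] == 624}

if __name__ == "__main__":
    print("RDP peers:", rdp_connections(NETSTAT_SAMPLE))
    print("Remote logons:", remote_logons(EVENT_SAMPLE))
    print("Accounts created:", new_accounts(EVENT_SAMPLE))
```

Any address that turns up in both lists is the one to take to the ISP's abuse contact, as the replies above suggest.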
crashelite: The symptom the user mentions says "current session will be logged off", which to me means that another user is interactively using her computer.

In reality it WOULD show the RDP connection, but since it is XP, user would not be able to see anything via netstat since only one interactive login is allowed at a time.  

Agree with Taurance to check your eventvwr to see if you can get an IP address, and then check it via arin.net and contact their ISP to report the abuse. Odds are it will end up being in Russia or China, and even if you could figure out how to get ahold of them, they are unlikely to help. :-/

I am sure many people here would argue with me, but you always have the option to reformat and reinstall Windows completely.. that will take care of the problem and give you a nice fresh base to work with.

> What should I do?

I tend to recommend a quicker solution: to format the HD and install the OS from scratch. Too many unknowns, and this eliminates all existing problems. You'd still need to change your habits; one activity likely started this, so don't do it again. Don't forget to make new passwords, if not IDs. Best is to preplan, and to have most of your stuff on a separate HD so you can deal separately with that; while it may have 'bad' programs (malware), they won't be active until you run them. You probably won't like to do that, and it reduces potential forensics, but if you really cared about that you could swap in another HD to preserve the state and look at that again later on when not on the network. Forensics and analysis are time consuming, but necessary if you want to identify the intruder. Might be someone you know.

> When I log in it says that the current session will be logged off.

This is called Remote Desktop, a Microsoft vulnerability.

> What should I do?

Disable Remote Desktop, you do not need it. But that only stops the intrusion, the malware is still present, unless someone stole your password.

To identify the malware, you can try running Symantec's latest, or on your own look at Task Manager for something extra that is running. You can also go to Run and run msconfig. Under Startup can be some malware; it is OK to stop all of them, then restore one at a time until the culprit shows up. You can also revert to a prior restore point, one prior to the intrusion. You can also switch to Linux or buy an Apple; they do not suffer such Microsoft vulnerabilities. Or at least dump Internet Explorer and do not set yourself up as an FTP site permitting anonymous logins. Under msconfig's Services you can disable more that are unwanted, such as this one.
> killbrad: always have the option to reformat and reinstall Windows completely.. that will take care of the problem and give you a nice fresh base to work with.

:-)) Ditto. Not often any agree with me.

Event Viewer I typically recommend, but not here; for this it would be better to have some firewall logging, monitor the time it is in use (do not log them off yet) and look at the log later on, hopefully they cannot get at the log or you've got that done in hardware or hidden real good.

How to disable Remote Desktop by using Group Policy
NOTE: Remote Desktop is disabled by default on Windows XP Professional.

In Windows 2003, users or members of a group that have been denied "log on locally" can still connect to the computer using Remote Desktop Connection. In Windows 2000, connections from the console or through Terminal Services were handled the same way: through the "Log on locally" user right.

Method 1: Create a policy to block RDP requests from a specific network interface in Windows XP with Service Pack 2 (SP2)
Method 2: Manually edit the registry and add registry entries to enable listening for RDP requests

While recognizing the security benefits of SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU.
How to turn on the Remote Desktop Sharing feature of Windows NetMeeting in SP2

Automatic Reconnection feature for terminal services. You can use this feature to automatically reconnect to the same session without re-typing logon credentials if the session is disconnected because of dropped packets on the network or a network error. By default, a maximum of twenty reconnection attempts are made at five-second intervals.

By default, the Automatic Reconnection feature is turned on in Windows XP Service Pack 1 (SP1). You can turn the Automatic Reconnection feature off by editing the registry.
How to Turn on Automatic Reconnection in Windows Server 2003
How to Turn on Automatic Reconnection by Using a Group Policy
How to Configure Automatic Reconnection in Windows XP SP1
How to Configure Automatic Reconnection in the Default.rdp File

Important It is time to move to Microsoft Windows Server Update Services (WSUS).
MS05-041: Vulnerability in Remote Desktop Protocol could allow denial of service

If you work in a Limited User account, you might be able to decrease the effect of a virus or other malicious software. But if the attack happens while you're in an Administrator account, the attacker can gain full access to your computer and the results can range from annoying to catastrophic.
somewherehotAuthor Commented:
Blocking the port was the key to this - thanks!
Question has a verified solution.