Windows 7 hacked: how can I find out what happened?

I have a Windows 7 box that I leave on all the time and then remote into.  Today I tried to remote into it and saw a desktop that was different from my usual desktop.  I thought someone had hacked in, so I tried to do a "shutdown /r" to kick them off.  The screen froze and I was kicked off.  I tried to remote in several times again and every time I would get in, then would get kicked off again.  Something similar happened before, and it was because someone who had logged in was sending out spam.  I am not sure what happened this time.

How can I find out what happened and how can I tell if my computer is clean?
jackjohnson44 Asked:
David Johnson, CD, MVP (Owner) Commented:
You have to gain physical access to the machine; only then can you check the machine.  The golden rule is that once a machine is compromised, only a clean install will guarantee that the machine is no longer compromised.
0
Sivaraj E (Lead – IT Infrastructures) Commented:
@ Jack Johnson

I agree with David; there is no other way. You need to get physical access to the machine to check what is happening. If you find it has been hacked, then rebuilding the OS and changing the RDP port to a different port is secure; your firewall should be enabled all the time. If you wish, you can also go for third-party firewalls.

Note: rebuilding is just a suggestion, and it depends upon the impact you got.

Regards, Shiva
0
tliotta Commented:
Even after you have physical access, there's no guarantee that you can find out what happened.

About the only way you could ever find out with any degree of certainty is if you had a network traffic monitor that recorded all traffic in/out of that system (and was not also hacked). You could then later re-play the network traffic to view any remote commands sent to the system and to watch any program objects and/or scripts that came across.

Once someone has sufficient access to your system, any tracks that showed how it was done could also be erased or obfuscated to the point of nonsense.

Tom
0
jackjohnson44 (Author) Commented:
I have physical access now.

Does anyone else have any advice?  I was hoping for someone to mention something specific to look for in the event viewer or something of that nature.
0
Sivaraj E (Lead – IT Infrastructures) Commented:
@ Jack Johnson

What changes do you see in your machine first?

Any software installed, such as a new plugin, or anything weird? If you find any, check the installation date in appwiz.cpl. Depending on the new activity on the machine, we can go further and check the Application events.

Regards, Shiva
0
jackjohnson44 (Author) Commented:
Everything looks normal once I restarted the computer.  There is a chance that no one broke in and that there was another issue with the system.  When I had an issue before, I tried logging in and saw that another user was attached.  I was able to find out that someone went in and created a user, then logged in as that user.  This time there is no additional user.  Also, I was able to log in via Remote Desktop and was immediately kicked off.  Since only one user can connect at a time, when I RDP'd in, another user could not also be connected.  I also didn't see any message saying that someone was kicked off.  Also, there was no desktop for another user.

So I might have misspoken before.  My actual issue was that my RDP connection would connect, then close immediately.  The first time I went in, my desktop was different.  After I came home and did a hard reboot, everything was normal.  The reason I mentioned another user hacking it was because of what happened before.  The computer was rebuilt since then.  It could just be an issue with Windows needing a restart.  I'd like to confirm that no one else has logged in aside from me.
0
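The asker wants something concrete to look for in Event Viewer, and specifically to confirm that nobody but him has logged in. The script below is an added example, not code from the thread or from any of the participants. It pulls the records that answer that question on a Windows 7 machine: whether the Security log was cleared, every successful and failed logon with its logon type and source address, the Remote Desktop session events, local account changes, new services and recently installed programs. The seven-day window and the noise filter on machine and service accounts are my own choices; the event IDs and log names are the standard Windows 7 ones. Run it from an elevated PowerShell prompt on the box itself.

```powershell
# Added example (not from the thread): answer "has anyone other than me logged
# in?" from the event logs and the registry of a Windows 7 machine.
# Run from an elevated PowerShell prompt on the machine itself.
# Assumptions: the logs have not been cleared or wrapped, and the event IDs
# below are the standard Windows 7 ones. $Days (7) is an arbitrary window.
$Days  = 7
$since = (Get-Date).AddDays(-$Days)

function Get-EventFields($Event) {
    # Flatten the EventData XML of a Security event into a hashtable keyed by field name
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

"== 0. Was the Security log cleared? (1102 = audit log cleared; an attacker covering tracks)"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

"== 1. Logons since $since (4624 = success, 4625 = failure)"
"   LogonType 10 = RDP, 2 = console, 7 = unlock, 3 = network (file shares)"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        # Skip the noisy machine-account and built-in service logons
        if ($f['TargetUserName'] -match '\$$|^(SYSTEM|ANONYMOUS LOGON|LOCAL SERVICE|NETWORK SERVICE)$') { return }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
            LogonType = $f['LogonType']
            SourceIP  = $f['IpAddress']      # "-" or "127.0.0.1" for local logons
            Station   = $f['WorkstationName']
        }
    } | Sort-Object Time | Format-Table Time, Id, User, LogonType, SourceIP, Station -AutoSize

"== 2. RDP session events (21 = logon, 23 = logoff, 24 = disconnect, 25 = reconnect)"
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
Get-WinEvent -FilterHashtable @{LogName=$tsLog; Id=21,23,24,25; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Detail'; e={ ($_.Message -split "`n")[0..3] -join ' ' }} |
    Format-Table -AutoSize -Wrap

"== 3. Local account changes (4720 created, 4724 password reset, 4726 deleted, 4732 added to a group)"
"   These only exist if Account Management auditing is on: check with  auditpol /get /category:*"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4724,4726,4732; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; "$($_.TimeCreated)  $($_.Id)  target=$($f['TargetUserName'])  by=$($f['SubjectUserName'])" }

"== 4. New services (System log 7045) and programs installed since $since"
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Service'; e={ ($_.Message -split "`n")[0] }} | Format-Table -AutoSize -Wrap
# Same data appwiz.cpl shows, read from the registry; InstallDate is a yyyyMMdd string
$cut = $since.ToString('yyyyMMdd')
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ItemProperty ($uninstall | ForEach-Object { "$_\*" }) -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -and $_.InstallDate -ge $cut } |
    Select-Object DisplayName, InstallDate, Publisher | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

What to look for: a 4624 with LogonType 10 from an IpAddress you do not recognise, a run of 4625 failures against the same account (password guessing against the exposed RDP port), a 4720 for an account you did not create, or a 1102 at all. As tliotta says, an absence of findings is not proof of a clean machine, since whoever has administrative access can clear or forge these logs; it only tells you what the logs still contain.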
Sivaraj E (Lead – IT Infrastructures) Commented:
@ Jack Johnson

Here is a video for you which explains how to find out whether you got hacked; this can be done through your command prompt. Please have a look and try this.

http://www.csoonline.com/article/742575/11-sure-signs-you-39-ve-been-hacked
http://www.youtube.com/watch?v=N8348ffSzSU

Regards, Shiva
0
Sivaraj E (Lead – IT Infrastructures) Commented:
@ Jack Johnson

Looks fine. I would like to suggest that you change the RDP port number to your desired number; this will give additional security, and unless someone knows your port it will always be safe. You can enable your firewall to stop intrusion, and you can also remove the $ shares (they are there for administration purposes) to stop infiltration.

Regards, Shiva
0
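The three hardening steps Sivaraj suggests (non-default RDP port, firewall, no administrative shares), as an added example rather than anything posted in the thread. Two caveats a practitioner would add: moving the port only hides the service from the laziest scanners, so the script also turns on Network Level Authentication (the client must authenticate before a session and desktop are created) and an account lockout policy, which are what actually stop password guessing against an Internet-facing RDP listener. The port number 33890 is a placeholder; the registry values and netsh rule names are the Windows 7 ones. Run elevated and reboot afterwards.

```powershell
# Added example (not from the thread): move RDP off 3389, open only the new port,
# require NLA, stop the automatic admin shares and set a lockout policy.
# Run from an elevated PowerShell prompt; reboot when done so the new listener
# port, NLA setting and share change all take effect.
# Assumption: 33890 is a placeholder; pick any unused port of your own.
$NewPort = 33890
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Show the current listener port, then change it
$old = (Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber
"RDP currently listens on TCP $old"
Set-ItemProperty -Path $rdp -Name PortNumber -Value $NewPort -Type DWord

# 2. Firewall. Windows 7 has no New-NetFirewallRule cmdlet, so use netsh:
#    allow the new port, disable the stock 3389 rule, make sure the firewall is on
#    for every profile (Sivaraj's "enabled all the time").
& netsh advfirewall firewall add rule "name=RDP custom port" dir=in action=allow protocol=TCP "localport=$NewPort"
& netsh advfirewall firewall set rule "name=Remote Desktop (TCP-In)" new enable=no
& netsh advfirewall set allprofiles state on

# 3. Network Level Authentication: credentials are checked before a session exists,
#    so an unauthenticated client never reaches the logon screen. SecurityLayer 2 = TLS.
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2 -Type DWord

# 4. Stop the Server service recreating C$ and ADMIN$ on this workstation.
#    IPC$ is not affected by this value and stays.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name AutoShareWks -Value 0 -Type DWord
& net share    # what is shared right now; C$ and ADMIN$ are gone after the reboot

# 5. Lockout, so that finding the port still does not allow unlimited password guesses
& net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 6. After the reboot: confirm only the new port is listening for RDP
& netstat -ano | Select-String ":$old |:$NewPort "
```

Your RDP client then connects as `hostname:33890` (or whatever port you chose). If the home router forwards a port to this machine, update that forwarding rule too, and consider forwarding nothing at all and reaching the box over a VPN instead; a port change does not help against anyone who simply scans all 65535 ports.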
jackjohnson44 (Author) Commented:
Thanks, I will take a look at that article.

Also,
I had the issue yesterday, then I came home, shut down and restarted, and everything looked normal, so I shut down.  Today I turned it on and again saw the generic desktop and got the error "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

I am beginning to think that there was another issue other than being hacked.

Also, this is actually a VHD that I boot directly to.  I am going to just restore a backup, since that is safer than trying to figure out what happened.  I will also take your advice on the RDP port.

Do you have any other advice for after I restore a backup?

Thanks for your help!
0
Sivaraj E (Lead – IT Infrastructures) Commented:
@ Jack Johnson

The problem seems to be in your profile; please refer to this link and sort out the issue.

http://social.technet.microsoft.com/Forums/windows/en-US/846bcb83-ae8d-4108-95f1-b097d2f71fa3/c-windows-system32-config-systemprofile-desktop-refers-to-a-location-that-is-unavailable-windows-7?forum=w7itprogeneral

This link gives additional information on resetting the corrupted profile:

http://windows.microsoft.com/en-us/windows/fix-corrupted-user-profile#1TC=windows-7

Also, you can try creating another user on your machine and logging in to check whether the problem still persists.

Regards, Shiva
0
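Before restoring the backup it is worth knowing which of the two explanations fits: a profile Windows has marked as bad (the `.bak` ProfileList entry the linked Microsoft article describes) or the folder named in the error message simply being absent. The script below is an added example, not from the thread or from Microsoft's article; it is read-only apart from one commented-out line. The assumption that a missing `systemprofile\Desktop` folder is the usual cause of this exact error is mine, and the folder should only be recreated after confirming it really is missing.

```powershell
# Added example (not from the thread): read-only check of the profile list and
# of the folder named in the error message. Run from an elevated PowerShell prompt.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

"== Profiles known to Windows. A '.bak' suffix on the key is the corrupted-profile"
"   marker from the linked Microsoft article; compare State with a working account."
Get-ChildItem $profileList | ForEach-Object {
    $p    = Get-ItemProperty $_.PSPath
    # System profiles store the path with %systemroot%, so expand it before testing
    $path = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath)
    New-Object PSObject -Property @{
        Key    = $_.PSChildName
        Path   = $path
        Exists = (Test-Path $path)
        State  = $p.State
    }
} | Format-Table Key, Path, Exists, State -AutoSize

"== The folder from the error message"
$sysDesktop = Join-Path $env:SystemRoot 'System32\config\systemprofile\Desktop'
if (Test-Path $sysDesktop) {
    "$sysDesktop exists; the profile table above is the place to look"
} else {
    # Assumption (mine, not the thread's): a missing folder here is the common cause of
    # this exact error. Recreating an empty folder is harmless; do it only after this check.
    "$sysDesktop is missing"
    # New-Item -ItemType Directory -Path $sysDesktop | Out-Null   # uncomment to recreate it
}

"== Which Desktop folder the current account is actually configured to use"
(Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders').Desktop
[Environment]::GetFolderPath('Desktop')

# Sivaraj's test of a fresh account: create one, log in as it once, see whether the
# error follows, then remove it.
#   net user proftest * /add        (prompts for a password)
#   net user proftest /delete
```

If the fresh account logs in cleanly and only the original one shows the generic desktop, the problem is that profile, and the Microsoft article's ProfileList fix (or simply a new account) applies. If every account, including a brand-new one, hits the same error, the problem is in the system profile, which points at the folder check rather than at any user profile.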

tliotta Commented:
How often do you run disk error checks/corrections? In this kind of case, it's something that should be done, just to try to ensure that bad or questionable sectors are marked not for use.

Tom
0