All my computers are supposed to have Remote Desktop Service disabled for security reasons, but I recently found nearly daily instances of connections on one of the computers.
See photo... Viewed via Computer Management -> Event Viewer -> Applications -> TerminalServices-RemoteConnectionManager, ID 1155, S-1-5-20.
NONE of my programs use remote access, and I had disabled RDS in MSConfig settings from Day 1 of a Windows 7 reinstall months ago (after a prior keylogging/RAT infection).
Despite this, it appears that RDS has been starting up automatically with every bootup, based on Services.msc (see photo). I can also see RDS running in the Task Manager.
Is this a sure sign of a Trojan installing a backdoor/remote access program? There are zero RDS events on my other computers running Windows 7 and similar programs.
Is it possible to diagnose to what IP this connection is going, via Windows... or do I need to record network traffic with third party software (wireshark)?
Antivirus/TDSS scans have always been negative, but I know trojans can easily hide via a rootkit.
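A triage script for the checks raised in the question, added here as an example and not part of the original post. It assumes an elevated PowerShell prompt on the affected Windows 7 machine; the only page-specific values it uses are the RemoteConnectionManager log and event ID 1155, everything else is standard Windows tooling.

```powershell
# Added example (not from the original post): check whether inbound RDP is actually reachable,
# who the listener is talking to, and what the RemoteConnectionManager log has recorded.
# Assumes an elevated (Administrator) PowerShell prompt on Windows 7 or later.

$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# 1. Is inbound Remote Desktop permitted at all?
#    fDenyTSConnections = 1 means connections are refused (the hardened setting).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)   (1 = RDP connections refused)"

# 2. Service state and start type.
#    Caveat: TermService also backs Remote Assistance and fast user switching, so a
#    'Running' service by itself does not prove that anyone can RDP into the box.
Get-WmiObject Win32_Service -Filter "Name='TermService'" |
    Select-Object Name, State, StartMode, StartName

# 3. Is anything listening on, or connected over, the RDP port (3389)?
#    netstat -ano works on Windows 7. A LISTENING row means the port is open;
#    an ESTABLISHED row shows the remote address the asker wants to identify,
#    and the last column is the PID to look up in Task Manager.
netstat -ano | Select-String ':3389\s' | ForEach-Object { $_.Line.Trim() }

# 4. Recent RemoteConnectionManager events.
#    1149 (successful network authentication) carries the source address in its message.
#    1155 is included only because it is the ID observed in the question.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1149, 1155 } -MaxEvents 50 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'UserSid'; e = { $_.UserId } },
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If step 3 shows no listener and fDenyTSConnections is 1, the service starting at boot is not by itself evidence of a backdoor; a foreign address in an ESTABLISHED row, or a 1149 event from an unexpected source, is what warrants a packet capture and a closer look at the owning PID.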