Windows 7: Remote Desktop connections (possible trojan)

All my computers are supposed to have Remote Desktop Service disabled for security reasons, but I recently found nearly daily instances of connections on one of the computers.

See photo... Viewed via Computer Management -> Event Viewer -> Applications -> TerminalServices-RemoteConnectionManager, ID 1155, S-1-5-20.

NONE of my programs use remote access, and I had disabled RDS in MSConfig settings from Day 1 of a Windows 7 reinstall months ago (after a prior keylogging/RAT infection).

Despite this, it appears that RDS has been starting up automatically with every bootup, based on Services.msc (see photo). I can also see RDS running in the Task Manager.

Is this a sure sign of a Trojan installing a backdoor/remote access program? There are zero RDS events on my other computers running Windows 7 and similar programs.



Is it possible to diagnose to what IP this connection is going, via Windows... or do I need to record network traffic with third party software (wireshark)?

Antivirus/TDSS scans have always been negative, but I know trojans can easily hide via a rootkit.

Thanks.

Hello wwjd, Welcome to SF

If you think you are infected try these out
Windows Defender Offline
http://support.kaspersky.com/5350

To view all current connections to machine enter elevated command prompt (start type cmd right click run as admin) and type netstat -ano this will show you all IP addresses currently active/connected
If you find anything your not sure about post back and can show you how to investigate program identity