Remote Access Intruder?

[HarrisonS]

A friend of mine who lives in an apartment has been seeing "remote access" messages on her computer. The computer is a fairly old desktop without any accessories or network connections, wired or wireless, and is running Windows XP Home. In the event viewer, there have been events listed stating that a remote access device has made a connection, with a reference to "IRDA8-1". She does not

have a IRDA8-1 device. After these problems started, she has become unable to connect to the internet, and when she does try, she gets an error message stating that "another window" is open and needs to be closed before a successful connection can be made. However, Task Manager shows that there are no other apps running.

I assume that someone in the neighborhood is using some kind of wi-fi device to access the internet using her computer. I would not have thought that would possible, because her computer is password protected and there are no other users.

Is this an intruder, and if so, how can their be blocked?

What kind of device are they using?

To do this, did they need to install some device on her computer without her knowledge?

How can access to the internet be restored, and what is this mysterious, invisible app that is running and preventing access?

[Tripredacus]

IRDA = Infrared Data Association. So the PC is reporting an IR device is accessing the computer. It isn't likely another user. Most PCs do not come with Consumer IR support, but some notebooks certainly do.

You say it does not have network support, then later you say it can't access the internet. How does this PC connect to the internet?

[VideoRipper]

Even more confusing:

without any [...] network connections, wired or wireless,

[...]

I assume that someone in the neighborhood is using some kind of wi-fi device

[HarrisonS]

IRDA = Infrared Data Association. So the PC is reporting an IR device is accessing the computer. It isn't likely another user. Most PCs do not come with Consumer IR support, but some notebooks certainly do.

You say it does not have network support, then later you say it can't access the internet. How does this PC connect to the internet?

She is still using an old-fashioned dial-up modem and phone line connection.

[allen2]

That's what i call a wired connection.

If you want to be sure the computer is clean, you'll have to reinstall it but that's a little extreme.

The only other is to use tools like autoruns (from sysinternals) to clean manually then disable all unneeded services then use a firewall.

[Tripredacus]

Look for an IR window on the PC then. Here are some pics.

Second picture on this page shows you an IR port on a notebook:

http://www.tomsguide.com/us/compaq-nc8230,review-488-4.html

All they are is a dark red square of plastic, like on old TVs and remotes.

Here is a picture of one on a desktop (in outer space apparently)

http://www.jdresearch.com/irdrive/icon/irdrive2.jpg

[cluberti]

Usually the range of an IrDA device is about 10 feet on most laptop machines, so if it is an IrDA connection the device is within ~10ft of the user when they're seeing the warnings, for what it's worth. It is worth noting that IRDA8-1 is an actual device name, and I've seen people with AOL software installed get these things logged in their event viewer over and over, even when no IrDA ports were in use (disabled in device manager). If she's got AOL (you did say it's dial-up, so the likelihood is good), it's a bug with the AOL software calling the *modem* itself "IRDA8-1", so the problem is coming in over the dial-up connection. My bet is that she's using AOL, honestly, and AOL has locked up the modem (requiring a reboot) when the problem occurs, as this is one of those "known-buggy" areas of the AOL codebase for dial-up.

[HarrisonS]

Usually the range of an IrDA device is about 10 feet on most laptop machines, so if it is an IrDA connection the device is within ~10ft of the user when they're seeing the warnings, for what it's worth. It is worth noting that IRDA8-1 is an actual device name, and I've seen people with AOL software installed get these things logged in their event viewer over and over, even when no IrDA ports were in use (disabled in device manager). If she's got AOL (you did say it's dial-up, so the likelihood is good), it's a bug with the AOL software calling the *modem* itself "IRDA8-1", so the problem is coming in over the dial-up connection. My bet is that she's using AOL, honestly, and AOL has locked up the modem (requiring a reboot) when the problem occurs, as this is one of those "known-buggy" areas of the AOL codebase for dial-up.

Thanks! Your reply is very helpful! Yes, she IS using AOL, and I have been recommending for a long time that she dump AOL and go to another provider. The problem has become so bad now that rebooting does not help, neither does removing and reinstalling the AOL software. Also, if there is an intruder at all, I believe it would have to be via wi-fi and not IR anyway, since IR would also require a visual line-of-sight as well as the distance limitation, which is not possible here. Anyway, this is another reason to dump AOL!

[joakim]

If it actually is a software bug, like suggested, then try to uninstall the IR driver for the device in the device manager (assuming you don't need the device). The machine will then not see any IR device it can connect to. Just a thought..

Joakim

[cluberti]

Yes, this will confirm if it's the AOL software or not - assuming you disable the IR device in device manager, and when connected to the internet you still see the IRDA8-1 errors, you can be sure it's the AOL software causing the problems. The only fix I can think of is to ditch AOL, but that's her choice.

[Tripredacus]

I believe even AOL now allows you to connect via the Windows Dial-Up app and just open a browser without ever having to open the AOL software.