Article - #100005   

 

The DameWare Mini Remote Control is Unexpectedly Installed on the Computer

 
The information in this article applies to:
  • DameWare NT Utilities
  • DameWare Mini Remote Control

With the increased popularity of internet access, more and more computer systems are being connected to the Internet with little or no system security.  Most commonly the computer's owner fails to create a password for the Administrator's account.  This makes it very easy for novice hackers ("script kiddies") to gain unauthorized access to a machine.  DameWare Development products have become attractive tools to these so called "script kiddies" because the software simplifies remote access to machines where the Username & Password are already known.

 

Answer:

The DameWare NT Utilities (DNTU) and DameWare Mini Remote Control (DMRC) applications are designed to help network administrators manage remote computers across Local Area Network (LAN) and Wide Area Network (WAN) environments, but the software is sometimes misused in ways for which it was not intended.  The same unauthorized access to a machine can be obtained just as easily with any other network application, including several that ship with the operating system.  DNTU and DMRC rely heavily on the operating system's built-in security: the DNTU and DMRC Client Agent Services cannot be installed on a computer unless the person installing them has already obtained Administrative privileges on that machine, which means that person knows at least one Administrative user ID and password (for example, Administrator).  Administrative rights are required to install the DNTU or DMRC Client Agent Service, or any other service, on a Microsoft Windows NT / 2000 / XP / Vista system.  If the DNTU or DMRC Client Agent Service has been installed without permission, it is likely that one or more Administrative passwords are blank, or that an unauthorized person knows one of the Administrative passwords.
 
The information below explains how to remove the DMRC and DNTU Client Agent Services, but removing them does not resolve the underlying security problem, so it is important to determine the root cause.  If DameWare software could be installed on a machine without permission, someone already knows an Administrative user ID and password (for example, Administrator), and that same person could install any other software, create accounts, or change settings without permission just as easily.  The computer's security had to be compromised before the DMRC or DNTU Service could be installed, so the intrusion itself should be investigated in addition to removing the service.

If the computer is in a corporate environment, please contact the network support staff to verify the validity of the program installation.  If the software has been installed without consent, please follow the instructions below on how to remove the Client Agent Services.  Also included in this article is information on how to possibly discover who installed the unwanted software as well as suggestions on how to improve a machine's security.


How to remove the DMRC and/or DNTU Client Agent Service:

Please note that if the DWRCS.exe and/or DNTUS26.exe files are not located in the system32 folder, search for them and perform the following steps from that folder instead of the system32 folder.

  1. Go to a command prompt  (usually Start / Programs / Accessories / Command Prompt).
  2. Type cd %systemroot%\system32 and press Enter.
  3. Type DWRCS.exe -remove and press Enter.
  4. Type DNTUS26.exe -remove and press Enter.

After the service removal, the following files can be deleted.  (A reboot may be required before some of them can be deleted.  Deleting the files is optional, because the Service itself was already removed in the previous step.)

DNTUS26.EXE
DWRCS.EXE
DWRCS.INI
DWRCK.DLL
DWRCSET.DLL (v 3.6x and later)
DWRCSHELL.DLL (v 3.6x and later)
DWRCST.EXE  (v4.4 and later)

If DWRCShell.dll cannot be deleted, the Windows Explorer shell has most likely already loaded it.  In that case:

  1. Reboot the machine.
  2. Click the Start button and select Run.
  3. Type CMD and press Enter.
  4. At the command prompt, type cd %systemroot%\system32 and press Enter.
  5. Delete the DWRCShell.dll file.
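The removal procedure above, from locating the service to deleting the leftover files, as a single PowerShell script.  This is an added example and is not part of the original article or of the DameWare product; it relies only on the -remove switch and the file names documented above.  Rather than assuming a service name, it finds the service whose binary path points at DWRCS.exe or DNTUS26.exe (assumed to be how the agent is registered), and a file that is still locked (typically DWRCShell.dll) is scheduled for deletion at the next reboot instead of requiring the manual reboot-and-retry steps.  Run it from an elevated prompt.

```powershell
# Added example, not DameWare's own code. Locates the Client Agent Services by
# their executable, runs the documented "-remove" switch and deletes leftovers.
#Requires -RunAsAdministrator

$agentExes = 'DWRCS.exe', 'DNTUS26.exe'
$leftovers = 'DNTUS26.EXE', 'DWRCS.EXE', 'DWRCS.INI', 'DWRCK.DLL',
             'DWRCSET.DLL', 'DWRCSHELL.DLL', 'DWRCST.EXE'

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (4) and a null destination asks
# Windows to delete the file during the next boot, before Explorer loads it.
Add-Type -Namespace DwCleanup -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Find-DameWareAgentService {
    # Assumption: the service binary path ends in one of the agent exe names.
    Get-CimInstance Win32_Service | Where-Object {
        $path = $_.PathName -replace '"', ''
        $agentExes | Where-Object { $path -match ([regex]::Escape($_) + '(\s|$)') }
    }
}

function Remove-DameWareLeftovers {
    param([string]$Directory = (Join-Path $env:SystemRoot 'system32'))
    foreach ($name in $leftovers) {
        $file = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $file)) { continue }
        try {
            Remove-Item -LiteralPath $file -Force -ErrorAction Stop
            Write-Host "deleted   $file"
        } catch {
            # Usually DWRCShell.dll, already loaded by Explorer: defer to next boot.
            if ([DwCleanup.Native]::MoveFileEx($file, $null, 4)) {
                Write-Host "locked    $file - scheduled for deletion at next reboot"
            } else {
                Write-Warning "could not delete or schedule $file"
            }
        }
    }
}

function Remove-DameWareAgentService {
    foreach ($svc in Find-DameWareAgentService) {
        $path = $svc.PathName -replace '"', ''
        $exe  = [regex]::Match($path, '^(.*?(?:DWRCS|DNTUS26)\.exe)', 'IgnoreCase').Groups[1].Value
        Write-Host "Service '$($svc.Name)' ($($svc.State)) -> $exe"
        if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        # The article's documented uninstall switch: the binary unregisters itself.
        $p = Start-Process -FilePath $exe -ArgumentList '-remove' -Wait -PassThru -NoNewWindow
        if ($p.ExitCode -ne 0) { Write-Warning "$exe -remove exited with code $($p.ExitCode)" }
        Remove-DameWareLeftovers -Directory (Split-Path $exe -Parent)
    }
}

$found = @(Find-DameWareAgentService)
if ($found.Count -eq 0) {
    Write-Host 'No service points at DWRCS.exe or DNTUS26.exe; checking system32 for leftover files.'
    Remove-DameWareLeftovers
} else {
    Remove-DameWareAgentService
}
```

Scheduling a locked file for deletion at reboot uses the same PendingFileRenameOperations mechanism the Windows Installer uses, so the result is the same as the manual reboot steps above; the reboot is still required before the file actually disappears.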


How to possibly discover who installed the software:

Please note that the account (Username) used to install the Client Agent Service must have Administrative rights.  Since an Administrator has full rights on the machine, including the ability to clear logs, there is no guarantee that any trace of the intrusion remains.  Here are a few possible ways of discovering how an unauthorized person accessed the machine.

Check the Application Event Log for entries from the DWMRCS or DNTUS26 sources; they record the account used to install or access the machine with the DMRC or DNTU program.  The DMRC also attempts to log additional information about the remote computer that was used to access the machine.  The following is a sample DMRC event log entry, with each field explained:

  • Date: 01/21/03 16:49:44
    Date that the machine was accessed with the DMRC
  • Computer Name: PCNAME
    Name of the remote computer that was used to access this machine
  • User ID: John
    Remote machine's currently active UserID during the DMRC connection
  • Logon As ID: Administrator
    User Name used to access this machine with DMRC
  • Domain:
    Account domain used with the "Logon As ID:"
  • OS Product ID: 55555-OEM-5555555-55555
    Remote machine's MS Windows Operating System Product ID
  • OS Registered Owner: John Doe
    Remote machine's MS Windows registered owner's name
  • OS Registered Organization: ACME
    Remote machine's MS Windows registered owner's company name
  • Host Name from Peer: pcname
    Remote machine's Host Name (reported from that machine)
  • IP Address(s) from Peer: 192.168.1.10
    Remote machine's IP address (reported from that machine)
  • Host: IP Address: 192.168.1.10
    Remote machine's IP address (as seen by this Computer)
  • Authentication Type: NT Challenge/Response
    Type of authentication used to access this machine
  • Access Check: Administrators
    Access privileges of Logon As ID: Account
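Reading these entries one at a time in Event Viewer is slow when there are dozens of them, so the following added example (not from the original article) pulls the DWMRCS and DNTUS26 entries out of the Application log and parses the "Field: value" lines of the message into objects that can be grouped, sorted and exported.  The message layout is assumed to match the field names listed above; the field-to-property map is the only thing to adjust if a version logs different names.  A constructed sample message is included so the parser can be tried on a machine that has never had DameWare installed.  The one field that is not a simple comparison is the pair of IP addresses: a peer that claims one address but is seen connecting from another is flagged.

```powershell
# Added example, not DameWare's own code: parse DMRC/DNTU Application log
# entries into objects. Field names follow the sample entry in the article.

$fields = @{
    'Computer Name'           = 'PeerComputer'
    'User ID'                 = 'PeerUser'
    'Logon As ID'             = 'LogonAs'
    'Domain'                  = 'Domain'
    'Host Name from Peer'     = 'PeerHostName'
    'IP Address(s) from Peer' = 'PeerClaimedIP'    # what the remote machine says
    'Host: IP Address'        = 'PeerObservedIP'   # what this machine saw
    'Authentication Type'     = 'AuthType'
    'Access Check'            = 'AccessCheck'
}

function ConvertFrom-DameWareMessage {
    param([string]$Message, [datetime]$TimeCreated, [string]$Source)
    $obj = [ordered]@{ Time = $TimeCreated; Source = $Source }
    foreach ($key in $fields.Keys) { $obj[$fields[$key]] = $null }
    foreach ($line in $Message -split "`r?`n") {
        # Match on the full "Name:" prefix rather than splitting on the first
        # colon, because "Host: IP Address" contains one of its own.
        foreach ($key in $fields.Keys) {
            $prefix = "${key}:"
            if ($line.TrimStart().StartsWith($prefix)) {
                $obj[$fields[$key]] = $line.Substring($line.IndexOf($prefix) + $prefix.Length).Trim()
                break
            }
        }
    }
    # Claimed and observed addresses should normally agree for a direct connection.
    $obj['IPMismatch'] = [bool]($obj.PeerClaimedIP -and $obj.PeerObservedIP -and
                                $obj.PeerClaimedIP -ne $obj.PeerObservedIP)
    [pscustomobject]$obj
}

function Get-DameWareAccessEvents {
    param([int]$Days = 30)
    # Get-WinEvent needs Vista or later; on XP/2003 use
    # Get-EventLog -LogName Application -Source DWMRCS, DNTUS26 instead.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = @('DWMRCS', 'DNTUS26')
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DameWareMessage $_.Message $_.TimeCreated $_.ProviderName }
}

# Constructed sample in the article's layout (not a real captured event). The
# observed address deliberately differs from the claimed one to show the flag.
$sample = @"
Date: 01/21/03 16:49:44
Computer Name: PCNAME
User ID: John
Logon As ID: Administrator
Domain:
OS Product ID: 55555-OEM-5555555-55555
Host Name from Peer: pcname
IP Address(s) from Peer: 192.168.1.10
Host: IP Address: 203.0.113.7
Authentication Type: NT Challenge/Response
Access Check: Administrators
"@
ConvertFrom-DameWareMessage -Message $sample -TimeCreated (Get-Date '2003-01-21 16:49:44') -Source 'DWMRCS' |
    Format-List

# Live data: which account was used, from which address, and how often.
Get-DameWareAccessEvents | Group-Object LogonAs, PeerObservedIP |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Export the objects with Export-Csv before any cleanup, since the Application log is one of the first things an intruder with Administrative rights can clear.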

Consider enabling Security Audit Policy logging so that every logon attempt against the machine is recorded in the Security Event Log.  With auditing enabled, Windows also records the account name used to clear the Security Log, so an intruder who deletes the log to cover their tracks still leaves a trace.


Suggestions on how to improve a machine's security:

Please note that the suggestions here are not guaranteed to cover every aspect of securing a computer and will only help in the most common and simplest areas of computer security.  It is the responsibility of the owner of the computer to take every possible measure to ensure that the machine is secured from unwarranted network access.

Consider changing all administrative account passwords and regularly check for new unwanted user accounts created on the machine.

Consider implementing a firewall for all internet access points.  The following ports should be blocked from the Internet in order to thwart unwanted remote service installations, since installing a service remotely uses these file-sharing and RPC channels.

To block NetBIOS over TCP/IP:
UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)

To block Direct Hosting of SMB over TCP/IP (used by Windows 2000 and later, including Active Directory):
TCP port 445 (Microsoft-DS).
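The three suggestions above (watch for new accounts, block the ports, turn on auditing) as one script.  This is an added example and not part of the original article; it requires Windows 8 / Server 2012 or later for the LocalAccounts and NetSecurity cmdlets and an elevated prompt.  The firewall rules are scoped to the Public profile, which is the practical equivalent of "block at the Internet access point" for a host that is also on a trusted LAN; blocking 139 and 445 on every profile would break file sharing and domain traffic.  The audit subcategory names and the event 4624 field positions are standard for Vista and later.

```powershell
# Added example, not DameWare's own code: baseline accounts, block the listed
# ports from untrusted networks, enable logon auditing and review remote logons.
#Requires -RunAsAdministrator

# 1. Baseline enabled accounts and Administrators membership; each later run
#    reports anything that appeared since, which is how intruder-created accounts show up.
$baseline = Join-Path $env:ProgramData 'account-baseline.json'
$current = [pscustomobject]@{
    Users  = @(Get-LocalUser | Where-Object Enabled | Select-Object -ExpandProperty Name)
    Admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
}
if (Test-Path $baseline) {
    $old = Get-Content $baseline -Raw | ConvertFrom-Json
    Compare-Object @($old.Users) @($current.Users) | Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "new enabled account: $($_.InputObject)" }
    Compare-Object @($old.Admins) @($current.Admins) | Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "new Administrators member: $($_.InputObject)" }
}
$current | ConvertTo-Json | Set-Content $baseline

# 2. Block NetBIOS over TCP/IP and SMB direct hosting from untrusted (Public) networks.
$rules = @(
    @{ Name = 'Block NetBIOS name service (UDP 137)'; Protocol = 'UDP'; Port = 137 }
    @{ Name = 'Block NetBIOS datagram (UDP 138)';     Protocol = 'UDP'; Port = 138 }
    @{ Name = 'Block NetBIOS session (TCP 139)';      Protocol = 'TCP'; Port = 139 }
    @{ Name = 'Block SMB direct hosting (TCP 445)';   Protocol = 'TCP'; Port = 445 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Public | Out-Null
    }
}

# 3. Record every logon attempt and every account change in the Security log.
#    Security event 1102 separately names the account that clears that log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null

# Review: network (type 3) and remote interactive (type 10) logons in the last
# day, which is what a remote control or service installation produces.
# 4624 fields: [5] TargetUserName, [8] LogonType, [18] IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 3, 10 } |
    Select-Object TimeCreated,
        @{ n = 'User'; e = { $_.Properties[5].Value } },
        @{ n = 'From'; e = { $_.Properties[18].Value } }
```

Run the script once to create the baseline, then on a schedule; the account warnings only mean anything after the first run, and the port rules are idempotent so re-running does not duplicate them.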


For additional methods of analyzing security, check the following sites:

Microsoft Baseline Security Analyzer (MBSA)

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Gibson Research Corporation
http://grc.com/default.htm

3 steps to help ensure your PC is protected
http://www.microsoft.com/security/protect/default.asp

Strong passwords
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/windows_password_tips.asp


Knowledgebase Article: #100005
Category: Troubleshooting
Last Revised: Friday, December 31, 2004
Keywords: remove, removal, unauthorized, intrusion, uninstall
   ©2003-2014 SolarWinds. All rights reserved.