Rtvscan may be disguising remote activity


vpricemartin
Feb 4, 2009, 11:47 AM
Is it possible for someone to be remoting into my computer and the activity to be disguised as an Rtv scan? When I am at work, my computer runs perfectly with no issues until most of the day shift leaves. My computer is located in the training room and under the administration of instructors who have the ability to remote into the computers for training purposes. I believe that someone is remoting into my computer and taking control of my keyboard. There have been times that I have seen the pointer move by itself and my keystrokes are disabled. I want to make the manager aware of this activity, but I need to be able to give more information. I don't want to appear paranoid, but this activity has been witnessed by others sitting next to me. Please explain what could be going on. I keep my processes open where I can see the CPU activity. The CPU scale usually stays at 12%, but at those times when it appears someone is remoted in, the CPU jumps to 90%. If this were a network issue, it would be happening office wide. The problem only appears on my login, and it doesn't matter what computer I am using.

Scleros
Feb 4, 2009, 01:50 PM
RTVSCAN is the service component of Symantec Antivirus (discussed in SAV Administrator's Guide (http://www.symantec.com/techsupp/enterprise/products/sav_ce/savce_9.0/savcadmn.pdf)). Hogging the CPU and rendering the machine slow or inoperable to user input has been a problem on some machines with various SAV versions (Google "rtvscan.exe"). The movements you see may be your own, just delayed.


Is it possible for someone to be remoting into my computer and the activity to be disguised as an Rtv scan?
Possible, yes. Probable, no. I think it is unlikely that a remote access trojan disguised as a bogus RTVSCAN.EXE has infected multiple machines at your organization, yet the following can be pursued:

Unplug network cable and see if movements stop.
Compare RTVSCAN.EXE to the same file on other computers for size. An MD5 hash can also be computed with Microsoft's File Checksum Integrity Verifier utility (http://support.microsoft.com/kb/841290) to confirm a match. If SAV is installed, there should only be one of these files, I think; none otherwise.
Entering netstat -on at a command prompt will list connections to and from the computer. Internal company IP addresses would be the most likely source of a remote connection. ARIN: WHOIS Database Search (http://www.arin.net/whois/index.html) may be useful for determining the controlling entity for public IP addresses, but if a remote connection is being made to an internal computer from outside your organization, your IT folks have a serious problem.
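The hash-comparison and netstat checks listed in the reply above, worked through as an added Python example (this is not code from the thread or from Symantec). It compares MD5 hashes of RTVSCAN.EXE copies gathered from several machines against a reference copy, parses the output of `netstat -on` in the column layout Windows prints, classifies each peer as internal (RFC 1918 or link-local), external or loopback, and names the process that owns each connection from a PID-to-image map of the kind `tasklist` produces. The hostnames, file bytes, netstat lines and PID map are constructed sample data; on a real machine you would feed in `open(path, "rb").read()` for each copy and the captured `netstat -on` text.

```python
"""Triage helpers: compare RTVSCAN.EXE hashes across machines and read
`netstat -on` output to see which process talks to which peer.
Added example with constructed sample data, not code from the original thread."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the bytes of RTVSCAN.EXE on a machine believed clean.
REFERENCE_BYTES = b"MZ\x90\x00 constructed stand-in for rtvscan.exe contents"
MD5_REFERENCE = hashlib.md5(REFERENCE_BYTES).hexdigest()

# Constructed: the same file as read from three other machines; one differs.
SAMPLE_FILES = {
    "PC-TRAIN-01": REFERENCE_BYTES,
    "PC-TRAIN-02": REFERENCE_BYTES,
    "PC-TRAIN-03": REFERENCE_BYTES + b"\x00",
}

# Constructed `netstat -on` output in the Windows column layout (UDP rows have no State).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:139       192.168.1.10:49832     ESTABLISHED     4
  TCP    192.168.1.23:3389      192.168.1.50:51234     ESTABLISHED     1128
  TCP    192.168.1.23:49201     203.0.113.9:443        ESTABLISHED     2004
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1860
  TCP    [::1]:49300            [::1]:135              TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    744
"""

# Constructed PID -> image map, as `tasklist /svc` would give it on the same machine.
SAMPLE_TASKLIST = {4: "System", 1128: "svchost.exe (TermService)",
                   2004: "iexplore.exe", 1860: "Rtvscan.exe", 744: "lsass.exe"}

# "Internal" here means RFC 1918 or link-local; documentation ranges count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def mismatched_copies(reference_hex: str, copies: dict) -> list:
    """Hostnames whose copy of the file does not hash to the reference value."""
    return sorted(h for h, data in copies.items() if md5_hex(data) != reference_hex)


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int


def parse_netstat(text: str) -> list:
    """Parse `netstat -on` rows; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, foreign, state, int(pid)))
    return conns


def split_endpoint(endpoint: str) -> tuple:
    """'203.0.113.9:443' -> ('203.0.113.9', '443'); '[fe80::1%12]:445' -> ('fe80::1', '445')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port


def classify(host: str) -> str:
    if host in ("*", ""):
        return "none"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "none"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def remote_peers(conns: list, pid_to_image: dict) -> list:
    """Connections whose peer is another machine: (kind, host, port, pid, image)."""
    out = []
    for c in conns:
        host, port = split_endpoint(c.foreign)
        kind = classify(host)
        if kind in ("none", "loopback"):
            continue
        out.append((kind, host, int(port), c.pid, pid_to_image.get(c.pid, "unknown")))
    return out


if __name__ == "__main__":
    print("hash mismatches:", mismatched_copies(MD5_REFERENCE, SAMPLE_FILES))
    for peer in remote_peers(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print("%-8s %-15s port %-5d pid %-5d %s" % peer)
```

In the constructed data the row worth a second look is the ESTABLISHED connection on local port 3389 owned by the TermService svchost: that is an inbound Remote Desktop session from 192.168.1.50, an internal address, which is the kind of evidence the original poster could hand to a manager. The external peer on port 443 belongs to a browser and is ordinary traffic.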