PC is being remotely controlled
Hello,
I serviced the image with DISM on the 3rd of this month, then serviced the same image in Audit mode again on the 5th. Deployed it on the main machine on the 11th.
After installation, I noticed too much space being used on the system drive after every restart. So I went ahead to remove the unneeded files manually. In the System32/WDI/LogFiles folder I deleted everything, but there was an .etl file that refused to be deleted. I tapped on the Permissions tab but it said, you don't have enough permissions to view the permissions. So I started CMD with TrustedInstaller privileges and initiated a delete command on the file: Access is denied. Okay. Then I started Explorer as "SYSTEM", right click, delete, and nothing happens. I tried to rename the file from the same window; error, you need permission from the administrator to rename the file. I then booted from WinPE, browsed to the folder and the file wasn't there. I deleted the entire LogFiles folder and then re-created it so that I could boot into Windows normally.
When I logged into Windows again, as is my custom after a fresh install, I scheduled chkdsk; it ran and saved log files in System Volume Information. I reviewed the log files and then deleted them. That was on the 12th.
Yesterday, I noticed Windows Modules Installer (TiWorker.exe) was doing something to the PC. High CPU usage and disk usage. I did not interfere. Later I found out that it runs in relation to Windows Update, but here's the thing: I have updates completely disabled from the registry and the Windows Update applet removed from the Control Panel. Also, I don't have a SoftwareDistribution folder. Never have. So when there are no updates being checked, downloaded or anything, what was TiWorker.exe (Windows Modules Installer) doing?
Anyway, I noticed in Services that the WinHTTP webproxy service is running, which I always keep disabled. I stopped the service, but again, it restarted itself after a few. I Googled and found out the service is used by Win32 apps and .NET apps to connect to the web.
I discovered a suspicious folder in WinSxS, "amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35...........". I Googled it and found that it's Microsoft Distributed Transaction Coordinator (MSDTC), which is used on Windows Server to control the PCs on the network. Yeah, it's a genuine Microsoft folder, but I never had my home PC connected to any local network, nor did I ever have this service or folder before. This folder, however, is empty.
To resolve the situation, I downloaded ESET Internet Security and did a full system scan, but it couldn't find anything. I also did a system scan with the Kaspersky Virus Removal Tool and it couldn't find anything either.
Today when I started the PC, chkdsk initialized and did a disk check, which I did not schedule. Scouring through the System Volume Information folder, I discovered that not only does it have the chkdsk log from today but also the one from the 12th that I deleted.
Files deleted from the Recycle Bin appear today too, with the timestamp of the 12th; yesterday the Recycle Bin didn't have any files.
My best guess is that after the virus scan etc., today the PC reset itself, like restoring from a snapshot. I don't have the Windows Recovery Environment, so how is this possible? I also did a search on the dtc runtime folder name and discovered a page in Spanish where a hacker is elucidating how he got into someone's PC, installed an alternate shell for easy access, hashes from their contacts in the email, etc. The page is publicly available on the web and is titled "HacktheBox".
Sorry for the long post, but I had to detail everything. I could really use some advice here. What should I do? Should I just continue to use Windows and keep an eye on it? Should I wipe the slate clean and do a re-install?
Any help/advice will be greatly appreciated.