PC is being remotely controlled


  1. Posts : 10
    Windows
       #1

    PC is being remotely controlled


    Hello,

    I serviced the image with DISM on the 3rd of this month, then serviced the same image in Audit mode again on the 5th. Deployed it on the main machine on the 11th.

    After installation, I noticed too much space being used on the system drive after every restart. So I went ahead to remove the unneeded files manually. In the System32\WDI\LogFiles folder I deleted everything, but there was an .etl file that refused to be deleted. I tapped on the Permissions tab but it said you don't have enough permissions to view the permissions. So I started CMD with TrustedInstaller privileges and issued a delete command on the file: Access is denied. Okay. Then I started Explorer as "SYSTEM", right-click delete, and nothing happens. I tried to rename the file from the same window: error, you need permission from the administrator to rename the file. I then booted from WinPE, browsed to the folder, and the file wasn't there; I deleted the entire LogFiles folder and then re-created it so that I could boot into Windows normally.

    When I logged into Windows again, as is my custom after a fresh install, I scheduled chkdsk; it ran and saved log files in System Volume Information. I reviewed the log files and then deleted them. That was on the 12th.

    Yesterday, I noticed Windows Modules Installer (TiWorker.exe) was doing something to the PC: high CPU usage and disk usage. I did not interfere. Later I found out that it runs in relation to Windows Update, but here's the thing: I have updates completely disabled from the registry and the Windows Update applet removed from the Control Panel. Also, I don't have a SoftwareDistribution folder. Never have. So when there are no updates being checked, downloaded or anything, what was TiWorker.exe (Windows Modules Installer) doing?

    Anyways, I noticed in Services that WinHTTP webproxy service is running that I always keep disabled. I stopped the service but again, it restarted itself after a few. I Googled and found out the service is used by Win32 apps and .Net apps to connect to the web.

    I discovered a suspicious folder in WinSxS, "amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35...........", googled it and found that it's Microsoft Distributed Transaction Coordinator (MSDTC), which is used on Windows Server to control the PCs on the network. Yes, it's a genuine Microsoft folder, but I never had my home PC connected to any local network, nor did I ever have this service or folder before. This folder, however, is empty.

    To resolve the situation, I downloaded ESET Internet Security and did a full system scan, but it couldn't find anything. I also did a system scan with Kaspersky Virus Removal Tool and it couldn't find anything either.

    Today when I started the PC, chkdsk initialized and did a disk check, which I did not schedule. Scouring through the System Volume Information folder, I discovered that not only does it have the chkdsk log from today but also the one from the 12th that I deleted.

    Files I had deleted from the Recycle Bin appear today too, with the timestamp of the 12th; yesterday the Recycle Bin didn't have any files.

    My best guess is that after the virus scan etc., today the PC reset itself, like restoring from a snapshot. I don't have the Windows Recovery Environment, so how is this possible? I also did a search on the dtc-runtime folder name and discovered a page in Spanish where a hacker is elucidating how they got into someone's PC, installed an alternate shell for easy access, hashes from their contacts in the email, etc. The page is publicly available on the web and is titled "HacktheBox".

    Sorry for the long post, but I had to detail everything. I could really use some advice here. What should I do? Should I just continue to use Windows and keep an eye on it? Should I wipe the slate clean and do a re-install?

    Any help/advice will be greatly appreciated.
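As an added example (not from the thread or any of its posters), here is a read-only PowerShell triage of the things the post above describes: why a manually stopped service comes back on its own, whether an .etl file under WDI\LogFiles is held open by a live trace session, which built-in task can launch chkdsk at boot, whether a shadow copy or restore point exists that could explain files reappearing, and what TiWorker was logging. The service name WinHttpAutoProxySvc (WinHTTP Web Proxy Auto-Discovery Service) and the task folder \Microsoft\Windows\Chkdsk are real Windows names; everything else is stock Windows tooling. Nothing in it changes the system.

```powershell
# Added triage script (not part of the thread). Run from an elevated
# PowerShell prompt. Every step is read-only.
$svcName = 'WinHttpAutoProxySvc'   # WinHTTP Web Proxy Auto-Discovery Service

# 1. A Manual service that is trigger-started, or that a running service
#    depends on, restarts by itself after you stop it. Show all three facts.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    Get-CimInstance Win32_Service -Filter "Name='$svcName'" |
        Select-Object Name, State, StartMode, StartName, PathName
    "Services that depend on ${svcName}:"
    $svc.DependentServices | Select-Object Name, Status
    "Trigger starts registered for ${svcName}:"
    sc.exe qtriggerinfo $svcName
}

# 2. An ETW trace session keeps its .etl output file open; such a file
#    cannot be deleted from the running OS whatever account you use.
#    List live sessions and the file each one writes to.
logman query -ets

# 3. Windows schedules its own disk check (ProactiveScan) under this task
#    folder; last run time and result show whether it was the source of an
#    "unscheduled" chkdsk.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Chkdsk\' |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime

# 4. Chkdsk results at boot are recorded by Wininit as Application event 1001.
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Microsoft-Windows-Wininit'; Id=1001} `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Built-in snapshot mechanisms: volume shadow copies and System Restore
#    points. (Get-ComputerRestorePoint exists in Windows PowerShell 5.1.)
vssadmin list shadows
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, CreationTime, Description, RestorePointType

# 6. TiWorker (Windows Modules Installer) logs to CBS.log; the most recent
#    session lines show which package or servicing task it was processing.
Get-Content "$env:windir\Logs\CBS\CBS.log" -Tail 300 |
    Select-String -Pattern 'Exec:|Session:|Failed' |
    Select-Object -Last 40
```

Read the output in order: if step 1 shows a trigger or a dependent service, the restart is explained by the service control manager, not by an intruder; if step 2 lists a session writing into WDI\LogFiles, that is why the file could not be deleted; steps 3 to 5 tell you whether chkdsk and the reappearing files have a scheduled or snapshot origin before any malware theory is entertained.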


  2. Posts : 8,111
    windows 10
       #2

    Welcome to the forum. As a start, remove the .etl file: How to Disable Outlook Logging & Remove ETL files — LazyAdmin.


  3. Posts : 1,211
    Windows 10
       #3

    TBH this sounds like a whole can of worms of self-deception. I think you should minimize the padding of the thread, because there is too much padding.

    Rule out the hard drive; really, it sounds like a hard drive issue.


  4. Posts : 1,211
    Windows 10
       #4

    ceo54 said:
    I serviced the image with DISM on the 3rd of this month, then serviced the same image in Audit mode again on the 5th. Deployed it on the main machine on the 11th.

    After installation, I noticed too much space being used on the system drive after every restart. So I went ahead to remove the unneeded files manually. In the System32\WDI\LogFiles folder I deleted everything, but there was an .etl file that refused to be deleted. I tapped on the Permissions tab but it said you don't have enough permissions to view the permissions. So I started CMD with TrustedInstaller privileges and issued a delete command on the file: Access is denied.

    Okay. Then I started Explorer as "SYSTEM", right-click delete, and nothing happens. I tried to rename the file from the same window: error, you need permission from the administrator to rename the file. I then booted from WinPE, browsed to the folder, and the file wasn't there; I deleted the entire LogFiles folder and then re-created it so that I could boot into Windows normally.

    Today when I started the PC, chkdsk initialized and did a disk check, which I did not schedule. Scouring through the System Volume Information folder, I discovered that not only does it have the chkdsk log from today but also the one from the 12th that I deleted.

    Files I had deleted from the Recycle Bin appear today too, with the timestamp of the 12th; yesterday the Recycle Bin didn't have any files.

    Sounds like a data integrity issue to me: cannot delete file, ghost files, files reappear and disappear and reappear again. Test your hard drive, tbh. chkdsk might not get you 100% accurate data if you are having issues all over the computer; I would take the drive out and test it in another computer as a slave drive if you are able to do that.

    Digging around in System32 at this time is probably not a good idea either, even if it is just logs, because if the storage medium is having issues then it could cause other issues as a result, and System32 is a folder to be careful with. Maybe factory reset the computer at least and then test the hard drive.


  5. Posts : 10
    Windows
    Thread Starter
       #5

    @Samuria @Malneb

    Thank you for taking the time and giving valuable feedback. I scanned the full system with Avira and Avast, booting from WinPE. No detection; everything was clean.

    After reading @Malneb's post, I did a hard drive check too and it came out positive as well. Maybe I'm just being paranoid, but I really know my system, and when there's something out of the ordinary, I can just tell.

    However, I decided to keep using it and see what becomes of it.

    Thank you both of you for taking interest in my thread, your input is highly appreciated.


  6. Posts : 352
    Windows 11 Home (x64) Version 23H2
       #6

    @ceo54 ........ if you want we can run some scans to see if I can find anything !

    Let's start with the 2 programs. Please post the logs/reports !

    Download these 2 programs & run them; when done, post the logs so we can see if that problem goes away or whether I need to have you run a stronger program ??
    Malwarebytes AdwCleaner >>> Download AdwCleaner
    Please download AdwCleaner and save it to your Desktop
    * Close all open programs and browsers
    * Right click on the icon and select Run as administrator
    * Click Scan now
    * Allow the program to Quarantine what it finds except for Pre-installed applications if you would like to keep those or other entries you would like to keep
    * When completed click View Scan Log File
    * Copy and paste the contents in your reply
    * Click Skip Basic Repair if it appears then close the program

    ===========

    Full System Scan with Malwarebytes Antimalware >>> https://www.malwarebytes.com/mwb-download
    * If not existing, please download Malwarebytes' Anti-Malware to your desktop.
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    * If the program is already installed:
    * Run Malwarebytes Antimalware
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    *** Post that log back here or just tell me what it found ?
    If it is too long then you will have to zip it or find a site to upload it to & let me know where !

    Post the logs so I can read them, unless nothing is found ! If they are too big then zip them up & give me a link !!

    Thanks !
    Chuck


  7. Posts : 10
    Windows
    Thread Starter
       #7

    flashh4 said:
    @ceo54 ........ if you want we can run some scans to see if i can find anything !

    Ah! Now, as I was on my last legs and about to fall into bed, I have found an expert on the topic. Not too late though, we still have the thread open. The things you asked, I will do them first thing in the morning.

    Regards


  8. Posts : 352
    Windows 11 Home (x64) Version 23H2
       #8

    @ceo54 ....... sounds good i look forward to the reports/logs !


  9. Posts : 1,211
    Windows 10
       #9

    I still think you have a hard drive issue. An ESET scan would have revealed any malware; troubleshooting further along that path is possibly null, as you would really only warrant going further if there was cause to do so and the malware is being stubborn.

    - Corrupt MFT?
    - Cluster size?
    - Poking around the FS as different perm levels can result in unintended behavior.

    I think the results currently are benign one part self affirmative and one part self assertive as in you are causing an issue and line of thinking at the same time.

    chkdsk is not always going to give an accurate result in these cases and you need to employ several methods. Did you try rebuilding the MFT? What about cluster size? Did you look and see that it adds up against data stored and space used?

    I don't think there is malware; it's possible, but a scanner would have found it. You also need to minimize the padding of your troubleshooting. I noticed you are self-administering outcomes because you think X or Y is happening; this is bad because you won't know unless you can verify that line of thinking through findings.

    Without much to go from, it's anyone's guess; I just think that the overall picture is saying a few things. Hard drive or file system and/or perms problem, with some self-induced outcomes / line of thinking. Malware maybe, but unlikely.

    You may also want to run an SFC scan because you have been messing around in system32 and other areas.
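As an added example (not from the thread), a read-only PowerShell check for the points raised in the post above: cluster size and MFT figures for the volume, whether used space adds up against the files actually stored, shadow-copy storage (which counts as used space but belongs to no file), the volume dirty bit that makes chkdsk run at boot, the drive's own failure-prediction flag, and verify-only sfc and DISM passes. The drive letter in $Drive is an assumption; every command it calls is stock Windows tooling and nothing is repaired or changed.

```powershell
# Added file-system integrity check (not part of the thread). Run from an
# elevated PowerShell prompt; nothing here modifies the volume.
$Drive = 'C'   # assumption: the system drive under discussion

# Cluster size, MFT size and cluster counts straight from NTFS.
fsutil fsinfo ntfsinfo "${Drive}:" |
    Select-String 'Bytes Per Cluster|Mft Valid Data Length|Total Clusters|Free Clusters'

# Does used space add up against the files stored? The gap is normally
# cluster slack (small files on large clusters), shadow-copy storage, or
# folders this account cannot enumerate. Junction points may be counted
# twice and the walk over a whole drive takes a while.
$vol   = Get-Volume -DriveLetter $Drive
$used  = $vol.Size - $vol.SizeRemaining
$files = Get-ChildItem -LiteralPath "${Drive}:\" -Recurse -File -Force `
             -ErrorAction SilentlyContinue
$sum   = ($files | Measure-Object -Property Length -Sum).Sum
[pscustomobject]@{
    UsedGB    = [math]::Round($used / 1GB, 2)
    FileGB    = [math]::Round($sum  / 1GB, 2)
    GapGB     = [math]::Round(($used - $sum) / 1GB, 2)
    FilesSeen = $files.Count
}

# Shadow-copy storage is part of "used" but is not visible as files.
vssadmin list shadowstorage

# Dirty bit: when set, autochk runs a disk check at the next boot.
fsutil dirty query "${Drive}:"

# The drive's own SMART failure prediction (True means replace the disk).
Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus `
    -ErrorAction SilentlyContinue |
    Select-Object InstanceName, PredictFailure

# Verify protected system files and the component store without repairing.
sfc /verifyonly
DISM /Online /Cleanup-Image /ScanHealth
```

If PredictFailure is True or fsutil reports the dirty bit set after a clean shutdown, the hardware explanation this post favours has evidence behind it; if sfc reports violations, a repair pass (sfc /scannow, then DISM /RestoreHealth) is the next step rather than further manual work in System32.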


  10. Posts : 10
    Windows
    Thread Starter
       #10

    @flashh4 @Malneb

    I apologise, I have had a medical emergency. I have taken the medication and hope to get better soon. We shall continue this.

    Kind regards

