Lately I feel like someone has remote access to my computer.
Folders I never opened appeared in my recent places/locations folder and my virus scanner and computer in general have been acting strange.
I have also made a topic on the Microsoft community website (link: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/microsoft-security-essentials-can-not-be-started/4a8dd460-6bc8-45c3-b7ec-95d7c1fa3327), but I think the feedback on this website will be more effective for my problem.
I will now copy my original post from the link above to explain the whole situation in as much detail as I can:
"Today I noticed that Microsoft Security Essentials was not defending my computer. It was still running yesterday and I even did a scan, I didn't turn it off so I obviously got suspicious. As I told someone on Skype I feel like it might be a virus, I got a pop-up saying that my computer will restart in 1 minute. This happened for no clear reason so this made me even more suspicious, after the restart I disconnected my internet cable because I didn't trust it. After this had happened I tried to go into MSE to start it back up, every time I press the big button saying ''Start now'' it either loads for ages after which I get a time-out (error 0x800705b4) or it loads for ages, turns it on and whenever I do a scan it gives me the error from the title. Normally it instantly turns on or off whenever I press it. I have restarted the computer multiple times.
I just restarted the computer again and it installed 2 updates. When I loaded my account it asked for my password to update a program called sc.exe located in the Windows32 folder (correct me if I'm wrong). It stated that it was a program by Microsoft Corp. so I entered my password and pressed enter, after this a command prompt popped up for a split second, this made me even more suspicious as I don't think an official Windows program would do that unless it's some dodgy program... So, I googled it a little and got to a page with the words ''execute commands on a remote computer'' and even to a page for a remote desktop tool using this function. Now, MSE is up and running but I feel like those updates installed some undetected backdoor in MSE so the Remote Administration Tool can keep doing what it's doing. You might think I'm over-the-top suspicious but today's events have caused me to be so.
It might be nothing at all, but I just want to make sure it's not or if something really is wrong. Also, whenever I clear my recent locations/places folder and I wait a while, some folders show up which I haven't been to AT ALL, or it shows a folder called ''CustomDestinations''.
Now, these events might just be bad luck, but I really fear that someone has remote access to my computer.
I hope you can give me some support/advice about this situation and how I can check for a R.A.T. on my computer and how I can prevent this in the future. I am currently doing a full virus scan with my internet unplugged."
I got a reply from a support engineer to which I replied with the following:
"I have run multiple fast scans with MSE, and 1 full scan with MSE and it found zero threats every time.
I have downloaded the Microsoft Safety/Security Scanner and did a fast scan, and again, zero threats. I tried booting into safe mode but for some reason when I try to open an account I get an error saying something like (rough translation): "A connection with the service Sens could not be made. Please contact the administrator." My system is Dutch, the original error said: "Er kan geen verbinding met de service Sens worden gemaakt. Neem contact op met de systeembeheerder."
Exactly what process in the task manager do you want me to look out for? I don't really know what you mean unless you want me to look out for anything suspicious. I don't really find any process suspicious as I have no clue what most of the processes are and do (or you could say I find them all suspicious).
I tried to open the event viewer logs but did not succeed, every time I try to open them I get an error saying: "Can not open the service eventlog on the computer ."
Here is a screenshot of the error:
(check original page)
I tried to manually look for updates but got an error when I pressed the "Search updates" button.
Under the button is a bit of text saying "More information about free software from (null)." Suspicious how it says "(null)".
(check original page)
Again, very suspicious... I hope I can fix these problems because they make me more suspicious every time.
I am now doing a full scan (not in safe mode as that doesn't work) with Microsoft Safety Scanner."
From that point on I have tried to stay offline as much as possible (I would only plug in my internet cable when loading a new internet page).
Also, I typed "netstat -ano" in the command prompt to check for established connections (I read that this is a way to check for RATs), and found an established connection to a program called "LMS.exe". I googled this program and found a lot of results with infections of this program. My virus scanner however never picked it up, it might not be infected, but I thought I'd say it.
As you can see it is a pretty suspicious situation. I hope I (we) can figure out whether I really have a RAT/infection or that it was all just bad luck and that nothing is wrong with my system.
Sorry for the long post and the copy/pasting from my original posts, I just wanted to give as much information as I possibly can.
I am using Windows 7 Home Premium, Service Pack 1 (64-bit).
Thank you for your time, I am looking forward to support.
Edited by LennartNL, 18 October 2013 - 06:32 AM.
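
Added example, not part of the original post: the `netstat -ano` check mentioned above only shows a PID per connection, so this PowerShell sketch joins each non-listening TCP row to the owning process, its executable path and its Authenticode signature status. It sticks to cmdlets available in the PowerShell 2.0 that ships with Windows 7; the variable names and column layout are this example's own choices.

```powershell
# Added example: resolve the PID column of `netstat -ano` to a process,
# its on-disk path and its signature status. Run from an elevated prompt,
# otherwise the paths of service processes may come back empty.

# Index running processes by PID (WMI is available on PowerShell 2.0).
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$rows = foreach ($line in (netstat -ano)) {
    $f = $line.Trim() -split '\s+'

    # TCP rows have exactly 5 fields: proto, local, remote, state, PID.
    if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }

    # Skip listening sockets by their wildcard remote endpoint instead of
    # the state text, which may be localized on non-English systems.
    if ($f[2] -match '^(0\.0\.0\.0|\[::\]):0$') { continue }

    $procId = [int]$f[4]
    $p      = $procs[$procId]
    $path   = if ($p) { $p.ExecutablePath } else { $null }

    # Only ask for a signature when the path resolved and the file exists.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'PathUnavailable'
    }

    New-Object PSObject -Property @{
        Local     = $f[1]
        Remote    = $f[2]
        State     = $f[3]
        PID       = $procId
        Name      = if ($p) { $p.Name } else { '(exited)' }
        Path      = $path
        Signature = $sig
    }
}

$rows |
    Sort-Object Name, Remote |
    Select-Object Name, PID, Local, Remote, State, Signature, Path |
    Format-Table -AutoSize
```

A `NotSigned` result is a prompt to look closer, not a verdict: older PowerShell versions do not check catalog signatures, so many genuine Windows system binaries report that status. The path column is usually the more useful signal, since a familiar executable name running from an unexpected directory deserves a second look.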