I think I have a Remote Access Trojan or worse. I don't even know where to begin.
I am running Windows 7 Professional 32 bit, fully patched, Java and Flash updated, protected with Kaspersky Total Security. I don't do torrents or visit dodgy websites. This is a standalone PC, Ethernet only, no wireless card, not joined to a domain, no file sharing. SMB and NetBIOS over TCP/IP are disabled. I read my Event Viewer and router logs regularly. I use a standard user account. Router and PC accounts are protected with 11-12 character passwords with upper/lowercase letters, numbers, and symbols.
I was having trouble in late July with Internet Explorer. It wouldn't page backwards or forwards after a Google search, and I found this annoying. A Microsoft site suggested resetting IE's settings. I did this, and it seemed worse. I wondered if it might have been a recent Windows update.
I'll cut to the chase. Looking more closely at the Windows Event Viewer, I saw things in Security that bothered me, attempts to register and unregister a security audit source, several times a day. I looked at my router logs and discovered that suddenly IPv6 was configured and enabled, where it had never been before.
I called technical support, and they suggested updating the firmware. I did so, and the IPv6 settings are still there.
I saw more in the Windows Event Viewer that bugged me: a reference to MSDTC 2, which I have never installed on my system; Virtual Disk Service, which I have never enabled; and, under Directory Services-SAM, "Remote Calls to the SAM database restricted using the default security descriptor."
I have run Kaspersky scans in aggressive mode, a Trend Micro scan, and Malwarebytes. I have run sfc /scannow, CHKDSK, sigverif, and have examined the disk, partitions, and volumes with DISKPART. Nothing unusual showed up with these scans.
I decided to do a system restore to see if I could get IE functioning normally. After rebooting, the event viewer reported that read/write on Volume Shadow Copy Service was screwed up, Path is \\?\GLOBALROOT\Device\Harddisk. Don't the double slashes mean it's a network share?
I looked at System Information>Software Environment>Startup Programs. The first of three startup tasks is as below and the second is like it with a p.
When I look at this same page under the administrator account, these tasks are in Chinese characters that mean "Picking Up" according to Google Translate.
Still looking at Software Environment, if I look at loaded modules and drivers, several are running although the service has been stopped and disabled through Services. The one entry that bothers me the most is DFS Namespace Client Driver. This is not something that I enabled/set up. All kinds of remote access services and drivers are shown as loaded and running, as is the Dynamic Volume Manager. I did not create any Dynamic volumes on my disk!
Oh, I also ran vssadmin. The Device Manager shows that I have 13 Volume Shadow Copies. vssadmin shows that I have #3-15. Lots more in the registry.
Last night I turned off Remote Differential Compression, and the Virtual Disk Service stopped.
Finally, the real kicker: the environment variables.
Variable                     Value                                                                 User Name
ComSpec                      %SystemRoot%\system32\cmd.exe                                         <SYSTEM>
FP_NO_HOST_CHECK             NO                                                                    <SYSTEM>
OS                           Windows_NT                                                            <SYSTEM>
Path                         C:\ProgramData\Oracle\Java\javapath;C:\Program Files\Common Files\Microsoft Shared\Windows Li
                             ell\v1.0\;C:\Program Files\Intel\Services\IPT\;C:\Program Files\Windows Live\Shared;C:\Program Files\Common Files\HP\Digital Imaging\bin;C:\Program Files\HP\Digital Imaging\bin\;C:\Program Files\HP\Digital Imaging\bin\Qt\Qt 4.3.3;C:\Program Files\Intel\OpenCL SDK\2.0\bin\x86   <SYSTEM>
PATHEXT                      .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC                  <SYSTEM>
PROCESSOR_ARCHITECTURE       x86                                                                   <SYSTEM>
TEMP                         %SystemRoot%\TEMP                                                     <SYSTEM>
TMP                          %SystemRoot%\TEMP                                                     <SYSTEM>
USERNAME                     SYSTEM                                                                <SYSTEM>
windir                       %SystemRoot%                                                          <SYSTEM>
PSModulePath                 %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\                 <SYSTEM>
NUMBER_OF_PROCESSORS         4                                                                     <SYSTEM>
PROCESSOR_LEVEL              6                                                                     <SYSTEM>
PROCESSOR_IDENTIFIER         x86 Family 6 Model 42 Stepping 7, GenuineIntel                        <SYSTEM>
PROCESSOR_REVISION           2a07                                                                  <SYSTEM>
windows_tracing_logfile      C:\BVTBin\Tests\installpackage\csilogfile.log                         <SYSTEM>
windows_tracing_flags        3                                                                     <SYSTEM>
DellClientSystemUpdatePath   C:\Program Files\Dell\ClientSystemUpdate\                             <SYSTEM>
How screwed am I? Is it just a matter of reformat/reinstall, or could I have a boot virus that will persist through that?
I have Event viewer logs copied, screenshots of all this mess--I just thought I'd start with the worst because there might not be any point in bringing up the rest if it's as bad as I think it looks.
Thanks for your patience in wading through all this. I appreciate any advice y'all can give me.
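One way to make the comparisons in the post reproducible, as an added example that is not code from the original post: this PowerShell script (assumed names: Get-HostSnapshot, Get-RegistryValues, $BaselinePath) captures the same artifacts the post lists and diffs them against a baseline taken earlier, so a new startup entry, driver, shadow copy, or environment variable shows up as a line in the output rather than something to spot by eye.

```powershell
# Added example, not code from the original post. Snapshots the artifacts the
# post lists (SYSTEM/user environment variables, Run-key autostarts, running
# kernel drivers, shadow copies) and diffs them against a saved baseline, so a
# later change shows up as a concrete line instead of a vague "this looks new".
# Assumes Windows 7 with PowerShell 2.0+ from an elevated prompt; $BaselinePath
# is an assumed location.
param([string]$BaselinePath = "$env:USERPROFILE\host-baseline.xml")
# Names Get-ItemProperty adds that are not real registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RegistryValues([string]$Key, [string]$Tag) {
    if (-not (Test-Path $Key)) { return }
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($psNoise -notcontains $p.Name) { "$Tag $($p.Name)=$($p.Value)" }
    }
}

function Get-HostSnapshot {
    $items = @(
        # Stored (unexpanded) values such as %SystemRoot%\TEMP, read from the
        # keys System Properties uses: SYSTEM scope first, then the current user.
        Get-RegistryValues 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' 'Env(SYSTEM)'
        Get-RegistryValues 'HKCU:\Environment' 'Env(USER)'
        # Autostart entries for the machine and for the current user.
        foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
            Get-RegistryValues $k "Run $k"
        }
        # Kernel drivers currently loaded and running, with their image path.
        Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
            ForEach-Object { "Driver $($_.Name) $($_.PathName)" }
        # Existing shadow copies, the same set "vssadmin list shadows" reports.
        Get-WmiObject Win32_ShadowCopy |
            ForEach-Object { "ShadowCopy $($_.ID) $($_.InstallDate)" }
    )
    return ($items | Sort-Object -Unique)
}

$current = @(Get-HostSnapshot)
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) items)."
} else {
    $baseline = @(Import-Clixml -Path $BaselinePath)
    # '=>' marks items present now but not in the baseline; '<=' marks items gone.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }
}
```

Run it once from each account you care about (the HKCU entries differ per user, which is why the startup list looked different under the administrator account), then rerun after any change you are unsure about and read only the lines the diff prints.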