Botnet on my PC? How do I know?

Watching the latest Tek there was mention of botnets and such so: I have a request, my brother is convinced his PC (5 year old AMD based) was hacked and is part of a botnet, because he saw windows server 2000 installed on his W7 machine, which I then wiped for him, installed new (SSD) and W8 and sure enough windows server 2000 reappeared. He's paranoid as fk about it and won't use his PC at all.

How can I find out if his pc is in fact botnet'ed or not? A video/tutorial from the Tek crew would be great, but any info really from you Tek gods should help me on my way.

Apart from the usual virus scanning I would install wireshark and look for any suspicious network activity.

See what you started Logan? :P

Look at Task Manager and what processes are running in the background, and what services are running. Compare that to "normal" services and processes, which you can google and find a list of. Anything that sticks out or looks odd, google it. There is a good website to use for this -

Also check out this thread where I gave a step by step that I use to clean-up and de-bloatware/de-malware PCs. My post with step-by-step is about half-way down the page.

Hope it helps. BTW unplug the Ethernet and disable wireless and voilà - not on a botnet anymore. Then you can begin to scan and clean if necessary.

What do you mean windows 2000 server is installed on his machine?  As a second operating system?

How would that even be possible? Network boot?

You can dual boot windows 2000 server and windows 7/8.  I just don't know why that would be the case here?  It doesn't make sense.  I'm just trying to figure out what he is talking about when he says windows 2000 server is installed.

Yeah, I imagine a dual boot prompt comes up asking which OS to load before loading any OS. Other than that, I don't know how Windows server 2000 would be installed in a Win 7 or 8 machine unless they're using virtualization.

No, I get that. He said he wiped his hard drive, but somehow still ended up with Windows 2000 Server. 

If he only wiped the windows 7 partition? I don't know. The way he was talking about it made it sound like a program that was installed within windows 7/8, rather than a secondary operating system. That's why I was asking him to clarify. Like I said, it doesn't make sense.

tell him "pics or it never happened".

He probably just means IIS7 or something, that seems the most likely.

Guys I'm sorry was off the 'air' for a while there.

Thank you all so much for the replies.

OK to clear up some vagueness the old pc1 was rebuilt by me into pc2 ok?:

PC1, old hard drive, Win 7. Standard installation, about 6 years old. My bro let some tech goon look at his pc because one stick of ram was causing random crashes and quite honestly the pc was never right from day one. Booting to bluescreen then rebooting to windows. So my brother was trawling the windows folders and his task manager 'services' trying to find issues, and he finds windows server 200 running on the pc, something he didn't install. He (paranoia) assumed his pc was hacked and he stopped using it (loves his gaming and is currently depressed so I tried to cheer him up by helping out).

PC2: I bought a new ssd, installed fresh win7 on it and cleaned the pc components and rebuilt the pc, with the existing old hard drive as a data drive (I got rid of the windows partition and tried reabsorbing the space into one partition but it didn't work for me). Either way the old windows was obliterated right?

So I set up the pc and left him to reinstall steam etc etc.

A week later I call over and lo and behold he's not using the pc, says he found windows server 2000 on the pc again and it's running away in the background. This was disturbing to me now, how the hell did it reappear on a new ssd? There is no dual boot option btw, straight to win 7 (pro). Now he's not using the pc any more and is depressed, staying in bed all day and it's got my parents worried sick. Me too if I'm honest.

Carl Hinkel: Thank you so much, I'll go read that thread and try to work this out.

What you're saying doesn't really make sense, windows server is an operating system, it's not a program which can be installed in another version of windows. Can you find out exactly what it's called or take a screen shot or something?

I know it's a totally separate thing, what I wanted to know is if someone wanted to hijack a pc would they install server 2000 and have it running for their 'botnet' or whatever the purpose is? Or are some parts of server 2000 a part of windows 7 pro, in which case there are simply folders and perhaps processes he saw and deleted which ruined the pc in the first place.

I have collected the PC and after I rebuild it again (he bloody formatted the SSD I think, yes I know!) then I'll be able to glean more info. The poor guy is a paranoid mess right now and this is just one of the things I'm trying to do to help him snap out of it.

Oh and fyi, I actually saw with my own eyes server 2000 on the PC before I wiped the original partition out.

He didn't imagine that much!

There are no parts of server 2000 integrated into Windows 7 Pro. Server 2000 is a separate operating system, you can't run it inside Windows 7. (Yes everyone who's gonna flame me I know about Hyper V and VMware but for simplicity's sake no) What you've likely found is a program trying to disguise itself as officially from Microsoft, and "Windows Server 2000" sounds very official and important, so a noobish tech user will be afraid to mess with it.

Do a clean install of Windows 7 Pro and get some good malware protection. CCleaner, MalwareBytes, AVG, MS security essentials, they're all pretty good.

To be clear, they couldn't "convert Windows 7 into Server 2K". To do that remotely would be near impossible without very fancy enterprise hardware with complex remote management.
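
One way to run the services check suggested in this thread, looking for a service that borrows a Microsoft-sounding name, shown here as an added example that is not part of any poster's reply. The helper name, the name pattern and the flagging heuristic are assumptions made for this example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Lists running services and flags any whose name claims "Windows"/"Microsoft"
# while its binary is outside %SystemRoot% and not validly Microsoft-signed.
# Heuristic only: a flagged row is something to look up, not a verdict.

function Get-ServiceBinaryPath {            # hypothetical helper name
    param([string]$PathName)
    # PathName may be quoted and carry arguments: "C:\dir\svc.exe" -k group
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName
}

$winDir = $env:SystemRoot.TrimEnd('\') + '\'

Get-WmiObject Win32_Service |
  Where-Object { $_.State -eq 'Running' } |
  ForEach-Object {
    $path   = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $_.PathName))
    $exists = $path -and (Test-Path -LiteralPath $path)
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $claimsMs = "$($_.Name) $($_.DisplayName)" -match 'Windows|Microsoft'
    $inWinDir = $exists -and $path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    # Older PowerShell checks embedded signatures only, so catalog-signed files
    # under %SystemRoot% may show NotSigned; that is why location counts too.
    $signedMs = $sig -and ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    New-Object PSObject -Property @{
        Suspect     = [bool]($claimsMs -and -not $inWinDir -and -not $signedMs)
        Name        = $_.Name
        DisplayName = $_.DisplayName
        SigStatus   = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer      = $signer
        Path        = $path
    }
  } |
  Select-Object Suspect, Name, DisplayName, SigStatus, Signer, Path |
  Sort-Object Suspect -Descending |
  Format-Table -AutoSize -Wrap
```

Services hosted by svchost.exe all show the same binary in this listing, so it does not identify the DLL each one loads.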

Great stuff, so he wasn't totally mental, something was amiss.

OK kids, just an update.
Rebuilt PC again. Had to source an 'alternative' win8.1, because I was out of funds for a new os.
Crossfired his old Radeon HD5850 with another one, upgrading psu to 750w, few other bells and whistles. All the software referenced above, malwarebytes, Avast, ccleaner etc.
PC was a fair beast, for 4 days, when he went and started removing processes, stuff like printspoolers. FFS, he managed to break the whole thing again.
To make matters worse, in removing one of the 5850's I broke a pci-e port, it split in half and came off the mobo. Many swear words ensued.
Now I have to get another mobo and rebuild again, but this time I'm going to password lock the bios and set up a guest account for the brother, totally lock him out as it were.

It was running fine. And he broke it. If I had hair I'd have pulled it out.
Why do we help out family members when it always leads to heartache?

Thanks again for your help. I wonder can I pose one more question though.
Once I rebuild this pc, and lock him out, can anyone remote access the pc and 'hack' it again for whatever purpose?
i.e. to use their internet for free, or to use the pc to mine bitcoin, or whatever the usual reasons are for potentially hacking someone else's system. Would Avast, Malwarebytes be sufficient with windows firewall to stop any remote accessing?