Is my computer infected by malware?

Solved
By NCISabbyfan
Aug 2, 2013
  1. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Still no sign of "David" folder.

    Right click on your "David" folder, click "Properties", make sure "General" tab is selected and post a screenshot of that window.
  2. NCISabbyfan

    NCISabbyfan Newcomer, in training Topic Starter Posts: 97

    Strangely, there is no Properties option when I right click the "David" folder.
  3. Broni

    What options do you have under right click?
  4. NCISabbyfan

    Just these options:

    Open
    Explore
    Bitdefender - File Shredder
    Copy
    Create Shortcut
    Delete
  5. Broni

    Open Windows Explorer. Go to Tools>Folder Options>View tab.
    Do you have a checkmark next to "Hide protected operating system files"?
  6. NCISabbyfan

    I didn't, but I do now.

    However the engineer originally set up my computer, he didn't tick this option.

    The "David" folder is still displayed.
  7. Broni

    Please download and save Junction.zip
    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Type:
    cmd
    Click OK. Vista and 7 users hold SHIFT and CTRL keys, press Enter.
    A command prompt window will open.
    Copy and paste the following command:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    Wait until a log file opens.
    Copy and paste the log in your next reply.
  8. NCISabbyfan

    Having no luck with the Junction program. :(

    I typed in "cmd" without quotes in the Start search box, but there was no "OK" option, so I clicked enter and it took me to a command prompt window, bypassing the SHIFT and CTRL keys then Enter, which made no difference when I tried it the other way before.

    Either way, when a command prompt window opened, I tried to copy and paste the command but it required me to type it in manually, as "^V" is all that's displayed.

    I then copied the command exactly as you've listed it manually, but "junction" isn't recognized.
  9. Broni

    Did you place Junction.exe in the Windows directory (C:\Windows)?
  10. NCISabbyfan

  11. Broni

    Copy my command.

    Go Start and in "Start search" type:
    cmd
    You'll see "cmd" line at the top.
    Right click on it, click "Run as administrator".
    Command window will open.
    Right click next to the prompt line and click "Paste".
    My command should get pasted.
    Press Enter.
  12. NCISabbyfan

    Your alternative method has worked successfully this time, but unfortunately the result is the same:

    ---------------------------
    Notepad
    ---------------------------
    Cannot find the C:\Windows\system32\log.txt file.

    Do you want to create a new file?
    ---------------------------
    Yes No Cancel


    Administrator: c:\Windows\System32\cmd.exe

    Microsoft Windows (Version 6.0.6002)
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>cmd /c junction –s c:\ >log.txt&log.txt& del log.txt
    ‘junction’ is not recognized as an internal or external command,
    Operable program or batch file.

    C:\Windows\system32>_
  13. Broni

    OK, while at this prompt:
    C:\Windows\system32>
    type:
    cd..
    (that's "cd" and two "dots")
    Press Enter.
    You should be at:
    C:\Windows>
    Paste my command again and press Enter.
     
  14. NCISabbyfan

    No change after "cd" and two "dots", other than no listing of System32 at the end:

    C:\Windows\system32>cmd /c junction –s c:\ >log.txt&log.txt& del log.txt
    ‘junction’ is not recognized as an internal or external command,
    Operable program or batch file.

    C:\Windows>
  15. Broni

    You did it wrong...

    When you're at this prompt:
    C:\Windows>
    you paste my command and press Enter.

    C:\Windows>cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  16. NCISabbyfan

    I didn't do it wrong, I followed your instructions.

    The result is exactly the same, even when at the prompt C:\Windows>:

    C:\Windows>C:\Windows>cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    'C:\Windows' is not recognized as an internal or external command, operable program or batch file.
  17. Broni

    There is no "C:\Windows" in my command.
    I said when you're at C:\Windows> prompt paste my command which is:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  18. Broni

    Still with me?
  19. NCISabbyfan

    I have continued to follow your instructions exactly as you have listed them, re-checking page 3 and page 4 to double check and I have definitely done what you've asked every time, but I'm just getting the same obstruction as before:

    C:\Windows>cmd /c junction –s c:\ >log.txt&log.txt& del log.txt is what appears after I type in this, as per your instructions:

    C:\Windows\system32>cd..

    C:\Windows\system32>cmd /c junction –s c:\ >log.txt&log.txt& del log.txt
    ‘junction’ is not recognized as an internal or external command,
    Operable program or batch file.

    C:\Windows>
  20. Broni

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    junction*
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  21. NCISabbyfan

    Thanks for your update.

    This is intriguing. I have activated SystemLook, as requested, findings below, but after doing this, I tried the same thing I did originally with conflicting outcomes, the latter positive.

    First time around, when I deleted my surprise Desktop folder (which only appeared straight after I'd deleted the remaining remnants of "LogMeIn"), the vast majority of my Desktop icons vanished, which I quickly rescued from the Recycle Bin.

    However, this time around, while still being cautious, but knowing I could restore items from the Recycle Bin, if anything drastic happened again, to my surprise, besides my Desktop folder being deleted, none of my other Desktop icons have gone into the Recycle Bin. I checked the usual "Documents" directory, had a quick flick through and opened one to test that it was working, and it's working fine.

    While this is very good news, though puzzling that the Desktop icons remained intact this time around (other than the one I chose to delete - the "David" folder), I felt I should still update you on SystemLook to ensure everything's in order, in case anything remains that needs fixing, but thanks for your help with this and previously ensuring my computer is not infected with malware:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:44 on 21/08/2013 by David
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "junction*"
    C:\junction.exe --a---- 150392 bytes [14:39 07/09/2010] [17:13 07/08/2013] F1F23D4DF41C5DA5444C97781FF2CAB7
    C:\Users\David\Desktop\Junction.zip --a---- 79623 bytes [16:56 07/08/2013] [16:56 07/08/2013] 42509C552B16E06D9178DD2AEBB48795

    -= EOF =-
  22. Broni

    OK. You didn't follow my instructions. That's why the command didn't work.
    My instructions say:
    Yours is just in the C:\ directory:
    C:\junction.exe
  23. NCISabbyfan

    No. I did follow your instructions, but there was a duplicate, which I had removed before but I've found some files reinvent themselves. I didn't know this at the time. At this time, there is only one copy in C:\Windows.

    I have since deleted the "David" Desktop folder, due to finding it is now safe to do so (as none of the other Desktop icons have disappeared, unlike originally), which I sent to the Recycle Bin and erased. My standard "David" folder and documents are all intact.

    However, here are the results of SystemLook:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 08:36 on 22/08/2013 by David
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "junction*"
    C:\junction.exe --a---- 150392 bytes [14:39 07/09/2010] [07:24 22/08/2013] F1F23D4DF41C5DA5444C97781FF2CAB7
    C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\Junction.zip.lnk --a---- 428 bytes [07:22 22/08/2013] [07:35 22/08/2013] BAEDF2D524938007D432DC961535E751
    C:\Users\David\Desktop\Junction.zip --a---- 3198 bytes [16:56 07/08/2013] [07:24 22/08/2013] 78683FCFC909E490198F25418F369A08
    C:\Windows\Prefetch\JUNCTION.EXE-311EEC9C.pf --a---- 19584 bytes [07:25 22/08/2013] [07:32 22/08/2013] 939D65353DF5F708687679A2C7B6178B

    -= EOF =-
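
Added example (not part of the original thread and not written by either poster): a Python sketch that parses the result lines of a SystemLook `filefind` section and compares the two logs posted above, reporting which paths appeared, which changed in size or MD5, and whether `junction.exe` sits directly in a given directory. The field layout is inferred from the log lines in this thread, and the function names are hypothetical.

```python
import re

# Layout inferred from this thread's logs (an assumption, not a SystemLook spec):
# path, attributes, size, [created] [modified], MD5.
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-F]{32})$"
)

# Result lines copied from the two SystemLook logs posted in this thread.
LOG_21_AUG = r"""
C:\junction.exe --a---- 150392 bytes [14:39 07/09/2010] [17:13 07/08/2013] F1F23D4DF41C5DA5444C97781FF2CAB7
C:\Users\David\Desktop\Junction.zip --a---- 79623 bytes [16:56 07/08/2013] [16:56 07/08/2013] 42509C552B16E06D9178DD2AEBB48795
"""
LOG_22_AUG = r"""
C:\junction.exe --a---- 150392 bytes [14:39 07/09/2010] [07:24 22/08/2013] F1F23D4DF41C5DA5444C97781FF2CAB7
C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\Junction.zip.lnk --a---- 428 bytes [07:22 22/08/2013] [07:35 22/08/2013] BAEDF2D524938007D432DC961535E751
C:\Users\David\Desktop\Junction.zip --a---- 3198 bytes [16:56 07/08/2013] [07:24 22/08/2013] 78683FCFC909E490198F25418F369A08
C:\Windows\Prefetch\JUNCTION.EXE-311EEC9C.pf --a---- 19584 bytes [07:25 22/08/2013] [07:32 22/08/2013] 939D65353DF5F708687679A2C7B6178B
"""

def parse(log):
    """Return {lowercased path: record} for every filefind result line."""
    records = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # headers, blank lines and "-= EOF =-" do not match
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records[rec["path"].lower()] = rec  # Windows paths are case-insensitive
    return records

def diff(old, new):
    """Return (added, removed, changed); changed means size or MD5 differs."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(p for p in old.keys() & new.keys()
                     if (old[p]["size"], old[p]["md5"]) != (new[p]["size"], new[p]["md5"]))
    return added, removed, changed

def in_directory(records, name, directory):
    """True if a file called `name` is listed directly inside `directory`."""
    return directory.rstrip("\\").lower() + "\\" + name.lower() in records

if __name__ == "__main__":
    old, new = parse(LOG_21_AUG), parse(LOG_22_AUG)
    print(diff(old, new))
    print(in_directory(new, "junction.exe", "C:\\Windows"))
```
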
  24. Broni

    In that case....

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB) and install one of two free alternatives:

    - Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    - PDF-XChange Viewer: http://www.tracker-software.com/product/pdf-xchange-viewer

    ==================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  25. NCISabbyfan

    Thanks for your latest instructions. I was just about to start working my way through them when I encountered a couple of puzzlements.

    Normally, when new versions of software come out, their numbers augment, e.g. from version 1.4.1 to 1.4.7.

    Oddly, when I was about to uninstall Adobe Reader X (10.1.7) to make way for the new version, I noticed that, on Adobe's web site, they have version 10.1.4, which must be the latest version (and 10.1.1 in a sub-link), and I 'somehow' installed a new update of Audacity earlier this month, both in my Control Panel under "Programs and Features", even though I hadn't gone to the Audacity site to upgrade it.

    It sounds like my computer has been infected. I'll check with you first, just in case 10.1.7 is bogus. If you feel or know this is bogus, I'll uninstall it and replace it with 10.1.4 then follow the instructions you've given me above.

