[Resolved] Windows 7 corrupted file

[ndeva]

I created new user account with admin right. log into it, after log a message pop out as follow: Program file\java\jre6\bin\jucheck.exe wants to make changes to hard drive. I did not allow it to preceed.

Created store point, Restore failed. check Event Viewer, error, error 46 was there but last time recorded was at 11:43pm last night, no record for current time.

[Hoov]

Go back to the other account and see when the last error 46 was on that account.

[ndeva]

on 3/12 at 11:35pm

It means has not recorded new error. Is that good?

[Hoov]

That is December 3rd at 11:35 at night, 25 minutes to midnight. That means the problem is still there.

I would like you to run a scan we normally reserve for malware, but it will give me a lot of information about your system all at once.

We need to see some information about what is happening in your machine.  Please perform the following scan:

• Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • DDS.scr
    
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Please copy and paste both logs into your next response. You may need more than one response.
• Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet. 

Information on A/V control HERE

[ndeva]

I have downloaded the program and run it. I only see a notpad open with long strange text in it. Is that what you after? I do not see any small box regarding the tool.

[ndeva]

Here is the first part notepad file.

[ndeva]

Here is second part.

[ndeva]

Here is the third part.

[Hoov]

The log should have been in standard text.

Try running it again. If you get a log that is text, please copy and paste it into the reply. It may take two posts to post it all. If it is still in code, I will move this thread to the malware removal board and we can start checking your computer for malware. The results you posted are not correct and while it sometimes can happen, it is usually indicative of some kind of malware.

[ndeva]

I did disable both antivirus, Fire wall and rerun the program with no success.

[Hoov]

OK, lets make sure that you have no malware on your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot''s Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes'' Anti-Malware
  
• Launch Malwarebytes'' Anti-Malware

• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click ''Show Results'' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM''s database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

[ndeva]

Here is the log file:
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
http://www.malwarebytes.org

Database version: v2012.12.10.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nader :: NLTOP [administrator]

Protection: Enabled

10/12/2012 10:39:41 PM
mbam-log-2012-12-10 (22-39-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 297154
Time elapsed: 14 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A08C6464-8102-465D-BB4B-3C1458E7F57F} (Trojan.BHO) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A08C6464-8102-465D-BB4B-3C1458E7F57F} (Trojan.BHO) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Nader\AppData\Local\Temp\~osD375.tmp\rlvknlg.exe (PUP.Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Users\Nader\AppData\Local\Temp\~osD375.tmp\rlvknlg64.exe (PUP.Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{22116563-108C-42C0-A7CE-60161B75E508}.JOB (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)

[Hoov]

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix''s window while it''s running. That may cause it to stall

[ndeva]

What is your underestanding of previous scan? What you are after by scanning using new tool? All Maleware were removed and fixed by previous sacan?

[Hoov]

Mbam saw this, Trojan.FakeAlert. Sometimes that is indicitive of a nastier infection. Have you ever heard of people that get popups that tell them they have infections and you need to click here to remove the infections, and then thier computer really starts having problems? It is related to those. But another reason to run combofix is one thing it does it scan system files and checks them with thier signatures. If it finds a problem, it will replace the file. With the problem you saw originally, with sfc saying it found a bad file but then never listed one, this may be able to find that problem.