
"Critical Error" message and "My Documents" deleted!


3 replies to this topic

#1 pward33


Posted 12 December 2010 - 09:45 AM

Hi, I don't know where to post this topic because I don't know whether this is a hardware problem, a virus problem or anything else.

Replies in layman's language please - complete technophobe here :-)

Recently, whenever I went online I always got a message saying AdAware had detected a malicious operation but that it would be removed at the end of its scan. Last night I ran AdAware and AVG scans which deleted a lot of infected files and the machine worked fine.

I also always get two error messages (well, over the past few weeks anyway) saying Error loading C:\windows\nutmutl.dll The Specified Module Could not be Found and the same for C:\windows\efuxazez.dll. How on earth is the layman supposed to know what this means????

The above might be coincidence but today I got a couple of brief error messages that disappeared before I could write them down, one saying there was little disk space, the other saying it couldn't find the hard drive. I went to My Docs on the hard drive to delete some stuff, only to find the entire contents gone except the Programs folder. Clicking this, however, produces an error message saying the folder "refers to a location that is not available."

I now get every few seconds a message saying "Critical Error - Damaged Hard Drive clusters detected. Private data is at risk." As I type I have had another message saying I have low disk space (not true now by the way!) and another saying "Windows No Disk": Exception Processing Message 0x0000013 Parameters 0x759A023C 0X84C3CAA4 0X759A023C 0x759A023C.

I should point out I do not have any Windows disks - I got this machine second hand from an office, so I really am panicking here. The loss of this PC would be a disaster. PLEASE HELP!!!!! Many thanks

PS! I have just re-booted and the Critical Error Message has just been replaced with another saying: "Windows can't find hard disk space. Hard Drive Error." Eek.....

Edited by hamluis, 12 December 2010 - 10:30 AM.
Moved from XP to Am I Infected ~ Hamluis.




#2 AustrAlien


Posted 12 December 2010 - 11:18 PM

Don't panic: Your computer has been infected with a fake computer optimization and analysis program that displays false information so that it can scare you into thinking that there is something wrong with your computer. You have posted in the right place.

I can't be sure which of the several possibilities it may be, so I'll have to leave the task of identifying it to you, but "HDD Rescue" is one of the possible culprits. See the following link:
Remove HDD Rescue (Uninstall Guide)

Have a look at the following link:
Virus, Spyware, & Malware Removal Guides

If you cannot see the name of the malware (infection) that you have there, enter the exact name in the search box under "Search Guides", on the right-hand side of the page, and search for the appropriate removal guide.

Let us know if you don't have any luck with finding a guide that matches your infection.

If you do find the appropriate guide, follow the instructions closely. Ensure that you do update the MBAM (Malwarebytes Antimalware) database definitions before scanning.

The MBAM log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Please post the log and let us know how the system is running now.

Edit: Welcome to the BC forums.

Edited by AustrAlien, 12 December 2010 - 11:23 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#3 pward33


Posted 14 December 2010 - 10:52 AM

Hi there,

Thanks a million AustrAlien, you have no idea what a relief it was to learn it was "just" a virus! Bastards!! I much appreciate that you took the time to help. The odd thing is that at no stage have I been prompted to buy software - yet!

OK, an update. The good news is that RKill stops the malware in its tracks and my folders are indeed intact! The bad news is that the Malware procedure didn't get rid of it and it was back when I rebooted until I ran RKill again. I have pasted the logs of both RKill and Malware below in the hope that you might have further suggestions if you have the time? Thanks in advance!!

Processes terminated by Rkill or while it was running:

C:\DOCUME~1\NEWOWN~1\LOCALS~1\Temp\wJjtFlFIvu.exe
C:\Documents and Settings\New Owner\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\New Owner\Desktop\rkill.com

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

14/12/2010 15:36:49
mbam-log-2010-12-14 (15-36-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 208981
Time elapsed: 30 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{075AE5E2-D8CD-D79F-2206-849795CDBB1F} (Trojan.ZbotR.Gen) -> Value: {075AE5E2-D8CD-D79F-2206-849795CDBB1F} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\new owner\application data\Adobe\plugs\kb56074843.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\new owner\application data\Uxaqs\emnyu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
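
A small triage script for logs in the layout pward33 posted above, added here as an example and not part of the original thread. It splits a Malwarebytes 1.x text log into structured detections and flags autorun registry values, executables in user-writable folders, and items that were not removed. The function names `parse_mbam_log` and `triage` are hypothetical, and the sample log (including its "No action taken" line) is constructed with placeholder names.

```python
import re

# Constructed sample in the MBAM 1.50 layout; names and paths are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50
Database version: 5214
Windows 5.1.2600 Service Pack 2
Files Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{EXAMPLE-GUID} (Trojan.Example) -> Value: {EXAMPLE-GUID} -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\user\application data\example\sample.exe (Trojan.Example) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\sample2.exe (Trojan.Example) -> No action taken.
"""

SECTION = re.compile(r"^(.+) Infected:$")          # detail heading, no count after it
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(application data|local settings\\temp)\\", re.I)

def parse_mbam_log(text):
    header, items, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        heading = SECTION.match(line)
        if heading:
            section = heading.group(1)
        elif line.startswith("Database version:"):
            header["database"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows "):
            header["os"] = line
        elif section and (m := ITEM.match(line)):
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "path": m.group("path"),
                          "detection": m.group("name"), "action": action})
    return header, items

def triage(items):
    notes = []
    for it in items:
        if AUTORUN.search(it["path"]):
            notes.append(("autorun", it["path"]))        # launched at every logon
        if USER_WRITABLE.search(it["path"]):
            notes.append(("user-writable", it["path"]))  # folder the user account can write to
        if "successfully" not in it["action"]:
            notes.append(("not-removed", it["path"]))    # detection left in place
    return notes
```

An autorun value that points into a user-writable folder is the combination to recheck after the next reboot, since either one surviving the scan brings the program back.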

#4 AustrAlien


Posted 14 December 2010 - 09:27 PM

This might take more than one attempt. Try the following and see if it makes an impression:

Step 1: Run rkill and then download SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Run rkill

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Step 2: Run MBAM (Malwarebytes Anti-malware) like this:
  • With Windows booted normally (NOT in Safe Mode), open MBAM and click the Update tab and then Check for Updates.
  • When updating is complete, click the Scanner tab and select Perform quick scan and then click Scan.
  • When the scan has completed, if anything is found in the Results, choose Remove Selected.
  • Then post the contents of the log when it is displayed.
  • Now reboot Windows normally (NOT into Safe Mode). <<< Important

Please ask any questions, post the logs and let us know how the PC is running now.
What was the exact name of this malware, and which guide did you follow?

Edited by AustrAlien, 14 December 2010 - 09:50 PM.




