XP Pro Directory Files corrupted by ERUNT


This topic is locked
10 replies to this topic

#1 Explore100 (Members, 64 posts)

Posted 08 August 2012 - 07:24 PM

Hi,

I am new and glad I found this website, as it seems to have a lot of knowledgeable people.

I have a Dell Precision M6300 with Windows XP Professional 32-bit that I mainly use to do 3D CAD design with Rhino 3D and photo editing with Gimp.
Unfortunately my computer came with Windows XP Pro pre-installed, so there was no XP Pro CD coming along with it... (it's a refurbished computer, I got it from a third party dealer). Also, to make things more complicated, my DVD reader-burner has no longer been working for more than a year. It's a Sony, and apparently I am not the only one who had problems with that Sony disk player-burner. So that means that if I wanted to wipe my hard disk and reinstall Windows XP from scratch, I cannot, unless I bought an external CD reader (but I am not entirely sure it would work yet... haven't tested that, as I have not been able to make a Microsoft plug and play mouse work on my machine, but strangely it works on the little inexpensive computer of my wife, which is one of those new little 10 inch machines) (and Microsoft's solution seemed too risky for me to take, as it involved disabling the touch pad, which means that if it failed I would have nothing left to access my computer with...). Strangely, the computer detects the Sony DVD drive and does not detect anything wrong, but it just won't open, and a DVD got stuck inside it over a year ago, which forced me to dismantle the machine and the drive to remove it manually. I reassembled everything and it has been working normally ever since (except for the Sony DVD player, which is still out of function) until I had the following problems:

The computer now has serious trouble that started just after I installed and tested ERUNT. Here is what happened:

For a period of 1 month or so, I had big problems with the Sirefef virus. I was finally able to get rid of the last component of Sirefef when I used about 4 of the 6 or 7 tools which I initially found here. Prior to this, Sirefef had slowed down my machine and generated a lot of alerts almost all the time about my Avast antivirus stopping various viruses or websites, but it was never able to catch and destroy them (Avast customer service was of no help at all and I had to find the solution entirely by myself; they just didn't seem to care, which is a shame). Because my system was not the Windows 7 or Vista given as an example on the forum explaining how to get rid of Sirefef, the instructions did not match most of what I saw on screen for my machine, but luckily the virus removal tools worked and went into action correctly, and they caught one last component of the virus. The computer has been working normally ever since and I re-installed Avast.
(With the exception of my Firewall: the Sirefef virus disabled it and it has been impossible to access it ever since, even after I removed Sirefef; I don't know how to remedy this.)

However, I had saved some of my data on an external hard drive during the period when I had the virus (but didn't know yet it was Sirefef at the time). So after I got rid of Sirefef on my computer, I decided it would be a good idea to scan my external drive as well to avoid contamination. I tried to run the Sirefef removal tools in the same safe mode as I had before on my computer's drive, and with the external disk connected to my machine, but they didn't seem to find my external drive and instead they scanned my computer's hard disk again. So I tried a different approach, and I am not sure if those tools were designed to be used that way: I directly scanned the external disk with those tools (not in safe mode). The tools didn't seem to find anything.

So I decided it would be a good idea to try Erunt, to make a copy of my directory just in case I had some future trouble with another virus as nasty as Sirefef.

I clicked and installed it, and when the moment came to click where to install the copy of my Windows Directory files, I did not click save because I was not sure where it was going to send this copy and I was afraid I would not be able to find it, as I had not created any special file for it that I could recognize easily.

I don't remember why I ran Erunt a 2nd time, and again it asked me to save the copy; again I didn't click save because I didn't feel safe about saving the copy where I may not be able to find it, but I may have done something wrong, because the next thing I know:

My computer is now taking a very long time to boot up.

My Avast and Malwarebytes software cannot be opened or used anymore; I cannot reinstall Avast either.

I cannot move or drag and drop any of my icons or documents.

And, MAJOR CATASTROPHE, my Internet Explorer is down, my internet access icons on the lower right hand corner are also totally gone and I cannot go on the internet anymore! Worse, I cannot even use MY MAIN TOOL, Rhino 3D, anymore, because it says it cannot access the license manager... so I cannot do any of my work... (thankfully I had previously saved my most recent 3D files on an external drive, because now none of them can be opened on my computer).

MAJOR headache, because this computer and 3D software are going to become my main source of income for the future (on an extremely small budget), and I was close to completing a new 3D model to send it to RP to show to potential clients when the problem started (I had just changed to all numeric design after 15 years of building things the hard way, with manual tools, at home).

I have tried 'Undo Changes Made To Your Computer' almost right away; it is totally inaccessible... 'Search' is also not working... 'Go back to last good configuration' also just sends me back to the same situation I am in right now (no change)... and Repair Mode gave no result when I booted up in Safe Mode.

ALL or most of my commercial software like Rhino 3D, Avast, and so on no longer works, but several of my GNU programs such as Gimp and Blender still open and seem to work, though some others have problems.

I also cannot click open any of my photos; I have to right click and get the 'open with software so and so' command to open them with the picture viewer individually with this method, which is extremely painstaking.

I also cannot open ANY of the webpages I had saved on my computer and I cannot save any of them to my external drive or a USB key......

I also cannot save to my external drive any of the movies I have on my computer (including .FLV format, which is GNU licensed...). I have also lost sound on all my video files.

Basically the only thing I can do is type this in Wordpad, look at my pictures with the method mentioned above, work in Gimp, and erase files.

My suspicion is that Erunt somehow overwrote my Directory file once or even twice, as I found a lot of red dot with a white X 'error' messages in the event viewer, but I cannot locate where exactly the unwanted copies are or HOW to get rid of them without damaging my system any further.

So I would need a step by step method for someone who is not a tech expert; I've just been using Windows for 2 years and I have well below average knowledge of what to do when problems like this occur. I have also never reinstalled Windows XP or any OS on computers before. I would prefer a solution where I could remove the corrupting files manually and repair my Directory files in a safe manner, or use software that could do this for me, or a combination of both (I don't know any specifically and I don't really trust any of the supposedly free software like PC Cleaners and Speedy Computer that ask you to register after you do the scan and then ask you to pay for a full version to repair your Directory (I doubt I could even do that because I would have to go online to register them; I have installed them, but since I cannot get a connection now, I doubt I can get them to work even if I pay for them or got the registration key)).

Could someone please help me find a resolution to this problem?
Thank you so much in advance.

Edited by Explore100, 08 August 2012 - 07:28 PM.


#2 James Litten (BC Advisor, 1,917 posts, New Jersey)

Posted 08 August 2012 - 08:09 PM

Hi

It really sounds like the computer still has malware on it. I recommend that you follow the instructions here...
http://www.bleepingcomputer.com/forums/topic34773.html

After you go through the malware cleaning process and are sure that the computer is clean, come back to this subforum and we will help you with any problems that still exist.

James

#3 rotor123 (Moderator, 7,779 posts, New Jersey)

Posted 09 August 2012 - 03:52 PM

Erunt is used and recommended here for registry backup because it is reliable and cannot cause the problem you are seeing.

I go along with James. You have suffered a recurrence of Malware. After you have followed the directions in James's link, please post back here that it has been done.

I have an aversion to software that says free and then wants money to fix a problem. Not to mention they wouldn't help with your problem.

Explore100 wrote:
    software like PC Cleaners and Speedy Computer that ask you to register after you do the scan and then ask you to pay for a full version to repair your Directory (I doubt I could even do that because I would have to go online to register them; I have installed them, but since I cannot get a connection now, I doubt I can get them to work even if I pay for them or got the registration key).


Thanks
Roger

P.S. Staff member AustrAlien's guide to the use of Erunt, for reference.

Backup the Windows system registry with ERUNT

  • If you are using ERUNT on a Vista or Windows 7 system:
  • And ... if UAC (User Account Control) is enabled on the Windows system (as it is by default):
    • When installing ERUNT, ensure that the AutoBackup option is UN-checked!
    • Run ERUNT (or ERDNT.exe) using right-click > Run as Administrator
      Note: Backups will not be automatically created daily. Instead you will need to create them manually by running ERUNT.

Download ERUNT (The Emergency Recovery Utility NT) to the computer.
  • There are two versions to choose from:
    • Installer file (Download Now)
      • Run (double-click) the installer file to install ERUNT on the system.
      • Run ERUNT using the shortcut that will have been created on the Desktop.
      • Follow the prompts, leaving all settings in their default configuration.
    • Zipped file (Download .ZIP)
      • Unzip/Extract the .zip file to a folder in the location of your choice.
        Read the README.TXT file for full instructions and more information.
      • Run (double-click) the contained ERUNT.EXE file to backup the registry.
      • Follow the prompts, leaving all settings in their default configuration.
------------------------------
Note: To restore the Windows registry using ERUNT backups:
  • Navigate to the ERDNT folder created to house the registry backups:
    C:\Windows\ERDNT <<< folder
  • Inside the ERDNT folder you may find other folders labelled by date (manual backups, if any).
  • The AutoBackup folder contains dated folders with registry backups created automatically by ERUNT each day the computer is started.
  • The location might look something like this:
    C:\WINDOWS\ERDNT\AutoBackup\25-07-2012 <<< folder
  • Locate the backup (by date) that you wish to use and then run (double-click) ERDNT.exe within that same backup folder, and follow the prompts.


Edited by rotor123, 09 August 2012 - 03:59 PM.
Spelling and Additional content


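The restore note in the guide above describes where ERUNT keeps its backups (dated folders under C:\Windows\ERDNT, daily ones under ERDNT\AutoBackup, each with its own ERDNT.exe). The following helper, added here as an example and not part of the guide or of ERUNT itself, walks that layout, reports which backups still have their restorer and picks the newest usable one; the DD-MM-YYYY folder-name format is an assumption taken from the guide's "25-07-2012" example, and the sample tree it builds is constructed in a temp directory, not read from a real system.

```python
import os
import re
import tempfile
from datetime import datetime

# Folder-name format assumed from the guide's "25-07-2012" example (DD-MM-YYYY).
DATE_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4})$")


def parse_backup_date(folder_name):
    """Return a datetime for a DD-MM-YYYY folder name, or None if it is not one."""
    m = DATE_RE.match(folder_name)
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    try:
        return datetime(year, month, day)
    except ValueError:  # e.g. 31-02-2012 is not a real date, so not a backup
        return None


def has_restorer(folder):
    """True if the folder holds ERDNT.exe (case-insensitive, as on NTFS)."""
    return any(n.lower() == "erdnt.exe" for n in os.listdir(folder))


def find_erunt_backups(erdnt_root):
    """List ERUNT backups under erdnt_root as dicts, newest first.

    Manual backups sit directly under ERDNT, daily ones under ERDNT\\AutoBackup.
    Folders whose name is not a date (e.g. AutoBackup itself) are skipped.
    """
    candidates = []
    for name in sorted(os.listdir(erdnt_root)):
        path = os.path.join(erdnt_root, name)
        if not os.path.isdir(path):
            continue
        if name.lower() == "autobackup":
            for sub in sorted(os.listdir(path)):
                sub_path = os.path.join(path, sub)
                if os.path.isdir(sub_path):
                    candidates.append(("auto", sub, sub_path))
        else:
            candidates.append(("manual", name, path))

    backups = []
    for kind, name, path in candidates:
        date = parse_backup_date(name)
        if date is None:
            continue
        backups.append({"kind": kind, "date": date, "path": path,
                        "restorable": has_restorer(path)})
    backups.sort(key=lambda b: b["date"], reverse=True)
    return backups


def latest_restorable_backup(erdnt_root):
    """Path of the newest backup folder that still contains ERDNT.exe, or None."""
    for b in find_erunt_backups(erdnt_root):
        if b["restorable"]:
            return b["path"]
    return None


def build_sample_tree():
    """Create a constructed ERDNT tree in a temp dir and return its root."""
    root = os.path.join(tempfile.mkdtemp(), "ERDNT")
    layout = {
        "25-07-2012": True,                               # manual backup, complete
        os.path.join("AutoBackup", "08-08-2012"): True,   # daily backup, complete
        os.path.join("AutoBackup", "09-08-2012"): False,  # restorer missing
        os.path.join("AutoBackup", "Thumbs"): True,       # not a dated folder
    }
    for rel, with_exe in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        if with_exe:
            open(os.path.join(folder, "ERDNT.EXE"), "w").close()
    return root
```

Point `find_erunt_backups` at a real C:\Windows\ERDNT folder to see the same report for an actual machine.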

#4 Explore100 (Topic Starter, Members, 64 posts)

Posted 09 August 2012 - 05:52 PM

James Litten wrote:
    Hi

    It really sounds like the computer still has malware on it. I recommend that you follow the instructions here...
    http://www.bleepingcomputer.com/forums/topic34773.html

    After you go through the malware cleaning process and are sure that the computer is clean, come back to this subforum and we will help you with any problems that still exist.

    James

Hi James,

Thank you! I will try that. I will also post screen saves of what I found in the event viewer and so on; there are tons of error marks that appeared at the exact time I either ran my scan test attempt on my external drive or when I used Erunt. Not sure which one, as I am not familiar with all the error codes indicated there, so I will post them here to give better information.

Thanks Roger, I will copy that too.

I forgot to mention that I also did a scan with an extra tool from Avast that is supposed to be specially created to scan for things like Sirefef when your computer is frozen and can only be opened in safe mode, per the instructions I found here when I initially removed that last (?) Sirefef component. Ironically Avast never let me know about the existence of that tool when I emailed them for help several times, and I found it here instead. That Avast tool did not find anything during my most recent scan (before I posted here). I'll follow the instructions of James and come back with the results I find.

Edited by Explore100, 09 August 2012 - 05:57 PM.


#5 hamluis (Moderator, 44,267 posts, Killeen, TX)

Posted 09 August 2012 - 08:29 PM

Please...post the requested logs (per Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html ) in the malware forum reflecting the Prep Guide.

Do not post any additional logs, unless they are requested as an aid by forum personnel.

The requested logs are not to be posted in this forum...you will see that as you read/follow the Prep Guide.

Once your malware topic is properly initiated...this topic will be closed.

Louis

#6 Explore100 (Topic Starter, Members, 64 posts)

Posted 10 August 2012 - 10:42 PM

I've run many of the tools and followed many of the steps that were provided here, mostly to no avail.

I did re-run the whole Sirefef removal routine provided here on one of the threads. This was done in safe mode with command prompt.

I tried reinstalling MBAM; it was a failure both times... I got a message that says runtime error '372', 'failed to load control vbalsgrid.oex from vbalsgrid.eox mbam.sys'. I've saved a print screen of this and several other error messages from my system and software.

First I ran FRST and aswMBR in safe mode with no result, except for 2 files listed as 'suspicious' by aswMBR; one was a .SYS file and another one a .dll.dll. I had a look at one of these (the .SYS file, I think) in the WIN32 folder and it seems to be totally unrelated to my current problems: it's been there on the computer since before I bought it in 2010, when it worked perfectly, so, not a virus.

TDSSKiller finds nothing and scans very fast.

I tried to install and run COMBOFIX twice from my USB drive to my computer; it promptly deleted itself from my USB drive TWICE!!! I clicked on it when it said 'Click yes to run in a reduced capacity' and that's when it vanished. It also sent me a message according to which it says it is 'expired' (is it one of those trial programs that expires after 14 days...? When I initially ran it the first time when I was removing Sirefef, I think it was the one that succeeded in removing the last component of Sirefef from my computer). In any case, now it does not work at all.... I will try to re-download it and try again, but I guess if it catches the username of my wife's computer like it did the last time (if this is a 14 or 30 day trial) then I guess it will kick itself out again from my USB key... VERY frustrating......



I then tried the instructions indicated in the answer to my post:

I did not try Cobian Backup or Drive Image XML because I have already backed up 98% of what I've got on my computer earlier on an external disk on a regular basis. The only things I wasn't able to save were the components of XP Pro that are used by the system and that cannot be copied... (I don't know if Cobian or Drive Image or Erunt might be able to save these? Can anyone enlighten me on this?).

I did not try to enable a Firewall yet; I still have to try that one, but mine being inaccessible and offline, I don't know how to do that.

I did not try to run DeFogger because I don't have any of the CD emulation programs listed in the tutorial and doubt I have any others.

I ran DDS and GMER; I have logs for the first one as well as for aswMBR and another one. I've just re-re-run GMER as I was not able to copy and paste any of the results from the long scans the 1st time; now I've got it too. OK, I just noticed I forgot to uncheck 1 setting in GMER; I'll re-run it & post the log requested per the instructions.

Before I forget, here is one Windows component I may have erased accidentally before the whole trouble started; could this explain why I ran into major trouble when I tried to run ERUNT? Because I am getting this error message each time I open my computer and after my desktop icons appear:

[screenshot not preserved]

I think I erased it from the Temporary files, not 100% sure, but it seems to be from there; I can't remember why though, maybe because I thought it was suspicious when I first saw it.

I'm also getting this now; I don't remember getting it before the ERUNT run froze so many of my functions and programs on my computer:

[screenshot not preserved]

I get this when I try to re-install Malwarebytes:

[screenshot not preserved]

And this message appears, just before Combofix deletes itself from my USB key each time I try to run the full scan and fix operation:

[screenshot not preserved]

When I click Fix Avast nothing happens; it remains disabled unless I use SAFE boot-up mode, and then it does not find anything. Boot time scans cannot be scheduled either; I tried different ways (a boot time scan is usually the ultimate solution they gave me at Avast in case all things fail, either that or install Malwarebytes, which now also cannot be accessed after reinstall).

[screenshot not preserved]

The message I get when I try to program a custom scan (I can adjust their settings but they immediately go back to their previous neutral settings after I leave the custom scan window). The other scan icons on the left are disabled and cannot be used..

[screenshot not preserved]

These are the only possible suspicious files that aswMBR found (the Avast tool that I found here on the Sirefef virus thread). No idea if these are positives or false alarms, but based on the checking I did a couple of days ago when I found them, I saw that at least one of those files, if not both, were created on my computer before I bought my computer (in 2010), so I suspect they are not virus components, because my computer was fine until I got the Sirefef virus from a Russian website this summer (I know the exact site) and since I ran ERUNT on my machine in August.

[screenshot not preserved]

These are things I found on my own a few days ago while looking for a possible source of the problem. Since I don't know what the error codes mean, maybe someone here could deduce something from these? They all appeared after the ERUNT run that resulted in many of my computer functions and commercial licensed programs ceasing to function:

[six screenshots of Event Viewer entries not preserved]

I am sorry for posting all 6 of these, but I am totally at a loss at what to do now, and these might contain clues about what happened right after I ran ERUNT on my computer. I will not post the whole list as it was too long, so I only posted the beginning and the end of the couple of sectors where I found these. I am now ready to post the results of the scans I got from the tools I was told to use here in the tutorials, in the other thread section the moderator mentioned above. If anyone's got a clue of what to do next, please, by all means. I thank you a million times in advance.

Edited by Explore100, 11 August 2012 - 08:25 PM.


#7 Explore100 (Topic Starter, Members, 64 posts)

Posted 11 August 2012 - 07:14 PM

After all that I tried above failed, except for the scans to generate logs and the short aswMBR list of a couple of possible (false?) suspicious files found, I tried the following:

I was finally able to run a scan with Avast in SAFE mode, but it did not find anything. However, it is totally unable to program boot time scans; I tried to program a custom scan, as it was the only one that seemed to be programmable at this point, but the settings I chose self-disable themselves right away. The software also refuses its own 'repair' mode. I uninstalled Malwarebytes in SAFE mode and reinstalled it, to no avail; it still cannot be opened and still gives me the same error message as before.

I also tried to install Combofix in safe mode again, and it started to scan, then told me again it is working in reduced mode because it is not up to date; I clicked accept and it quickly deleted itself for the 3rd time from my USB key....

I really need quick help here; anything you think I can do, please let me know. I feel I have already tried everything I could do based on the tutorials, and without this computer I cannot earn my living (unfortunately we have no budget to buy another one; I don't even think we can buy an XP Pro software disk to reinstall everything, as our budget is already too tight, my wife and I). So has anyone got a good idea? Can I post my log results in the other section indicated above? I really want to find a solution.

Edited by Explore100, 11 August 2012 - 08:28 PM.


#8 boopme (Global Moderator, 62,925 posts, NJ USA)

Posted 11 August 2012 - 08:24 PM

Please repost this with a DDS log if possible in a new topic.

We need a deeper look. Please go here....Preparation Guide.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.

#9 Explore100 (Topic Starter, Members, 64 posts)

Posted 11 August 2012 - 09:20 PM

Thank you so much Boopme!

I will do that; I was also looking at the virus help section, interesting stuff.

#10 Explore100 (Topic Starter, Members, 64 posts)

Posted 12 August 2012 - 09:18 PM

Hi Boopme!

I have posted all the information and my DDS and GMER logs here:

http://www.bleepingcomputer.com/forums/topic464964.html

Neat system! I was able to upload all my log results without a hitch.

I was also finally able to run ComboFix after I uploaded a fresh version of it last night. It was a partial success only; the only thing it did was remove 5 Gigs of what I suppose was useless (?) data in the Temp files. I was surprised at the quantity of material it erased; the only bad thing is that it erased all my Google Earth kmz files... but they can be replaced, so no big damage there.

However, it was not able to run the true deep scan for malware because it said I don't have the Recovery Console installed in my Windows XP.

Thank you again in advance for your help!

Edited by Explore100, 12 August 2012 - 09:20 PM.


#11 boopme (Global Moderator, 62,925 posts, NJ USA)

Posted 12 August 2012 - 09:52 PM

You're welcome, please stop running ComboFix.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.