Factory Restore

[greasydame]

On Monday all hell broke loose with my computer. Many things went wrong and I tried many things to fix them. The biggest problem I had was that I couldn't even get to my desktop. I was stuck in a rebooting loop. I used the XP CD that came with my Compaq Presario 6024US to do a this repair. Well, now I can get on my desktop but I get a lot of popups when I get on and the internet doesn't work. It says Wireless Connection Unavailable. My System Restore also doesn't work. It won't even open. These are the popups btw:

C:\PROGRA~1\COMMON~1\AOL\113917~1\ee\AOLSOF~1.EXE <In a command prompt like window

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
Validation failed for C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe. You probably are missing a necessary root certificate.

waol.exe - Bad Image
The application or DLL C:\Program Files\America Online 9.0\APPDATA.dll is not a valid Windows image. Please check this against your installation diskette.

I'm guessing that the fastest way to fix everything is to just do a factory restore. If I do the factory restore I will have to backup lots of stuff but will the issues I'm having be backed up in the files as well? I'm not sure how it works. I just don't want to backup something that will harm the newly factory restored XP.
One last thing, last month I made my old hard drive into a slave drive and added another HD that had more space. Will doing a factory restore do anything to the slave drive?

Okay, hope all this made sense. Thanks again in advance for any helpful replies.

[Shinma]

Factory restore will result in the same condition, as when you first received the computer.
Only the operating system and the default software that it was shipped with, will be running after the factory restore process.

Before starting the factory restore process,
Disconnect all HDDs except the HDD that it was shipped with.

[SirKenin]

It totally sounds like a corrupt or failing hard drive.

[Broni]

It looks like serious infection, rather.

[SirKenin]

Not really. The "popups" are error messages relating to the security software installed. waol.exe is the AOL security suite, ZL is that Zone alarm software. A computer stuck in an endless loop isn't typically viruses if a repair install fixex it enough to boot. It will, however, somewhat repair a damaged file table, rewriting the entries for the system files reinstalled.

As it doesn't rewrite ALL the entries, some of his files are still corrupt, including AOHell and ZA.

[Broni]

Well, I must disagree.
"Bad image" message usually indicates some infection, and surely it is because appdata.dll is nothing but a keylogger: http://www.threatexpert.com/files/appdata.dll.html

[greasydame]

I did the factory restore but encountered more problems. I made a seperate post for this issue here. Please check it out.

[SirKenin]

Disagreeing is fine.

I ran into this EXACT problem today. It was a Dell. Exact same in every way, including a very odd bluescreen error at bootup and "bad image" error with .DLL called by the Winlogon after two drive repairs finally got it booting.

Before AND after the repairs it would NOT boot in either Safe Mode or Normal Mode.

I did scan for infections. There were none. The drive was toast. It was a Maxtor Diamondmax 8. Done like dinner. I recovered the entire drive, dumped it on a Seagate, did a repair install and you know what? It worked like a charm.. Like nothing ever happened.

I know what I'm talking about because I do it every day of the week professionally.

[Broni]

On the other hand, I deal with computer infections 365 days a year.

[SirKenin]

Not everything is an infection (and incidentally, so do I... several times a day. Just sent three more out today. ) One of my staff thought that dell was infections, which is why it was scanned. It was clean.

edited to add:

Incidentally, we can complicate it a tad more. I've seen this happen, more times than I care to admit, particularly on forums. The eager beavers of the particular, unnamed forums (cited as "malware removal experts") would jump all over similar problems. They demanded this scan, that log, the other long list of things to do.

The poor saps would do it, ignoring the suggestion that they'd better repair their drives first. Then, the inevitable. They posted back saying the computer wouldn't boot anymore. They totalled the partition because they listened to these "experts". One poor guy even reformatted.

Knowledge is great. I respect it. But it's meaningless unless it can be applied effectively. In forums it's really hard. One doesn't have all the details. They have to be hyper-analytical and attentive. They have to read between the lines. They have to know hardware inside and out. They have to know how a computer operates right down to the hard drive itself. They have to be able to diagnose with minimal information or ask the right questions. I can do the former with ease. The latter takes a ton of practice and I've far from perfected it.

The sad reality that I found is that while they would jump to their own defense, claiming themselves "experts" and "professionals", accompanying it with this "proof" of being in business, the proof was never in the pudding. Repeatedly they screwed up. I know, I know. There are a lot of self-professed "pros" out there that don't have a clue. I know this. I have a few that call us in when they get in a pickle.

Still.. It's frustrating when I sit here and go "wow, all that could have been avoided if it wasn't for their own flawed sense of piety.".

Anyways, now you know where I'm coming from. I have no problem with people disagreeing. Go ahead. I don't make my money in forums, I make it in the real world actually fixing the problems first hand. I just have a problem when they get their heads stuck up their behinds, talking the talk yet failing to walk the walk, leading the unsuspecting to disaster because these so-called "experts" can't admit they're wrong.

Soo.. If I ever come across a bit crusty, you'll know why and be able to accept my apologies in advance.

[Broni]

I have no idea what you're trying to say, so I'll close my argument by saying this:

waol.exe - Bad Image
The application or DLL C:\Program Files\America Online 9.0\APPDATA.dll

How the computer is NOT infected, if the message points to a malicious file (APPDATA.dll) being present on the machine? It's little bit beyond my understanding, but...we learn every day.

[SirKenin]

I'd be happy to tell you.

The presence of APPDATA.DLL is only a problem depending on the directory it runs from. APPDATA.DLL is a part of the AOL Software (version 9) in this particular instance. It's a legitimate dll, running from a legitimate directory. In fact, if the .DLL is missing or damaged, as is the case here, you can download it from here.

The reason it's damaged, and supported by the evidence of a successful reinstall, is because the drive is damaged. In particular the $MFT and/or registry is corrupted and needs to be repaired before the drive and/or Windows install gets totalled. The drive should then be cloned onto a new drive, as the old one will fail again, most likely in short order.

Let's take a look at another example. &#37;ProgramFiles%\xp keylogger\data\appdata.dll

In this case, it's a keylogger and it's dangerous.

In the first example, it's version 9.0.0.xxx. The second gets detected as "Application.XP_Keylogger [PC Tools]"

If you need more info, please don't hesitate to ask.

[SirKenin]

Just as a side note, the inevitable did happen in this case as well. He posted a new thread with the "unmountable_boot_volume" error he's getting, indisputably data corruption. Please see this post for more details.

[Broni]

I can assure you, that APPDATA.dll is NOT AOL file, even if it sits in legit folder.
Surely, the only way to settle this argument would be, if greasydame uploads the file in question to http://www.virustotal.com/

[SirKenin]

Please see this thread for details confirming what I'm telling you. Also see this thread.