Solved C:\CI.dll Corrupt file crash - help!

[Rakdos]

Hi guys,

this morning while torrenting some stuff I got a virus (I immagine) that instantly restarted my computer and I got an unusual "loading files" message ... it then proceeded into an endless loop of startup repair that fails... and then I have to shutdown and it all starts again.

When i check the results of the failed scan i discovered that the corrupt file is
C:\CI.dll
So I've been searching all over for something to solve it, but unluckily I don't have a Win7 CD to install (came with the computer already installed) and I haven't backed up any of my files

I've already tried various things such as disabling restart from the advanced boot menu, the Sfc /scannow, infinite loop repair, System restore to an earlier point, system image recovery, windows memory diagnostics, chkdsk, various command prompt methods...

I'm about to try to use a pre boot avira antivir cd, to see if that works.
Basically I want to reinstall windows without loosing any of my files (Untill now the only decent method i've found to give a try is taking out the HD and putting it on another computer to copy the files then reinstall Windows 7 from System recovery Options) ...what do you think I should do?

Some other questions:
Can i move my HD to a mac? I have no other computers accessible right now...
The Reinstall Windows option from recovery tools, will it delete all of my files?

The affected computer is an MSI GX740
- Windows 7 64bit
- Intel i5 430 2.23ghz Cpu
- 4GB Ram
- 320GB hard drive
- Ati Radeon HD 5870 Gpu

I'll give further specs if needed.
Thanks in advance

 

[Rakdos]

Anyone :s ?

 

[SIW2]

ci.dll corrupt

Boot Critical File


Computer won't restart: "Root cause found: Boot critical file D:\CI.dl

 

[Rakdos]

Hi SIW2,

I've already read all of those topics, tried the answers you and others provided, but none of them have worked, as i've written in my original post. (The problem isnt updates either)
I'll check out the Macrium reflect and puppy linux now..

 

[SIW2]

Did you manage to run avira and get it to clean up the infection?

First try replacing the corrupt ci.dll - using a boot cd of some kind.

If that doesn't do it:

If you are able to start your built in oem recovery program - there should be an option there which allows you to copy important data to another location - before it reimages the pc.

The reimaging will overwrite at least the windows partition.

 

[Rakdos]

I have managed successfully to boot up with Avira, and to scan, but i met some other issues, where it results in an [archive scan abort] on the trojan, and doesnt solve anything. Additionally, when I save the logs, and as instructed am told to restart, it wipes the logs and nothing changes.

I just replaced the ci.dll file that i just downloaded, and it didnt change anything - still can't boot.

I do have access to the System recovery options, the screen is like http://4.bp.blogspot.com/_8qMdy9GxQw8/TRx4hoVAF5I/AAAAAAAAAec/zSoV4pysBRE/s1600/8.jpg with an added Reinstall OS at the end as an additional option.

What would you have me do exactly?

 

[questluv21]

Hi all,

Don't mean to hijack this thread by any means, but my recent problems sound identical.

Rakdos: have you tried hitting F8 when the machine starts and selecting 'disable driver signature enforcement'? I tried it in on a whim when nothing else would work and much to my surprise, my machine booted up perfectly.

I too suspect that my problems stem from a virus, as malwarebytes and the other virus scans I ran caught a few things once I finally got it booted.

However, once I ran those, I re-booted again and the startup repair loop was back. I had to choose 'disable driver signature enforcement' again. Once booted, I scanned for viruses and found nothing. I'm still getting google search redirects though, so I know it's not totally gone.

Is it possible that even if the virus is eradicated, the ci.dll file (or whatever causes the startup repair loop) is still damaged? Any ideas on how to get the computer to boot normally again?

 

[qzart]

You have a Virus

The process is pretty easy.
Pull your hard drive and attach to a working computer via USB or other method.
Download TDSSKiller.exe. from How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

scan your system and remove the reported virus.

Reattach your drive. boot and do a full system virus scan

 

[fedupwith7]

I had this happen yesterday and I am giving you the benefit of over 8 hours of time wasting. it was on a laptop so I did not have a windows disk, just a recovery partition. I did have a boot disk, though.

Mine was definitely a trojan infection of the root files- as described above...

System Restore will not work, nor will using an image, or even recovery disks.

1 this is not due to a faulty ci.dll file. The Ci.dll will not work if other files are corrupt or missing. This is a red herring - replacing the ci.dll file will not help. If you try to boot the system with a boot disc you will find it tells you the ci.dll file on the Boot Disk is faulty!

2 Forget about doing anything with command prompt (DOS) When I tried it the sfc /scan... commands failed every time and I could only navigate to X:\ It would not recognize any other drive. This is because the trojan affects the headers of the various disc drives.

3 Some people recommend downloading iso versions of Avira, Trinity and other boot up virus killers. These will not work as most of them need an internet access to update once they are running and as your PC is almost bereft of life they can't get a connection!
Avira did find the problem after over an hour of scanning, but could not fix it.

If you have this problem, it is probably due to the rootkit Trojan as described above. if you have not downloaded anything from the net (or opened a compressed file - .rar etc) just prior to this happening, you might have a different cause - some people say this happens after critical updates from MS (!?)

Luckily, I have a remote USB drive caddy case (£3 on ebay). I removed the SATA drive from the laptop and connected it to an XP machine and ran the software How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

This did not seem to have an option to scan remote drives, only C, but it did report finding the trojan and by clicking on "cure" it removed it

However, when I put it back in the laptop I got the looping Startup Repair again!.

I removed all my files by using the caddy, replaced the drive in the laptop and did a Factory Reset.

You may find a different virus killer may repair the root so you don't need a reset.
On XP there was a DOS command - FIXBOOT. I don't think 7 has this but I may be wrong. I did not try this. it does the trick on XP. It might work after the Trojan has been removed.

 

[gregrocker]

All boot repair commands are automated in Win7 Startup Repair. The infinite Startup Repair loop should be repaired using the Win7 DVD Repair console or Repair CD because of likely System file corruption in built-in WinRE. System Repair Disc - Create

To disinfect or clear of possibility of infection, you can first run Microsoft Standalone System Sweeper from boot using CD or flash stick, or best is Malwarebytes from Safe Mode if necessary.

If BIOS has been infected you may need to reflash the BIOS.

 

[fedupwith7]

Please note. I did have a System Repair disk. It could not start the computer with this rootkit virus - you just get a corrupt ci.dll report for the DVD Rom Drive.
Similarly the computer will not start in SAFE mode, either, so that option is not available.
And looking at the Standalone Sweeper info, you have to create it Before the computer goes wrong!
Not much use after, and as the only Windows 7 machine I have is the one that had gone wrong, I couldn't create one to recover it!
I will check it out now, though.

 

[gregrocker]

You can create MS Standalone Sweeper CD or flash stick on another computer.

 

[fedupwith7]

I have just read this on the MS Sweeper download site:

""Ordinarily, the bootable media is created on a computer that is not infected. The architecture of Microsoft Standalone System Sweeper Beta does not have to be the same as the Windows operating system of the computer used to create the bootable media. It does need to be the same architecture (32-bit or the 64-bit) as the Windows operating system of the computer infected with a virus or malware.""

So you can create a 64 bit disk on a 32 bit machine. I can't see that a USB stick or external drive is a good format option for this situation.

I have now created a 64 bit Sweeper disk on the laptop that was infected, just in case it (or something else) should happen again.
BUT! as SAFE mode, DOS, Backup Disks and Image File Disks wouldn't work with this infection, and no external drive or USB port worked, and a normal System Repair Boot Disk would not work, will the Sweeper work?
If the Sweeper disk boots using the ci.dll file, it will fail as it cannot open the kernel files.
If it does work, I wish I had known before.
Perhaps somebody who tries Sweeper for this problem can add their findings to this thread.

 

[gregrocker]

You are not booting the CD's correctly so it is trying to start the HD yielding the .dll error which should not occur while booting a disk.

You'll need to correctly boot the Standalone Sweeper disk to clear the HD of infection and then run Startup Repair and possibly SFC manually from the Win7 Repair disk.

Set the BIOS boot order so that the CD drive is first to boot: How to Boot your Computer from a Bootable CD or DVD - Boot to CD

Or use the one-time BIOS Boot Menu key to trigger CD drive to boot: BIOS Boot menu keys (Imported)

Look for the prompt to "Press any key to boot CD drive."

 

[fedupwith7]

Thanks for that, but I did not have the Sweeper disk at the time as I had not seen it mentioned in any of these threads, and I did load with the Boot Disk several times and each time it went through a Startup Repair Sequence at the end of which it said there was a problem with D:/ci.dll. Before this it said the ci.dll problem was on the C drive.
Basically, no matter what I did it would not boot!
I am sure this virus affects the BIOS as antivirus software told me it had definitely changed the headers of each of the drives and I could not navigate to any drive except "X:\"
The ci.dll report is a symptom of the problem, not the cause.
The computer is now back to normal.
I think we had better see what happens when someone uses Sweeper to try to solve this problem before making any more posts.

 

[gregrocker]

Good work. Moving HD to uninfected computer may be necessary with this infection.

I wish this was posted in Security for their expert opinion and attention.

 

[fedupwith7]

There are some really evil Trojans going around at the moment. I had another rootkit one on an XP machine.
I couldn't ID it, it just came up as "drive has a rootkit corruption" when i virus scanned it. In both cases the Trojan came in a compressed rar file. So beware!
I managed to kill the XP one with the disk in a caddy by running a virus killer on it from another PC Then I ran Fixboot from the OS. It booted up ok afterwards but it was virtually unusable! There were so many things the Trojan had done, like removing the "display hidden files" and "show filename extensions" options plus lots more, including stopping Internet access, corrupting all virus and spyware killers and blocking them from being updated or deleted. Whoever had created it had thought of every possible wrinkle to stop you removing it! Nasty!
I managed to fix it by editing the Registry by following tips from clever, kind people like the ones on this Forum!

 

[gregrocker]

I've found that more than half the time SFC cannot repair damage from these infections even if they're "cleaned up" but it requires wiping the HD to clean reinstall.

 

[Iamien]

Just going to be honest here about how I got the infection, detected it, and removed it.


I am usually a very careful browser but I got sloppy and picked up the the boo/tdss.m trojan while browsing some of the more dangerous pornsites out there in search of legal but obscure content. While browsing my pc crashed and re-started in Startup Repair tool, kept looping and when I looked in details it was the ci.dll issue.

Found this thread and did not have a way to open up HD and remove it "remotely" by opening it as a slave drive on another PC.

I used the Avira Rescue Bootdisk to confirm I had the boo/tdss.m rootkit.

After searching around how to repair boot records I found out about Bootrec.exe (a built in windows executable)

After getting into the command prompt via a install disc(you can also access it after the Startup Repair tool "gives up" on trying to remove it "Advanced Tools"), I was able to run 'bootrec /fixmbr' which re-wrote the boot sector.

That fixed the ci.dll error, allowing me to boot into windows and also apparently completely removed the trojan as I am not getting anymore detections on any scan. I am glad this worked as I have lost my win 7 upgrade disc/key and would of been without a legitimate license if I had to re-install.

 

[gregrocker]

I'd install, update and run Full Scan with Malwarebytes
to be sure infection is gone, as bootrec commands (automated in Startup Repair) cannot clean infection.

Then I'd uninstall my AV and install Microsoft Security Essential,
run a full scan with it as well.