Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

The file or directory is corrupted or unreadable.


  • Please log in to reply
11 replies to this topic

#1 stralachni

stralachni

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 27 July 2009 - 01:27 AM

Hi.

I have been having a virus problem for the past week, and I ran many programs to fix it, according to postings on this site.

One thing I'm working on now, is deleting an infected file.
I get the error:

The file or directory is corrupted or unreadable.

The file name is C:\WINDOWS\system32\drivers\UACrhxfhbrrsb.sys

chkdsk doesn't fix it, because it has problems fixing files with a mix of UPPER and lower case in the file name.

I tried "unlocker", but doesn't work.

If you could help me delete that file, that would be great.
Thank you.

Ben

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,116 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:26 PM

Posted 27 July 2009 - 01:34 AM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 stralachni

stralachni
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 27 July 2009 - 01:58 AM

Thank you for your help.

I tried to run RootRepeal, but as soon as it starts up, it says,

"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."

Not sure what to do.

I tried running it in Safe Mode too, but same issue.

Do you know what the problem is?

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,116 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:26 PM

Posted 27 July 2009 - 02:08 AM

In RootRepeal go Settings > Options and adjust the Disk Access Level. Try all the different levels and see if you can get it to run.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 stralachni

stralachni
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 27 July 2009 - 02:13 AM

Oh sorry, I think I was tired!
Anyways, I now did go there and tried all the levels.
Special, Low, Middle and High... all with the same result...

"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."

Any other ideas?

Thanks.

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,116 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:26 PM

Posted 27 July 2009 - 02:16 AM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 stralachni

stralachni
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 27 July 2009 - 03:10 AM

Hi.

In the mean time, I got Root Repeal to work.
Please have a look at my log.
Should I still run "Sophos Anti-rootkit" in addition to Root Repeal?

* Please note that UACrhxfhbrrsb.sys was not mentioned in the Root Repeal log.
Why not? Was it supposed to find it and do something about it?


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/27 02:03
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\sdfix\apps\hpfix5.reg
Status: Allocation size mismatch (API: 4096, Raw: 696)

Path: C:\WINDOWS\Prefetch\NET.NET-15004E59.pf
Status: Could not get file information (Error 0xc0000008)

Path: c:\windows\pss\win.ini.backup
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\windows\temp\wfv4.tmp
Status: Allocation size mismatch (API: 50069504, Raw: 45875200)

Path: c:\documents and settings\ben\recent\dave-wedding-speech2.lnk
Status: Allocation size mismatch (API: 4096, Raw: 544)

Path: c:\documents and settings\ben\recent\81114_11811718_123_379lo.lnk
Status: Allocation size mismatch (API: 4096, Raw: 552)

Path: c:\documents and settings\mami\recent\gebrutstag09.lnk
Status: Allocation size mismatch (API: 4096, Raw: 576)

Path: c:\documents and settings\mami\recent\xp_virusalert_repair.lnk
Status: Allocation size mismatch (API: 4096, Raw: 560)

Path: c:\documents and settings\mami\recent\rootrepeal-error.lnk
Status: Allocation size mismatch (API: 4096, Raw: 576)

Path: c:\documents and settings\mami\recent\combofix-warn.lnk
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\documents and settings\mami\recent\dave-wedding-speech2.lnk
Status: Allocation size mismatch (API: 4096, Raw: 544)

Path: c:\documents and settings\mami\recent\dave-wedding-speech3.lnk
Status: Allocation size mismatch (API: 4096, Raw: 544)

Path: c:\documents and settings\mami\recent\ben-best-spots-to-live.lnk
Status: Allocation size mismatch (API: 4096, Raw: 568)

Path: c:\qoobox\quarantine\registry_backups\service_uacd.sys.reg.dat
Status: Allocation size mismatch (API: 4096, Raw: 544)

Path: C:\WINDOWS\system32\CatRoot2\tmp.edb
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACd.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\MoveEx_SysHive_link.vir
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Application Data\BitTorrent\resume.dat.old
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Application Data\BitTorrent\db[1].exe
Status: Locked to the Windows API!

Path: c:\documents and settings\ben\application data\microsoft\office\recent\dave-wedding-speech2.lnk
Status: Allocation size mismatch (API: 4096, Raw: 552)

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\winlogon.exe.20090721-054726-00.hdmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\tbredir[1].xml
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\NET1.EXE-02C3403D.pf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\Google Toolbar
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\down[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\NET.EXE-151FD66D.pf
Status: Locked to the Windows API!

Path: c:\documents and settings\mami\application data\microsoft\office\recent\dave-wedding-speech2.lnk
Status: Allocation size mismatch (API: 4096, Raw: 552)

Path: c:\documents and settings\mami\application data\microsoft\office\recent\dave-wedding-speech3.lnk
Status: Allocation size mismatch (API: 4096, Raw: 552)

Path: C:\Documents and Settings\Papa\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_870_D33A_70D3_2D66\$db_dirty$
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Mami\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{AD214208-2E96-5136-5297-E3695047EC30}\01\10-{AD214208-2E96-5136-5297-E3695047EC30}-v1-{CACA12A0-BD2E-482B-88F4-3B74CC809BCE}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Application Data\Macromedia\Flash Player\#SharedObjects\KT9RRJMC\static.fmpub.net\banners\1\0Uploaded\intel\crowdfire_contest\SGIPlayer.swf:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,116 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:26 PM

Posted 27 July 2009 - 04:05 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UACd.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes following the instructions given below. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 stralachni

stralachni
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:26 AM

Posted 04 August 2009 - 09:42 AM

Hi.

Sorry for the late reply.
Thank you very much for your help.
This has worked for me... things are ok now :thumbsup:

Ben

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,116 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:06:26 PM

Posted 04 August 2009 - 04:07 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or JS2E entries that you have.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 2kemon

2kemon

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 15 March 2010 - 08:14 AM

I have a similar problem I need some assistance with.

My external harddrive is giving me problems on both my desktop and my laptop. Error message "The file or directory is corrupted or unreadable". The drive shows up, but in RAW format. I can't access the data on the drive. Been googlinh for 24 hours, but haven't come up with a solution yet.

I've made a clean and fully updated install of windows XP on my laptop now, but the problem is still there. But my girlfriends laptop with windows vista reads it just fine.
I just don't know what to do.


I followed the steps in the first answer by budapest and got a report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/15 14:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\documents and settings\2kemon.desktop\local settings\temp\nsd2.tmp
Status: Allocation size mismatch (API: 114688, Raw: 0)



Now the harddrive in question (USB connection only) wasn't plugged in. Should I do a scan with it plugged in?


Please help - kind regards
2kemon

#12 2kemon

2kemon

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 15 March 2010 - 03:34 PM

I ended up installing windows 7 on another partition and dual boot. Windows 7 was able to read the disc just fine, so now I'm copying away - I still don't get it though ;)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users