
Possible FileSystem and/or $MFT Corruption After Malware Cleanup


11 replies to this topic

#1 nv87654

  • Members
  • 7 posts

Posted 19 July 2012 - 08:27 PM

We have a Vista x64 Home Premium Dell desktop that we have struggled with for days and days after a SMART HDD Rogue Fake HDD infection. After many, many AV scans, etc. we finally thought we had the system clean because scans were starting to continuously show clean and the system was booting again. So, after thinking we had recovered the system, we uninstalled McAfee and installed Kaspersky Pure 2.0 as our new AV tool. We scanned again with the new Kaspersky and everything was looking good. Then about 2 days later, after basically letting the system sit idle, we began having problems installing and uninstalling programs, some programs could not start up, Kaspersky database update would fail, and we were getting errors popping up having to do with corrupt file system, corrupt $MFT, etc.:


- Windows Media Player constantly running very high on memory consumption, even though we are not even running Windows Media Player

- Early on, after virus cleaning, we saw an error pop up (only twice) saying the $MFT was corrupt and unusable

- Tried uninstalling various applications and it fails

- Kaspersky updates won't commit. Says it cannot create a directory.

- Other apps starting up automatically in Windows (i.e. Logitech, Dell Dock) give file system corruption type errors.


So, I have been on the assumption that the MFT and/or the file system is corrupt and have tried the following tasks:



From the Vista Installation DVD RE command prompt, I have run both of these commands several times with the same result:


sfc /scannow

It runs there for about 20 seconds and then returns with the output/error: "Windows Resource Protection could not start the repair service"



Next, I attempted to run chkdsk from within the same Vista DVD Installation RE command prompt:

Here is the following command I ran:

X:\Sources>chkdsk c: /x /f /r

Output was as follows:

The type of the file system is NTFS.
Volume label is OS.

CHKDSK is verifying files (stage 1 of 5)...
791104 file records processed.
File verification completed.
5387 large file records processed.
0 bad file records processed.
0 EA records processed.
50 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...

14 percent complete. (838035 of 929100 index entries processed)
X:\Sources>

chkdsk stops and exits at this same index number, 838035, every time I run it.


I have run disk diags and it all says the disks are OK.

But I am suspicious that the MFT might be corrupt or out of sync with the file system.

I have gone through these steps more than once and it is the same behavior every time.

Any help or advice on this would be much appreciated.



#2 DonnaB

    Bleepin' Ailurophile

  • Malware Response Instructor
  • 2,373 posts
  • Gender:Female
  • Location:The edge of reality

Posted 19 July 2012 - 10:34 PM

Hi nv87654,

I see that on July 11th you started THIS thread in the Security forum and Conspire had come to your rescue though you did not respond and the thread was then closed due to lack of response.

I would like to suggest that you go back to that thread, click on Conspire's name and send him a Private Message asking him to reopen the thread and follow through with his instructions.

Donna :)

Edited by DonnaB, 19 July 2012 - 10:38 PM.

A cat named ugly


Proud parent of a young Man who devotes his life to the U.S.Navy

Graduate of GeekU Malware Removal training program

"To achieve the impossible, it is precisely the unthinkable that must be thought." ~ Tom Robbins

"Once I knew only darkness and stillness... my life was without past or future... but a little word from the fingers of another fell into my hand that clutched at emptiness, and my heart leaped to the rapture of living." ~ Helen Keller

#3 AustrAlien

    Inquisitor

  • BC Advisor
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 20 July 2012 - 09:20 AM

... I have been on the assumption that the MFT and/or the file system is corrupt ...

I think you are correct there. I also think it would be of no use attempting to re-open your earlier topic as DonnaB has suggested you do.

Let's err a little on the safe side to start with and test the hard drive itself: We'll get to checking/fixing the disk file-system later if it turns out that there is no problem with the hard drive.

Rather than burning and using a SeaTools for DOS CD, in your particular case I am opting to use UBCD so that we can get a bit of extra information, namely a look at the S.M.A.R.T data which will give us a better idea of what might be going on here.

FIRSTLY ... Create a bootable UBCD ... CD

Please do the following on a working computer:
  • You will need a new blank writable CD.
  • Download UBCD and burn to a CD:
    Note: If you have trouble finding a download link here:

    UBCD download page: Download UBCD
  • Look under the heading: Mirror Sites
  • Try any of those listed websites which are hosting/providing the UBCD .ISO file for downloading.
  • An example direct download link to try would be:
  • Michigan Tech Linux/UNIX Users Group
  • Which in turn leads you to: http://lug.mtu.edu/ubcd/
  • and eventually the download link itself: ubcd511.iso
    (Sorry about it not being exactly straight-forward, easy and obvious!)
  • If you do not already have a suitable burning program for writing .ISO images to disc ...
  • Download and install ImgBurn.
  • Ensure that you UN-check the box agreeing to install the Ask toolbar during the installation.
  • Place a new (blank) CD disc in the drive tray.
  • Choose Write image file to disc.
    • Under Source, click on the Browse button: Navigate to and select the .ISO file that you wish to burn.
    • Place a check-mark in the box beside Verify.
  • Click the Write button.
  • When the CD has been burned and verified as successful, it will be bootable.
============================================

SECONDLY ... Get the S.M.A.R.T data using UBCD > Parted Magic

Boot the ailing computer with the UBCD CD.
  • (You may have to configure the Boot Menu or BIOS Setup Menu to boot first from the optical/CD/DVD drive.)
  • At the first menu screen, select Parted Magic and press <ENTER>.
    Use Default settings ...
    Be patient until UBCD loads and you are presented with the Desktop.
  • Click Start (bottom-left-corner button) > System Tools > Disk Health (GSmartControl)
  • In the GSmartControl window that appears, click on the device that represents the failing hard drive (any other device may be a flashdrive if you have one connected) to select it.
  • On the top menu, click Device > View Details.
    A Device Information window for the failing hard drive will open.
  • Click on the Attributes tab at the top (to display the S.M.A.R.T data).
Save the S.M.A.R.T data as a text output by smartctl.
  • At the bottom of the Attributes page, click Save As.
  • Look at the default file name and location that the file will be saved.
    Default location will be "root".
  • Click Save.
====================
Now to get the text file uploaded to BleepingComputer.com.

Establish internet connection

At the UBCD Desktop, click the 'start' button (bottom-left corner button) > Internet > Start network.
  • The Start Network Options window will open.
  • Ensure the appropriate option is selected, and click Continue ...
    The Network Utility window will open.
  • Ensure the appropriate option is selected, and click OK.
    You should now have a working internet connection.
Open Firefox and go to BleepingComputer site

At the UBCD Desktop, click the 'start' button (bottom-left corner button) > Internet > Firefox.

Attach file &/or paste text to a post
  • In your topic at the bottom of the page, click on Add Reply.
  • Under the text box, under the heading Attachments, click on "Browse" to browse for the file that you wish to attach.
    A file upload window will appear.
  • On the left-side, click on "root" to display the contents of the root directory.
  • You should see the text file there that you saved earlier. Click on it, to select it, and then click Open at the bottom-right of the window.
  • Back at the BleepingComputer.com forums window, click on Attach this file.
  • Now type a few words in the text box "text file attached" and then at the bottom click on Add Reply.
  • Note: If you are feeling confident enough to try it, you can open the text file with a text editor and paste the contents in a reply so it can be seen easily by anyone browsing the topic, if you wish. If you do this, don't forget to enclose in CODE tags to preserve the format/spacing.
  • Please enclose the pasted report in CODE tags so that the spacing/formatting is preserved (to make it easier for all to read).
  • Firstly, click on the "Insert code snippet" button.
  • You will then see the "start" and "end" code tags (highlighted in dark blue/selected in the image) in the text box.
  • Click between the two tags to insert the cursor between the tags and then press <Ctrl+V> to paste the report there.
All done!
==================================

THIRDLY ... Test the hard drive.

Boot the ailing computer with the UBCD CD.
  • (You may have to configure the Boot Menu or BIOS Setup Menu to boot first from the optical/CD/DVD drive.)
  • At the first screen select HDD and press <ENTER>.
  • Arrow-down to Diagnosis and press <ENTER>.
  • Arrow-down the screen all the way to the next page and highlight SeaTools for DOS V2.23 and press <ENTER>.
  • Click OK (the mouse should be working now).
  • When the tool has finished scanning for hard drives, do you see the HDD details (Model/Serial numbers) in the box under Drive List?
    If so, that is good!
    If not, then you have a problem: Let us know about it.
  • On the menu at the top of the window, click on Basic Tests > Short test and allow the test to complete.
    • Then run the Long test, which will take a considerably longer time to complete.
  • Click on Exit to close SeaTools and shut down the computer.
Please let us know the result of running the two tests.
AustrAlien
Google is my friend. Make Google your friend too.

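The S.M.A.R.T. data AustrAlien asks for in the SECONDLY step is worth reading with a script rather than by eye, because only a handful of attributes actually predict media failure and a drive can look "OK" to a vendor diagnostic while already relocating sectors. The following POSIX shell script is an added example, not part of AustrAlien's post and not code from the UBCD or GSmartControl projects. It reads the text that GSmartControl's Save As (equivalently `smartctl -A /dev/sdX`) produces, flags the reallocation and pending-sector attributes, and then checks the most recent entry of `smartctl -l selftest /dev/sdX`, which is the Linux counterpart of the SeaTools Short/Long test in the THIRDLY step. The device names `/dev/sda` and `/dev/sdb` and all attribute tables below are constructed assumptions, not output from the poster's machine; on a firmware (BIOS) RAID 1 mirror Linux normally still exposes both member drives as separate block devices, so each can be queried individually, whereas a dedicated hardware RAID controller would need smartctl's `-d` option, which this example does not cover.

```shell
#!/bin/sh
# Added example, not from the thread or from the UBCD/GSmartControl project.
# Reads `smartctl -A` output (the text GSmartControl's "Save As" writes) and
# flags the attributes that predict media failure, then reads the most recent
# self-test from `smartctl -l selftest` (Linux equivalent of SeaTools' tests).
#
# On the ailing machine (Parted Magic or any Linux live CD), per drive:
#   smartctl -A /dev/sda         | sh smart_triage.sh   # assumed device name
#   smartctl -l selftest /dev/sdb | sh smart_triage.sh  # second mirror member
# (as written, this file defines the functions and then runs them on samples)

# ATA attribute IDs whose RAW_VALUE should be 0 on a healthy drive:
# 5 Reallocated_Sector_Ct, 187 Reported_Uncorrect, 196 Reallocated_Event_Count,
# 197 Current_Pending_Sector, 198 Offline_Uncorrectable.
CRITICAL_IDS="5 187 196 197 198"

# smart_triage [file]  -- reads `smartctl -A` output (stdin if no file given).
# Exit 0: no media-level warnings. Exit 1: image/replace the drive before
# letting chkdsk /r or any repair tool write to it.
smart_triage() {
    awk -v ids="$CRITICAL_IDS" '
        BEGIN { n = split(ids, want, " "); for (i = 1; i <= n; i++) crit[want[i]] = 1; bad = 0 }
        # Attribute rows: ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
        $1 ~ /^[0-9]+$/ && NF >= 10 {
            id = $1; name = $2; raw = $10
            sub(/[^0-9].*$/, "", raw)             # "35 (Min/Max 20/50)" -> "35"
            if ((id in crit) && raw + 0 > 0) {
                printf "CRITICAL  id=%-3s %-24s raw=%s\n", id, name, raw; bad = 1
            }
            if ($9 == "FAILING_NOW") {            # normalized VALUE already below THRESH
                printf "FAILING   id=%-3s %s\n", id, name; bad = 1
            }
        }
        END {
            if (bad) print "VERDICT: drive unhealthy; image it before any chkdsk /r"
            else     print "VERDICT: no media-level warnings; file-system repair is reasonable"
            exit bad
        }' "$@"
}

# selftest_latest [file] -- reads `smartctl -l selftest` output and reports the
# most recent entry (# 1). Exit 0 only if it "Completed without error".
selftest_latest() {
    awk '
        /^# *1 / { print; found = 1; if ($0 ~ /Completed without error/) ok = 1 }
        END {
            if (!found) { print "no self-test has been run on this drive"; exit 1 }
            if (ok) exit 0
            exit 1
        }' "$@"
}

# Constructed sample tables (not the poster's data) so the script runs offline.
SMART_HEALTHY='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       123456789
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   091   091   000    Old_age   Always       -       8123
194 Temperature_Celsius     0x0022   035   050   000    Old_age   Always       -       35 (Min/Max 20/50)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

SMART_FAILING='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   021   021   036    Pre-fail  Always   FAILING_NOW 1642
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8'

SELFTEST_OK='# 1  Extended offline    Completed without error       00%      8123         -'
SELFTEST_BAD='# 1  Extended offline    Completed: read failure       90%      8123         1234567'

# Demonstration on the samples (the unhealthy cases exit 1, hence "|| true").
printf '%s\n' "$SMART_HEALTHY" | smart_triage
printf '%s\n' "$SMART_FAILING" | smart_triage || true
printf '%s\n' "$SELFTEST_OK"   | selftest_latest
printf '%s\n' "$SELFTEST_BAD"  | selftest_latest || true
```

The exit status is the useful part: a non-zero result from either function on either mirror member means the right next step is to take an image of the drive first, not to run chkdsk /r, which would force the disk to rewrite exactly the sectors it is already struggling with. A pending-sector count that drops to zero after the long test while the reallocated count rises is the classic sign of a drive quietly remapping bad blocks.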

#4 nv87654

  • Topic Starter
  • Members
  • 7 posts

Posted 20 July 2012 - 11:01 AM

Thanks for the replies, DonnaB and AustrAlien.

I am hoping (and assuming) that we have gotten rid of all the Rogue.FakeHDD and associated malware. At least, it appears that we have, since it has been days and no weird symptoms from malware have surfaced. The only thing that has surfaced recently are the file system / MFT corruption errors. Could the malware have caused this? I don't know. But we have run SO many different AV/anti-malware/rootkit tools and scans over the span of about 2-3 weeks, edited/deleted files via Linux boot, edited registry entries found by some of the anti-AV/malware tools, etc., that it is possible that all that has caused the MFT and file system to get out of sync.

AustrAlien - When I get back home this evening I will try the two tests you mentioned to check the drives. BTW - It is a RAID 1 mirrored setup.

Thanks for your help.

Edited by nv87654, 20 July 2012 - 11:14 AM.


#5 AustrAlien

    Inquisitor

  • BC Advisor
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 20 July 2012 - 01:16 PM

BTW - It is a RAID 1 mirrored setup.

Oh no! I trust you are familiar with what needs to be done, in that case.
  • I believe that you may well have to dismantle the RAID array in BIOS before proceeding.
  • When finished, you will need to re-enable the RAID array before attempting to boot from the HDD(s).
It would not be unusual or unexpected that the malware removal process has resulted in the corruption you are reporting.

Screenshots of the Attributes tab showing the S.M.A.R.T data (or other if warranted) may also be useful.

How to take a screenshot and post it in the BC forums using UBCD
=======================

Take a screenshot

At the UBCD Desktop, click the 'start' button (bottom-left corner button) > Accessories > Take a screenshot.
  • The Screenshot window will open.
  • Under Region to capture, select either Entire screen or Active window as appropriate.
  • Under Action, select Save in (and note the default location is root).
  • De-select Capture the mouse pointer if you do not wish to use that feature.
  • Click OK.
    A Save screenshot as window will open.
    You will see beside Name, the default name for the image file about to be saved is Screenshot.png
    You will see the location that the file will be saved to is root.
  • Click Save in the lower-right part of the window.
    Done!
=======================

Establish internet connection

At the UBCD Desktop, click the 'start' button (bottom-left corner button) > Internet > Start network.
  • The Start Network Options window will open.
  • Ensure the appropriate option is selected, and click Continue ...
    The Network Utility window will open.
  • Ensure the appropriate option is selected, and click OK.
    You should now have a working internet connection.
=======================

Open Firefox and go to BleepingComputer site

At the UBCD Desktop, click the 'start' button (bottom-left corner button) > Internet > Firefox.
=======================

Attach an image to a post and configure it to display in-post.

In your topic at BC, at the last post, click Add Reply.
  • Below the text box you will see the function to add Attachments.
  • Click Browse.
    A File Upload window will open that will enable you to browse to the image you wish to attach.
  • In the left pane, click on root.
  • In the right pane, click on Screenshot.png to select it.
  • Click Open (lower-right part of the window).
    You are now back at your new post on the BC forums.
  • Click Attach This File.
    Allow a little time for the attachment to upload and be displayed as an attachment.
  • To the right of the attachment Screenshot.png, click on Add to Post (in small type).
  • Lower down the screen, click Add Reply.
    Done!
=======================
If you 'lose' your image ...
  • At the UBCD Desktop, double-click the File Manager icon (top-left corner of Desktop).
  • The root directory window will open, and in it you will see your saved screenshot image, Screenshot.png
    Note: After re-starting the computer the image will no longer exist (it will not be saved since you are booting from a CD).

Edited by AustrAlien, 20 July 2012 - 01:27 PM.


#6 nv87654

  • Topic Starter
  • Members
  • 7 posts

Posted 20 July 2012 - 05:36 PM

AustrAlien - The RAID was set up at DELL for us when we ordered the PC. Unfortunately, we don't have experience in disabling and enabling RAID and it seems risky for me to attempt it without some good step-by-step guidance. Do you have any suggestions on good, well-tested procedures to do that?

Also, are you saying that the tool you want to use to test the disks won't give good results unless the RAID is broken off first?

Another idea (possibly) ...

Since it seems we both think it is more likely a file system/MFT issue and not a disk problem, what if we just go on that assumption, skip the disk checks, and focus on how to "un-corrupt" or sync back the file system/MFT?

Thanks.

#7 AustrAlien

    Inquisitor

  • BC Advisor
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 20 July 2012 - 06:21 PM

The RAID was set up at DELL for us when we ordered the PC. Unfortunately, we don't have experience in disabling and enabling RAID and it seems risky for me to attempt it without some good step-by-step guidance. Do you have any suggestions on good, well-tested procedures to do that?

Then we are in trouble: I have no hands-on experience with RAID. Apart from what either of us might turn up using Google, perhaps the DELL user manual for your system may provide sufficient answer for you?

You wrote: "... are you saying that the tool you want to use to test the disks won't give good results unless the RAID is broken off first?"
I suspect that having booted with UBCD > PartedMagic, that the Linux operating system would "see" only the one "drive".
  • I am not sure about the SeaTools utility:
  • Perhaps it might be worth a try, but being a Linux OS itself, you may not be able to "see" & test both HDDs.
You wrote: "... what if we ... skip the disk checks, and focus on how to "un-corrupt" or sync back the file system/MFT?"
Are you prepared to gamble and risk losing the lot ... and having to start all over again with a fresh installation of Windows?

#8 nv87654

  • Topic Starter
  • Members
  • 7 posts

Posted 20 July 2012 - 06:37 PM

Thanks, AustrAlien. Let me research on the RAID and get back with you. It might be a day or two. Thanks again.

#9 AustrAlien

    Inquisitor

  • BC Advisor
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 20 July 2012 - 07:01 PM

No worries!

Edited to add:

I have run disk diags and it all says the disks are OK.

As an after-thought: Please don't think that I have neglected to pay attention to this.

DELL's hard drive diagnostics are widely regarded as reliable (as reliable as any of the others available), but they do not tell the whole story (they do not provide you with the necessary information to make an assessment of the situation yourself). I want the chance to do that: That is why I am asking to get a look at the S.M.A.R.T data. I need to know that what we intend doing is as safe as possible and the best choice possible under the circumstances.

Edited by AustrAlien, 20 July 2012 - 07:16 PM.


#10 nv87654

  • Topic Starter
  • Members
  • 7 posts

Posted 20 July 2012 - 07:51 PM

No problem. BTW - Can you run a S.M.A.R.T disk scan from a Linux boot? I will find out how to unmirror the RAID and then get back with you for next steps. But, if I do all of that, do you have a good idea of what to do about the possible MFT/filesystem corruption?

#11 AustrAlien

    Inquisitor

  • BC Advisor
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 20 July 2012 - 08:05 PM

Can you run a S.M.A.R.T disk scan from a Linux boot?

I cannot be exactly sure what you mean by that, but I believe the answer to be "yes".
  • GSmartControl/smartctl is "the full package" when it comes to S.M.A.R.T.
    GSmartControl is what you will be using when you boot using UBCD.
You wrote: "... do you have a good idea of what to do about the possible MFT/filesystem corruption?"
I believe that I do ... when RAID is not involved.
  • Hopefully having a RAID array will not make the situation un-recoverable?
  • Let's wait until we get a look at the S.M.A.R.T data and re-test the hard drives before thinking/planning further ahead.

Edited by AustrAlien, 20 July 2012 - 08:36 PM.


#12 nv87654

  • Topic Starter
  • Members
  • 7 posts

Posted 20 July 2012 - 09:24 PM

OK. Sounds good. I'll get back with you on the RAID situation first. Thanks.
