
Not sure if rootkit or failing HD



#1 realeverett (Members, 3 posts)

Posted 05 January 2013 - 11:12 PM

Hi everyone,

I'm on Windows 7 x64 with a 2007/08 computer that has previously been running smoothly. Here are some symptoms which I noticed, all of which started within the past week:
(1) I had accidentally downloaded a file off usenet which was supposed to be a video but was a .exe. Stupidly, in my rush I clicked on it before Windows Security Essentials detected and deleted it.
(2) Since then, the computer, a few minutes after booting, will suffer slowdowns with the mouse cursor, jerky movement, slow keypress response, can't Ctrl-Alt-Del, and eventually BSOD with a kernel inpage error.
(3) Sometimes the BSOD mentions ntfs.sys. The dump will fail.
(4) At one point the PC even BSOD on normal boot and safe mode, but Windows recovery mode allowed me to boot again.
(5) Safe mode doesn't seem to have the slowdown --> BSOD issue.

Here are some things I've tried:
(1) full chkdsk takes several overnight and seems to hang or eventually reset. I didn't see any errors nor did I see any results. I really can't keep an eye on it 100% of the time.
(2) I had issues updating Microsoft Security Essentials. The error would indicate update failed. When I finally got to run a full scan, it doesn't finish before the BSOD. I also haven't found anything using MSE.
(3) I tried using MalwareBytes. The first time I tried to install, it indicated that it couldn't install properly since the directory was read-only or something weird like that. I clicked "retry" a few times before finally choosing ignore. After install it was clear something was wrong (scans were weird; couldn't update), so I had to eventually reinstall and update in safe mode. A full scan, which took me several hours, found nothing.
(4) I tried MB Anti-Rootkit scan according to instructions but nothing was found.
(5) I tried ComboFix (before I read that I shouldn't have).
(6) I tried rkill in both safe mode and normal boot but it couldn't find anything.
(7) I tried TDSSkiller but it couldn't find anything.
(8) I tried defragging my HD but the BSOD issue interrupted the program.
(9) RootRepeal won't work since I am x64.
(10) I tried GMER but it didn't make any sense to me, nor did it seem to find anything of note.
(11) I don't see any HD SMART errors. I really doubt a HD issue since I haven't had any, but I know you can't predict them.

As you can see, there are some suspicious behaviors with my computer with regard to virus scanners running into issues, but I haven't been able to find any malware or hardware issues. I'm stuck since I've always thought I was careful about malware. It seemed like a TDSS problem at first but nothing's been found.

Thank you for your time.


#2 AustrAlien (Inquisitor, Members, 6,772 posts, Cowra NSW Australia)

Posted 06 January 2013 - 01:23 AM

... I don't see any HD SMART errors

Let's have a quick look ...

How to obtain hard drive S.M.A.R.T. data on a Windows system and then paste the report into a forum post
  • Download the GSmartControl installer application:
    • Go to the GSmartControl - Downloads page.
    • Scroll part way down the page to where the current version available for download will be displayed.
    • Click on the link to download the installer file to your computer.
      (There may be a mirror link there also which will enable you to download the file if the main download link does not work for some reason.)
  • Double-click the downloaded application to run it and install GSmartControl on the computer.
    Note: Vista/Win7 users, right-click > Run as Administrator
  • When installation is complete, run GSmartControl:
    • Start GSmartControl from the Start > Programs menu.
  • When the interface has loaded and scanning for hard drives is complete, click on the hard drive icon to select the device.
  • Go to Device on the top menu > View Details, and a new Device Information window will open.
  • Click on the Attributes tab to display the S.M.A.R.T data values.
  • Near the bottom of the window, click on View Output and a new Smartctl Output window will open.
  • Right-click anywhere inside that window > Select All.
  • Again right-click in that selected area > Copy.
  • Now paste that in a reply to your topic.
    Note: Please enclose the pasted report in CODE tags so that the spacing/formatting is preserved (to make it easier for all to read).
    • Firstly, click on the "Insert code snippet" button.
      You will then see the "start" and "end" code tags (highlighted in dark blue/selected in the image) in the text box.
    • Click between the two tags to insert the cursor between the tags and then press <Ctrl+V> to paste the report there.

AustrAlien
Google is my friend. Make Google your friend too.


#3 realeverett (Topic Starter, Members, 3 posts)

Posted 06 January 2013 - 11:43 AM

smartctl 5.43 2012-06-30 r3573 [i686-w64-mingw32-win7(64)-sp1] (sf-5.43-1)
Copyright (C) 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.11
Device Model:     ST3750630AS
Serial Number:    9QK0NRTT
LU WWN Device Id: 5 000c50 00cda52d5
Firmware Version: HP24
User Capacity:    750,156,374,016 bytes [750 GB]
Sector Size:      512 bytes logical/physical
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   8
ATA Standard is:  ATA-8-ACS revision 4
Local Time is:    Sun Jan 06 11:41:27 2013 EST

==> WARNING: There are known problems with these drives,
see the following Seagate web pages:
http://knowledge.seagate.com/articles/en_US/FAQ/207931en
http://knowledge.seagate.com/articles/en_US/FAQ/207951en
http://knowledge.seagate.com/articles/en_US/FAQ/207957en

SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
See vendor-specific Attribute list for marginal Attributes.

General SMART Values:
Offline data collection status:  (0x82)	Offline data collection activity
					was completed without error.
					Auto Offline Data Collection: Enabled.
Self-test execution status:      (   0)	The previous self-test routine completed
					without error or no self-test has ever 
					been run.
Total time to complete Offline 
data collection: 		(  642) seconds.
Offline data collection
capabilities: 			 (0x5b) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					Offline surface scan supported.
					Self-test supported.
					No Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 ( 177) minutes.
SCT capabilities: 	       (0x103f)	SCT Status supported.
					SCT Error Recovery Control supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   111   083   015    Pre-fail  Always       -       317521
  3 Spin_Up_Time            0x0002   096   093   002    Old_age   Always       -       0
  4 Start_Stop_Count        0x0032   100   100   050    Old_age   Always       -       961
  5 Reallocated_Sector_Ct   0x0033   100   100   051    Pre-fail  Always       -       2041
  7 Seek_Error_Rate         0x000f   073   060   015    Pre-fail  Always       -       103740170113
  9 Power_On_Hours          0x0032   074   074   050    Old_age   Always       -       23245
 10 Spin_Retry_Count        0x0013   100   100   019    Pre-fail  Always       -       1
 12 Power_Cycle_Count       0x0033   100   037   051    Pre-fail  Always   In_the_past 952
184 End-to-End_Error        0x0033   100   100   051    Pre-fail  Always       -       0
187 Reported_Uncorrect      0x0032   001   001   050    Old_age   Always   FAILING_NOW 711
188 Command_Timeout         0x0032   100   099   050    Old_age   Always       -       9
189 High_Fly_Writes         0x003a   052   052   058    Old_age   Always   FAILING_NOW 48
190 Airflow_Temperature_Cel 0x0022   088   042   034    Old_age   Always       -       12 (0 50 12 11 0)
194 Temperature_Celsius     0x0022   012   058   034    Old_age   Always   FAILING_NOW 12 (0 8 0 0 0)
195 Hardware_ECC_Recovered  0x001a   045   029   026    Old_age   Always       -       317521
196 Reallocated_Event_Count 0x0033   100   100   051    Pre-fail  Always       -       2041
197 Current_Pending_Sector  0x0012   100   100   018    Old_age   Always       -       6
198 Offline_Uncorrectable   0x0010   100   100   016    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x003e   200   200   062    Old_age   Always       -       0

SMART Error Log Version: 1
ATA Error Count: 33645 (device log contains only the most recent five errors)
	CR = Command Register [HEX]
	FR = Features Register [HEX]
	SC = Sector Count Register [HEX]
	SN = Sector Number Register [HEX]
	CL = Cylinder Low Register [HEX]
	CH = Cylinder High Register [HEX]
	DH = Device/Head Register [HEX]
	DC = Device Command Register [HEX]
	ER = Error register [HEX]
	ST = Status register [HEX]
Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.

Error 33645 occurred at disk power-on lifetime: 23245 hours (968 days + 13 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 04 9d 00 32 e0

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  ec 00 01 00 00 00 a0 00      00:14:20.292  IDENTIFY DEVICE
  00 00 00 00 00 00 00 ff      00:14:20.287  NOP [Abort queued commands]
  00 00 00 00 00 00 00 ff      00:14:17.794  NOP [Abort queued commands]
  00 00 00 00 00 00 00 ff      00:14:07.961  NOP [Abort queued commands]
  c6 00 10 00 00 00 40 00      00:14:07.662  SET MULTIPLE MODE

Error 33644 occurred at disk power-on lifetime: 23245 hours (968 days + 13 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 04 9d 00 32 40  Device Fault; Error: ABRT

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  c6 00 10 00 00 00 40 00      00:14:07.662  SET MULTIPLE MODE
  00 00 00 00 00 00 00 ff      00:14:07.661  NOP [Abort queued commands]
  2f 00 01 10 00 00 40 00      00:14:07.552  READ LOG EXT
  60 00 18 a8 36 cb 40 00      00:14:07.551  READ FPDMA QUEUED
  ef 02 00 00 00 00 40 00      00:14:07.441  SET FEATURES [Enable write cache]

Error 33643 occurred at disk power-on lifetime: 23245 hours (968 days + 13 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 04 9d 00 32 40  Device Fault; Error: ABRT

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  2f 00 01 10 00 00 40 00      00:14:07.552  READ LOG EXT
  60 00 18 a8 36 cb 40 00      00:14:07.551  READ FPDMA QUEUED
  ef 02 00 00 00 00 40 00      00:14:07.441  SET FEATURES [Enable write cache]
  ef 03 45 00 00 00 40 00      00:14:07.332  SET FEATURES [Set transfer mode]
  c6 00 10 00 00 00 40 00      00:14:07.225  SET MULTIPLE MODE

Error 33642 occurred at disk power-on lifetime: 23245 hours (968 days + 13 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 04 9d 00 32 40  Device Fault; Error: ABRT at LBA = 0x0032009d = 3276957

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  60 00 18 a8 36 cb 40 00      00:14:07.551  READ FPDMA QUEUED
  ef 02 00 00 00 00 40 00      00:14:07.441  SET FEATURES [Enable write cache]
  ef 03 45 00 00 00 40 00      00:14:07.332  SET FEATURES [Set transfer mode]
  c6 00 10 00 00 00 40 00      00:14:07.225  SET MULTIPLE MODE
  00 00 00 00 00 00 00 ff      00:14:07.224  NOP [Abort queued commands]

Error 33641 occurred at disk power-on lifetime: 23245 hours (968 days + 13 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 04 9d 00 32 40  Device Fault; Error: ABRT

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  ef 02 00 00 00 00 40 00      00:14:07.441  SET FEATURES [Enable write cache]
  ef 03 45 00 00 00 40 00      00:14:07.332  SET FEATURES [Set transfer mode]
  c6 00 10 00 00 00 40 00      00:14:07.225  SET MULTIPLE MODE
  00 00 00 00 00 00 00 ff      00:14:07.224  NOP [Abort queued commands]
  2f 00 01 10 00 00 40 00      00:14:07.115  READ LOG EXT

SMART Self-test log structure revision number 1
No self-tests have been logged.  [To run self-tests, use: smartctl -t]

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.


#4 AustrAlien (Inquisitor, Members, 6,772 posts, Cowra NSW Australia)

Posted 06 January 2013 - 02:27 PM

The hard drive is failing badly. :exclame:
  • Backup your important personal files ASAP while it is still possible, and then replace the hard drive.
Attributes with obviously abnormal values:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   051    Pre-fail  Always       -       2041
  7 Seek_Error_Rate         0x000f   073   060   015    Pre-fail  Always       -       103740170113
 12 Power_Cycle_Count       0x0033   100   037   051    Pre-fail  Always   In_the_past 952
187 Reported_Uncorrect      0x0032   001   001   050    Old_age   Always   FAILING_NOW 711
189 High_Fly_Writes         0x003a   052   052   058    Old_age   Always   FAILING_NOW 48
194 Temperature_Celsius     0x0022   012   058   034    Old_age   Always   FAILING_NOW 12 (0 8 0 0 0)
195 Hardware_ECC_Recovered  0x001a   045   029   026    Old_age   Always       -       317521
196 Reallocated_Event_Count 0x0033   100   100   051    Pre-fail  Always       -       2041
197 Current_Pending_Sector  0x0012   100   100   018    Old_age   Always       -       6
Reference: http://en.wikipedia.org/wiki/S.M.A.R.T.

Let me know if you have any questions or problems that I may be able to assist you with.

Edited by AustrAlien, 06 January 2013 - 02:32 PM.

AustrAlien
Google is my friend. Make Google your friend too.

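The GSmartControl steps in #2 produce the same text that smartctl prints on the command line, and #4 above picks the abnormal attributes out of that text by hand. As an added example (not part of this thread and not smartmontools' or GSmartControl's own code), the Python script below does that triage automatically over the attribute table posted in #3: it recomputes the WHEN_FAILED column from VALUE, WORST and THRESH, flags non-zero raw counts on the sector-health attributes (IDs 5, 187, 196, 197, 198) even where the normalised VALUE still reads 100, and shows that the "overall-health ... PASSED" line is no reassurance. The MARGIN constant, the "marginal" rule and the verdict thresholds are my assumptions, not anything smartctl defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the smartctl report posted in this thread (page data, not constructed),
# trimmed to the header facts and the attribute table that the triage needs.
SAMPLE_REPORT = """\
SMART overall-health self-assessment test result: PASSED
See vendor-specific Attribute list for marginal Attributes.

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   111   083   015    Pre-fail  Always       -       317521
  3 Spin_Up_Time            0x0002   096   093   002    Old_age   Always       -       0
  4 Start_Stop_Count        0x0032   100   100   050    Old_age   Always       -       961
  5 Reallocated_Sector_Ct   0x0033   100   100   051    Pre-fail  Always       -       2041
  7 Seek_Error_Rate         0x000f   073   060   015    Pre-fail  Always       -       103740170113
  9 Power_On_Hours          0x0032   074   074   050    Old_age   Always       -       23245
 10 Spin_Retry_Count        0x0013   100   100   019    Pre-fail  Always       -       1
 12 Power_Cycle_Count       0x0033   100   037   051    Pre-fail  Always   In_the_past 952
184 End-to-End_Error        0x0033   100   100   051    Pre-fail  Always       -       0
187 Reported_Uncorrect      0x0032   001   001   050    Old_age   Always   FAILING_NOW 711
188 Command_Timeout         0x0032   100   099   050    Old_age   Always       -       9
189 High_Fly_Writes         0x003a   052   052   058    Old_age   Always   FAILING_NOW 48
190 Airflow_Temperature_Cel 0x0022   088   042   034    Old_age   Always       -       12 (0 50 12 11 0)
194 Temperature_Celsius     0x0022   012   058   034    Old_age   Always   FAILING_NOW 12 (0 8 0 0 0)
195 Hardware_ECC_Recovered  0x001a   045   029   026    Old_age   Always       -       317521
196 Reallocated_Event_Count 0x0033   100   100   051    Pre-fail  Always       -       2041
197 Current_Pending_Sector  0x0012   100   100   018    Old_age   Always       -       6
198 Offline_Uncorrectable   0x0010   100   100   016    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x003e   200   200   062    Old_age   Always       -       0

ATA Error Count: 33645 (device log contains only the most recent five errors)
"""

# One row of the "Vendor Specific SMART Attributes with Thresholds" table.
# RAW_VALUE may carry a vendor suffix such as "12 (0 8 0 0 0)"; only the leading integer is taken.
ATTR_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+\s+"
    r"(?P<value>\d+)\s+(?P<worst>\d+)\s+(?P<thresh>\d+)\s+"
    r"(?P<type>\S+)\s+\S+\s+(?P<when_failed>\S+)\s+(?P<raw>\d+)"
)

# Attributes whose RAW value directly counts bad or suspect sectors: any non-zero value
# matters even while the normalised VALUE still sits at 100.
SECTOR_HEALTH_IDS = {5, 187, 196, 197, 198}

# Assumed margin (not from smartctl): WORST within this many points of THRESH is reported
# as "marginal", the situation the report's own "See vendor-specific Attribute list for
# marginal Attributes" line refers to.
MARGIN = 5


@dataclass
class SmartAttribute:
    id: int
    name: str
    value: int
    worst: int
    thresh: int
    type: str
    when_failed: str
    raw: int


def parse_attributes(report: str) -> list[SmartAttribute]:
    """Pull every attribute row out of a smartctl -a / GSmartControl text report."""
    attrs = []
    for line in report.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append(SmartAttribute(
                int(m["id"]), m["name"], int(m["value"]), int(m["worst"]),
                int(m["thresh"]), m["type"], m["when_failed"], int(m["raw"]),
            ))
    return attrs


def derive_when_failed(a: SmartAttribute) -> str:
    """Recompute smartctl's WHEN_FAILED column from the normalised values."""
    if a.value <= a.thresh:
        return "FAILING_NOW"
    if a.worst <= a.thresh:
        return "In_the_past"
    return "-"


def overall_health(report: str) -> str:
    m = re.search(r"overall-health self-assessment test result: (\w+)", report)
    return m.group(1) if m else "UNKNOWN"


def ata_error_count(report: str) -> int:
    m = re.search(r"ATA Error Count: (\d+)", report)
    return int(m.group(1)) if m else 0


def assess(report: str) -> list[tuple[int, str, str]]:
    """Return (id, name, reason) for every attribute that deserves a second look."""
    findings = []
    for a in parse_attributes(report):
        state = derive_when_failed(a)
        if state != "-":
            findings.append((a.id, a.name, state))
        elif a.id in SECTOR_HEALTH_IDS and a.raw > 0:
            findings.append((a.id, a.name, f"raw={a.raw}"))
        elif a.worst - a.thresh <= MARGIN:
            findings.append((a.id, a.name, "marginal"))
    return findings


def verdict(report: str) -> str:
    """REPLACE on any failing attribute, bad-sector count or logged ATA error (assumed rule)."""
    findings = assess(report)
    failing = any(reason == "FAILING_NOW" for _, _, reason in findings)
    bad_sectors = any(attr_id in SECTOR_HEALTH_IDS for attr_id, _, _ in findings)
    if failing or bad_sectors or ata_error_count(report) > 0:
        return "REPLACE"
    return "OK" if not findings else "WATCH"


if __name__ == "__main__":
    print("overall-health:", overall_health(SAMPLE_REPORT))  # PASSED, and yet:
    for finding in assess(SAMPLE_REPORT):
        print("  %3d %-24s %s" % finding)
    print("verdict:", verdict(SAMPLE_REPORT))
```

Run against the posted table, the recomputed WHEN_FAILED column agrees with smartctl's for all 19 rows, and the findings are exactly the eight attributes AustrAlien listed minus Seek_Error_Rate (whose raw field on these Seagate drives is a packed value that no simple threshold reads) plus nothing else: 5, 12, 187, 189, 194, 195, 196 and 197. Reallocated_Sector_Ct and Current_Pending_Sector are caught only by the raw-count rule, which is the point of having it.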

#5 realeverett (Topic Starter, Members, 3 posts)

Posted 06 January 2013 - 02:45 PM

Why doesn't it crash when I'm in safe mode? Is this something chkdsk can fix? Are there any other tips for me to follow so I can complete my backups without the drive constantly failing? Thanks.

#6 AustrAlien (Inquisitor, Members, 6,772 posts, Cowra NSW Australia)

Posted 06 January 2013 - 02:53 PM

This is well beyond the capability of chkdsk to "fix" .... and indeed I very strongly advise against attempting to run chkdsk as it may make the current situation much worse than it already is and result in corruption of data that is still currently intact and recoverable. :exclame:

Safe Mode uses fewer resources than running Windows normally, so it will often run with fewer issues, or none at all, when there is a problem.

If you cannot complete backing up your important files using Windows in Safe Mode, then I recommend using a Linux operating system run from a bootable CD or flash drive to do the job.
  • Let me know if you wish/need to go this way and I will provide complete instructions for you.

AustrAlien
Google is my friend. Make Google your friend too.
