Chkdsk /f or /r not fixing file system

I cannot defrag my hard drive (actually partition) C: with OO Defrag because when it does a chkdsk there are errors.  

The machine is an HP Pavilion ZT3000 with a 60 GB hard drive, and Windows XP Pro.  The hard drive is partitioned into 4 logical drives.  

The system boots fine and operates fine.  Logical drive C: is the bootable partition on the drive.  The other logical drives have no chkdsk problem.

When I run a CHKDSK /F or /R it does not fix the problem.  

So the cycle is endless.  I run CHKDSK /F or /R (during a boot), then run CHKDSK after the boot to see if it worked.  The problems are still there.

I cloned this hard drive to another drive on another machine and get the same problem.  So, I think the problem is in the Microsoft operating system and not a hardware problem with the drive.

I am concerned that eventually the system will fail and I won't be able to boot or recover, even with a backup.

Please advise.
SNAG-0001.jpg
slulayAsked:
briancassinCommented:
You have run chkdsk in the recovery console. What you posted about a false error, I knew about; that is why I kept saying recovery console, but you are still getting the error in the recovery console.

You never mentioned a Windows Installer error before. What error are you getting with that?

Have you checked your Event Viewer log files for errors?


I think honestly, between how infected this machine was and the other errors you are getting, Windows is toast. As much as you don't want to do it, there are times when things are just beyond repair. I think you need to consider at this point backing up your data and completely wiping your drive.

If you want to tell me the Windows Installer error message and whatever other errors you are getting in your event log, I can look into this before you format, but I think this is your only option left.
0
 
sliiconmanCommented:
If you want to fix the file system from a command prompt, enter scannow /sfc. You will need the XP disk.

This will run a system file check and repair any broken system files.
0
 
slulayAuthor Commented:
Hello,

Thank you.

Could you please be more specific?

"scannow /sfc"is not "recognized as an internal or external command" when run from the DOS prompt

Do you mean this program is on the XP Disk as an executable?  

I'll have to search for the disk.
0
 
sliiconmanCommented:
I did it backwards: sfc /scannow


http://support.microsoft.com/kb/310747
0
 
briancassinCommented:
In Windows, go to Start > Run and type SFC /SCANNOW; it will prompt for your Windows XP CD if there are any damaged files.

In Windows you can also go to the command prompt and type CHKNTFS C:  This will tell you if it is marked as a dirty volume or not.

You need to go to the recovery console; you will need your XP disk to do this.

Put in your XP CD, restart the computer, boot to the XP CD, choose recovery, press Enter for the password, and at the cmd screen type: chkdsk c: /p
When it's through, type EXIT, remove the XP CD and let XP restart. Back on the desktop, run defrag.


Do you have pcAnywhere? There is a known issue of version 10.x causing this. Also HP ScanJet scanners.
0
 
briancassinCommented:
I would also check for viruses and spyware; they can also cause this error to occur.

Download Hijackthis and paste the Log that is generated from it

http://www.majorgeeks.com/download5554.html

Download  combofix.exe and save it to your desktop
Close any open browsers.
Before starting ComboFix disable and exit any anti-virus software, anti-spyware or any other security related software as they may interfere with ComboFix's operation.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Also run these

You're going to need some anti-spyware/malware utilities run too.

http://security.kolla.de Spybot S&D - download it, install it (do not install TeaTimer), update it, then run it

http://lavasoft.com - Ad-Aware - download it, run it and then uninstall it
http://pack.google.com/intl/en/pack_installer_new.html?hl=en&gl=us&utm_source=en_US-et-more&utm_medium=et&utm_campaign=en_US&ciNum=11    - select to only download and install spyware doctor.

Additionally, I would download and run RootkitRevealer; if it comes up with anything odd, post it up here.
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Other things you might try:

1. Make sure CheckDisk is not enabled in your startup list; if it is, uncheck it:

Start / Run / Msconfig / Startup

2. Clear your BootExecute entry:

Start / Run / regedt32

HKEY_LOCAL_MACHINE / SYSTEM / CurrentControlSet / Control / Session Manager
BootExecute

 - Delete all autocheck entries, especially: autocheck autochk /f *

HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Winlogon

 - Highlight the Winlogon file.

 - Set "SFCScan" to 0 (zero).

0
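The registry steps in the comment above are destructive edits, so as an added example (not part of this thread, and not a tool either participant used) here is a read-only PowerShell audit of the same values: it lists each BootExecute entry, flags anything that differs from the stock XP value, reads SFCScan under Winlogon, and queries the volume's dirty bit the way CHKNTFS C: does. It assumes Windows PowerShell in an elevated session; the stock BootExecute value `autocheck autochk *` and the SFCScan meanings (0 = off, 1 = scan every boot, 2 = scan once at next boot) are facts about Windows, not values from the page.

```powershell
# Added example: read-only audit of the registry values named in the steps above.
# It reports; it deletes nothing. Assumes an elevated Windows PowerShell session.

$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock BootExecute on XP: a single entry that lets autochk run only when the
# volume is flagged dirty or a chkdsk /f has been scheduled.
$defaultBootExecute = 'autocheck autochk *'

function Get-BootExecuteAudit {
    # BootExecute is REG_MULTI_SZ, so this is a string array.
    $entries = (Get-ItemProperty -Path $sessionMgr -Name BootExecute).BootExecute
    foreach ($entry in $entries) {
        if ($entry -eq $defaultBootExecute) {
            $status = 'default'
        } elseif ($entry -match '^autocheck autochk') {
            $status = 'non-default autochk entry (e.g. forced /f every boot)'
        } else {
            $status = 'non-autochk entry: review what it runs'
        }
        New-Object PSObject -Property @{ Entry = $entry; Status = $status }
    }
}

function Get-SfcScanAudit {
    # SFCScan: 0 = off (default), 1 = scan protected files every boot,
    # 2 = scan once at the next boot.
    $value = (Get-ItemProperty -Path $winlogon).SFCScan
    if ($null -eq $value) { $value = '(not set, behaves as 0)' }
    New-Object PSObject -Property @{ Name = 'SFCScan'; Value = $value }
}

Get-BootExecuteAudit | Select-Object Entry, Status | Format-Table -AutoSize
Get-SfcScanAudit     | Select-Object Name, Value   | Format-Table -AutoSize

# Dirty-bit state of C:, the same fact CHKNTFS C: reports.
fsutil dirty query C:
```

If the audit shows only the default BootExecute entry and SFCScan is 0 or absent, the boot-time checks are not being forced by the registry, which narrows the problem to the volume itself or to something reported by a read-only scan of a live volume.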
 
slulayAuthor Commented:
I have an HP Perfection V100 and a 3450 Scanner....

0
 
slulayAuthor Commented:
I ran CHKNTFS and the file system is not dirty.

I'll try to find my SP2 CD.

Is there any way I can point SFC to look for the SP2 CD on my hard drive instead of the CD drive?
0
 
sliiconmanCommented:
There is a local cache that it will look at, but if it is corrupt it will look for the CD. If you have the SP2 CD, can you burn it?
0
 
briancassinCommented:
If you have the CD copied to your hard drive, you can point SFC to your local drive.

Go here for instructions on how to modify your registry; however, if you do this and later go to use the CD, you will have to revert the registry changes.

http://www.updatexp.com/scannow-sfc.html
0
 
slulayAuthor Commented:
OK, I was able to run the sfc /scannow command to completion.

Then I did a CHKDSK /F and then after it booted did a regular CHKDSK....still errors (see attachment)

Next I did a CHKDSK /R and then after it booted did a regular CHKDSK....still errors (see attachment)

What next....should I try a system recovery with the Win XP CD?

Or move on to the suggestions from Brian in post 20780523 above?

SNAG-0002.jpg
0
 
sliiconmanCommented:
Yes I would give that a shot at this point.  Could very well be spyware.
0
 
briancassinCommented:
Did you run checkdisk from the recovery console as I instructed?

Do you have pcAnywhere installed?

You did not mention if you used this
CHKNTFS C:  This will tell you if it is marked as a dirty volume or not.

You need to go to the recovery console; you will need your XP disk to do this.

Put in your XP CD, restart the computer, boot to the XP CD, choose recovery, press Enter for the password, and at the cmd screen type: chkdsk c: /p
When it's through, type EXIT, remove the XP CD and let XP restart. Back on the desktop, run defrag.
0
 
slulayAuthor Commented:
1) No, I don't have PC Anywhere installed...but I did install terminal server software then uninstalled it.  I don't remember which one.  It was a trial.

2) I now have "Remote Desktop Control" installed.

3) I burned an XP Pro Install CD and ran the Recovery Console as instructed.  After reboot still same problems.  See attached file.

4) Chkntfs DOES NOT report a dirty volume.


SNAG-0003.jpg
0
 
slulayAuthor Commented:
Here is the log file from HijackThis
hijackthis.log
0
 
slulayAuthor Commented:
Here is the output from combofix
ComboFix.txt
0
 
slulayAuthor Commented:
Hey Guys, I have to leave for a few days...I'll pick this up next week and continue...thanks for your help.
0
 
slulayAuthor Commented:
autoruns output --

I completed the suggested registry changes

see attachments
AutoRuns.txt
SNAG-0004.jpg
SNAG-0005.jpg
0
 
slulayAuthor Commented:
forgot to mention, no changes to the problem after my last comment

01.31.2008 at 04:41AM PST, ID: 20785966
      
0
 
briancassinCommented:
Your ComboFix log is not good.

It found Beagle on your system.
Is your anti-virus up to date?

It found viruses on your system and a known file that is for a rootkit. It could be either one of these two below:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-062016-4555-99&tabid=2


http://www.symantec.com/security_response/writeup.jsp?docid=2006-032316-2221-99&tabid=2

You are going to need to run the other utilities I mentioned above. In addition you will also need to get RootkitRevealer from Sysinternals and run that:
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Also I would run:
http://housecall.trendmicro.com
http://www.bitdefender.com 
0
 
slulayAuthor Commented:
see attached files
SNAG-0006.jpg
SNAG-0008.jpg
0
 
briancassinCommented:
According to ComboFix it did find those, but it may have removed all of the infection. I wanted to check to make sure nothing else was in the system, and it looks like things are still coming up.

Have you run all the utilities yet? Spybot S&D, Ad-Aware, RootkitRevealer?

Are you still getting the error with chkdsk when you go to the recovery console and run it?
0
 
slulayAuthor Commented:
Note that on the previous post I did not fix the Spyware Doctor because I had to license the software first

See Spybot output....fixed these

also attached is the output from the rootkit scan (does it clean up also?)

and the scan results from Ad-Aware

Next I will reboot with chkdsk /f and then see what I have, will post
SNAG-0009.jpg
RootkitReveal.txt
SNAG-0010.jpg
0
 
briancassinCommented:
you are rootkitted

C:\WINDOWS\TEMP\is-CR9OC.tmp      1/31/2008 2:04 PM      0 bytes      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\_isetup      1/31/2008 2:04 PM      0 bytes      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\_isetup\_RegDLL.tmp      1/31/2008 2:04 PM      3.50 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\_isetup\_shfoldr.dll      1/31/2008 2:04 PM      22.77 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\helper.dll      1/8/2008 10:01 AM      41.00 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\PCTLicReset.dll      1/8/2008 10:01 AM      545.51 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\SecurityUtil.dll      1/8/2008 10:01 AM      84.00 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-JOOPT.tmp      1/31/2008 2:04 PM      0 bytes      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-JOOPT.tmp\is-C1MVH.tmp      1/31/2008 2:04 PM      679.50 KB      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\Setup Log 2008-01-31 #001.txt      1/31/2008 2:04 PM      715 bytes      Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\~DF4428.tmp      1/31/2008 2:01 PM      16.00 KB      Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\TEMP\~DF458E.tmp      1/31/2008 2:01 PM      512 bytes      Visible in Windows API, MFT, but not in directory index.


That should not be. Were you running anything else at the time of RootkitRevealer?

You have a lot of infections, and I do not know why you had a problem with Spyware Doctor; you shouldn't need a license to run it unless you want the upgraded version. You will have to manually remove what it found if you can not automatically run it.

The problem is your system has had a lot of trojans and rootkits on it. I honestly think that solving this issue with the chkdsk is directly related to all of this malware and these viruses in your system, and considering each tool is finding something different, that is telling me you have a high amount of infection. Fact is, at some point we may have to throw in the towel here and you will have to back up all of your critical data and just format the h.d. and reload the o.s., and then install some decent security tools, as whatever you were running wasn't doing its job or you didn't have the proper security tools to address viruses and malware, spyware, trojans.
0
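The RootkitRevealer lines quoted in the comment above are the kind of output a practitioner has to triage by hand, so here is an added PowerShell example (not part of this thread) that parses a saved report and sorts each discrepancy by how much it matters. It assumes the report is tab-separated (path, timestamp, size, description), which is the format RootkitRevealer writes when a log is saved; the sample text is constructed from the entries quoted above plus one clearly labelled placeholder line of the "Hidden from Windows API" type, which is the discrepancy that actually indicates API-level hiding. The 2:00 PM scan start time is also a constructed assumption.

```powershell
# Added example: triage a RootkitRevealer text report. Discrepancies confined to
# files that appeared in %WINDIR%\TEMP while the scan was running are the usual
# "something else was running" false positive; "Hidden from Windows API" is not.
# $sample is constructed (tab-separated) from the thread's entries plus one
# placeholder path that does not exist on the poster's machine.
$sample = @"
C:\WINDOWS\TEMP\is-CR9OC.tmp`t1/31/2008 2:04 PM`t0 bytes`tVisible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\_isetup\_RegDLL.tmp`t1/31/2008 2:04 PM`t3.50 KB`tVisible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\is-CR9OC.tmp\PCTLicReset.dll`t1/8/2008 10:01 AM`t545.51 KB`tVisible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\Setup Log 2008-01-31 #001.txt`t1/31/2008 2:04 PM`t715 bytes`tVisible in directory index, but not Windows API or MFT.
C:\WINDOWS\TEMP\~DF4428.tmp`t1/31/2008 2:01 PM`t16.00 KB`tVisible in Windows API, MFT, but not in directory index.
C:\EXAMPLE\placeholder-hidden.sys`t1/31/2008 2:05 PM`t12.00 KB`tHidden from Windows API.
"@

# Assumed scan start; take it from the report header or the saved-log time on a real run.
$scanStart = [datetime]::Parse('1/31/2008 2:00 PM', [Globalization.CultureInfo]::InvariantCulture)

function ConvertFrom-RkrReport {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $f = $line -split "`t"
        if ($f.Count -lt 4) { continue }   # not a discrepancy line (header, blank, etc.)
        New-Object PSObject -Property @{
            Path = $f[0]; Timestamp = $f[1]; Size = $f[2]; Description = $f[3]
        }
    }
}

function Get-RkrTriage {
    param($Entries, [datetime]$ScanStart)
    foreach ($e in $Entries) {
        $inTemp = $e.Path -match '\\TEMP\\'
        $duringScan = $false
        try {
            $ts = [datetime]::Parse($e.Timestamp, [Globalization.CultureInfo]::InvariantCulture)
            $duringScan = $ts -ge $ScanStart
        } catch { }

        if ($e.Description -match 'Hidden from Windows API') {
            $priority = 'HIGH: hidden from the API, investigate offline'
        } elseif ($inTemp -and $e.Description -match 'Visible in') {
            $priority = 'likely transient: temp file changed during scan, rescan with nothing else running'
        } else {
            $priority = 'review'
        }
        New-Object PSObject -Property @{
            Priority = $priority; DuringScan = $duringScan; Path = $e.Path; Description = $e.Description
        }
    }
}

$entries = ConvertFrom-RkrReport -Lines ($sample -split "`r?`n")
Get-RkrTriage -Entries $entries -ScanStart $scanStart |
    Sort-Object Priority |
    Select-Object Priority, DuringScan, Path |
    Format-Table -AutoSize -Wrap
```

To run it against a real saved log, replace `$sample` with `Get-Content -Path <report.txt>`. The useful check is the second column: a discrepancy whose timestamp falls after the scan started, and which sits in a temp directory, is the case the comment above asks about ("were you running anything else"), and the right response is to rescan with all other software closed and see whether it persists.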
 
briancassinCommented:
0
 
slulayAuthor Commented:
Problem not fixed....yet.  

see chkdsk results after a reboot with chkdsk /f
SNAG-0001.jpg
0
 
slulayAuthor Commented:
OK, I have to leave for today......I am (an American) living in Argentine Patagonia, in the Andes.  We are three hours ahead of East Coast US Time.  Will check back when I can.

Is there any way to remove the rootkits automatically?  I imagine that is what chkdsk doesn't like.....

Then I can deal with the other trojans with disinfecting programs.

I don't really want to rebuild the disk....it would be virtually impossible to get it back the way I have it now.
0
 
briancassinCommented:
You want to run the /R switch fix fdisk and you want to run it in recovery console... I have mentioned this several times.

usually not

There are a couple of programs, but they may not report correctly.

F-Secure's BlackLight
http://www.f-secure.com/security_center/    BlackLight is located at the bottom of the page

AVG
http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0


This one is not really automated but provides detailed info.
http://www.resplendence.com/hookanalyzer
0
 
slulayAuthor Commented:
OK, before this I was unaware of the recovery console.  I now have it loaded so I can run it at boot without the CD.  I did run it once with the CD but it didn't fix the problem.  I ran CHKDSK with the /P option as you mentioned with the command console.

I'm not sure what you mean with your last suggestion....

"You want to run the /R switch fix fdisk and you want to run it in recovery console"

Do you mean run CHKDSK with the /R switch or FDISK with the /R switch?

If these rootkits are hiding in unallocated file space, would not simply overwriting the unallocated space on the partition clear them?  
0
 
briancassinCommented:
Sorry, that was a mistype; I meant CHKDSK, not FDISK. Sorry....

Yes, with the P switch as mentioned before, or the R switch...

Rootkits load in the system kernel, but they can affect other things, so overwriting the unallocated space on the partition would not clear them.

I need to know what you are and are not running when I suggest things to you as I have no way of knowing and only can assume you did what I told you to do when you do not give me any feedback. This wastes a lot of time in all honesty. Especially if for example now running chkdsk in recovery console fixed the problem.... IF you don't understand something then please ask, if you don't ask then I assume you understand what I am telling you to do and following my directions.  
0
 
slulayAuthor Commented:
I have been doing all that you ask...but have not yet done your postings

01.31.2008 at 10:31AM PST, ID: 20789484
01.31.2008 at 10:52AM PST, ID: 20789705

You put them in faster than I can do them....especially when I have to do some setups multiple things to do...and also I had to drive to the next city an hour away to take care of some business.....now I'm back for another hour or two.

If you print this dialog off and go through the entries you will see that I am following your instructions.  Sometimes I use 2-3 postings in a row to indicate the steps I've taken

I will do things in this order...

01.31.2008 at 10:31AM PST, ID: 20789484
01.31.2008 at 10:52AM PST, ID: 20789705
then chkdsk /p with the console

0
 
slulayAuthor Commented:
VundoFix did not find any errors.  I'm going to run SmitFraudFix overnight as it says it can take several hours.

Now I'll start on your suggestions in

01.31.2008 at 10:52AM PST, ID: 20789705
0
 
slulayAuthor Commented:
AVG didn't find any rootkits on the regular or in-depth search.  See attachments.
SNAG-0002.jpg
SNAG-0004.jpg
0
 
slulayAuthor Commented:
Blacklight did not find anything
SNAG-0005.jpg
SNAG-0006.jpg
SNAG-0007.jpg
0
 
briancassinCommented:
I hate to say it, but I am out of ideas for now... You may have no choice but to pull your data off and reformat the drive... I will look into this some more between tonight and tomorrow and try to get back to you Fri or Sat on it. Maybe in the meantime another expert has another idea...
0
 
slulayAuthor Commented:
output from RootKit Hook Analyzer

I was unable to export the list so I did a screen capture.....the second one (modules) has enough resolution if you download it and zoom in.

the first one is SERVICES, filtered by Hooked Services Only

The second is MODULE

both are sorted by company

the
0
 
slulayAuthor Commented:
oops....these attachments belong to the previous entry for RootKit Hook Analyzer

This looks good....do you see anything wrong with the reports?
SNAG-0011.jpg
SNAG-0012.jpg
0
 
briancassinCommented:
The first thing in the list needs to go; it's a known trojan/backdoor, systool.sys.
0
 
slulayAuthor Commented:
It may be an overclocking driver....OR?  

Can I just delete it or do I need something else to get rid of it?

What about the next two on the list....they don't have a company entry....or a description
0
 
briancassinCommented:
Those are part of your Comodo firewall.
0
 
slulayAuthor Commented:
I just ran CHKDSK /P in the console.  It said it found errors, but completed normally.

Then in the console also I ran CHKDSK /R and it completed without listing errors.

After I boot I get the attachment output from CHKDSK
SNAG-0000.jpg
0
 
briancassinCommented:
Interesting... If this happened after removing that .sys file, that malware is messing with the hard drive.

If you try chkdsk /f in Windows, what happens?

Try this: go to Start > Run, type eventvwr and hit Enter,
then go to the Application log and see if you have any warnings or errors about chkdsk finding an invalid application or something.

0
 
briancassinCommented:
I may have just discovered something...

Do you have mozilla firefox ?

If so try doing this
Firefox 2 comes with a built in Session Store feature that saves your session data including open windows and tabs, window size and position, and text typed in forms. Session data is stored in the sessionstore.js file, located in the profile folder. To disable this feature, set browser.sessionstore.enabled to "false".

0
 
briancassinCommented:
Out of curiosity, before this problem occurred how much free hard drive space did you have on your root drive?
0
 
slulayAuthor Commented:
Hi Brian,

I have to go to bed now...it is 11:30 pm and I have to be up at 6:30 am.  (Patagonia Time).

I will be able to get back to this Friday afternoon.....

Yes, I use Firefox.

And, I have not yet deleted the suspected trojan .sys files......do I just delete them?

There are 1.25 gigs free on my C: drive.  It has a total of 6.2 gigs.

 I don't have any virtual memory assigned on my computer as I have 1.5 gig RAM and don't want cached data sitting around in the virtual memory files.  

THANKS FOR HANGING IN WITH ME!

See you tomorrow.
0
 
briancassinCommented:
Yes, delete the file I mentioned above; it is a nasty. If it won't delete we'll find another way to deal with it.

Since you have Firefox, follow what I said about disabling that file in Firefox. If you still get the error on chkdsk, then I want you to back up all of your Firefox favourites etc., then totally uninstall Firefox, then run the recovery console again with the CHKDSK /r option,
then reboot.


The reason on Firefox is I found some information, and the file that was referenced in your last post is directly related to Firefox.
0
 
slulayAuthor Commented:
OK, I set Firefox browser.sessionstore.enabled to "false".     Didn't change anything with CHKDSK.

and then uninstalled Firefox, ran CHKDSK /R from the console.

Still the same problem...CHKDSK finding errors and not really fixing them.

It reports various errors at various times.  

I also uninstalled a lot of unnecessary software....problem did not go away.

Just to re-iterate.....I cloned this hard drive to another identical laptop and the problem was replicated there.  So, it is not hardware or hard disk related...something to do with the Windows installation, I imagine.

Also, there is something wrong with the Windows Installer....I get that pop up a lot....but that is likely a different problem.
0
 
slulayAuthor Commented:
Maybe I'm chasing my tail......and there is nothing wrong??????

Here is a post I found in another discussion.  Please comment.

(Note that at some point in the past I had no errors on C: running chkdsk in read only mode)

http://www.pcreview.co.uk/forums/thread-2392826.php

--------------------------------- quote -----------------------------------------------------------------------------------

These error messages ***I.E. from chkdsk***  do not necessarily mean that there is a problem with the drive.

The reason you are seeing these errors is because when you run CHKDSK from a command
prompt, it runs in "Read only" mode, and the state of the computer is changing at the time you
run the utility. A "read only" chkdsk on an active NTFS volume will result in false positive
errors!

Read-only CHKDSK will abort before it completes all three phases if it encounters errors in any
phase, falsely reporting errors when in read-only mode. In other words, CHKDSK may report that
a disk is corrupted even when there is no real corruption present. This can happen if the volume
is modified by some program activity in the area that CHKDSK is examining at the time.

To test a volume correctly, the volume must be in a static state, and the only way to guarantee
that state is to lock the volume. CHKDSK only locks the volume when it runs before entering
Windows or while in Recovery Console with /P or /R (which implies "F") is specified.

You can test this by starting your computer in the Recovery Console and run "CHKDSK /P" from
there. See if you get any error messages. Now, boot back to Windows and the errors return.

--------------------------------------------------------------------------------------------------------------------
0
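The quoted post above explains why a read-only CHKDSK on a mounted volume is not evidence, and Brian's earlier suggestion to look in Event Viewer is how you get the evidence that does count. As an added example (not part of this thread) the PowerShell below puts that workflow into functions: an advisory read-only pass, the dirty-bit query, scheduling a locked /f check for the next boot, and after the reboot pulling the autochk summary out of the Application log. It assumes Windows PowerShell in an elevated session, that `$Volume` is the volume under test, and the XP behaviour that boot-time autochk results are logged by source "Winlogon" as event ID 1001 (on later Windows versions the source is Wininit).

```powershell
# Added example: the chkdsk workflow from the quoted post, as functions.
# Assumes an elevated Windows PowerShell session on Windows XP.
$Volume = 'C:'

function Test-VolumeReadOnly {
    # Read-only pass on a mounted, in-use volume. The result is advisory only:
    # 0 = nothing reported, non-zero = problems reported, which on a live volume
    # can be the false positive the quoted post describes.
    param([string]$Vol = $Volume)
    $out = & chkdsk.exe $Vol 2>&1 | Out-String
    New-Object PSObject -Property @{ Volume = $Vol; ExitCode = $LASTEXITCODE; Output = $out }
}

function Test-VolumeDirty {
    # The dirty bit is authoritative; this is what CHKNTFS C: reports.
    # fsutil prints "Volume - C: is Dirty" or "Volume - C: is NOT Dirty".
    param([string]$Vol = $Volume)
    $out = & fsutil.exe dirty query $Vol | Out-String
    return [bool]($out -match 'is Dirty')
}

function Request-BootChkdsk {
    # Schedules a locked chkdsk /f for the next boot. The system volume cannot be
    # locked while Windows runs, so chkdsk asks whether to schedule the check;
    # the piped "y" answers that prompt. Nothing happens until you reboot.
    param([string]$Vol = $Volume)
    & cmd.exe /c "echo y | chkdsk $Vol /f"
}

function Get-BootChkdskResults {
    # After the reboot, read the autochk report from the Application log so it
    # can be compared with a later read-only pass.
    param([int]$Newest = 2)
    Get-EventLog -LogName Application -Source Winlogon -Newest 500 |
        Where-Object { $_.EventID -eq 1001 } |
        Select-Object -First $Newest |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            $summary = ($lines | Where-Object { $_ -match 'error|corrupt|problem|no further action' }) -join ' | '
            New-Object PSObject -Property @{ Time = $_.TimeGenerated; Summary = $summary; Message = $_.Message }
        }
}

# Typical sequence:
#   Test-VolumeReadOnly | Select-Object Volume, ExitCode   (advisory)
#   Test-VolumeDirty                                       (authoritative)
#   Request-BootChkdsk; Restart-Computer
#   Get-BootChkdskResults | Format-List Time, Summary
```

The comparison that settles the question in this thread is between the third and fourth steps: if the boot-time report in the event log says the volume is clean and the dirty bit is clear, then a later read-only CHKDSK that still lists errors is reporting on a volume that was changing underneath it, not on damage that /F or /R failed to repair.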
 
slulayAuthor Commented:
Well, I have tried everything suggested so far.  And still have the problem.

Perhaps the MFT is damaged and CHKDSK can't repair it.

I am going to try this utility when I get the time to understand how to operate it:

http://www.z-a-recovery.com/

0
 
slulayAuthor Commented:
Oh, one more thing I tried....boot time defrags with both OO Defrag and PerfectDisk.  

These are supposed to defrag the MFT, and PerfectDisk is supposed to clean up the entries in the MFT.

No change in the problem.
0
 
briancassinCommented:
thank you I'm sorry it was not fixable
0