
CHKDSK - advice sought, please



Roberto
27th June 2005, 01:50
I keep getting error messages telling me about various corrupt files, always ending with words "run chkdsk utility".

If I go into the command prompt and run just "chkdsk" on its own, it spends a minute or two apparently deleting corrupt attribution records, but quickly gives up the attempt, informing me "Errors found: chkdsk cannot continue in read-only mode."

But if I try to run "chkdsk /f" it can't do it at all, because "the volume is in use" (whatever this means) and it gives me the option of doing it at the next start-up. Even if I elect to do this, it makes no difference at all, and "chkdsk /f" is obviously not running.

I seem to have persistent spyware problems which are a major pain in the neck, in spite of having loaded and run every possible anti-spyware software you've ever heard of. At every start-up there are new spyware problems and alerts all over the place, and it's as if the things are re-generating (or not being removed properly when various items of software inform me that they have been).

I have a strong feeling that running "chkdsk /f" will be a really good idea, but how can I do this?

(If it's relevant, it's a fairly new, very high-spec desktop PC with XP (home edition) updated, but without SP2.)

Any advice welcome!

Merlin
27th June 2005, 02:12
I had the same problems....


Check this link....

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/UserTips/Miscellaneous/YoushouldrunCHKDSK.html

I now use the Microsoft Anti-Spyware Program.....EWIDO is good too...there's a 30 day Free Trial at the mo........run Hijack this.....

Roberto
27th June 2005, 02:52
Merlin, many thanks for your kind reply, but I think we're talking at cross-purposes, probably my fault for such a long-winded post! :(

The link you've provided relates to Windows NT, which I don't use. I have Windows XP.

I'm just asking how to run "chkdsk /f" in Windows XP without this problem that I describe above.

I tried doing what it suggested in that article, but realised quickly that it wasn't about my system when it said "Right-click on the drive letter in Windows Explorer and ... ..." (I can't get to a "drive-letter" in my version of Windows Explorer).

Any other suggestions, or have I misunderstood something obvious?

(I have the anti-spyware software you suggest, and many other sorts too, but it doesn't resolve my problem!).

Merlin
27th June 2005, 03:05
Sorry mate....I am not experienced in IT at all.....but I had similar problems....Keith and Glos helped me out with advice...(amongst others)........

My problems are now fortunately cleared up......after lots of hair pulling....and trying various things.....

As you know.....these trojans and spyware will get detected....but some of them will replicate before deletion.......I found them hiding in Registry and History files.......:yikes:

But you need someone who knows what's what before you delete anything....

Roberto
27th June 2005, 03:20
some of them will replicate before deletion


Yes ... this is beginning to make sense to me. I keep removing them and they just re-appear. I think I have something called "worm:win32/spybot.gen" and I can't get rid of it. Thanks for your comments, anyway ... sounds like I need an expert rather than trying to fix this on my own. Which is good to know anyway, although not such good news. Thanks, mate.

Merlin
27th June 2005, 03:33
http://www.sophos.com/virusinfo/analyses/w32spybotr.html

The above link tells you all you need to know about this blighter.....

Merlin
27th June 2005, 03:35
Don't forget to click on the description and recovery link.....

Win2Win
27th June 2005, 09:05
Run ADAWARE, SPYBOT & Microsoft's ANTISPYWARE software. All 3 take care of most.

If you're unsure about a virus, run Panda AV Online check.

If, and only IF, use HIJACKTHIS.

It's generally better to get rid of persistent viruses in Safe Mode or DOS

GlosRFC
27th June 2005, 15:15
Some of the more "intelligent" viruses will utilise Windows System Restore feature to replicate themselves. Always turn this off before you run any anti-virus software or the virus will simply reappear as soon as you've finished. As Keith says, zapping them in DOS or Safe Mode is usually best as the System Restore facility doesn't work in those modes.

Don't worry too much about links to NT when you're using XP. In most instances, that advice is still valid as the XP kernel (particularly the security aspect) is based on proven NT technologies. Installing SP2 once you've cleared the virus is also recommended as it should be more robust in preventing you from picking them up (and a lot of the spyware stuff) in the first place.

The reason that you're getting the "volume in use" message may be because of the way that your hard disk has been partitioned. Some partitioning software (Partition Magic is particularly prone to this) try to protect your MBR (Master Boot Record) and won't allow chkdsk to alter or move sectors. You can force XP to run "chkdsk /r" by running the Recovery Console from your original Windows Setup CD. You'll need to have administrator privileges which shouldn't be a problem if it's your personal PC and a back-up of your important data files is also recommended.

The worm you've identified (worm:win32/spybot.gen) is relatively easy to remove:

1. Right-click the My Computer icon on the desktop and click Properties.
2. Click the System Restore tab.
3. Select Turn off System Restore.
4. Click Apply > Yes > OK.
5. Files in the _Restore folder can now be deleted.
6. Assuming that you don't use Trend Micro AV software, download this file http://www.trendmicro.com/ftp/products/tsc/sysclean.com into a temporary folder on your C: drive. Then go to this link http://www.trendmicro.com/download/pattern.asp download the latest zip patternfile and unzip that into the same temporary folder.
7. Run Adaware, Spybot and Antispyware.
8. Reboot
9. Repeat steps 1 & 2 and re-enable System Restore by clearing Turn off System Restore.

If you're not comfortable about downloading the Trend Micro software, then you can manually clear the worm but you'll need to know the exact filenames of the infected files and have a good working knowledge of altering your registry settings. You'll need to remove the identified files from HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run and HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce. You'll also need to remove Dir0 = 012345:C:\Windows\System32\kazaabackupfiles from HKEY_CURRENT_USER>Software>Kazaa>LocalContent. Finally, you'll also have to delete from your hard disk all those files that have been identified as infected by worm:win32/spybot.gen. The usual caveat applies: Don't do any of these manual registry changes unless you have a reliable back-up of your registry and are confident that you know what you're doing.
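An added example, not from the thread or any poster: a read-only PowerShell audit of the Run/RunOnce keys and the Kazaa LocalContent value named in the post above. It assumes Windows PowerShell 3.0 or later and changes nothing; it only reports each autostart entry and whether its target file actually exists, so you can write down the filenames before touching the registry.

```powershell
# Added example (not from the thread): audit the autostart keys the post
# tells you to inspect. Read-only; nothing is deleted or modified.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$cmd) {
    # Pull the executable out of a command line, quoted or unquoted,
    # and expand %SystemRoot%-style variables so Test-Path can see it.
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { $exe = $cmd }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        $exe = Get-ImagePath $cmd
        [PSCustomObject]@{
            Key     = $key
            Name    = $name
            Command = $cmd
            Target  = $exe
            Exists  = (Test-Path -LiteralPath $exe)   # missing file = dead or hidden entry
        }
    }
}

# The Kazaa shared-folder value mentioned in the post, if the key is present.
$kazaa = 'HKCU:\Software\Kazaa\LocalContent'
if (Test-Path $kazaa) {
    $dir0 = (Get-ItemProperty -Path $kazaa).Dir0
    if ($dir0) { Write-Warning "Kazaa LocalContent Dir0 = $dir0" }
}
```

Entries whose target does not exist, or points into Windows\System32 under a name you do not recognise, are the ones worth looking up before deciding what to remove.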

Roberto
27th June 2005, 18:31
Very many thanks for such helpful advice, guys.
I've decided that I really do need the services of someone who understands this stuff a lot better than I do, but I'm sure the advice above will be helpful for him, too, and I've printed it off anyway.

This afternoon I disconnected from the net, ran _all_ my anti-spyware software and then ran Norton AV again and it found 22 "new" items of spyware not picked up by Microsoft Antispyware, Spybot Search and Destroy, Adaware or XoftSpy. It was unable to repair, delete or quarantine 16 of them, though. The various links offered to further information at the Symantec site were also pretty useless. I downloaded various "fixes" which scanned independently and couldn't find what Norton AV had found, so obviously couldn't repair any of it. I think it's all going to turn into a Very Big Problem, and I've realised that I'm really way out of depth here. But many thanks for the comments/advice above anyway.

Win2Win
27th June 2005, 19:36
The ones that can't be deleted, I write down the filename, then look for it on Google to see what it is. I'll then first of all rename it if it's iffy, and reboot. That actually clears most.

Anything deeper is done by renaming/deleting in DOS/SAFE MODE and erasing any registry entries.

Be careful if you have LASS.EXE, pain in the ass to remove. The kids got on the internet with no AV or firewall......shows you how intelligent my ex is !!

Roberto
27th June 2005, 22:30
Again, thanks. The irony of it is that I'm ultra careful with Norton, firewall, scanning with loads of stuff for adware and spyware every day etc. etc. etc. and still all this stuff somehow got in! :(

I've just managed to run Chkdsk and Norton AV in safe mode, but there are now 28 adware files I simply can't get rid of any way at all, and tomorrow I call in the cavalry. If you never hear from me again, guys, it was good knowing you and good luck! :)

GlosRFC
27th June 2005, 23:11
Again, thanks. The irony of it is that I'm ultra careful with Norton, firewall, scanning with loads of stuff for adware and spyware every day etc. etc. etc. and still all this stuff somehow got in! :(


I'm willing to bet that you (or someone on your PC) is using some kind of P2P networking (e.g. Limewire or Kazaa) to search for and download music/video files.

How do I know? Because that's how Win32/spybot.gen is able to get into your PC and how it spreads from one machine to another. It's very rare for it to be sent as an email attachment or downloaded in the normal way so it's unlikely that Norton or your adaware/spyware would spot it. And because you've used Peer to Peer, you will have automatically opened a port to the remote PC thus bypassing your firewall security.

As well as spreading itself through P2P networks, this worm also creates a backdoor by connecting to an IRC server. This allows other IRC remote users to send commands that will be processed on your PC.

sparkyminer
27th June 2005, 23:16
I'm willing to bet that you (or someone on your PC) is using some kind of P2P networking (e.g. Limewire or Kazaa) to search for and download music/video files.


Doesn't AV and Firewalls cover these P2P networking thingies Glos?

GlosRFC
27th June 2005, 23:40
The short answer? No.

The long answer. Both Instant Messaging and Peer 2 Peer software is able to bypass firewalls using port-scanning and tunneling techniques. Neither IM nor P2P software uses effective authorisation so there's no way of knowing that the person on the other end is really who they are. And because they both don't use encryption there's no way of knowing if a third-party hasn't hijacked one or other of the accounts or is eavesdropping. Some firewalls do have updates available that will block some of the more common ports but to share files on your computer (and sometimes to access files on other computers within the P2P network) you must open a specific TCP port through the firewall for the P2P software to communicate - bang goes your firewall protection.

Even if you do have your firewall monitoring every single packet that's passing through the network, it's all too easy to set up your P2P designated file-sharing folder as C:. In effect this will make your entire PC software available to someone else, so there's a security risk there. P2P software is also notoriously buggy anyway so that's another risk and they pretty much all contained spyware when they first started. That's why the software was given away free!

GlosRFC
27th June 2005, 23:42
Don't know why I bothered typing all that as I've just found a link that explains most of the security concerns better than I can :D

http://www.mcgill.ca/ncs/products/security/p2p/

sparkyminer
27th June 2005, 23:47
So should I get rid of it? I'm almost fanatical in my pc protection ever since my daughter opened an e-mail with a virus. Cost me time, money and grief to restore my pc.
I don't go online 'til I've checked my AV is up and running properly. My kids are using Limewire at the moment and it seems to run OK and the pc shows no signs of playing up, but if there's any danger then it's going.

sparkyminer
28th June 2005, 00:04
It's gone. :D

GlosRFC
28th June 2005, 00:12
That was drastic :yikes:

Seriously though, it can be a concern if you leave it on and you can't be watching it all the time when the kids are using it. Used moderately and sensibly, P2P is okay so long as you're aware that you're opening your system up to more risks, and that you have measures in place to counteract those risks. If you're not aware (and you should be if you read that link I supplied) or you don't have appropriate security measures, then you've probably done the right thing Sparky.

Win2Win
28th June 2005, 08:50
I never use chatrooms such as AOL, MSN, as my kids use the spare comp for that, and it is always ridden with viruses when they've finished. Same as my mate's comp.

Also when downloading, I scan everything before running it, around 5% have viruses of one sort or another. I've never found a virus on a Torrent file yet though.

Roberto
28th June 2005, 11:54
No music downloads here, and no p2p (don't even know what it is), and nobody else ever touches my PC on pain of death, mutilation and Tony Blackburn jokes (not necessarily in that order). But I do use MSN messenger quite a bit. Nasty business, all this adware and junk. Neither Trend Micro nor Norton AV can clean it (nor any of the normal Spyware toys). But I've got someone coming round later who will take the hard disc out and do the job properly (he says). So, we'll see ...

I feel like I felt when I was about 18 and had my first car and didn't know how to do anything apart from put petrol, oil and water into it and drive it. At the first sign of trouble, I was useless and incompetent but still dependent on the bloody thing. :(

Win2Win
28th June 2005, 12:18
You don't need to take the drive out, it only takes 5-10 mins to do it in Safe Mode or DOS - I guess he doesn't know what he's doing then!!

Merlin
28th June 2005, 12:21
The thing is Roberto all these trojans etc you have were already there (probably) prior to installing your protection.....

Some trojans and adware are sleepers which are triggered by various catalysts.......or commands.......

What's that saying now!

"They don't come through doors but through windows"...... Or something like that......as long as you use windows (like me).....you will always have problems from time to time....

sparkyminer
28th June 2005, 13:15
That was drastic :yikes:

If you're not aware (and you should be if you read that link I supplied) or you don't have appropriate security measures, then you've probably done the right thing Sparky.
See my earlier post. If there's any chance of it becoming infected then it's going. :D

Roberto
28th June 2005, 13:28
You don't need to take the drive out, it only takes 5-10 mins to do it in Safe Mode or DOS - I guess he doesn't know what he's doing then!!


Well ... we'll see. I've already tried running various scanning/cleaning things in safe mode, though. Didn't work. But that might easily be mostly because I don't know what I'm doing, admittedly. And I'm too scared to erase registry stuff in DOS, God knows what might happen!

Norton AV was installed the day (in fact the hour) I bought this PC, the other things very shortly afterwards, so I'm as certain as I can be that these problems "got through" everything.

Win2Win
28th June 2005, 13:34
Did you write down the filenames of the trojans and then physically delete them while in Safe Mode?

Roberto
28th June 2005, 22:47
Did you write down the filenames of the trojans and then physically delete them while in Safe Mode?


I had eventually tried that late last night, yes, but some of them just kept re-appearing. Not sure if they were trojans, actually.

Anyway, the problems are all resolved now. You were right, Keith, of course: he didn't take out the hard drive at all, did it all from safe mode and DOS. Took him over 4 hours altogether (and this is a guy who does this for a living), and he had to make quite a few phone-calls etc. for help/advice, too.

The "main culprits" were some extremely unpleasant stuff called "Aurora" and "Nail.exe" (both of which he'd seen a couple of times over the last week and knew how hard they would be to shift). But done now, and ok. Nasty business indeed.

GlosRFC
28th June 2005, 23:23
Aurora is tough to remove because it not only replicates itself, but it also creates a randomly-named executable that lurks in your Windows/System32 directory. Not only does it create all these false executables but, if you delete one of them, the other will check for its existence and recreate yet another random executable if it can't find it. So by simply following the standard method of deleting all files that are identified as belonging to this virus you are, in effect, initiating the replication process yourself :yikes:

The simplest way of counter-acting this kind of self-duplication is to create a pair of dummy text files called nail.txt and aurora.txt, rename them nail.exe and aurora.exe and copy them into the windows\system32 directory. Then make them read only. When the virus tries to replicate it is fooled into thinking that the original copies still exist and happily evaporates when you press the delete key. But of course, the new text files are incapable of replicating themselves and you can either leave them as future protection or zap them too. :D

Glad you're sorted now though - like Keith I was a bit mystified why anyone would want to remove a hard drive just to eradicate a virus unless they wanted to take it away with them.

Also thought it might be prudent to run my own full AV test having not done so for about 5 months now - 424,938 files inspected and clean so no surprises there :D :D
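The placeholder trick described above, written out as an added PowerShell example (not code from the thread or any poster). It assumes Windows PowerShell 2.0 or later; the file names come from the post, and the target directory is a parameter so the script can be tried in a scratch folder first. It refuses to overwrite any existing non-empty file of the same name, since that would be the live copy the cleaner still needs to see, and verifies the read-only zero-byte placeholder after creating it.

```powershell
# Added example (not from the thread): drop empty, read-only placeholder files
# where a self-restoring dropper expects its copies, then verify them.
param(
    [string[]]$Names = @('nail.exe', 'aurora.exe'),      # names from the post
    [string]$TargetDir = (Join-Path $env:SystemRoot 'System32')
)

function New-Placeholder([string]$dir, [string]$name) {
    $path = Join-Path $dir $name
    if (Test-Path -LiteralPath $path) {
        $existing = Get-Item -LiteralPath $path -Force
        if ($existing.Length -gt 0) {
            # A real file is still here; leave it for the cleaner rather than
            # clobbering something you have not identified yet.
            Write-Warning "$path exists and is $($existing.Length) bytes; skipping"
            return $false
        }
        # Already a zero-byte placeholder: just make sure it is read-only.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        return $true
    }
    # Zero-byte file: nothing executable inside, so it cannot do anything if run.
    New-Item -Path $path -ItemType File | Out-Null
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $check = Get-Item -LiteralPath $path -Force
    return ($check.IsReadOnly -and $check.Length -eq 0)
}

foreach ($n in $Names) {
    if (New-Placeholder -dir $TargetDir -name $n) {
        Write-Output "placeholder in place: $(Join-Path $TargetDir $n)"
    } else {
        Write-Warning "placeholder NOT in place for $n"
    }
}
```

Run it first with -TargetDir pointing at a scratch folder to see the behaviour, then from an elevated prompt against System32; the read-only attribute is only a speed bump, so the placeholders are a supplement to the clean-up in Safe Mode, not a replacement for it.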

Roberto
29th June 2005, 01:04
Yes, I follow the logic ... thanks for your helpful comments, Glos and others.

Win2Win
29th June 2005, 08:27
:doh Strange that Vegy's live bedroom webcam stream comes from your IP address then Glos :laugh