Windows 7 Forums



Windows 7: Bitdefender found Thousands of I/O errors in file system.

20 Jul 2016   #1
Devadip

Windows 7 Home Premium 64bit.
 
 
Bitdefender found Thousands of I/O errors in file system.

Hi!

My friend brought me his PC about 4 days ago and I found out that it was infected by multiple rootkits, backdoors and trojans. I've never seen anything like it.

I decided to run the diskpart clean all command so I can securely format the HDD. I also updated the BIOS since I feared that a bootkit was present (I'm not an expert at all, but I just wanted to make sure that whatever was on the system would not come back by any means).

I scanned the PC before formatting it. When I saw the breadth of the infection, I decided to secure erase. I scanned the PC with TDSS Killer, Malwarebytes Anti Rootkit and GMER afterwards (after the secure erase) and nothing was found. The only thing that bothers me is the high number of I/O errors found by the Bitdefender Rescue CD scanner. When I scan the "File System" directory, I get a couple thousand I/O errors and Bitdefender is telling me that it can't scan these specific files. It also says "Threats may be present on your system".

I would like to figure out what's causing these errors. I doubt that malware could've survived the diskpart clean all except if I'm dealing with a pretty mean rootkit... I have the Bitdefender report file, but I'm not sure which format is best for sharing. Should I just link the .txt file?

Thanks for your time and have a nice day.


20 Jul 2016   #2
Eric3742

Windows 7 x64
 
 

Firstly, some of those infected files may not be true.
Some anti-virus software does not like other anti-virus software, so it is marked as infected.
And there is some difference between the free and paid versions.

For me, I am using SuperAntiSpyware free edition, meaning not active.
I do run this SuperAntiSpyware after surfing, almost daily.
Before running, this software does have updates daily, which some do not.
There are options for quick scan and full scan. But since I run it daily, I do a quick scan.
Although I do have an active Panda Internet Security, it is not able to do a better job than this SuperAntiSpyware.
So I decided to buy the active version.
I did use this to scan my friend's laptop, and did find a lot of nonsense viruses, malware, etc.

If you do a clean install, there is no need to scan for viruses, malware, etc.
If not, do a FULL format, which may take hours depending on the HDD size.
20 Jul 2016   #3
Devadip

Windows 7 Home Premium 64bit.
 
 

Thanks for the reply. Actually, I did a full format. It took like 6 1/2 hours and it deleted the MBR. Thing is... I just reinstalled Windows and I don't have any other antivirus or antispyware program running actively on my system atm (I haven't connected to the internet yet because I'm a bit paranoid). The only thing I have installed is Malwarebytes free version (I did an offline scan).

I read that the Bitdefender Rescue CD may not be able to scan operating system files, files in use and user-protected files. Maybe the 7k (or so) files are either OS system files, in use or protected.

I will scan the PC with SuperAntiSpyware and I'll keep you in touch.

20 Jul 2016   #4
Devadip

Windows 7 Home Premium 64bit.
 
 

SuperAntiSpyware found nothing.

Those are the files (a portion of them) that can't be scanned. You must open the file with Notepad++.


Attached Files
File Type: txt Bitdefender report.txt (256.2 KB, 2 views)
20 Jul 2016   #5
Devadip

Windows 7 Home Premium 64bit.
 
 

Is it safe to connect the PC to my network after using Windows diskpart clean all? From what I know, it writes zeros on the disk and it acts like a secure erase if I'm not mistaken. I've also scanned it in offline safe mode and everything was fine.

Here are the results.


Attached Files
File Type: txt Addition.txt (11.0 KB, 2 views)
File Type: txt FRST.txt (17.6 KB, 1 views)
File Type: txt combofix report.txt (4.5 KB, 1 views)
File Type: txt RogueKiller report.txt (6.5 KB, 0 views)
20 Jul 2016   #6
Alejandro85

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by Devadip
The only thing that bothers me is the high number of I/O errors found by the Bitdefender Rescue CD scanner. When I scan the "File System" directory, I get a couple thousand I/O errors and Bitdefender is telling me that it can't scan these specific files. It also says "Threats may be present on your system".

I/O errors have nothing to do with antiviruses or infections or anything related to security. They mean that the HD is failing to function as it should, and the AV has no clue what's going on there (it can neither conclude that it's clean nor confirm an infection). It's not its business to deal with disk errors; instead, give chkdsk a try beforehand. If those I/O problems are real, it's quite possible that the disk is failing and needs a replacement, virus or not.

However, you should never trust anything if you're running a compromised machine. Those scans are only useful if they're running from an external OS, not the broken one. A rootkit can for sure hide itself by throwing fake I/O errors to disguise itself, so if you're running the infected OS, forget about those results. Booting with a CD, or putting the HD as a slave on another computer is fine though.


Quote: Originally Posted by Devadip
I scanned the PC before formatting it.

There is no point in doing so, if you know the computer is infected. If you're formatting, everything will go away, viruses included. Anything found will no longer be there. Curiosity is the only use of a previous scan.


Quote: Originally Posted by Devadip
From what I know, it writes zeros on the disk and it acts like a secure erase if I'm not mistaken.

No! This is terribly wrong. Diskpart's sole purpose is to manage partition tables and a few special system tables, but nothing else. All a full clean really does is delete the full partition table, leaving the rest alone (you can tell from the fact that it's a lightning-fast command, while filling everything with zeros would take hours). It's not documented and not meant to do otherwise, and in fact, it's quite easy to undo a diskpart clean once you know its tricks.
I find it disturbing that for the last days the forum seems to be spreading such a myth.

Note that, however, while all the data is intact, the OS has no clue on how to use it, as the main indexes describing its meaning are lost. That's why it's so dangerous and issuing it is almost equal to all data being lost.


Quote: Originally Posted by Devadip
Is it safe to connect the PC to my network after using Windows diskpart clean all?

Once you've reinstalled a clean OS, it's just like a new machine. Everything that was previously there is gone, and I find it safe to assume that the computer is clean, no matter how bad it was before.


Quote: Originally Posted by Devadip
I doubt that malware could've survived the diskpart clean all except if I'm dealing with a pretty mean rootkit.

Technically, everything survives a diskpart clean. But in practice no, nothing remains, no matter how nasty the virus was. And no, not even the meanest of rootkits can survive a reformat. The reason is simple: you boot another OS to blow the infected thing up. At that point, no software in the affected computer runs, including malware, so it has no chance to lie to you. If you reformatted using a safe computer, it's safe to assume that all is clean now. Typically you reformat using the Windows install CD, which, if downloaded and stored in safe locations, is reasonable to trust.
20 Jul 2016   #7
Devadip

Windows 7 Home Premium 64bit.
 
 

I see. Thanks for the information! I did a chkdsk and there were no problems whatsoever. I also tested the WD drive with WD WinDLG and there were no errors.

Maybe it's just me, but when I saw this post talking about diskpart, I didn't quite get the difference between diskpart clean all and secure erase because of the way it was written (and I didn't know what secure erase was). "You could use the clean all command (secure erase) to do the above and also have each and every disk sector on the HDD written over and zeroed out completely to securely delete all data on the disk to help prevent the data from being able to be recovered."

It's an excellent guide, but it's just the "secure erase" hyperlink that got me confused the first time I saw this tutorial. I get it now though. Sorry for my ignorance.
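Whether a wipe actually left the disk zero-filled, the point the posts above go back and forth on, can be checked directly by reading the device back and looking for non-zero or unreadable regions. This is an added example, not part of the original thread: `verify_zeroed`, `make_sample_image` and the sample image are constructed for illustration, and the device names in the comment are hypothetical targets that need an elevated prompt.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # multiple of 512 and 4096 so raw-device reads stay aligned


def verify_zeroed(path, chunk=CHUNK, max_hits=10, max_errors=1000):
    """Read path end to end; report non-zero and unreadable chunks."""
    # path: disk image or raw device (admin), e.g. /dev/sdb or \\.\PhysicalDrive1
    res = {"bytes_read": 0, "nonzero_chunks": 0, "unreadable_chunks": 0,
           "first_nonzero": [], "first_unreadable": []}
    offset = 0
    with open(path, "rb", buffering=0) as dev:
        while res["unreadable_chunks"] <= max_errors:
            try:
                data = dev.read(chunk)
            except OSError:  # genuine I/O error: note the offset, skip ahead
                res["unreadable_chunks"] += 1
                if len(res["first_unreadable"]) < max_hits:
                    res["first_unreadable"].append(offset)
                offset += chunk
                dev.seek(offset)
                continue
            if not data:
                break  # end of device or image
            if data.count(0) != len(data):
                res["nonzero_chunks"] += 1
                if len(res["first_nonzero"]) < max_hits:
                    res["first_nonzero"].append(offset)
            res["bytes_read"] += len(data)
            offset += len(data)
    res["zeroed"] = not (res["nonzero_chunks"] or res["unreadable_chunks"])
    return res


def make_sample_image(size=4 * CHUNK, leftover_at=None):
    """Constructed test image: zero-filled, optionally with leftover bytes."""
    data = bytearray(size)
    if leftover_at is not None:
        data[leftover_at:leftover_at + 4] = b"NTFS"  # stand-in for old data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    img = make_sample_image(leftover_at=2 * CHUNK + 3)
    print(verify_zeroed(img))
    os.remove(img)
```

Run it from a rescue environment or with the disk attached to another machine, before reinstalling; unreadable offsets reported here point at the drive itself rather than at anything a scanner found.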
20 Jul 2016   #8
Devadip

Windows 7 Home Premium 64bit.
 
 

I will install Windows on the formatted drive for now because my friend is coming back in two days and he wants to be able to use his PC. He has to leave town every Sunday for work so he'll probably want to play some games during his 2 days off.

If the HDD is failing, I'll tell him to get an SSD I guess. There won't be any personal files on the HDD anyways. He's planning on buying an SSD soon.
20 Jul 2016   #9
DonnaB

Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
 
 

Hi Devadip,

Did Bitdefender produce a scan report that could be uploaded to the forum? The I/O errors can also be generated if you have open files during the scan. See here.

There are also several drivers that need to be installed/updated. See below:

==================== Éléments en erreur du Gestionnaire de périphériques =============

Name: Contrôleur PCI de communications simplifiées
Description: Contrôleur PCI de communications simplifiées
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur Ethernet
Description: Contrôleur Ethernet
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur de bus USB
Description: Contrôleur de bus USB
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur de bus SM
Description: Contrôleur de bus SM
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


I see no hint of infection in the logs you uploaded above. If you want to confirm it is clean you could scan with ESET Online scanner which uses multiple AV databases.

I don't see any AV installed for that matter. I would suggest installing one as soon as possible, especially if you choose to surf the net looking for a solution. Are you able to connect to the internet?

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista/Win7 right click on the IE icon and choose "Run as administrator"

Please go here then click on the Scan Now button to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete
  • If no threats were found
    • Place a checkmark in Uninstall application on close
    • close program
    • Report to me that nothing was found

If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Place a checkmark in Uninstall application on close
  • click on finish
  • close program
  • upload the report here
22 Jul 2016   #10
Devadip

Windows 7 Home Premium 64bit.
 
 

I installed the missing drivers and I scanned with ESET Online Scanner. Nothing was found. Everything is fine. Thanks for your time and help.