Solved Bitdefender found Thousands of I/O errors in file system.

[Devadip]

Hi!

My friend brought me his PC about 4 days ago and I found out that it was infected by multiple rootkits, backdoors and trojans. I've never seen anything like it.

I decided to run diskpart clean all command so I can securely format the HDD. I also updated the BIOS since I feared that a bootkit was present (im not an expert at all, but I just wanted to make sure that whatever was on the system would not come back by any means).

I scanned the PC before formatting it. When I saw the breadth of the infection, I decided to secure erase. I scanned the PC with TDSS Killer, Malwarebytes Anti Rootkit and GMER afterwards (after the secure erase) and nothing was found. The only thing that bothers me is the high number of I/O errors found by the Bitdefender Rescue CD scanner. When I scan the "File System" directory, I get a couple thousand I/O errors and Bitdefender is telling me that it can't scan these specific files. It also says "Threats may be present on your system".

I would like to figure out what's causing these errors. I doubt that malware could've survive the diskpart clean all except if I'm dealing with a pretty mean rootkit... I have the Bitdefender report file, but I'm not sure which format is best for sharing. Should I just link the .txt file?

Thanks for your time and have a nice day.

 

[Eric3742]

Firstly, some of those infected files may not be true.
Some anti-virus software do not like other anti-virus software, so it is marked as infected.
And there is some difference between free or paid version.

For me, i am using SuperAntiSpyware free edition, meaning not active.
I do run this SuperAntiSpyware after surfing, almost daily.
Before running, this software do have updates daily, which some do not.
There are options for, quick scan, full scan. But since i run daily, then do a quick scan.
Although i do have a active a Panda Internet Security but not able to do a better job then this SuperAntiSpyware.
So i decide to buy the active version.
I did use this to scan my friend laptop, and did found a lot of nonsense virus, malware, etc.

If you do a clean install, there is no need to do scan for virus, malware, etc.
If not, do a FULL Format, which may take hours depend on the HDD size.

 

[Devadip]

Thanks for the reply. Actually, I did a full format. It took like 6 1/2 hours and it deleted the MBR. Thing is... I just reinstalled Windows and I don't have any other antivirus or antispyware program running actively on my system atm (I haven't connected to the internet yet because I'm a bit paranoid). The only thing I have installed is Malwarebytes free version (I did an offline scan).

I read that the Bitdefender Rescue CD may not be able to scan operating system files, files in use and user-protected files. Maybe the 7k (or so) files are either OS system files, in use or protected.

I will scan the PC with SuperAntiSpyware and I'll keep you in touch.

 

[Devadip]

SuperAntiSPyware found nothing.

Those are the files (a portion of them) that can't be scanned. You must open the file with Notepad++.

 

[Devadip]

Is it safe to connect the PC to my network after using Windows diskpart clean all? From what I know, it writes zeros on the disk and it acts like a secure erase if i'm not mistaken. I've also scanned it in offline safe mode and everything was fine.

Here are the results.

 

[Alejandro85]

The only thing that bothers me is the high number of I/O errors found by the Bitdefender Rescue CD scanner. When I scan the "File System" directory, I get a couple thousand I/O errors and Bitdefender is telling me that it can't scan these specific files. It also says "Threats may be present on your system".

I/O errors have nothing to do with antiviruses or infections or anything related to security. It means that the HD is failing to function as it should, and the AV has no clue what's going on there (it cannot conclude that it's clean, but neither confirm an infection), it's not its business to deal with disk errors, but instead give chkdsk a try beforehand. If those I/O problems are real, it's quite possible that the disk is failing and needing a replacement, virus or not.

However, you should never trust anything if you're running a compromised machine. Those scans are only useful if they're running from an external OS, not the broken one. A rootkit can for sure hide itself by throwing fake I/O errors to disguise itself, so if you're running the infected OS, forget about those results. Booting with a CD, or putting the HD as a slave on another computer is fine though.

I scanned the PC before formatting it.

There is no point in doing so, if you know the computer is infected. If you're formatting, everything will go away, viruses included . Anything found will no longer be there. Curiosity is the only use of a previous scan.

From what I know, it writes zeros on the disk and it acts like a secure erase if i'm not mistaken.

No! This is terribly wrong. Diskpart sole purpose is to manage partition tables and a few special system tables, but nothing else. All a full clean really does is to delete the full partition table, leaving the rest alone (you can realize that based on that it's lightning fast command, while filling everything with zeros would take hours). It's not documented and not meant to do otherwise, and in fact, it's quite easy to undo a diskpart clean once you know its tricks.
I find it disturbing that for the last days the forum seems to be spreading such a myth.

Note that, however, while all the data is intact, the OS has no clue on how to use it, as the main indexes describing its meaning are lost. That's why it's so dangerous and issuing it is almost equal to all data being lost.

Is it safe to connect the PC to my network after using Windows diskpart clean all?

Once you've reinstalled a clean OS, it's just like a new machine. Everything that was previously there is gone, and I find safe to assume that the computer is clean, no matter how bad was before.

I doubt that malware could've survive the diskpart clean all except if I'm dealing with a pretty mean rootkit.

Technically, everything survives a diskpart clean But in practice no, nothing remains, no matter how nasty the virus was. And no, not even the meanest of rootkits can survive a reformat. Reason is simple, you boot another OS to blow the infected thing up. At that point, no software in the affected computer runs, including malware, so it has no chance to lie to you. If you reformated using a safe computer, it's safe to assume that all is clean now. Typically you reformat using the Windows install CD, which if downloaded and stored in safe locations, is reasonable to trust in it.

 

[Devadip]

I see. Thanks for the information! I did a chkdsk and there were no problems whatsoever. I also tested the WD drive with WD WinDLG and there were no errors.

Maybe it's just me, but when I saw this post talking about diskpart, I didn't quite get the difference between diskpart clean all and secure erase because of the way it was written (and I didn't know what secure erase was). "You could use the clean all command (secure erase) to do the above and also have each and every disk sector on the HDD written over and zeroed out completely to securely delete all data on the disk to help prevent the data from being able to be recovered."

It's an excellent guide, but it's just the "secure erase" hyperlink that got me confused the first time I saw this tutorial. I get it now though. Sorry for my ignorance.

 

[Devadip]

I will install Windows on the formatted drive for now because my friend is coming back in two days and he want to be able to use his PC. He has to leave town every sunday for work so he'll probably want to play some games during his 2 days off.

If the HDD is failing, I'll tell him to get an SSD I guess. There won't be any personal files on the HDD anyways. He's planning on buying an SSD soon.

 

[DonnaB]

Hi Devadip,

Did Bitdefender produce a scan report that could be uploaded to the forum? The I/O errors can also be generated if you have open files during the scan. See here.

There are also several drivers that need to be installed/updated. See below:

==================== Éléments en erreur du Gestionnaire de périphériques =============

Name: Contrôleur PCI de communications simplifiées
Description: Contrôleur PCI de communications simplifiées
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur Ethernet
Description: Contrôleur Ethernet
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur de bus USB
Description: Contrôleur de bus USB
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Contrôleur de bus SM
Description: Contrôleur de bus SM
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


I see no hint of infection in the logs you uploaded above. If you want to confirm it is clean you could scan with ESET Online scanner which uses multiple AV databases.

I don't see any AV installed for that matter. I would suggest installing one as soon as possible, especially if you choose to surf the net looking for a solution. Are you able to connect to the internet?

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista/Win7 right click on the IE icon and choose "Run as administrator

Please go here then click on the Scan Now button to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options

• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• wait for the virus definitions to be downloaded
• Wait for the scan to finish

When the scan is complete

• If no threats were found
  • Place a checkmark in Uninstall application on close
  • close program
  • Report to me that nothing was found

If threats were found

• click on "list of threats found"
• click on "export to text file" and save it as ESET SCAN and save to the desktop
• Click on back
• Place a checkmark in Uninstall application on close
• click on finish
• close program
• upload the report here

 

[Devadip]

I installed the missing drivers and I scanned with ESET Online Scanner. Nothing was found. Everything is fine. Thanks for your time and help.