Possible File System and/or MFT Corruption after Malware Cleanup

nv87654

We have a Vista x64 Home Premium Dell desktop that we have struggled with for days and days after a SMART HDD Rogue Fake HDD infection. After many, many AV scans, etc. we finally thought we had the system clean because scans were starting to continuously show clean and the system was booting again. So, after thinking we had recovered the system, we uninstalled McAfee and installed Kaspersky Pure 2.0 as our new AV tool. We scanned again with the new Kaspersky and everything was looking good. Then about 2 days later, after basically letting the system sit idle, we began having problems installing and uninstalling programs, some programs could not start up, Kaspersky database update would fail, getting errors popping up having to do with corrupt file system, corrupt $MFT, etc.:


- Windows Media Player constantly running very high on memory consumption, even though we are not even running Windows Media Player

- Early on, after virus cleaning, we saw an error pop up (only twice) saying the $MFT was corrupt and unusable

- Tried uninstalling various applications and it fails

- Kaspersky updates won't commit. Says it cannot create a directory.

- Other apps starting up automatically in Windows (i.e. Logitech, Dell Dock) give file system corruption type errors.


So, I have been on the assumption that the MFT and/or the file system is corrupt and have tried the following tasks:



From the Vista Installation DVD RE command prompt, I have run both of these commands several times with the same result:


sfc /scannow

It runs there for about 20 seconds and then returned with output/error of: "Windows Resource Protection could not start the repair service"



Next, I attempted to run chkdsk from within the same Vista DVD Installation RE command prompt:

Here is the following command I ran:

X:\Sources>chkdsk c: /x /f /r

Output was as follows:

The type of the file system is NTFS.
Volume label is OS.

CHKDSK is verifying files (stage 1 of 5)...
791104 file records processed.
File verification completed.
5387 large file records processed.
0 bad file records processed.
0 EA records processed.
50 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...

14 percent complete. (838035 of 929100 index entries processed)
X:\Sources>

The chkdsk stops and exits at this same index number 838035 every time I run it.


I have run disk diags and it all says the disks are OK.

But I am suspicious that the MFT might be corrupt or out of sync with the file system.

I have gone through these steps more than once and it is the same behavior every time.

Any help or advice on this would be much appreciated.
 

Thanks for the good advice, townsbg. I have already backed up the C drive via tar command from Linux boot. But, with all due respect, another backup won't really fix the problem without restoring.

A re-install and restore would only be the last of all last, last resorts (this is my wife's photography home business computer with massive amounts of extra programs, emails, photos, etc.), basically a nightmare to rebuild back to the current state. So, do you have any suggestions on what we might try to determine if there really is a file system corruption or a corruption in the $MFT and ways we could possibly fix it? Thanks.
 


Have you considered a system restore to before the problem occurred? I didn't see it in the list of things you've tried.
 

Have you tried my suggestion?
 

@wither 3 - No, we could not try to restore to a previous restore point. We had to delete all our system restore points because the rogue.Fake HDD and related malware infected the restore point files in the System Volume Information directory. Also, I have had bad experiences in the past with restoring from the Windows restore points and it hosed up my computer for good and I had to re-install.
 


I meant have you followed the steps to restore the mft?
 

townsbg - I apologize. I had overlooked the link you provided above where you mentioned backing it up. Sorry about that. I will check out that link and see what I can do. Thanks a lot for your help and your patience.
 


@townsbg - I checked out your link, which was a link to another forum post with someone's description that was very confusing. And the one and only response was a set of even more links. I read through those and only found one related to NTFS or $MFT corruption and it basically says to run chkdsk /F.

But that is my main problem. All my chkdsk commands that I run hang at the same spot (14%) every time and will not complete ... it bails out back to the command line after about 14% of checking.


"NTFS File system corruption

In very rare circumstances, the NTFS Metafiles $MFT or $BITMAP may become corrupted and result in lost disk space. This issue can be identified and fixed by running a chkdsk /F against the volume in question. Toward the end of chkdsk, you receive the following message if the $BITMAP needs to be adjusted:
Correcting errors in the master file table's (MFT) BITMAP attribute.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system." ... How to locate and correct disk space problems on NTFS volumes

Am I still missing something here? Can you help boil it down for me if possible?
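
An added example, not part of the thread or any poster's code: a read-only check of raw NTFS file records for the two on-disk markers of $MFT damage, the record signature and the per-sector update sequence ("fixup") values. The 1024-byte record size, the function names and the sample records are assumptions constructed for illustration; obtaining a raw copy of $MFT from an image is left to the reader.

```python
import struct
from collections import Counter

SECTOR = 512  # NTFS protects multi-sector records in 512-byte strides

def check_mft_record(rec: bytes) -> str:
    """Classify one raw file record; read-only, nothing is repaired."""
    if not any(rec):
        return "empty"                      # never-used slot
    if len(rec) < SECTOR or len(rec) % SECTOR:
        return "bad length"
    if rec[:4] == b"BAAD":
        return "marked bad"                 # record already flagged as damaged
    if rec[:4] != b"FILE":
        return "bad signature"
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    sectors = len(rec) // SECTOR
    if usa_count != sectors + 1 or usa_off + 2 * usa_count > SECTOR - 2:
        return "bad update sequence array"
    usn = rec[usa_off:usa_off + 2]          # sequence number stamped on each sector
    for i in range(sectors):
        end = (i + 1) * SECTOR
        if rec[end - 2:end] != usn:
            return f"torn write in sector {i}"
    return "ok"

def scan_mft(blob: bytes, record_size: int = 1024):
    """Return (status counts, index of first record that is not ok/empty)."""
    counts, first_bad = Counter(), None
    for n in range(len(blob) // record_size):
        status = check_mft_record(blob[n * record_size:(n + 1) * record_size])
        counts[status] += 1
        if first_bad is None and status not in ("ok", "empty"):
            first_bad = n
    return counts, first_bad

def make_record(usn: bytes = b"\x07\x00", size: int = 1024) -> bytes:
    """Constructed sample: minimal 'FILE' record with fixups in place."""
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, size // SECTOR + 1)
    rec[0x30:0x32] = usn
    for i in range(size // SECTOR):
        rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] = usn
    return bytes(rec)

if __name__ == "__main__":
    good = make_record()
    torn = good[:1022] + b"\x06\x00"        # second sector carries a stale sequence number
    print(scan_mft(good + torn + bytes(1024)))
```

This checks record framing only; it says nothing about directory index consistency, which is the stage where the chkdsk run above stops.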
 


Maybe this article will give you some ideas about fixing the MFT-

Optimizing NTFS
 
