PDA

View Full Version : Virus and HDD failure: Port 1: SMART detects drive bad, backup and replace.



Swampthing
11-05-2012, 04:17 PM
My G74SX which is just over 11 months old is now reporting HDD failures on both E: and F: drives. I figure I'll probably have replace the drive as I am getting a startup error SMART bad drive, replace, Port 1.

Not sure which drive is Port 1 when I open up the bottom, but am looking for recommendations to replace the 750GB drive that is currently there. I presume it has to be 2.5" but not sure if there are other limitations.

I have a strong suspicious that these errors are being caused by a malicious virus which Spybot RD found on my computer and will not eradicate, claiming I am not the Administator. But of course when you check the User Accounts, I am the Administrator.
Here's what SpyBot RD is reporting, and I would appreciate any assistance in getting it off my hard drive.

W3i.IQ5.fraud: [SBI $5ADC6E84] Program directory (Directory, nothing done)
C:\Windows\System32\AI_RecycleBin\

dstrakele
11-05-2012, 05:34 PM
Check out http://www.advancedinstaller.com/forums/viewtopic.php?f=2&t=20527. C:\Windows\System32\AI_RecycleBin\ appears to be a temporary directory created by Advanced Installer. This is a Windows Installer authoring tool, so it may have been used when you chose to install some 3rd Party program to your system, creating that directory durng the installation process.

I suspect you could delete this directory by uninstalling Advanced Installer if it currently exists on your system. If it was left behind as a remnant after uninstallation, you could right-click on the Command Prompt icon and choose "Run as administrator", then attempt to delete it.

Unfortunately, I believe you are experiencing a hardware problem with your HDD, rather than any malware. It can be replaced with any 2.5 inch 750 GB drive. Do check into Warranty replacement of your HDD.

If you remove one HDD and your laptop still boots up, you know you've got the problem drive.

cl-scott
11-05-2012, 07:18 PM
While I won't discount the possibility, SMART errors generally originate from monitoring software built into the drive's firmware. So the odds of it being some kind of malware related false-positive seem slim at best.

Shawnnepc
11-05-2012, 10:39 PM
Sounds like the current flavor of zeroaccess going around.


Run this: http://www.bleepingcomputer.com/download/rkill/

Download the rkill.com and run it

followed by this:

http://www.bleepingcomputer.com/download/roguekiller/

Let me know if it says Zeroaccess detected

Then this:

http://www.bleepingcomputer.com/download/combofix/

and finally run a full scan of this:

http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/?1

Swampthing
11-06-2012, 10:15 AM
Thanks for the tips! I ran everything as you said, but Rouge Killer stopped 3/4 of the way through and would never finish. I tried a couple times, but it looks like F: may be dead now and that stops it.

Never saw the ZeroAccess thing, but my hosts file did contain a number of entries which I don't think belong.

When I ran SpyBot SD again with "Run as Administrator" I was able to kill the virus and on a second, and third, runthrough, it did not reappear. MalWare never detected the presence of the virus when it was there, nor later... interesting.

But aren't there programs out there like Disk Doctor for Mac that try to repair a volume for you? How about Norton Utilities? Is there a change there is no physical problem with the disk, and that a software repair will work?

dstrakele
11-06-2012, 12:04 PM
CHKDSK [drive letter] /F /R from the Command Prompt will check your file system for errors and your disk media for bad sectors. You may also need to elevate Command Prompt with "Run as administrator". However, I suspect it may fail on F: just like the Rogue Killer scan.

There is always a chance repair of the file system will resolve your issue, but the S.M.A.R.T. errors point more towards a disk hardware problem. I suspect there are a lot of disk errors reported in your System Event Log as a result of the scan failing to complete.

If it does turn out your HDD is defective, do check out the possibility of Warranty replacement.

As I posted earlier, I believe it is more likely the "AI_RecycleBin" directory was just a false positive from SpyBot SD and not an actual virus, so it is not surprising it would not be detected by MalwareBytes AntiMalware.

Shawnnepc
11-06-2012, 04:12 PM
CHKDSK [drive letter] /F /R from the Command Prompt will check your file system for errors and your disk media for bad sectors. You may also need to elevate Command Prompt with "Run as administrator". However, I suspect it may fail on F: just like the Rogue Killer scan.

There is always a chance repair of the file system will resolve your issue, but the S.M.A.R.T. errors point more towards a disk hardware problem. I suspect there are a lot of disk errors reported in your System Event Log as a result of the scan failing to complete.

If it does turn out your HDD is defective, do check out the possibility of Warranty replacement.

As I posted earlier, I believe it is more likely the "AI_RecycleBin" directory was just a false positive from SpyBot SD and not an actual virus, so it is not surprising it would not be detected by MalwareBytes AntiMalware.

There's nothing in Windows that would give you the error he received.

It still sounds like ransomware

dstrakele
11-06-2012, 04:37 PM
That's true - it's not a Windows error message.


SMART errors generally originate from monitoring software built into the drive's firmware.

cl-scott
11-06-2012, 05:20 PM
There's nothing in Windows that would give you the error he received.

It still sounds like ransomware

Maybe I misread things, but I took it as this error was coming up before Windows loads. In which case, it's a hardware issue and time to back the drive up ASAP and get it replaced. If the error is coming up AFTER Windows loads, then that is a distinct possibility, so getting some program that can check the SMART status of a drive might be in order.

dstrakele
11-06-2012, 05:37 PM
HWINFO64 and SpeedFan report the S.M.A.R.T. status of drives. SpeedFan also has a neat online HDD Diagnostic Summary.

Shawnnepc
11-06-2012, 05:46 PM
Maybe I misread things, but I took it as this error was coming up before Windows loads. In which case, it's a hardware issue and time to back the drive up ASAP and get it replaced. If the error is coming up AFTER Windows loads, then that is a distinct possibility, so getting some program that can check the SMART status of a drive might be in order.

.IQ5.fraud is linked to Citadel which is a crimekit that uses Alureon and Zeroaccess.

Zeroaccess is a rootkit that may also trigger S.M.A.R.T errors due to it's installation in the bootsector.

It's strange that it's referencing E: and F: which as per ASUS's strange factory settings may be a partition of the boot drive OR a split partition of the second physical disk.

It's also troubling that RogueKiller didn't finish.

We need more information from the enduser

dstrakele
11-06-2012, 06:06 PM
It's strange that it's referencing E: and F: which as per ASUS's strange factory settings may be a partition of the boot drive OR a split partition of the second physical disk.

It's also troubling that RogueKiller didn't finish.

That error would be expected from a defective stock-partitioned ASUS 2nd data drive. It is also not unusual for a file scan operation to fail on a defective HDD.

Shawnnepc
11-06-2012, 07:25 PM
That error would be expected from a defective stock-partitioned ASUS 2nd data drive. It is also not unusual for a file scan operation to fail on a defective HDD.

It's totally possible ^^

cl-scott
11-06-2012, 08:22 PM
Not sure how well it may work, but there is at least one SMART tool in the Ultimate Boot CD, and that should help isolate any rootkits that may or may not be present. If the drive reports a SMART failure, time to replace it, if not then it seems that we should be spending more time focusing on the malware angle.

Swampthing
11-06-2012, 08:56 PM
Thanks for all the information thus far. I believe the virus was present because after I was able to finally successfully delete, my system speed increased tremendously.

About the SMART error, it occurs right when I power on... and it tells me to hit F1 to resume. Then it will boot Windows and come up with a warning that Windows has detected problems on my disk and suggests that I backup immediately and repair or replace the disk.

I decided to download the latest version of Norton Utilities to see if I can repair the drive via software. Unfortunately it does not show F: in the drive list, but it does show E: which is essentially another partition of the same drive. I'm trying to repair E: now and we'll see what happens... I hope repairing E: will allow F: to show up, and then repair that.

UPDATE: That didn't work. When I try to click on F:, it says the drive is not accessible, parameter incorrect. Any idea how I can fix something like that? Is there a stronger repair tool than Norton Disk Repair that will try to recover the disk?

Can I perform a backup of the drive to something like DROPBOX?

cl-scott
11-07-2012, 12:48 AM
Thanks for all the information thus far. I believe the virus was present because after I was able to finally successfully delete, my system speed increased tremendously.

About the SMART error, it occurs right when I power on... and it tells me to hit F1 to resume. Then it will boot Windows and come up with a warning that Windows has detected problems on my disk and suggests that I backup immediately and repair or replace the disk.

I decided to download the latest version of Norton Utilities to see if I can repair the drive via software. Unfortunately it does not show F: in the drive list, but it does show E: which is essentially another partition of the same drive. I'm trying to repair E: now and we'll see what happens... I hope repairing E: will allow F: to show up, and then repair that.

UPDATE: That didn't work. When I try to click on F:, it says the drive is not accessible, parameter incorrect. Any idea how I can fix something like that? Is there a stronger repair tool than Norton Disk Repair that will try to recover the disk?

Can I perform a backup of the drive to something like DROPBOX?

That sounds exactly like what I would expect if it's the drive reporting a SMART error during POST. So while you may also have malware, it sounds like you have a HDD that is not much longer for this world. Back up anything important to wherever. If Dropbox is most convenient for you, do that, otherwise flash drive, DVD, tattoos on the foreheads of children, whatever works for you. Just do it yesterday, and then get that drive replaced.

dstrakele
11-07-2012, 01:38 AM
UPDATE: That didn't work. When I try to click on F:, it says the drive is not accessible, parameter incorrect. Any idea how I can fix something like that? Is there a stronger repair tool than Norton Disk Repair that will try to recover the disk?

When the HDD died in my daughter's computer, I used a utlility called TestDisk (http://www.cgsecurity.org/wiki/TestDisk) to access the defective drive and recover files. The computer was unable to boot, so I placed the drive in a USB drive enclosure and attached it to my laptop. Windows Explorer was unable to read the disk and CHKDSK could not run on it. The System Event Log reported massive amounts of bad blocks on the disk from the access attempts.

Using TestDisk, I was able to access the drive, repair the MBR, see all partitions and directory trees, and recover files. I was very impressed.

Swampthing
11-14-2012, 12:11 AM
Looks like I have serious trouble. Tried many of the solutions put forth even the Test Disk, but it won't do anything for the F: drive, and on top of that, I am now getting random System Drive errors which terminate in an automatic shutdown and reboot.

Does ASUS store any diagnostic tools hidden somewhere on these drives? What are my options at this point? Hey I wouldn't necessarily like it if I had to reset everything to factory settings if it would get everything running properly again, but I fear I have hardware failures.

Given it's only 11 months into my warranty, should I just call ASUS and get a return/repair authorization? What about all the passwords, email, game accounts, etc that I have on the drive. Do I need to delete all those first prior to sending it in?

BTW, I did upgrade to Windows 8 on this PC a couple days after launch, but I don't think that's the problem; my guess is that the laptop had pretty crappy drives installed if they die after only 11 monts.

cl-scott
11-14-2012, 12:21 AM
Looks like I have serious trouble. Tried many of the solutions put forth even the Test Disk, but it won't do anything for the F: drive, and on top of that, I am now getting random System Drive errors which terminate in an automatic shutdown and reboot.

Does ASUS store any diagnostic tools hidden somewhere on these drives? What are my options at this point? Hey I wouldn't necessarily like it if I had to reset everything to factory settings if it would get everything running properly again, but I fear I have hardware failures.

Given it's only 11 months into my warranty, should I just call ASUS and get a return/repair authorization? What about all the passwords, email, game accounts, etc that I have on the drive. Do I need to delete all those first prior to sending it in?

BTW, I did upgrade to Windows 8 on this PC a couple days after launch, but I don't think that's the problem; my guess is that the laptop had pretty crappy drives installed if they die after only 11 monts.

If it's still under warranty, I'd set up an RMA ASAP.

Swampthing
11-18-2012, 01:11 PM
Had to go out of town for work for a bit, but I'll try to check things out. Neither of the drives that could be repaired by Spinrite or Norton Utilities 16; Spinrite won't even load past "Initdisk" and whle Norton recognizes the system drive needs repair, it consistently fails to initialize disk doctor. Windows still keeps saying it detects a hard disk problem and wants to initiate backup, but then won't go through the process due to problems on the system drive.

Seems like once your system drive has errors, it kills alot of possible solutions :(

UPDATE: I was able to confirm they are two Western Digital 750GB drives, each partitioned in half. Finally got Ultmate Boot Disk to run and it discovered Error 0007 on one of my drives. It suggested a Full Media Scan which will take a couple hours. I'll update at that point...

UPDATE 2: "Too many errors found - please contact technical support. Error/status code: 0225" and the other drive won't even test because one or more attributes are below threshold. It appears to fail on "Spin up time, raw read error rate, reallocated sector count, offline uncorrectable sector count, multi-zone error rate, etc etc..."

These are the internal drives: WDC WD7500BPKT port 100 and port 108.

Swampthing
11-18-2012, 08:14 PM
At this point I am seriously thinking RMA, but have no idea who/where to call after checking through the ROG site!

dstrakele
11-18-2012, 09:33 PM
Check out this area: http://rog.asus.com/forum/forumdisplay.php?71-ASUS-Republic-of-Gamers-Global-Warranty-RMA-Help.

Swampthing
11-18-2012, 09:41 PM
OMG. I don't get this. I left the computer on "automatic repair" in Windows 8 and went to the store. I came back and logged in. Everything is suddenly showing up normal now. The System Drive is back, as well as the F drive. All the system slowness is gone too, as well as any of the errors I had been experiencing.

Is Windows 8 automatic repair THAT good??? (Mind you, WIndows 8 did a number of "automatic repairs" up till now.. but I wonder if combining the WD tools from the Ultimate Boot Disk helped finally repair the drives?)

UPDATE: While Norton 16 is showing the system drive health is fine now, I still get the SMART error when rebooting the machine saying "Bad, replace" and must hit F-1 to continue. Also, Norton can't completely repair the F Drive saying it is "irreparable." However, I can see the F Drive on Windows Explorer and can read/write data from it.

Given this I'm looking for your suggestions... should I continue to try repair methods or should I still proceed with RMA??

dstrakele
11-19-2012, 01:44 AM
Good Deal! Did Windows 8 Automatic Repair report it completed successfully?

Back up any important files. Then try running CHKDSK F: /R

Can it complete successfully? Did it find any bad sectors?
See http://windows8themes.org/how-to-run-chkdsk-in-windows-8.html for details.

If things continue to work well, load up HWINFO64 or SpeedFan and check their S.M.A.R.T. status reports. Run SpeedFan's Online Disk Diagnostic or the disk manufacturer's diagnostic utility.

Swampthing
11-22-2012, 10:18 PM
Unfortunately CHKDSK will not work on either my E: or F: drives because it claims they are RAW, and CHKDSK does not work on RAW drives. When I booted up HWINFO64, it does detect show the SMART error :

Raw Read Error Rate: 1/51, Worst: 1 (Data = 65553)

Still getting intermittent problems with F, though mostly gone. i get the Window Error message that pops up and says there is a hard disk problem and should backup the drive.

I still have to hit F1 to start the system do to the SMART error being present. The System Drive seems fine now though.

Is it still worth nailing down these errors? I was looking through the RMA link and it looks like they want me to do everything possible to see if I can fix errors first. Just wondering if I may have reached to point of no return yet.

dstrakele
11-22-2012, 10:57 PM
You are quite far along with troubleshooting your disk issue. You've confirmed a SMART error on your Data drive with a 3rd party utility. CHKDSK won't run on that drive. Norton Disk Doctor and TestDisk are unable to repair it as well as Windows 8 Automatic Repair.

If CHKDSK believes the Data HDD is RAW, the partition table may be damaged. I'd probably abandon attempts to recover data from it and attempt to partition and reformat the drive.

I don't see if you swapped drive bays to confirm it's not a bad SATA port or connection. The only other thing I could think of is if the disk manufacturer has a utility to "low level format" the drive. But I think you've done enough for the repair tech to believe the best action is to slap a new HDD in there and get that laptop out the door.

NOTE: Of interest to this case. http://www.tomshardware.com/forum/240309-45-ntsf-works-CHKDSK reports a similar issue where SuperAntiSpyware was run, removed malware, then CHKDSK could run successfully.

Swampthing
11-24-2012, 12:03 AM
So I decided to take the plunge and backed up all the data on the E: and F: partitions. The errors are stil there and I would like to low-level format the drive to see if they disappear. Of course since the drives have the same name there is the risk I could entirely screw myself and format the wrong one. Still showing that error on the E: drive!

I also ordered a new WD Scorpio Black SATA 3 from AMAZON for $79 in the event the drive is completely trashed.

dstrakele
11-24-2012, 10:48 PM
If the format utility offers no way to distinguish between the two drives, I strongly recommend physically removing the drive containing the C: and D: volumes before proceeding.

Swampthing
11-26-2012, 10:39 AM
Well seems like nothing will repair the RAW READ Error. I did a low-level format using two different utilities, including Western Digital's - and follow up with a drive diagnostic check. Still showing the error.

So at this point my WD Scorpio Black drive will be here tomorrow, and I just plan to pop the old one out and put in the new. The system drive still reads fine, and my opinion is that this should eliminate all the problems I've been having with the system.

Appreciate everyone's help thus far, and I'll let you know how the install goes...

Swampthing
12-02-2012, 11:28 PM
Installed the new drive from Amazon on Tuesday last week. Easy install, as it turns out the second port to the right is the secondary drive. I matched it up with serial numbers before removing, created the partition... all as one partition this time, and everything is now running FANTASTIC.

:cool:Thanks everyone for your help, I was able to narrow it down to a simple hardware problem on a single drive and it only cost less than $100 to fix myself.