Smart questions
Smart answers
Smart people
Join Tek-Tips Forums
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login




Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

qlark (Programmer) (OP)
25 Feb 06 4:19
Not sure what is going on ... yesterday I did a reboot instead of a hibernate and the Blue screen of death showed up ... the last updates from MS were not critical and this problem started shortly after ... I rebooted with F8 to last known boot but since then I have had nothing but problems.

Does anyone know if there may be a Virus and or trojan that stops a chkdsk /f from running?

I have;

- run an overnight Hardware Diag

- removed .net and reinstalled (chkdsk indicated a problem in the .net directories)

- sfc /scannow

- chkdsk /f does not appear to run on reboot ... chkdsk by itself indicates errors

- NIS 2K5 antivirus Scan

- Spybot 1.4 scan

- adaware scan
 
- bartpe chkdsk

- defrag

- Norton Systemworks disk doctor ... again startup appears to not be working

- system restore appears to also be broken ... I can select any date but the restore process won't start
electronicsfreak (TechnicalUser)
25 Feb 06 9:08
If you can download this, then load in safe mode and run a full system scan.

http://www.ewido.net/en/

Download hijackthis from the link below.  Extract to desktop or prefered folder.  Open it up choose do a system scan and save a logfile and post the logfile on here.  Unless your sure of what your doing do not attempt to fix anything yourself as most items are legit.

http://www.majorgeeks.com/download3155.html
qlark (Programmer) (OP)
25 Feb 06 19:34
Ewido didn't like some cookies ... I finally figured out why chkdsk wasn't showing on bootup ... I had /noguiboot on in the boot.ini

OK so chkdsk /f appears to work however subsequent chkdsk's show there are still errors ... I have run GRC's spinrite and it hasn't found any issues with the drive

However I have had a winlogin HARD FAILURE message come up on the screen which caused the machine to immediately reboot.

I am currently running windows beta 2 security software

I ran Hijack and looked up each entry and found nothing out of the ordinary

Its almost sounding like an intermittent hardware failure ... not sure how else to categorize it

First there was the blue screen then chkdsk, then messenger failing, chkdsk is still failing, then this hard failure ... just don't know what to think ... I think I will have to ghost another image do a clean install just to validate any intermittent hardware Failures.

At one point even the event logs were failing ... at this point I can see them ... on the 23rd prior to the blue screen there are numerous Information logs on .NET which confirms my reason for uninstalling .net then reinstalling it ... in the last 2 days there are Browser errors along the theme that it is stopping due to failing to retrieve a backup list ... the other main failure is the Service Control Manager complaining about path not found ... yesterday messenger was having issues with ntdll.dll but today its fine

linney (TechnicalUser)
25 Feb 06 22:50
With so much going on, a backup of any valuable data, followed by a reformat and re-install (or clean re-image)  seem to be in order.

The drive manufacturer will have free diagnostic software to thoroughly check the condition of your hard drive in case that is failing.

If you are regularly inside the computer box, a loose connection may be the cause?

Checking the RAM is easy enough too.

http://www.memtest86.com/
http://oca.microsoft.com/en/windiag.asp

You could have one final go with ChkDsk /r run from the Recovery Console.

HOW TO: Install and Use the Recovery Console for Windows XP (Q307654)
http://support.microsoft.com/support/kb/articles/q307/6/54.asp

BadBigBen (MIS)
26 Feb 06 3:19
I would just, for sake of mind, change the IDE cables to brand new ones...

and use another PSU power plug to the drive(s) just to be safe...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

electronicsfreak (TechnicalUser)
26 Feb 06 11:52
Yeah having a good power supply unit is always good(so as badbigben suggest I would replace it if its factory with the case), because the ones that come with cases are cheap and will take out a computer sometimes when they go out.  My friends computer just became an example of the massive damage one can do.  It took out motherboard, processor, one ram chip and video card.  So fair warning if your using the original power supply that came with the case they are made to barely get you by and can be deadly to a computer when they go out.  So if you are Id reccomend getting a new one from a good known brand and check on the amperage on the power supply before you buy.  Make sure it has at least 18 or more amps on the 12+ as well as good amp rating on the others.  No matter how high the amperage is it wont hurt the board or hardware as they only pull how much amperage they need.  If you dont have enough they will fight over it and cause heavy strain on the psu causing it to die quicker.  Anyways hope this info is useful.
qlark (Programmer) (OP)
26 Feb 06 21:10
I guess I didn't mention this is a Dell Laptop so the Hardrive is fixed in terms of the cables ...

I ran Memtest overnight ... no errors

I installed Recovery consol and ran chkdsk /r ... this reported that it repaired some errors

I ran Spinrite 6.0 in mode 4 the highest level which returned a clean bill of health

started XP up and immediately did a chkdsk and still have errors .... ARRGGGG

I have a Ghost image that I may transfer to another drive and see if I can find anything having it as a slave drive in another XP pro machine

The other thought is to clean the drive and reinstall a clean install of XP to verify that the hardware is working consistantly ... if there are errors then Dell Warentee Kicks in.

linney (TechnicalUser)
26 Feb 06 23:25
Description of Enhanced Chkdsk, Autochk, and Chkntfs Tools in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;218461&FR=1&PA=1&SD=HSCH

Chkdsk.exe or Autochk.exe starts when you try to shut down or restart your computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;831426&FR=1&PA=1&SD=HSCH

You can determine whether your file system errors are legitimate.
To know if you've got a file system error, you can type the following command at the command prompt:

fsutil dirty query c: (replace c: with your drive letter)

If the response is that the volume is dirty, then a file system error has occurred, and Chkdsk should run automatically at startup to fix the errors.

http://www.ericphelps.com/uncheck/index.htm

Chkdsk runs everytime on start up?
thread779-958348

Check Disk runs every bootup?
thread779-946488

How to reset the harddisk "error bit"?
thread779-608212
qlark (Programmer) (OP)
27 Feb 06 0:16
Both fsutil dirty query c: and chkntfs c: return volume is not dirty ... yet if I do a chkdsk I first received an MFT error ... running again I get index errors ...

$I30 appear to be the Index always reporting problems ... I have seen this more then once

chkntfs c: still shows not dirty

chkdsk will only run at boot time if I answer Yes to chkdsk /f

so is there possibly a virus/worm/trojan that screws around with chkdsk results?

qlark (Programmer) (OP)
27 Feb 06 3:10
Here is an interesting thread I found on this subject sort of makes me wonder if I'm chasing a dead horse.

http://www.annoyances.org/exec/forum/winxp/r1049211111
linney (TechnicalUser)
27 Feb 06 15:16
qlark (Programmer) (OP)
27 Feb 06 16:29
Strange went looking through your links and found I couldn't find the mft location;

for both c:\ and c:\windows
dir /a or /ah $mft no file found

from c:\
dir /s /a $mft and dir /s /ah $mft nothing found

I have the file settings set to allow viewing hidden files I also have some utilities that scan all files and even these don't find the mft file
linney (TechnicalUser)
27 Feb 06 22:55
Do you have any record of them in the "View Report" after Defragmenting or Analysis of the drive with the defrag program?
firewolfrl (TechnicalUser)
28 Feb 06 12:18
Hmmm! Bootsector error are an easy fix. MFT errors are serious errors. Linney is correct that the defrag records will give you an indicator of the corrupt files that are not readable or movable.
This fix works and is the only way to correct an MFT error.

1. defrag the whole hard drive and note the files that have errors other than normal system file errors for files in use.
This is a great way to find the corrupt files and is better that the defrag method.
http://support.microsoft.com/kb/315688/en-us

2. if you have logical partitions back up all the data on them and empty the data off the drive. you need to make sure there is no files or data in any other partition on the hard drive. turn of system restore to save room. (at this point system restore is not going to help). IF you just have a C:\ drive on that drive then this is not an issue.

3. You need a second formatted drive and a floppy for this to work.
Open the windows Backup utility and do the advance mode.
then Run the Automated System Recovery Wizard. on the next page close the window and go to tools/options then exclude list...****Exclude those files that errored**** in the Defrag report or backup.log....close and restart the backup utilities and follow the directions on these links:
http://www.helpwithwindows.com/WindowsXP/howto-18.html

and if you need this:
http://support.microsoft.com/kb/299526/en-us
Use the second drive for the backup location

4. Then after all the backups are made.
Use the manufacturer of the harddrive utility and completely zero out the hard drive.

5 restore the backup


Just to note: ASR only makes a backup of your files on your System drive (usually drive C:\). If you use other hard drives, you will need to make a separate backup of your documents & files to make a complete "recovery" after disaster!


read these links for some ideas
http://support.microsoft.com/kb/309340/EN-US
http://support.microsoft.com/kb/320820/en-us
http://support.microsoft.com/kb/298278/en-us





qlark (Programmer) (OP)
28 Feb 06 13:10
I truly appreciate everyones time here ...

I did a defrag as one of the first few steps in getting this under control ... I do not recall any errors ... would there be a log file somewhere that I could review?

I now have 3 ghost images of this disk;
1) is roughly 3 months old
2) reported NTFS errors
3) was done after the recovery consol chkdsk /r and reported no errors

The machine has been stable for the last day since I removed the indexing services check mark from the C: properties. Dell wants me to do a clean install but for the moment I will just monitor the machine ... at this point the Application Failures have stopped and haven't received any more Hard Failure notices ... running the extended mem test and GRC's spinrite give me some confidence that this is not a harddrive failure and the fact that I have used the machine all of yesterday and today without incident also makes me think this is not a hardware issue ... I even got one of my kids to play a very machine intensive flight sim game for several hours last night again with no issues

the long thread from 2002 to the end of 2005 suggests the chkdsk issue has been an ongoing problem with all of the NT based products 2K, 2Kpro, XP and even 2k3.

What puzzles me is chkdsk never gives the same report 2 times in a row suggesting that the reports aren't valid (which is the same conclusion I perceive out of that long winded thread I found) ... if the MFT error is a severe error then why doesn't it show up consistently ... also if this is a severe error why doesn't chkdsk or autochk automatically set the Volume dirty flag?

Too many questions

Sorry I digress ... I was actually thinking of wiping the disk and Ghosting the 1st and or 3rd images back to the machine and test the chkdsk process again ... I Suspect that Ghost doesn't recreate a sector for sector image as it can move images between different sized drives (as long as there is enough room for the data contained in the image) to me this should rebuild the NTFS database. Rebuilding the database should rule out any issue that the database has a problem ... however it won't rule out a corrupt and or virus riddled OS.


firewolfrl (TechnicalUser)
28 Feb 06 16:27
qlark, The procedure I gave you is the fix for an MFT error. usually it can pass a chkdsk /r or f scan and just state there is a bad sector in the final info when it is done. this type error does not check as "dirty" after the error is found and it does not toss you into a chkdsk loop.

Can you do a complete defrag without any errors in the log other than normal open file errors?

Also the way I said to do the backup Bypasses the corrupt files and does not copy those files to a backup image.
I am betting that the Ghost Backup images that you want to reinstall have the same error as to what you have now.

The Indexing service refers to the MTF for it to work correctly. as so does the NTFS file system. so in a way it is correct that there is a different error each time it does a Chkdsk scan.

I don't give long for your system before you have a system crash and an unrecoverable HD. the last time I saw this type error the partition table was lost and the only way for data recovery was bit for bit recovery in a lab.

Dell is right that you need to start over with a clean install. AFTER YOU ZERO THE DRIVE.

you may be looking at a new harddrive.

as for rebuilding the NTFS database you will still have the corrupt MFT after the image restore

hey I wish you luck. you might be lucking and cloned before the MFT Fault.
qlark (Programmer) (OP)
28 Feb 06 16:54
Ok so what I hear you saying is that the OS is reporting correctly and that there still must be a problem ie this is not normal ... the GRC spinrite process does a deep analisys of each sector of the hard drive and it reported no errors so I still believe this is not a Drive issue ... I just reran the defrag and it came back with no errors or files left unfragmented ... I then reran the analisys and it came back with more fragmented files but I realized that this was because I left my email services running during the defrag as all the files were related to that program.

I will go and reread your MFT repair process and see whether this can be done on the laptop or if I need to clone a drive and do it in a desktop machine then clone back the resulting image.

here is the details of the last defrag;

      Disk Defragmenter
        Volume ATSM (C:)
            Volume size                                = 55.85 GB
            Cluster size                               = 4 KB
            Used space                                 = 34.06 GB
            Free space                                 = 21.79 GB
            Percent free space                         = 39 %
        Volume fragmentation
            Total fragmentation                        = 0 %
            File fragmentation                         = 0 %
            Free space fragmentation                   = 0 %
        File fragmentation
            Total files                                = 129,730
            Average file size                          = 334 KB
            Total fragmented files                     = 0
            Total excess fragments                     = 0
            Average fragments per file                 = 0.99
        Pagefile fragmentation
            Pagefile size                              = 768 MB
            Total fragments                            = 1
        Folder fragmentation
            Total folders                              = 7,426
            Fragmented folders                         = 1
            Excess folder fragments                    = 0
        Master File Table (MFT) fragmentation
            Total MFT size                             = 219 MB
            MFT record count                           = 137,847
            Percent MFT in use                         = 61 %
            Total MFT fragments                        = 3
        ---------------------------------------------------------------------
        Fragments       File Size       Files that cannot be defragmented
        None
firewolfrl (TechnicalUser)
28 Feb 06 18:03
Looks like there is no MFT file error so you may be in luck.
But, I am not so sure. So, It's just a waiting game now to see how long stability lasts.

the errors you descibed earlier can also be contributed to bad ram. ( Iknow! I know! I may be reaching....LOL)


good luck
firewolfrl (TechnicalUser)
2 Mar 06 2:45
qlark,
Do you by chance use Ghost 10?
I have seen multiple posts in different forums and also the Langa list newsletter has a mention of it concerning MFT errors that come and go and assorted aplications that randomly error

I saw this excerp from the langalist and thought of you:

Hi Fred! I recently had to do a complete restore of my C: drive using Ghost 10 and thought it went fine. Now I've run into a problem I can't figure out. I keep getting the following sporadic warnings:

        <application filename> - Corrupt File
        The file or directory C: is corrupt and
        Unreadable. Please run the Chkdsk utility.

I've run Chkdsk and it says there is no problem. The system seems to be running OK except every now and then I get one of these warnings about various applications. The applications seem to be working though.

I did some research and found out the problem is a potentially corrupt Master File Table (MFT). But so far I can't figure out what to do about it.

So I think that the main issue is the Ghost 10 that causes these random errors and maybe does not apply the MFT correctly on restore. I don't use ghost anymore because I use a mirrored backup that I can boot if there is a system crash.


I hope this helps. You should reseach and maybe even get a hold of support for the ghost 10 to see if there is an unlisted fix.





qlark (Programmer) (OP)
2 Mar 06 4:03
I actually did some research on Ghost 10 because I was going to buy it ... Ghost 10 does its backup while windows is still running and most of the real technical reviews of this version of Ghost recommended staying clear of it because there could never be any certainty that a perfect image could be obtained from a live Windows OS.

Therefore I am still using Ghost 2k3 which must use MSDOS or PCDOS to do its magic.

Thanx for thinking of me. So far, touch wood, my system has been stable although Norton gave me a bit of a scare this morning by disappearing from my system tray even though the NIS status said it was still active  ... I rebooted and have been fine the remainder of the day.
firewolfrl (TechnicalUser)
2 Mar 06 10:40
LOL, I sure can relate on disapearing systray Icons. About half don't load till you log off then on again.(a flaky startup program is the issue). I just worked around that issue with startup delayer. so far so good.


You ought to look into the Acronis product line for backup.
I have been very happy with Acronis True Image.
http://www.acronis.com/
I make a once a week exact copy of my main working drive. Having a bootable backup saves me from using the sledge hammer on the box.....lol


just so you know the ghost 2003 has some of the same issues as 10....the best one was the old stuff for win 98.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close