CHKDSK /r response not understood - Virus?

Jim Rainfordson

I've been having trouble with a particular partition on my SATA hard
drive which I've discussed in my thread "Logical Drive problem after
restoring older OS drive image".

Since my other thread I have deleted and recreated the entire extended
drive and all its partitions. Same partition letters and names, but
with slightly different storage sizes. I had some trouble deleting
some of these drives and had to "force delete" a few of them after
Disk Manager stalled for 15 minutes. There is one partition in
particular that is giving me trouble even after I deleted and did a
long format on it. When I run CHKDSK /r it comes up with the
following error:

"Checkdisk cannot run because this volume is used in another process.
Checkdisk may run if this volume is dismounted first. All open handles
to this volume would then be invalid. Force dismount?" To this I
answered yes and ran checkdisk. No errors reported. I ran checkdisk
a second time and this time it told me I must reboot because a process
was running and it needed to run before the OS was loaded. I did this
and Checkdisk ran and no errors were reported.

Here's the thing... the drive is empty. It's been recently formatted
and there is no user data on it. The only thing on it is the hidden
"RECYCLER" folder and the "Systems Volume Information" folder. I
never used this partition for anything but storage even before I
deleted and recreated it.

I have been using True Image 10 to completely replace and restore the
primary drive containing my one and only OS. This image is months old
and has had no problem working before. However, there must be
something in the OS or in the boot sector that is convincing the
PC that some kind of phantom process is running on this problem
partition. Everything seems to run fine otherwise, except True Image
which also has trouble with scanning this drive when it tries to make
a backup image. It DOES eventually scan the drive but it takes over
30 minutes to do what has never in the past taken more than 20
seconds.

Is it possible some kind of virus is recreating itself on one of my
partitions? I'm going to download Spybot and some other malware
cleaner software and maybe try a safe mode boot.

Any advice is appreciated. I'm stumped.
 
Pegasus (MVP)

Although your Subject line says "CHKDSK /r response not understood",
Windows actually understands your command very well. For some
reason the OS has decided that the volume you wish to check is in
use, and it demands a reboot. What is the problem? If chkdsk wants
a reboot, let it reboot and go about its job! In other words, I think you're
chasing a phantom. There is no problem here.
 
Jim Rainfordson

Thanks for the post Pegasus.

To be clear, I meant that "I" didn't understand the response. I'm
certainly not adept at this sort of thing. What's puzzling to me is
why is it telling me that drive is in use when I see no evidence that
it is and don't see how it can be given it's completely empty.

The bigger problem is that when I try to reformat the drive (using
Disk Management via control panel admin tools). If I try to delete
the partition (25 Gigs) it hangs for about 15 minutes then says "The
request cannot be completed because the volume is open or in use. It
may be configured as a system, boot, or pagefile volume, or, to hold a
crash dump file." Now, I don't understand all those terms, but again,
the drive is empty and I understand why any processes should affect
that drive. They never did before. Also, a second window pops up
saying "The partition logical drive is currently in use. To force the
deletion of this partition click Yes... do you want to continue?" I
say yes and it eventually works, but if I reformat the drive, the same
error occurs.

If I boot in safe mode, then everything with checkdisk and disk
management seems to work normally. (My True Image which scans the
drive before making a BU also works normally).

While it's true that things seem to be functioning normally, I want to
rule out hard drive failure, viruses. It might be my imagination but
some tasks seem to be running slower.

Any advice is appreciated.
 
Jim

The Recycler folder is in use by XP whether you have anything on the drive
to delete or not.
The System Volume Information folder is in use by XP to store restore points
on the volume, and it may also contain information about remote mount points.
Even if there is no need for such duty, XP holds onto the folders anyway.

Just do as the other poster mentioned.

Jim
 
Jim Rainfordson

Thanks for the post.

Jim said:
The Recycler folder is in use by XP whether you have anything on the drive
to delete or not.

Right. I understand that.

Jim said:
The System Volume Information folder is in use by XP to store restore points
on the volume, and it may also contain information about remote mount points.
Even if there is no need for such duty, XP holds onto the folders anyway.

I don't entirely understand the mounting point concept, but again,
there seems to be nothing going on on that drive that the OS should
consider it to be a process running. If the mounting points are off,
could that cause some kind of conflict that would hinder actions taken
on this drive?

Jim said:
Just do as the other poster mentioned.

Assume there isn't a problem? If there is an extra process affecting
my OS, I think it's reasonable to want to know what it is. It's hard
to accept that whenever I run checkdisk or try to delete my logical
drive that I'll just have to accept huge delays for unknown reasons.
Also, when I run True Image it either hangs or takes over half an hour
to scan my hard drive which before took less than 20 seconds at most.
This makes backing up my data much more time consuming or impossible.
All these problems go away when I run in safe mode. Seems to me there
is some process running that's affecting that partition or at least XP
thinks there is.
 
Pegasus (MVP)

The fact that things work normally in Safe Mode and not so well
in Normal Mode indicates that you have some agent in Normal Mode
that interferes with disk management operations. You can do this
to identify this agent:
- Physically disconnect your machine from the Internet.
- Run msconfig.exe.
- Untick every item under the Startup tab.
- Tick "Hide Microsoft Services" under the Services tab.
- Untick all remaining services.
- Reboot the machine and test your disk management functions.

I expect the functions to be fully operative. Now restore the
various services and startup tasks until you have identified the
culprit.
 
Jim

Jim Rainfordson said:
Thanks for the post.

Right. I understand that.

I don't entirely understand the mounting point concept, but again,
there seems to be nothing going on on that drive that the OS should
consider it to be a process running. If the mounting points are off,
could that cause some kind of conflict that would hinder actions taken
on this drive?

A mount point is just another way to describe the action of sharing
resources on a remote computer.

Jim Rainfordson said:
Assume there isn't a problem? If there is an extra process affecting
my OS, I think it's reasonable to want to know what it is. It's hard
to accept that whenever I run checkdisk or try to delete my logical
drive that I'll just have to accept huge delays for unknown reasons.
Also, when I run True Image it either hangs or takes over half an hour
to scan my hard drive which before took less than 20 seconds at most.
This makes backing up my data much more time consuming or impossible.
All these problems go away when I run in safe mode. Seems to me there
is some process running that's affecting that partition or at least XP
thinks there is.

It seems that something isn't quite correct. Follow the advice given by
Pegasus.

Jim
 
Jim Rainfordson

Pegasus,

Thanks very much for the help. I can't tell you how much I appreciate
the kindness of people in newsgroups when I need help.

Well, I've just spent most of the day going back and forth resetting
and testing the PC as you suggested. It's been a very long day.

Following your msconfig.exe advice here's what I discovered. None of
the startup apps are a problem. None of the non-Microsoft services
are a problem. However, when I go to SERVICES tab and I UNCHECK the
box next to "Distributed Link Tracking Client" (but leave all else the
same) , the problem goes away. This sounds silly, but I also had the
problem go away once when I unchecked the "Themes" box. But when I
did it again to confirm, the problem DID occur even when the "Themes"
box was unchecked.

I hope you have a theory because I have no idea what "Distributed Link
Tracking Client" does and I'm still totally puzzled by how this
problem has manifested.

Again, the short history is that I was using Disk Management when it
stalled on one of the drives. I ran it again and it was okay. Later,
I used True Image to restore an older image of the primary drive and
it was after that that this problem started happening. I've restored
this backup image many times without fail and it's a total image of
the main partition so nothing should be surviving upon restore. This
is what leads me to wonder if there's some issue with the Main Boot
Record, although I've tried the fixmbr from Windows recovery console
without success. Again, I'm not too familiar with the tech here...

My next step is to download virus/malware scanning software. I just
can't understand how this problem is appearing when I restore a
primary drive image that I know is clean.

Anyway, thanks for the advice.

Jim
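
The isolation procedure Pegasus describes and the one-off "Themes" result reported above, as an added Python example that is not part of the thread: it halves the set of enabled services until one remains and re-runs each test so a single spurious success does not clear a suspect. The function names, the simulated check and the service list are constructed for illustration, and the search assumes exactly one culprit.

```python
from typing import Callable, FrozenSet, Optional, Sequence

Check = Callable[[FrozenSet[str]], bool]  # True if the disk operation works

# Constructed sample data: a few XP service display names, one known culprit.
SERVICES = ["Themes", "Print Spooler", "Distributed Link Tracking Client",
            "Task Scheduler"]
CULPRIT = "Distributed Link Tracking Client"


def make_flaky_check(culprit: str) -> Check:
    """Simulated test run (hypothetical): stands in for 'reboot and try chkdsk'.

    The first run with the culprit enabled spuriously succeeds, like the
    one-off "Themes" result in the thread; every later run fails.
    """
    runs = {"with_culprit": 0}

    def works(enabled: FrozenSet[str]) -> bool:
        if culprit not in enabled:
            return True
        runs["with_culprit"] += 1
        return runs["with_culprit"] == 1

    return works


def fails_with(enabled: FrozenSet[str], works: Check, retries: int) -> bool:
    """The set is suspect if the operation fails on any of `retries` runs."""
    return any(not works(enabled) for _ in range(retries))


def find_culprit(services: Sequence[str], works: Check,
                 retries: int = 3) -> Optional[str]:
    """Halve the enabled set until one service remains, then confirm it."""
    if not fails_with(frozenset(services), works, retries):
        return None  # problem did not reproduce with everything enabled
    candidates = list(services)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        if fails_with(frozenset(half), works, retries):
            candidates = half
        else:
            candidates = candidates[len(half):]
    suspect = candidates[0]
    others = frozenset(services) - {suspect}
    # Confirm both ways: suspect alone breaks it, everything else is clean.
    if fails_with(frozenset({suspect}), works, retries) and \
            not fails_with(others, works, retries):
        return suspect
    return None


if __name__ == "__main__":
    print(find_culprit(SERVICES, make_flaky_check(CULPRIT)))
```

With `retries=1` the same search reports nothing, because the single spurious success hides the failure.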
 
Pegasus (MVP)

Nice sleuthing job!

I typed "Distributed Link Tracking" into a Google search
box and got about 114,000 hits, this being the first one:
http://support.microsoft.com/kb/312403

Although this service does appear to be active in WinXP,
I don't think you need it. I suspect something went wrong
with it on your machine. I would disable it under msconfig
and keep an eye on the situation.

If this is a recent problem then you could, of course, use
System Restore to return the machine to a healthy state.
 
Jim Rainfordson

Pegasus,

Anti-malware scans have come up clean.

During normal operations, I don't think this process affects me much
although I truly don't have a full understanding of it. I do a little
home networking occasionally but nothing much and it's usually not set
up.

I haven't tried it, but I disagree that system restore would do any
good. Each time I restore the fresh image of the primary drive I'm
essentially already performing a "system restore".

It's not very satisfying, but I'll take your advice and just uncheck
the box and keep an eye on it. So far I haven't found any articles
showing how to reset it or clear its bad associations. And if
deleting and recreating the entire extended partition didn't clear it
up, there's really nothing more I can do other than completely
reinstall the OS from scratch, and that's not gonna happen.

Well, thanks for your help in all this Pegasus. I'm very grateful to
have this newsgroup available to me.
 
Pegasus (MVP)

Thanks for the feedback.
 
