On Sat, 22 Oct 2005 15:16:48 -0500, "Carey Frisch [MVP]"
> You should defrag your hard drive.
Uhhh... no. Defragging would be very dangerous on a sick HD, and we
have two reasons why this poster's HD is more likely to be sick than
the average PC out there:
1) He "had to" format and rebuild
2) His HD activity LED is always on
When a HD gets bad sectors, it often bogs down in retries of those
sectors. This will keep the HD activity LED on, and (if it takes long
enough, i.e. many retries) the mouse will stick, the computer may
appear frozen, and some folks will "just" format and rebuild - the
same folks who might try defragging next ;-)
> If the light issue persists, turn off indexing:
That's not a bad shot in the dark. However, a more likely scenario:
- PC gets malware'd
- user "just" formats and rebuilds
- if pre-SP2, PC is now unpatched and no firewall by duhfault
- PC is promptly re-infected via RPC and LSASS defects
- spam smtp, RAT activity etc. keeps that HD all lit up
These days, the time to exploit via those two big defects (if
unpatched and no firewall) is probably still 20 minutes online, or
less. What's changing is the attacks are more likely to be working
bots than the original PoC (Proof-of-Concept) worms.
| Don't know if this is a Win question -- XP Pro, SP2
Glad to see SP2
| I recently had to reformat my HD on my Dell Inspiron 8200, reinstalled XP
| Pro, up'd to SP2. Am running Norton Systemworks 2006, with Norton Ghost,
| Norton Personal Firewall, and Norton GoBack.
What went wrong that you "had" to format?
| I've noticed that my hard-drive light flashes virtually non-stop, and that
| makes me nervous. How can I find the cause?
Well, if the PC is stable, we can skip general hardware diagnostics
(RAM, fans, mobo caps) and zoom straight in to checking the HD. Use
HD Tune from www.hdtune.com and check three things:
- S.M.A.R.T. history
- HD temperature before and after surface scan
- surface scan (and not the "quick" one either)
Next is to formally scan for traditional (i.e. "bad") malware. You
can fool around in Safe Cmd Only (fairly safe), Safe Mode GUI (less
safe), normal Windows (unsafe) or with online scanners (even less
safe; for starters, you're reaching them via ?malware'd DNS) but I'd
scan from a Bart CDR boot with plenty of up-to-date av scanners etc.
as created on a known-clean PC (not yours).
How to do the Bart thing is beyond the scope of this post.
Before leaving Bart, I'd rename away all (and I do mean ALL) Temp,
"Temporary Internet Files", and 3rd-party web browser cache locations.
By "all" I mean these locations within the following:
- every user profile, including AllUsers, Default, Administrator
- above also includes the service accounts
- Windows\System32\Config (this is where the system dumps)
- Windows\Temp and Windows\TIF (if present)
This can foil some active malware you may have missed.
Then I'd boot Safe Cmd Only and repeat some scans that have difficulty
in being fully effective from Bart (i.e. Trend SysClean), then do
scans for commercial malware, and look for "live" rootkits (though
usually the formal scans will have killed them) from Windows.
Finally, I'd post HiJackThis logs to forums that read such things,
look at a few other manual integration reports, and then consider more
innocuous causes. Now that I know the HD's OK, I'd be happy to follow
Carey's advice and do a Defrag, too.
-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"