Opened on 12/04/2014 at 05:58:00 AM

Closed on 12/05/2014 at 09:31:11 AM

Last modified on 12/05/2014 at 09:55:30 AM

#1656 closed defect (fixed)

Fix Maren's Dell Notebook

Reported by: matze
Assignee: matze
Priority: Unknown
Milestone:
Module: Office-IT
Keywords:
Cc: maren, AAlvz, poz2k4444
Blocked By:
Blocking: #1664
Platform: Unknown
Ready: yes
Confidential: no
Tester:
Verified working: no
Review URL(s):

Description

Maren reported various symptoms with her laptop, like prompting her for network issues when there are none or discontinuing to react to any keyboard input...

Attachments (0)

Change History (8)

comment:1 Changed on 12/04/2014 at 06:32:53 AM by matze

  • Cc AAlvz poz2k4444 added

Before anything I've removed the (Windows) hard-drive, used a USB-dock to connect it to a Linux system, mounted it read-only and started a general malware scan:

mhennig@w540:~$ clamscan -V
ClamAV 0.98.5/19723/Thu Dec  4 06:40:52 2014
mhennig@w540:~$ sudo grep update /var/log/clamav/freshclam.log | tail -1
Thu Dec  4 06:49:07 2014 -> Database updated (3706274 signatures) from db.local.clamav.net (IP: 144.76.28.11)
mhennig@w540:~$ mount | grep /mnt
/dev/sdd3 on /mnt type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
mhennig@w540:~$ time clamscan -ao --stdout --infected --recursive \
> --leave-temps --allmatch --copy=AdBlockPlus/issues/1656-notebook-defect \
> /mnt > AdBlockPlus/issues/1656-notebook-defect/clamscan.log

The latter process has not finished yet.

comment:2 Changed on 12/04/2014 at 06:47:34 AM by matze

I just aborted the process; it complained about missing space in /tmp, e.g.:

LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-7cf31b30399ee7be7da00ef55d97896f.tmp: No space left on device
LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-14b88d3ed23c8aed5b094c2320744741.tmp: No space left on device

I've cleaned up the temporary files and created a new directory for temporary files ...

mhennig@w540:~$ find /tmp/ -maxdepth 1 -type d -name 'clamav-*' -exec rm -rf {} \;
mhennig@w540:~$ mkdir AdBlockPlus/issues/1656-notebook-defect/{tmp,cpy}

... before re-starting the process accordingly:

mhennig@w540:~$ time clamscan -ao --stdout --infected --recursive \
> --leave-temps --allmatch --copy=AdBlockPlus/issues/1656-notebook-defect/cpy \
> --tempdir AdBlockPlus/issues/1656-notebook-defect/tmp /mnt \
> AdBlockPlus/issues/1656-notebook-defect/clamscan.log

Again, this will take a while.

comment:3 Changed on 12/04/2014 at 08:33:32 AM by matze

The scan just aborted again, reporting IO errors this time:

mhennig@w540:~$ time clamscan -ao --stdout --infected --recursive \
> --leave-temps --allmatch --copy=AdBlockPlus/issues/1656-notebook-defect/cpy \
> --tempdir AdBlockPlus/issues/1656-notebook-defect/tmp /mnt \
> AdBlockPlus/issues/1656-notebook-defect/clamscan.log

LibClamAV Error: fmap_readpage: pread error: Input/output error
LibClamAV Error: fmap_readpage: pread error: Input/output error

real	64m42.359s
user	40m17.100s
sys	1m17.468s

I've been witnessing multiple IO issues with the hard-drive so far, though I'm not sure whether it's the docking device or the drive itself causing these.

There have been multiple findings so far, however:

mhennig@w540:~$ tail AdBlockPlus/issues/1656-notebook-defect/clamscan.log 
----------- SCAN SUMMARY -----------
Known viruses: 3700716
Engine version: 0.98.5
Scanned directories: 31290
Scanned files: 170341
Infected files: 5
Total errors: 24
Data scanned: 31352.84 MB
Data read: 65054.92 MB (ratio 0.48:1)
Time: 3882.169 sec (64 m 42 s)

Pretty common for a Windows system though, and no indicators for relations with the issues Maren reported.

I'll re-run the scan, this time monitoring the hard-drive's IO.

comment:4 Changed on 12/04/2014 at 09:42:59 AM by matze

Again, the scan could not finish.

The hard-drive seems to be defective: it produces I/O errors at virtually random times, when accessing different files or even when just waking up from idle state. The USB/HDD dock, however, seems to operate fine when using another hard-drive.

I'm currently trying to clone the device using dd(1):

mhennig@w540:~$ sudo time dd if=/dev/sdd of=/dev/sde bs=1024

This seems to be the best chance to restore the notebook. One can seek and remove the malware on the cloned drive and use that one with the device afterwards.

@maren
If that works, you have to live with a regular hard-drive for a while. We need to order a replacement for your SSD then.

comment:5 Changed on 12/05/2014 at 07:54:46 AM by matze

After cloning the device and re-assembling the notebook as described above, an entire night of scanning led to the same 5 findings only:

/mnt/Windows/SysWOW64/expand.exe: Win.Trojan.Virut-86 FOUND
/mnt/Windows/SysWOW64/msdt.exe: Win.Trojan.9670246 FOUND
/mnt/Windows/winsxs/Backup/x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_17330d9420bf24e8_expand.exe_f43b24c8: Win.Trojan.Virut-86 FOUND
/mnt/Windows/winsxs/wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220/msdt.exe: Win.Trojan.9670246 FOUND
/mnt/Windows/winsxs/x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_17330d9420bf24e8/expand.exe: Win.Trojan.Virut-86 FOUND

Another IO issue did not occur with the cloned drive, though that may be coincidence.
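A small POSIX shell helper, added here as an example and not part of the ticket, for the two things that went wrong in comments 2, 3 and 5: it checks that the filesystem behind clamscan's --tempdir has room before a scan starts, and it triages a clamscan log so that a run whose summary reports read errors is classed as unreliable rather than clean. The sample log is constructed from the lines quoted above; the 1 GiB threshold and the use of df, awk and sed are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket. Helpers to pre-check the scratch
# filesystem clamscan --tempdir will write to and to triage a clamscan log.
# Constructed sample, modelled on the log lines quoted in this ticket.
SAMPLE_LOG='/mnt/Windows/SysWOW64/expand.exe: Win.Trojan.Virut-86 FOUND
/mnt/Windows/SysWOW64/msdt.exe: Win.Trojan.9670246 FOUND
LibClamAV Error: fmap_readpage: pread error: Input/output error
----------- SCAN SUMMARY -----------
Infected files: 2
Total errors: 1'

# tmp_has_space DIR MIN_KB: succeed if DIR's filesystem has at least MIN_KB
# free; the first scan here died with "No space left on device" in /tmp.
tmp_has_space() {
    avail=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# found_lines LOG: only the "path: Signature FOUND" lines.
found_lines() {
    printf '%s\n' "$1" | grep ' FOUND$' || true
}

# summary_value LOG FIELD: numeric value of "FIELD: N" in the SCAN SUMMARY.
summary_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" | tail -1
}

# scan_verdict LOG: incomplete (no summary, e.g. clamscan was killed),
# infected, unreliable (nothing found but files could not be read) or clean.
scan_verdict() {
    printf '%s\n' "$1" | grep -q 'SCAN SUMMARY' || { echo incomplete; return 0; }
    infected=$(summary_value "$1" 'Infected files')
    errors=$(summary_value "$1" 'Total errors')
    if [ "${infected:-0}" -gt 0 ]; then
        echo infected
    elif [ "${errors:-0}" -gt 0 ]; then
        echo unreliable
    else
        echo clean
    fi
}

# Demo on the constructed sample (threshold of 1 GiB is an assumption).
tmp_has_space /tmp 1048576 || echo 'warning: less than 1 GiB free in /tmp'
found_lines "$SAMPLE_LOG"
scan_verdict "$SAMPLE_LOG"
```

For a real run, redirect clamscan's --stdout output to a file as in the ticket and pass the file's contents to scan_verdict; a result other than clean or infected means the scan has to be repeated before the drive can be trusted.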

comment:6 Changed on 12/05/2014 at 09:30:19 AM by matze

I've removed the malware, replacing them with the original files where applicable. Furthermore I've installed proper AV software.

Maren now uses her notebook again (for now without docking station). If no further issues of this kind occur, we can assume that the faulty hard-drive was the reason for the troubles and the malware just yet another issue.

comment:7 Changed on 12/05/2014 at 09:31:11 AM by matze

  • Resolution set to fixed
  • Status changed from new to closed

@maren Please re-open this ticket in case you experience other symptoms today or on Monday, after using the docking-station again.

comment:8 Changed on 12/05/2014 at 09:55:30 AM by matze

  • Blocking 1664 added
