
returning XP Home SP3 OS to factory settings after virus infection


87 replies to this topic

#1 Arney X

Arney X

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 05 January 2012 - 02:50 AM

This is part 2 of a string started in the Internal Hardware forum last month (12/12/11), regarding an internal drive that died and disabled the OS (Win XP Home SP3, as described below). If you'd like to read up on part 1 and catch up on details up to date, here's the link:

http://www.bleepingcomputer.com/forums/topic432005.html/page__p__2506142__fromsearch__1#entry2506142

The original, overall goal in this process is to recover from a devastating TDL4 virus infection that was healed, but compromised the OS in the process. Here's the link for that process, which took place back in May 2011:

http://www.bleepingcomputer.com/forums/topic396906.html/page__p__2244270__fromsearch__1#entry2244270

I'm running Windows XP Home SP3 on an HP 754n desktop. I've upgraded the RAM from 512M to 1G, and the HDD from 80G to a new out-of-the-box Maxtor 500G (IDE). Both upgrades were done about a year ago with no problems. I installed the 80G drive as my G: drive, slave to the 500G C: drive, and emptied it a few months ago.

Back in May (2011) I had a TDL4 virus, and during the course of removing it my system was compromised & never restored to full working order. HP offers a utility which restores the machine to OEM defaults, essentially replacing the programs without touching the data. I've tried it once before & it worked beautifully (which is more than I can say for HP tech support). I don't remember the name of the utility, but in an effort to find it, I've had a few stumbling blocks on the way to the stated goal: in trying to back up my C: drive before resetting the OS, the external drive I was using for backup died (http://www.bleepingcomputer.com/forums/topic428225.html/page__p__2477449__fromsearch__1#entry2477449).

A short time after that was resolved, Windows refused to boot due to the old internal HDD's death & simultaneous frying of the existing ribbon cable (see link above). That issue was finally resolved, and I headed back on track by buying a new 500G HDD to clone (instead of backing up) the current drive before restoring the settings.

That cloning was just completed, and I am about to test the cloned drive. If the clone was successful, I will be on to the next step, which will be to proceed to the HP website to restore the XP OS on the "original new" drive. If that is successful, the next step would be to do the same to the cloned "new original" drive.

If both those steps are successful, the next phase would be to bring both drives up to date, since the OS restore will bring the drives to the status of the HP 754n desktop when it was new - many years ago, as SP1 and various other outdated settings. Updating will take some doing, since many programs, utilities & such have been well updated since then. But bringing the desktop back to factory settings is essential, since many of the original pre-loaded programs & utilities are no longer supported, with many of the software companies having gone out of business or bought by other companies by now, their former products no longer available, supported or even recognized. The process will be tedious, but I've found no other way of restoring it thoroughly & successfully without these steps.

I'm left with one question for the imminent future: Although I cloned the new drive in an effort to back up the old drive, should I restore both drives then bring them both up to date, or skip the middle step, restore + update the old drive, then clone the new drive again - now with the updated settings? Cloning the new drive took two days, and I'm sure it will take the same time to do it again. Performing all the steps listed above may or may not take a shorter time, but will be much more tedious. Just something to ponder for now.

Questions? Comments? Go right ahead. I'm waiting to hear. Thanks in advance for your help & input. I'll report back again after I test the newly cloned drive.

- Arney X



#2 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 05 January 2012 - 03:49 AM

G'day again Arney X,

2 days/48 hours .... that was a marathon effort! We should be able to do much better than that!!! I am not sure what might have been going on there.

Awaiting the results of testing the clone: Does it appear and behave exactly as the original when booted instead of the original?

Let's just do one step at a time here.
AustrAlien
Google is my friend. Make Google your friend too.


#3 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 05 January 2012 - 04:27 AM

G'day again, Cowran! Thanks for the quick response. I'm back from my clone wars. At first boot, everything progressed as expected. The system told me that it found new hardware, and a second balloon said that I would have to reboot for all features to take effect & be active.

I rebooted, and the first thing I found was that the desktop configuration was 4 times larger than normal. I waited for it to finish booting - which seemed to be a bit faster than the older 500G drive upon both boots - then restarted again. This time everything appeared as normal, once again, and I tested a few programs. All was as expected, and I came here. No problems to report. Only the clone drive is currently connected, to the end (master) of the ribbon cable.

Next?

#4 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 05 January 2012 - 05:21 AM

Have you run SeaTools (from a bootable CD) on both new Maxtors to test that they are in fact both good to go? If not, I advise you to do it (whether they are brand new hard drives or not, it is best to test them before attempting to use them). Let one run overnight tonight. Let the other run overnight, tomorrow night .... for example.

Let us know the results ... before we move on.

If you are satisfied that all is well with the clone, then you need "use" it no more. Connect the original hard drive to continue with your normal activities on the computer.

Meanwhile, tomorrow, I will try to get a better idea of how long cloning a 500 GB IDE HDD "should" take using the Acronis software. Tell me, how much space on the 500 GB HDD is "used" and "not used" (open My Computer > right-click on C: drive > Properties). I will make allowance for the recovery partition after that.
AustrAlien
Google is my friend. Make Google your friend too.


#5 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 05 January 2012 - 05:41 AM

I haven't run SeaTools on the new drives, but I ran it on the "current" older drive last month, when we resolved the issue with the dead 80GB HDD & ribbon cable. That test was successful, as you may remember. I will run it on the newly cloned drive now. I think I should hold off on testing the 2nd new drive until we're ready to decide how we want to use it, but if it's going to be some time until we can communicate again, I'll run the tests on it during that "down" time, if you'd like.

Maxtor MaxBlast told me, during its cloning process, that the C: drive has 433GB on it, while the D: partition has 33GB on it. Of that 433GB (432, actually), 160GB is used and 272GB is free.

As it's approaching both our bedtimes, I believe I'll run SeaTools on the new drive & report the findings back here tomorrow. Again, if you think I should run SeaTools on the unused new drive now instead of later, just say so, and I'll squeeze it in.

I'll speak to you again in "a few hours." Thanks, and be well.

- Arney

#6 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 05 January 2012 - 05:52 AM

Yes, I am about to head off to bed for the night.

Yes, I remember us using SeaTools before. I want you to get that "spare" new Maxtor out of its box and tested so we can include it/use it while we are playing around with this stuff. No use waiting until you need to use it before testing it: Test it now, before you need to use it.

Catch up with you tomorrow.
AustrAlien
Google is my friend. Make Google your friend too.


#7 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 02:12 AM

SeaTools Short Test & Long Test both successful. I have not had the opportunity to test the second new drive yet. I tried defragmenting the drive before tonight, but it was so seriously fragmented that I cancelled it after a few hours. Would you want me to finish the defrag or just continue to our next step?

I also noticed that this "old" drive started running a lot slower again after the test. Coincidence?

Edited by Arney X, 06 January 2012 - 02:19 AM.


#8 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 04:07 AM

I have an idea about the drive running slowly suddenly. After the partial defrag, the system has to re-index all over again. Indexing always slows down the system immensely. I may put it to sleep after the final defrag, just to test that theory.

#9 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 06 January 2012 - 04:15 AM

You wrote: "I have an idea about the drive running slowly suddenly. After the partial defrag, the system has to re-index all over again. Indexing always slows down the system immensely. I may put it to sleep after the final defrag, just to test that theory."

For now, I wouldn't bother testing that theory: Simply turn indexing off until we are finished working on the system. I would also suggest disabling the "sleep" option also until we are finished at least ... if not permanently altogether ... along with hibernation!

MY TEST: Time taken to clone IDE HDDs.
(Sorry, but a shortage of handy large-capacity IDE HDDs available to use means I've had to make do with using a couple of smaller HDDs.)

320 GB IDE HDD PRIMARY MASTER > cloned to > 80 GB IDE HDD PRIMARY SLAVE
(Both set to CABLE SELECT, and using the two connectors on the one ribbon cable)
Cloned using Acronis/DiscWizard, with the partitions re-sized (I chose manual adjustment from the default automatic adjustment) to fit onto the smaller (80 GB) HDD.

320 GB IDE HDD PRIMARY MASTER
3 partitions occupied the whole HDD.
C: drive 127 GB total, 17 GB used >
D: drive 85 total, 4 used >
E: drive 85 total, 36 used >

80 GB IDE HDD PRIMARY SLAVE after cloning ...
C: drive 23 total, 17 used >
D: drive 10 total, 4 used >
E: drive 41 total, 36 used >

Total used space: 56 GB of data
Total time taken: 34 minutes
-------------------------------------
Given that you reported 33 GB used in your recovery partition, and 160 GB used in your C: drive (total = 193 GB), I think allowing about 4x the amount of time for your job would be more than adequate; that works out to 2 hours.

So, as I suspected, cloning your HDD should have taken more like 2 hours than the 48 it did take!

The cloning software programs will normally clone/copy (if there are no problems with the HDD or file system on the HDD) with a method based on using files/stored data rather than a sector-by-sector copying from one disk to the other. Hence the time taken is proportional to the data on the disk. On the other hand, the time taken when using the sector-by-sector method (necessary if there are problems with the HDD &/or file system) is independent of the amount of data stored on the disk. Even so, even with this method employed for some unknown reason in your case, the time taken still does seem excessive.
AustrAlien
Google is my friend. Make Google your friend too.


#10 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 04:21 AM

Sorry...I used the wrong term, and my sentence structure may have been confusing. What I meant was to put indexing to sleep - which is more accurately referred to as "snoozing" it - not the system itself. I rarely ever use sleep mode or hibernate for the entire system. I will gladly disable Indexing.

#11 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 04:54 AM

I can only guess as to why the cloning took so long. Remember, the first step/question that appeared after I pressed the button to clone was whether I wanted to install the drive first. I answered no, and proceeded. There was never a question asking whether I wanted to clone by folder or by sector. That choice was done automatically.

I keep forgetting that the BC site shuts down at 4:30AM US/ 8:30PM AU for maintenance, I suppose. Frustrating. I've got precious little time left now. Sorry.

Edited by Arney X, 06 January 2012 - 04:57 AM.


#12 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 06 January 2012 - 04:58 AM

Please do the following ...
  • Right-click on My Computer > Hardware tab > Device Manager.
  • Locate IDE ATA/ATAPI controllers, and expand it.
  • Right-click on Primary IDE Channel > Advanced Settings tab.
    • Report what you see beside Transfer Mode and beside Current Transfer Mode for both Device 0 and Device 1.
  • Do the same for the Secondary IDE Channel.
Looking for a reason for slow data transfer rate ...
FYI: IDE ATA and ATAPI disks use PIO mode after multiple time-out or CRC errors occur
http://support.microsoft.com/kb/817472

SYMPTOMS
After you suspend and resume your computer several times, hard disk performance may be reduced. If you use Device Manager to view the properties of the IDE channel to which the drive is connected, the Advanced Settings tab may show that the current transfer mode for the drive is "PIO Mode."

CAUSE
After the Windows IDE/ATAPI Port driver (Atapi.sys) receives a cumulative total of six time-out or cyclical redundancy check (CRC) errors, the driver reduces the communications speed (the transfer mode) from the highest Direct Memory Access (DMA) mode to lower DMA modes in steps. If the driver continues to receive time-out or CRC errors, the driver eventually reduces the transfer mode to the slowest mode (PIO mode).


You wrote: "I can only guess as to why the cloning took so long. Remember, the first step/question that appeared after I pressed the button to clone was whether I wanted to install the drive first. I answered no, and proceeded."
I believe that to be completely unrelated. The install option was most probably only going to offer to initialise the new hard drive, and perhaps ask if you wished to partition it ... and perhaps format it ready to be used as a secondary/slave drive to a Windows system. (BUT ... I could well be wrong about this. Why it would ask whether you wanted to install the drive first after choosing the clone option, I really have no idea about!)

Edited by AustrAlien, 06 January 2012 - 05:11 AM.

AustrAlien
Google is my friend. Make Google your friend too.
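
The step-down behaviour quoted from KB 817472 in the post above, as an added example that is not part of the original thread and is not Microsoft's driver code. The mode ladder, the reset of the counter after each step, and the `reset_on_success` contrast policy are assumptions made for illustration; only the six-error threshold and the end state (PIO) come from the quoted text.

```python
"""Toy model of the transfer-mode step-down quoted from KB 817472."""
from dataclasses import dataclass

# Simplified, constructed ladder (assumption): fastest first, PIO last.
MODE_LADDER = ["UDMA5", "UDMA4", "UDMA3", "UDMA2", "UDMA1", "UDMA0", "PIO"]
ERROR_THRESHOLD = 6  # "a cumulative total of six time-out or CRC errors"


@dataclass
class IdeChannel:
    # False = errors accumulate forever, as the quoted text describes.
    # True  = hypothetical contrast policy: a good transfer clears the count.
    reset_on_success: bool = False
    level: int = 0    # index into MODE_LADDER
    errors: int = 0   # errors counted since the last step-down

    @property
    def mode(self) -> str:
        return MODE_LADDER[self.level]

    def transfer(self, ok: bool) -> None:
        """Record one transfer; step down one mode per threshold reached."""
        if ok:
            if self.reset_on_success:
                self.errors = 0
            return
        self.errors += 1
        at_bottom = self.level == len(MODE_LADDER) - 1
        if self.errors >= ERROR_THRESHOLD and not at_bottom:
            self.level += 1
            self.errors = 0  # assumption: counting restarts after a step


def simulate(events, reset_on_success=False):
    """Run a list of booleans (True = good transfer); return (mode, history)."""
    channel = IdeChannel(reset_on_success=reset_on_success)
    history = [channel.mode]
    for ok in events:
        channel.transfer(ok)
        if channel.mode != history[-1]:
            history.append(channel.mode)
    return channel.mode, history


def sporadic_errors(total, every):
    """Constructed workload: one failed transfer in every `every` transfers."""
    return [(i % every) != every - 1 for i in range(total)]


if __name__ == "__main__":
    # 36 errors spread over 36,000 transfers (a 0.1% error rate).
    workload = sporadic_errors(36_000, 1_000)
    print("cumulative      :", simulate(workload))
    print("reset on success:", simulate(workload, reset_on_success=True))
```

With cumulative counting, even a 0.1% error rate from something like a marginal ribbon cable eventually walks the channel all the way down to PIO, which matches a drive that tests healthy but transfers very slowly.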


#13 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:10:23 AM

Posted 06 January 2012 - 05:04 AM

You wrote: "I tried defragmenting the drive before tonight, but it was so seriously fragmented that I cancelled it after a few hours. Would you want me to finish the defrag ..."

What program are you using to defrag the drive? Windows XP default defrag tool ... or some other?
Yes, it can take a considerable length of time to get the job done, especially if it has been neglected for a long time.

You wrote: "I also noticed that this "old" drive started running a lot slower again after the test. Coincidence?"

I don't believe so and am looking for the reason.
AustrAlien
Google is my friend. Make Google your friend too.


#14 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 05:15 AM

You are correct, sir. Primary IDE Channel, Device 0, Transfer Mode is "DMA if available" and current transfer mode is PIO. For Device 1, Transfer Mode is "DMA if available" and current transfer mode is "Not Applicable."

Secondary IDE channel, Device 0, Transfer Mode is "DMA if available" and current transfer mode is PIO. For Device 1, Transfer Mode is "DMA if available" and current transfer mode is "Ultra DMA Mode 2."

#15 Arney X

Arney X
  • Topic Starter

  • Members
  • 227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CT, USA
  • Local time:07:23 PM

Posted 06 January 2012 - 05:21 AM

I defrag regularly...every few days, that is. I use the Windows XP default defrag tool as well as System Mechanic's defrag tool. My primary choice is usually the System Mechanic tool, but if that gets hung up for some reason, I revert to the Windows tool. Most recently, upon analyzing drive C: the Windows defrag tool said that the drive didn't need to be defragged...but there were blocks of red, fragmented files that were usually not there.



