SFC Scannow and SATA drives

LURKER

Pretty new DELLXPS 210 with SATA hard drive and SATA DVD R/W.

I finally got the demons cleaned. They even run in SAFE mode and cannot be quarantined.

Booting onto standard startup of XP, machine now hangs with arrow at top left of screen... waiting for graphics mode, I
think.

There is no floppy drive on the machine. Selecting in the BIOS to boot from internal DVD/CD or USB, it can't find the
SATA DVD drive.

I installed an external USB DVD drive and it boots. I get into Command console that way.

But SFC can't find the SATA Hard drive!

So I put the hard drive into another XP computer with SP3.

XP SFC does not have the VISTA options of:

/OFFBOOTDIR= and /OFFWINDIR=
options.

Now what do I do?

lurker
 
Patrick Keenan

LURKER said:
Pretty new DELLXPS 210 with SATA hard drive and SATA DVD R/W.

I finally got the demons cleaned. They even run in SAFE mode and cannot
be quarantined.

Booting onto standard startup of XP, machine now hangs with arrow at top
left of screen... waiting for graphics mode, I think.

There is no floppy drive on the machine. Selecting in the BIOS to boot
from internal DVD/CD or USB, it can't find the SATA DVD drive.

I installed an external USB DVD drive and it boots. I get into Command
console that way.

But SFC can't find the SATA Hard drive!

So I put the hard drive into another XP computer with SP3.

XP SFC does not have the VISTA options of:

/OFFBOOTDIR= and /OFFWINDIR=
options.

Now what do I do?

lurker

Try going into the BIOS and set the SATA Controller to run as IDE (perhaps
legacy) and not as Native or AHCI.

If the system is really badly compromised, you may find it faster to do a
clean install to a re-created partition - to a new drive if you don't have
backups - than to go endlessly back and forth trying to fix things.

HTH
-pk
 
DL

What does "I finally got the demons cleaned. They even run in SAFE mode
and cannot be quarantined." mean?
If it means your pc is infected, trying to run SFC is probably not going to
help
 
LURKER

I fix PCs for friends, neighbors and family. Occasionally people are referred to me. 90% of my activity is removing
trojans / viruses or whatever you want to call them. Usually I get them after the regular antivirus products have
failed. Indeed, this one had Trend as the defender. The machine was clean except for three undetected. Two of them
were recurring Browser Helper Objects (BHO), one of which monitors and logs programs that start up.

So I call them "demons". Until recently, Safe mode usually kept them from running. Not true any more. They get
launched by many different means, from attaching themselves to explorer.exe or other Microsoft windows files, or they
have a driver. Root kits hide them. I don't know all the sneaky methods.

Often I mount the infected hard drive in another machine and clean up SYSTEM32 directory that way, and other hiding places.

I have a tool (not free) from sysinternals that shows me running processes, even those not in the Windows Task List. I
can use that tool (Security Task Manager) to kill and quarantine a process. It's been quite effective until the past
two weeks. Now they often relaunch immediately. It's challenging work.

Root kits and other windows file contamination can often be cleaned with SFC. I do that after getting the demons
neutered. Then I use Service Pack 3 CDROM to update. From there it's conditional what is next.

...but these SATA drives are a big service problem. Some of them need a (SCSI/RAID) driver and BIOS can't handle them.

SATA servicing is new to me now and I'm just trying to find help from others who have some useful experience in this
SATA arena.

lurker
 
DL

There are a number of free applications for cleaning malware/trojans which
often cannot be detected by AV apps
http://www.claymania.com/removal-trojan-adware.html

Sata drives: it depends on what controller they are connected to, eg AHCI
Intel or other
If other, it's frequently necessary to load the controller drivers from
floppy before the drive can be detected, in any winxp repair process
 
LURKER

Thanks for the link!

I did find the file that was a problem. It looked like there were two (2) versions of SVCHOST.EXE in \System32. Here is
a link to an image of the email that I sent to two friends that also clean up machines. The note has screen capture
images in it.

http://rnc3.com/public/SVCHOST_TRICK.jpg

lurker
 
thecreator

Hi LURKER,

In order for the Computer to see the SATA DVD R/W Drive at bootup, you
need to go into Computer BIOS and change the SATA Mode from RAID
Configuration to IDE SATA MODE.

I have a SATA Hard Drive and a SATA DVD+RW Drive and I have the SATA
Mode set to IDE in Computer BIOS and Windows XP Home Edition Service Pack 3
has no problems reading a Windows XP Home Edition Service Pack 3 Slip-Stream
Upgrade CD.

Start Run and type in CMD and clicked OK. Then I typed in sfc /scannow
and it worked fine, for me, with the SATA Mode set to IDE.

In order for XP not to wait at Bootup for graphics, make sure that you
have the Monitor plugged into the Graphics Board, not into the Motherboard,
if you have two VGA Connectors available.

By the way, svchost.exe is only 14 kb in size. That is the correct one.

For large Hard Drives, you might wish to set up the computer into
Dual-Boot configuration. This way, you can delete stubborn files without
problems, by booting into the other operating system copy and use Explore
and go to that partition and locate that file and delete it. Then just run
Disk Cleanup on that partition to empty that Recycle Bin.
 
Bill Blanton

I saw this recently on an infected machine. You need to remove
the 60KB svch?st.exe file.

I'm guessing the '?' char as seen from the cmd prompt may be a
unicode foreign language 'o' as displayed in explorer.

I was finally able to remove the file from a booted Bart's CD.
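
Added example, not part of Bill Blanton's post or the thread: a Python check, run over a file listing taken from a drive mounted in a clean machine, that flags names which only look like a system binary because a non-Latin letter stands in for a Latin one, and shows why a console limited to an OEM code page prints such a name with a '?'. It takes the guess above (a non-Latin 'o') as its premise; the watch list, the look-alike map, the cp437 code page and the sample listing are assumptions constructed for illustration.

```python
import unicodedata

# Assumed watch list of system binary names an impostor might imitate.
KNOWN_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
               "services.exe", "winlogon.exe"}

# Small, non-exhaustive map of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u043e": "o", "\u03bf": "o", "\u0430": "a", "\u0435": "e",
    "\u0441": "c", "\u0440": "p", "\u0445": "x", "\u0455": "s", "\u0456": "i",
})

def skeleton(name):
    """Fold case, compatibility forms and known look-alikes to plain Latin."""
    return unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)

def console_view(name, codepage="cp437"):
    """How a console limited to an OEM code page would display the name."""
    return name.encode(codepage, errors="replace").decode(codepage)

def find_lookalikes(filenames):
    """Return (name, imitated_name, console_view) for each non-ASCII impostor."""
    hits = []
    for name in filenames:
        if name.isascii():
            continue  # a pure-ASCII name is not a homoglyph of anything
        skel = skeleton(name)
        if skel in KNOWN_NAMES:
            hits.append((name, skel, console_view(name)))
    return hits

# Constructed listing: the second entry uses Cyrillic U+043E in place of 'o'.
SAMPLE_LISTING = ["svchost.exe", "svch\u043est.exe",
                  "notepad.exe", "r\u00e9sum\u00e9.doc"]

if __name__ == "__main__":
    for name, target, shown in find_lookalikes(SAMPLE_LISTING):
        points = " ".join(f"U+{ord(c):04X}" for c in name if not c.isascii())
        print(f"{name!r} imitates {target}; console shows {shown!r} ({points})")
```
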
 
LURKER

thecreator said:
Hi LURKER,

In order for the Computer to see the SATA DVD R/W Drive at bootup, you
need to go into Computer BIOS and change the SATA Mode from RAID
Configuration to IDE SATA MODE.

I have a SATA Hard Drive and a SATA DVD+RW Drive and I have the SATA
Mode set to IDE in Computer BIOS and Windows XP Home Edition Service Pack 3
has no problems reading a Windows XP Home Edition Service Pack 3 Slip-Stream
Upgrade CD.

Start Run and type in CMD and clicked OK. Then I typed in sfc /scannow
and it worked fine, for me, with the SATA Mode set to IDE.

In order for XP not to wait at Bootup for graphics, make sure that you
have the Monitor plugged into the Graphics Board, not into the Motherboard,
if you have two VGA Connectors available.

By the way, svchost.exe is only 14 kb in size. That is the correct one.

For large Hard Drives, you might wish to set up the computer into
Dual-Boot configuration. This way, you can delete stubborn files without
problems, by booting into the other operating system copy and use Explore
and go to that partition and locate that file and delete it. Then just run
Disk Cleanup on that partition to empty that Recycle Bin.

Thanks for a lot of useful information. This thread will help a lot of people who find it.

I did change the BIOS. On a Dell, there are not many things one can do, but this one was there. After that, the CD
booted. However... it could not then find the Hard drive. (fume!)

No matter, I use an SATA to USB adapter and plug the problem hard drive via USB into another computer. From there a lot
of procedures can be performed. One does not have to remove the hard drive from the machine.

Lurker
 
DL

A winxp sys will probably require you to use the F6 option to install sata
controller drivers from floppy
 
Leonard Grey

DL is correct. XP does not have native support for SATA. You either
install SATA drivers when installing XP (that's what the OEMs do) or you
press F6 at bootup and install them then.
 
